RAND, FIPS and providers

Matt Caswell matt at openssl.org
Tue Sep 24 09:20:26 UTC 2019



On 24/09/2019 10:17, Matthias St. Pierre wrote:
> 
> On 24.09.19 10:58, Matthias St. Pierre wrote:
>> It would also make sense to make the entropy sources themselves fetchable and
>> configurable.  This would enable us to
>>
>> - separate FIPS and non-FIPS entropy sources (using the 'fips' attribute)
> 
> This concept would also enable us to ensure that FIPS DRBGs can only seed from
> FIPS entropy sources, without having to hardcode the list of approved entropy
> sources.

It's not quite as simple as that. Although allowed by FIPS standards, we made
the simplifying assumption that our FIPS module would never fetch or use
algorithms external to its own boundary. This is physically not possible in the
FIPS module as it stands today.

Matt

