[openssl-users] Fips CTR_DRBG

Dr. Stephen Henson steve at openssl.org
Thu Feb 26 13:28:47 UTC 2015

On Thu, Feb 26, 2015, Piotr ??obacz wrote:

> Hello,
> i have a question about FIPS CTR_DRBG. I have managed to compile openssl
> with fips and everything works fine. The method FIPS_mode returns me 1
> so i am in FIPS mode, but what is my problem i dunno how to use properly
> FIPS_drbg api.

If you simply want to use the DRBG in CTR mode then you don't need to do
anything special: in FIPS mode the DRBG in CTR mode with a 256 bit AES key is
the default and you can just use the normal RAND APIs.

Do not use the self test or algorithm test code in applications: you need to
set up proper entropy gathering callbacks and the test code contains
deterministic examples which would have zero security in a real application.
That's what the RAND API will do by default.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list