[openssl-users] Testing FIPS mode using 0 randomness

jonetsu jonetsu at teksavvy.com
Mon Mar 2 17:18:06 UTC 2015


  I tried a simple test to see if FIPS mode would fail, using the example given in the FIPS user guide 2.0.  The test consisted of replacing the /dev/random and /dev/urandom with /dev/zero.  I would have expected that no source of randomness would make the tests ran at the call of FIPS_mode_set(1) fail.


cd dev
rm random
mknod -m 666 /dev/random c 1 5

Verify presence of zeroes all over:
cat /dev/random | xxd

./fips_hmac fips_hmac.o

If added a ret value to catch the return code from FIPS_mode_set(1).  Random or no random, it always returns 1.  

Shouldn't randomness be an important part of the power-up tests ?  I understand there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' (eg. continuous). Wouldn't these tests be part of the power-up sequence as called by FIPS_mode_set(1) also ?


More information about the openssl-users mailing list