[openssl-users] Testing FIPS mode using 0 randomness
jonetsu
jonetsu at teksavvy.com
Mon Mar 2 17:18:06 UTC 2015
Hello,
I tried a simple test to see if FIPS mode would fail, using the example given in the FIPS user guide 2.0. The test consisted of replacing /dev/random and /dev/urandom with /dev/zero. I would have expected that no source of randomness would make the tests run at the call of FIPS_mode_set(1) fail.
ex.:
cd dev
rm random
mknod -m 666 /dev/random c 1 5
Verify presence of zeroes all over:
cat /dev/random | xxd
./fips_hmac fips_hmac.o
I added a ret value to catch the return code from FIPS_mode_set(1). Random or no random, it always returns 1.
Shouldn't randomness be an important part of the power-up tests? I understand there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' (e.g. continuous). Wouldn't these tests be part of the power-up sequence as called by FIPS_mode_set(1) also?
Thanks.
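The two checks implied by the experiment above, written out as an added example (this is not code from the original post, from the FIPS user guide, or from the OpenSSL FIPS module): first, an inspection of whether a device node really is the kernel RNG or has been swapped for /dev/zero, and second, a FIPS 140-2 section 4.9.2 style continuous RNG test (each output block compared with the preceding one) run over a stream, showing that an all-zero stream is rejected as "stuck" while a changing stream passes. The function names `classify_rdev`, `inspect_device`, `continuous_rng_test` and `continuous_test_on_path` are my own; the major/minor pairs 1:5, 1:8 and 1:9 are the Linux mem driver's /dev/zero, /dev/random and /dev/urandom (the post's `mknod ... c 1 5` creates the first of these). The sample buffers are constructed inline so the functions can be exercised without touching /dev at all.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major() / minor() on Linux (glibc, musl) */

#define SAMPLE_LEN 64
#define BLOCK_LEN  16

/* Constructed sample: what a reader would get from a /dev/random replaced by /dev/zero. */
static const unsigned char kZeroSample[SAMPLE_LEN] = { 0 };

/* Constructed sample: a simple counter, so no two consecutive 16-byte blocks are equal. */
const unsigned char *counter_sample(void)
{
    static unsigned char buf[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        buf[i] = (unsigned char)i;
    return buf;
}

/* Continuous RNG test in the style of FIPS 140-2 4.9.2: every block is compared
 * with the block before it; identical consecutive blocks mean a stuck generator.
 * Returns 1 on pass, 0 on fail (also 0 when there is not enough data to compare). */
int continuous_rng_test(const unsigned char *buf, size_t len, size_t block)
{
    if (block == 0 || len < 2 * block)
        return 0;
    for (size_t i = block; i + block <= len; i += block) {
        if (memcmp(buf + i - block, buf + i, block) == 0)
            return 0;            /* stuck output: block repeats its predecessor */
    }
    return 1;
}

/* Map a character-device major/minor pair to the Linux mem-driver node it names. */
const char *classify_rdev(unsigned int maj, unsigned int min)
{
    if (maj != 1)
        return "other";
    switch (min) {
    case 5:  return "zero";      /* /dev/zero    (c 1 5) */
    case 8:  return "random";    /* /dev/random  (c 1 8) */
    case 9:  return "urandom";   /* /dev/urandom (c 1 9) */
    default: return "other";
    }
}

/* stat() a path and classify it; a non-device or missing path is reported as such. */
const char *inspect_device(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return "missing";
    if (!S_ISCHR(st.st_mode))
        return "notchardev";
    return classify_rdev(major(st.st_rdev), minor(st.st_rdev));
}

/* Read two blocks from a path and apply the continuous test; -1 on read failure. */
int continuous_test_on_path(const char *path, size_t block)
{
    unsigned char buf[2 * BLOCK_LEN];
    if (block > BLOCK_LEN)
        return -1;
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, 2 * block, f);
    fclose(f);
    if (got != 2 * block)
        return -1;
    return continuous_rng_test(buf, got, block);
}

int main(void)
{
    const char *nodes[] = { "/dev/random", "/dev/urandom" };
    for (size_t i = 0; i < 2; i++) {
        const char *kind = inspect_device(nodes[i]);
        int ct = continuous_test_on_path(nodes[i], BLOCK_LEN);
        printf("%-13s node=%-10s continuous_test=%s\n", nodes[i], kind,
               ct < 0 ? "unreadable" : ct ? "pass" : "FAIL");
    }
    /* Expected outcome on the constructed samples, independent of /dev. */
    printf("all-zero sample: %s\n",
           continuous_rng_test(kZeroSample, SAMPLE_LEN, BLOCK_LEN) ? "pass" : "FAIL");
    printf("counter sample:  %s\n",
           continuous_rng_test(counter_sample(), SAMPLE_LEN, BLOCK_LEN) ? "pass" : "FAIL");
    return 0;
}
```

On a system where /dev/random has been replaced as in the post, `inspect_device("/dev/random")` reports `zero` before any cryptographic code is involved, and the block comparison fails on the first pair of identical blocks. Note that this comparison is applied to the generator's output stream; it says nothing about which tests a given FIPS module's power-up sequence actually runs, which is the question the post raises.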