[openssl-users] FIPS: Any setup required for using a default DRBG ?

jonetsu jonetsu at teksavvy.com
Thu Mar 26 15:09:46 UTC 2015


  Is FIPS_mode_set(1) taking care of setting up a default DRBG ?  Would a subsequent call to RAND_pseudo_bytes() for instance be using the default DRBG ( 256-bit CTR AES ?) There are quite a few DRBG-related FIPS methods described in the User Guide, and one that is called FIPS_get_default_drbg().  Does this have to be actually called ?  I'm asking since I added in crypto/o_fips.c a FIPS_post_set_callback() in FIPS_set_mode() with a case switch on FIPS_TEST_DRBG (amongst others).  SHA256, HMAC-SHA256, AES-128-CBC, AES-256-CTR amongst others are reported to be tested, although there's no sign of the FIPS_TEST_DRBG.  Nor FIPS_TEST_CONTINUOUS for that matter.  Wouldn't the DRBG be tested in a 'continuous' way before each use ?  - thanks.


More information about the openssl-users mailing list