[openssl-users] FIPS: Any setup required for using a default DRBG ?

jonetsu jonetsu at teksavvy.com
Thu Mar 26 18:57:30 UTC 2015

> From: jonetsu <jonetsu at teksavvy.com> 
> Date: 03/26/15 11:11 

>   Is FIPS_mode_set(1) taking care of setting up a default DRBG ?  

Yes. It does.  When using post_cb() from fips_test_suite.c in for instance the fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 and DRBG HMAC-SHA256, amongst others.

After FIPS_mode_set(1) is executed along with the POST tests, a call to RAND_pseudo_bytes() will not run the tests again.  In this context, when do occur the DRBG continuous tests as shown in table 6b of the 2.0.9 Security Policy ?  Is there a need to actually call FIPS_selftest() ?


More information about the openssl-users mailing list