[openssl-users] FIPS: Any setup required for using a default DRBG ?
jonetsu at teksavvy.com
Thu Mar 26 18:57:30 UTC 2015
> From: jonetsu <jonetsu at teksavvy.com>
> Date: 03/26/15 11:11
> Is FIPS_mode_set(1) taking care of setting up a default DRBG ?
Yes. It does. When using post_cb() from fips_test_suite.c in for instance the fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 and DRBG HMAC-SHA256, amongst others.
After FIPS_mode_set(1) is executed along with the POST tests, a call to RAND_pseudo_bytes() will not run the tests again. In this context, when do occur the DRBG continuous tests as shown in table 6b of the 2.0.9 Security Policy ? Is there a need to actually call FIPS_selftest() ?
More information about the openssl-users