[openssl-users] OpenSSL DRBG in FIPS mode confusion.

[Matthias St. Pierre]

On 15.03.2017 10:50, Jayalakshmi bhat wrote:
> Hi All,
>
> OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have question associated with this. 
>
> 1. OpenSSL wiki says  : Default DRBG is 256-bit CTR AES *using a derivation function*
> 2. Where as the document http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf  mentions "no derivation function" in one place and in another sections mentions both
> *Section 4 Modes of Operation and Cryptographic Functionality*
> Random Number  Generation;    [SP 800­90] DRBG5                         Hash DRBG  
> Symmetric key  generation        Prediction resistance                       HMAC DRBG, no reseed 
>                                                supported for all variations               CTR DRBG (AES), no derivation function 
> *Section 6 Self­test *
> DRBG  KAT  CTR_DRBG: AES, 256 bit with and without derivation function *
> *
>
> Please can any one let me know what is the default behavior? Is there any way to toggle between using and not using derivation function.
>
> Regards
> Jayalakshmi
>

The default is set by the FIPS enabled OpenSSL crypto library (not by the OpenSSL  FIPS object module itself) in RAND_init_fips(), rand_lib.c:277:

openssl-1.0.2k/crypto/rand/rand_lib.c:277:    if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) {


The default value is DRBG_FLAG_CTR_USE_DF, wich  follows from

openssl-1.0.2k/crypto/rand/rand_lib.c:251:# ifndef OPENSSL_DRBG_DEFAULT_FLAGS
openssl-1.0.2k/crypto/rand/rand_lib.c:252:#  define OPENSSL_DRBG_DEFAULT_FLAGS      DRBG_FLAG_CTR_USE_DF
openssl-1.0.2k/crypto/rand/rand_lib.c:256:static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
openssl-1.0.2k/crypto/rand/rand_lib.c:261:    fips_drbg_flags = flags;

and you can change it using void RAND_set_fips_drbg_type(int type, int flags).


Regards,
Matthias St. Pierre