[openssl-users] /dev/random in FIPS mode Error: PRNG not seeded

Paul Dale paul.dale at oracle.com
Wed Sep 12 21:36:30 UTC 2018

In FIPS mode, the default entropy gathering is not performed.  You, the user, must supply all entropy to the module.
See section 6.1.1 of the OpenSSL FIPS User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf).

Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia

-----Original Message-----
From: Cipher [mailto:dhanukumar1990 at gmail.com] 
Sent: Wednesday, 12 September 2018 7:24 PM
To: openssl-users at openssl.org
Subject: [openssl-users] /dev/random in FIPS mode Error: PRNG not seeded


We have a custom hardware system running Linux Debian OS having openssl 1.0.2l compiled with FIPS module 2.0. We are trying for FIPS 140-2 certification.

By default it looks like openssl RAND_poll() uses /dev/urandom for entropy.
We are told this may not be acceptable for FIPS 140-2 Level 1 certification and we should be using /dev/random. So we patched e_os.h to change the order to use "/dev/random" rather than /dev/urandom.

 i.e.  before:  #define DEVRANDOM  "/dev/urandom","/dev/random"
       after:   #define DEVRANDOM  "/dev/random","/dev/urandom"

Now we see that openssl is using /dev/random, but the problem is openssl operations randomly fail when run multiple times with "PRNG not seeded" error. This is in spite of having rngd installed to boost entropy.

[root at debian ~]# OPENSSL_FIPS=1 openssl version
FIPS mode ON.
OpenSSL 1.0.2l-fips  25 May 2017
[root at debian ~]# OPENSSL_FIPS=1 openssl version
FIPS mode ON.
OpenSSL 1.0.2l-fips  25 May 2017
[root at debian ~]#
[root at debian ~]# OPENSSL_FIPS=1 openssl version
139889362065040:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:549:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
139889362065040:error:2D07406D:FIPS routines:FIPS_drbg_instantiate:error retrieving entropy:fips_drbg_lib.c:284:
139889362065040:error:24066067:random number generator:RAND_init_fips:error instantiating drbg:rand_lib.c:293:
139889362065040:error:04088003:rsa routines:RSA_setup_blinding:BN
139889362065040:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal
139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=RSA SHA256 PSS
139889362065040:error:2A067068:lib(42):ECDSA_sign_setup:random number generation failed:ecs_ossl.c:149:
139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=ECDSA P-224
139889362065040:error:0A06B003:dsa routines:DSA_sign_setup:BN
139889362065040:error:0A070003:dsa routines:DSA_do_sign:BN
139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=DSA SHA384

[root at debian ~]# cat /proc/sys/kernel/random/entropy_avail
[root at debian ~]#

Few questions:
1) Would anyone know if usage of /dev/random as the openssl entropy source is mandatory for FIPS 140-2 certification?
2) entropy_avail shows 3090, yet we hit the 'PRNG not seeded' error. Is this because every FIPS_mode_set(1) call utilizes a lot of entropy for selfTests etc.? Is there any entropy estimate for each FIPS_mode_set() call?
3) Is there a way to avoid this issue with openssl code changes, i.e. by doing some sort of auto-fallback to /dev/urandom if the /dev/random pool is drained?
4) Since /dev/random is blocking, shouldn't openssl commands get stuck rather than error out if enough entropy is not available? Is there a way to do such a thing (by waiting for the pool to get replenished)? If yes, what part of the code needs to be changed?

Thanks in Advance,
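
An added example, not code from either poster or from OpenSSL: a helper that gathers a seed from a blocking device and waits for the full length instead of failing on a short read, which is the behaviour question 4 asks about. The name `gather_seed` and the 32-byte seed size are assumptions made for illustration; the application would then hand the bytes to its own seeding call.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Read exactly `want` bytes from an entropy device such as /dev/random.
 * The descriptor is opened without O_NONBLOCK, so read() waits for the
 * kernel pool instead of returning early with nothing.
 * Returns 0 when the buffer is completely filled, -1 otherwise. */
int gather_seed(const char *path, unsigned char *buf, size_t want)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NOCTTY);

    if (fd < 0)
        return -1;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0)
            got += (size_t)n;      /* short read: keep going */
        else if (n < 0 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        else
            break;                 /* EOF or a hard error: give up */
    }
    close(fd);
    return got == want ? 0 : -1;   /* never report a partial seed as success */
}

int main(void)
{
    unsigned char seed[32];        /* assumed seed size, not from the thread */
    volatile unsigned char *p = seed;
    size_t i;

    if (gather_seed("/dev/random", seed, sizeof seed) != 0) {
        perror("gather_seed");
        return 1;
    }
    /* Assumption: with OpenSSL 1.0.2 linked in, the seed would be supplied
     * here, e.g. RAND_add(seed, sizeof seed, (double)sizeof seed). */
    printf("gathered %zu seed bytes\n", sizeof seed);
    for (i = 0; i < sizeof seed; i++)
        p[i] = 0;                  /* wipe the seed once it has been used */
    return 0;
}
```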

