Re: [openssl-users] FIPS: Any setup required for using a default DRBG ?
From: jonetsu jone...@teksavvy.com
Date: 03/26/15 11:11

> Is FIPS_mode_set(1) taking care of setting up a default DRBG?

Yes. It does.

When using post_cb() from fips_test_suite.c in, for instance, the fips_hmac.c demo, with only a FIPS_mode_set(1) call, it is reported that the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 and DRBG HMAC-SHA256, amongst others.

After FIPS_mode_set(1) is executed along with the POST tests, a call to RAND_pseudo_bytes() will not run the tests again. In this context, when do the DRBG continuous tests occur, as shown in table 6b of the 2.0.9 Security Policy? Is there a need to actually call FIPS_selftest()?

Regards.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] FIPS: Any setup required for using a default DRBG ?
Hello,

Is FIPS_mode_set(1) taking care of setting up a default DRBG? Would a subsequent call to RAND_pseudo_bytes(), for instance, be using the default DRBG (256-bit CTR AES?)

There are quite a few DRBG-related FIPS methods described in the User Guide, and one that is called FIPS_get_default_drbg(). Does this have to be actually called?

I'm asking since I added in crypto/o_fips.c a FIPS_post_set_callback() in FIPS_set_mode() with a case switch on FIPS_TEST_DRBG (amongst others). SHA256, HMAC-SHA256, AES-128-CBC, AES-256-CTR amongst others are reported to be tested, although there's no sign of the FIPS_TEST_DRBG. Nor FIPS_TEST_CONTINUOUS for that matter.

Wouldn't the DRBG be tested in a 'continuous' way before each use? - thanks.

Regards.