Hi,
 
I'm experimenting with porting openssl-1.0.1/openssl-fips-2.0 to a proprietary
platform. FIPS_mode_set was failing for me, and some investigation showed that
it was the RSA POST tests that failed, and that it was related to RNG
initialization. I found that if I added the following code before my
FIPS_mode_set() call, FIPS mode was entered successfully.
 
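 {
     DRBG_CTX *ctx;
     size_t i;
     /* FIPS_set_error_callbacks(put_err_cb, add_err_cb); */
     /* Fill the buffer with a fixed counter pattern (0x00, 0x01, ...). */
     for (i = 0; i < sizeof(dummy_entropy); i++)
         dummy_entropy[i] = i & 0xff;
     /* Optionally make the 16-byte blocks at offsets 16 and 32 identical. */
     if (entropy_stick)
         memcpy(dummy_entropy + 32, dummy_entropy + 16, 16);
     /* Set up the default DRBG as AES-256 CTR with a derivation function. */
     ctx = FIPS_get_default_drbg();
     FIPS_drbg_init(ctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
     /* dummy_cb is both the entropy and the nonce callback; 16 is the entropy block length. */
     FIPS_drbg_set_callbacks(ctx, dummy_cb, 0, 16, dummy_cb, 0);
     /* The first 10 bytes of dummy_entropy are passed as the personalisation string. */
     FIPS_drbg_instantiate(ctx, dummy_entropy, 10);
     /* Make this DRBG the FIPS RAND method. */
     FIPS_rand_set_method(FIPS_drbg_method());
 }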

This looks a bit complicated. I've been trying to find information on how RNG
initialization is supposed to work in FIPS mode, but I have not been able to
find anything. How is this supposed to be handled? I fear that I have
unknowingly ripped something out that is causing this.
 
Can anyone give me a description of RNG initialization in FIPS mode, please?
 
--
R
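
Added example, not part of the original post and not OpenSSL's own code: the snippet above seeds the DRBG from a fixed byte pattern, so this sketch shows entropy and cleanup callbacks of the same shape that draw from a platform source and reject repeated 16-byte blocks. The names platform_entropy, entropy_is_stuck, real_entropy_cb and real_entropy_cleanup and the use of /dev/urandom are assumptions; the callback prototypes follow the FIPS 2.0 module's fips_rand.h, and DRBG_CTX is forward-declared only so the code builds without those headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in so this builds without the FIPS headers; a real build gets the
 * type from <openssl/fips_rand.h>. */
typedef struct drbg_ctx_st DRBG_CTX;
#define ENTROPY_BLOCKLEN 16 /* block length the post passes to FIPS_drbg_set_callbacks */

/* Assumption: /dev/urandom is the platform entropy source; substitute your own. */
static int platform_entropy(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len;
}

/* Returns 1 if two adjacent ENTROPY_BLOCKLEN-byte blocks are identical, the
 * repeated-block condition that the post's entropy_stick branch builds. */
static int entropy_is_stuck(const unsigned char *buf, size_t len)
{
    size_t off;
    for (off = ENTROPY_BLOCKLEN; off + ENTROPY_BLOCKLEN <= len; off += ENTROPY_BLOCKLEN)
        if (memcmp(buf + off - ENTROPY_BLOCKLEN, buf + off, ENTROPY_BLOCKLEN) == 0)
            return 1;
    return 0;
}

/* Entropy/nonce callback: returns min_len fresh bytes in *pout, or 0 on failure. */
static size_t real_entropy_cb(DRBG_CTX *ctx, unsigned char **pout,
                              int entropy, size_t min_len, size_t max_len)
{
    unsigned char *buf;
    (void)ctx; (void)entropy;
    if (min_len == 0 || min_len > max_len || (buf = malloc(min_len)) == NULL)
        return 0;
    if (!platform_entropy(buf, min_len) || entropy_is_stuck(buf, min_len)) {
        free(buf);
        return 0;
    }
    *pout = buf;
    return min_len;
}

/* Cleanup callback: wipe and release the buffer handed out above. */
static void real_entropy_cleanup(DRBG_CTX *ctx, unsigned char *out, size_t olen)
{
    volatile unsigned char *p = out;
    (void)ctx;
    while (p != NULL && olen--) *p++ = 0;
    free(out);
}
```

With the FIPS module headers in place, these would replace dummy_cb and the two 0 cleanup arguments: FIPS_drbg_set_callbacks(ctx, real_entropy_cb, real_entropy_cleanup, 16, real_entropy_cb, real_entropy_cleanup).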
 
                                          
