Even without linking the canister (not using fipsld), if I use the FIPS includes, RAND_status() fails. According to nm, RAND_status is still redirected to FIPS_rand_status.

If I use libcrypto by itself with the native includes only and without fipsld, the PRNG seeds fine. As expected, nm reports RAND_status as the symbol, not FIPS_rand_status. I am using the same library that was compiled against the FIPS canister in both cases.

Interesting to me is that in the opensslconf.h that is installed with the FIPS canister, OPENSSL_NO_SEED is defined.

The problem is limited to FIPS_rand*, which RAND_* is moved over to when properly FIPS linked. RAND_status() still fails before FIPS_mode_set is called. Loading the error strings at the start provided no additional output on any failure.

I am really confused, as FIPS_mode_set succeeds, which happens to include invoking FIPS_selftest. /dev/urandom is accessed for 32 bytes during the FIPS_mode_set.

Thanks,
Woody

Dr. Stephen Henson wrote on 02/25/2012 06:24 AM:
> On Fri, Feb 24, 2012, gatewood_gr...@mcafee.com wrote:
>
> > What is your test environment and method? We've tried this in both our
> > embedded OS (minimized LFS style build) and OpenSUSE. Both ways the
> > result is the same.
> >
>
> Specifically tested on Ubuntu 64 bit VM but it should be OK on any platform
> where the PRNG is auto seeded.
>
> > Focusing on the PRNG, we cannot get FIPS_rand_status() to report 1.
> > Tried both on hardware and in VMs.
> >
>
> Do you get any error print out at all?
>
> Try calling ERR_load_crypto_strings() at the start of the program instead of
> only after an error.
>
> If the PRNG cannot be seeded then RAND_status() should fail outside FIPS mode
> and RAND_bytes() should return an error too.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

--
Gatewood Green
Principal Software Engineer
NitroSecurity, now part of McAfee
e: gatewood_gr...@mcafee.com
w: http://www.nitrosecurity.com/
Imagine, if you will, a world in which there are no hypothetical situations...