On Fri, Oct 12, 2012, Kumar Ghanta wrote:
> Hi,
> Earlier versions of openssl-fips (versions 1.1.2 etc) have the following
> checks in the fips_rand.c. It looks this check is being removed in the
> later versions. I just want to know whether we need this check in earlier
> versions as per the NIST guide lines. Thanks.
>
> #ifndef GETPID_IS_MEANINGLESS
> pid=getpid();
> if(pid != seed_pid)
> {
> RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED);
> return 0;
> }
> if(pid != key_pid)
> {
> RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED);
> return 0;
> }
> #endif
The 1.1 module has checks in place to avoid two processes sharing the same
PRNG state after a fork() call and required manual intervention by the
application to cover this case.
The 1.2 and 2.0 modules no longer require this as steps are taken
automatically by OpenSSL.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
