On Fri, Oct 12, 2012, Kumar Ghanta wrote: > Hi, > Earlier versions of openssl-fips (versions 1.1.2 etc) have the following > checks in the fips_rand.c. It looks this check is being removed in the > later versions. I just want to know whether we need this check in earlier > versions as per the NIST guide lines. Thanks. > > #ifndef GETPID_IS_MEANINGLESS > pid=getpid(); > if(pid != seed_pid) > { > RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED); > return 0; > } > if(pid != key_pid) > { > RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED); > return 0; > } > #endif
The 1.1 module has checks in place to avoid two processes sharing the same PRNG state after a fork() call and required manual intervention by the application to cover this case. The 1.2 and 2.0 modules no longer require this as steps are taken automatically by OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org