I don't know how critical is the DEVRANDOM for openssl-fips, in e_os.h I
saw this:
#define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
we have a hardware RNG that is feeding /dev/random via:
/sbin/rngd -r /dev/hwrng -W 4000
so the /dev/random will never block, I
I'm trying to run the algorithm tests under linux for fips 2.0.10 +
openssl 1.0.1e, using the fips-2.0-tv.tar.gz from openssl website, and
saw quite some errors, anything am I missing?
Thanks,
xxiao
perl fipsalgtest.pl --dir=/tmp/tv
WARNING: unrecognized filename
in e_os.h I saw
==
#ifndef DEVRANDOM
/* set this to a comma-separated list of 'random' device files to try out.
* My default, we will try to read at least one of these files */
#define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
# endif
==
this basically sets /dev/urandom as
I'm trying to make wpa_supplicant fips-safe and one step is to set up:
#openssl_ciphers=DEFAULT:!EXP:!LOW
(based on http://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf)
https://www.openssl.org/docs/apps/ciphers.html has a list of all ciphers.
Is there a way somehow to set up a
The key issue still remains, are the validated SP800-90 DRBGs the _same_
as SP800-90A's DRBGs? If yes then we can probably use Openssl-FIPS with
SP800-90A, otherwise OpenSSL-FIPS 2.0.9 probably can no longer be used
for any new validations?
Thanks,
xxiao
---
Hi,
For the second question any
At the moment OpenSSL FIPS validation supports ANSI X9.31 with AES128
for RNG, however it will be outdated in 2015.
Another alternative RNG in OpenSSL FIPS is SP800-90 DRBG, however the
new requirement is to use DRBG per SP800-90A.
Are the DRBGs in SP800-90/OpenSSL-FIPS-2.0.9 the same as