Thank you very much for the quick response, Stephen. Is it fine if we allow parent and child processes to share the same seed? I just want to know if there are any NIST restrictions. If possible, can you please elaborate on how OpenSSL takes care of this automatically after 1.2?

On Fri, Oct 12, 2012 at 1:31 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Fri, Oct 12, 2012, Kumar Ghanta wrote:
>
> > Hi,
> > Earlier versions of openssl-fips (versions 1.1.2 etc) have the following
> > checks in the fips_rand.c. It looks like this check is being removed in the
> > later versions. I just want to know whether we need this check in earlier
> > versions as per the NIST guidelines. Thanks.
> >
> > #ifndef GETPID_IS_MEANINGLESS
> >     pid=getpid();
> >     if(pid != seed_pid)
> >         {
> >         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED);
> >         return 0;
> >         }
> >     if(pid != key_pid)
> >         {
> >         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED);
> >         return 0;
> >         }
> > #endif
>
> The 1.1 module has checks in place to avoid two processes sharing the same
> PRNG state after a fork() call and required manual intervention by the
> application to cover this case.
>
> The 1.2 and 2.0 modules no longer require this as steps are taken
> automatically by OpenSSL.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
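
The quoted check compares `getpid()` with the PID recorded when the generator was seeded. The sketch below is an added example, not part of the original messages and not OpenSSL code; it shows on a toy, non-cryptographic generator what that test guards against after `fork()`. The names `toy_prng`, `toy_seed`, `toy_next` and `child_draw` are hypothetical, and the xorshift step stands in for the real generator.

```c
/* Added illustration: toy generator, not cryptographic and not OpenSSL code. */
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { uint64_t state; pid_t seed_pid; } toy_prng; /* hypothetical type */

void toy_seed(toy_prng *g, uint64_t seed) {
    g->state = seed;
    g->seed_pid = getpid();           /* remember which process seeded the state */
}

/* Returns 1 and stores a value, or 0 when the state was inherited across fork(). */
int toy_next(toy_prng *g, uint64_t *out, int check_pid) {
    if (check_pid && getpid() != g->seed_pid)
        return 0;                     /* same idea as the quoted seed_pid test */
    g->state ^= g->state << 13;       /* xorshift64, stand-in for the real generator */
    g->state ^= g->state >> 7;
    g->state ^= g->state << 17;
    *out = g->state;
    return 1;
}

/* Fork, let the child draw once, report via a pipe; returns its toy_next() result or -1. */
int child_draw(toy_prng *g, int check_pid, uint64_t *child_val) {
    int fds[2], ok = 0;
    pid_t pid;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                   /* child: works on its own copy of *g */
        uint64_t v = 0;
        ok = toy_next(g, &v, check_pid);
        if (write(fds[1], &ok, sizeof ok) < 0 || write(fds[1], &v, sizeof v) < 0) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &ok, sizeof ok) != (ssize_t)sizeof ok ||
        read(fds[0], child_val, sizeof *child_val) != (ssize_t)sizeof *child_val) ok = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return ok;
}
int main(void) {
    toy_prng g; uint64_t c = 0;
    toy_seed(&g, 0x1234abcdULL);      /* constructed sample seed */
    printf("child draw with PID check: %d\n", child_draw(&g, 1, &c));
    return 0;
}
```

With the check disabled, parent and child each advance an identical copy of the state and emit the same value; with it enabled, the child gets an error until it reseeds itself.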