Can somebody please respond to my question? OpenSSH is aborting if the 1.1
FIPS module is used. Here my question is whether we need to comment out this
logic (by compiling with "GETPID_IS_MEANINGLESS") or whether we need to generate
the seed again for the child process.

I want to know under what circumstances we can build FIPS with
"GETPID_IS_MEANINGLESS". Thanks.
On Sun, Oct 14, 2012 at 8:32 PM, Kumar Ghanta <kumar...@gmail.com> wrote:

> Thank you very much for the quick response Stephen. Is it fine if we allow
> parent and child processes to share the same seed? I just want to know if
> there are any NIST restrictions. If possible, can you please elaborate on
> how OpenSSL takes care of this automatically after 1.2?
>
>
> On Fri, Oct 12, 2012 at 1:31 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
>
>> On Fri, Oct 12, 2012, Kumar Ghanta wrote:
>>
>> > Hi,
>> > Earlier versions of openssl-fips (versions 1.1.2 etc.) have the following
>> > checks in fips_rand.c. It looks like this check was removed in the
>> > later versions. I just want to know whether we need this check in the
>> > earlier versions as per the NIST guidelines. Thanks.
>> >
>> > #ifndef GETPID_IS_MEANINGLESS
>> >     pid = getpid();
>> >     if (pid != seed_pid)
>> >         {
>> >         RANDerr(RAND_F_FIPS_RAND_BYTES, RAND_R_PRNG_NOT_RESEEDED);
>> >         return 0;
>> >         }
>> >     if (pid != key_pid)
>> >         {
>> >         RANDerr(RAND_F_FIPS_RAND_BYTES, RAND_R_PRNG_NOT_REKEYED);
>> >         return 0;
>> >         }
>> > #endif
>>
>> The 1.1 module has checks in place to avoid two processes sharing the same
>> PRNG state after a fork() call and required manual intervention by the
>> application to cover this case.
>>
>> The 1.2 and 2.0 modules no longer require this as steps are taken
>> automatically by OpenSSL.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
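
Added example, not OpenSSL's code nor anything from the thread: a toy C generator that keeps the same seed_pid bookkeeping as the 1.1 module check quoted above. fork_experiment() shows the three situations the thread asks about: the check refusing an un-reseeded child, a GETPID_IS_MEANINGLESS-style build (no check) handing parent and child identical "random" output, and a child that reseeds after fork(). The generator (splitmix64) and the seed values are constructed placeholders, not a DRBG.

```c
#include <stdint.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Toy PRNG: splitmix64 is a placeholder, NOT a secure DRBG; the point is
 * the seed_pid bookkeeping that the 1.1 module's fips_rand.c performed. */
typedef struct { uint64_t state; pid_t seed_pid; } toy_prng;

static void toy_seed(toy_prng *p, uint64_t seed) {   /* seed or reseed */
    p->state = seed;
    p->seed_pid = getpid();                /* remember who seeded */
}

/* Fill *out, return 1. With check_pid set, return 0 when the caller is not
 * the seeding process (RAND_R_PRNG_NOT_RESEEDED); check_pid == 0 mimics a
 * build with GETPID_IS_MEANINGLESS, which has no such check. */
static int toy_bytes(toy_prng *p, uint64_t *out, int check_pid) {
    if (check_pid && getpid() != p->seed_pid) return 0;
    uint64_t z = (p->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    *out = z ^ (z >> 31);
    return 1;
}

/* Seed, fork, compare the next draw of parent and child. Returns 1 when:
 * mode 0 (check on, no reseed)     the child is refused output;
 * mode 1 (check off, no reseed)    both processes draw the SAME value;
 * mode 2 (check on, child reseeds) the child's value differs. -1 = error. */
static int fork_experiment(int mode) {
    toy_prng p; toy_seed(&p, 42);          /* constructed seed value */
    int fd[2]; if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child inherits p verbatim */
        uint64_t cv = 0;
        if (mode == 2) toy_seed(&p, 43);   /* real code: fresh OS entropy */
        int ok = toy_bytes(&p, &cv, mode != 1);
        (void)!write(fd[1], &ok, sizeof ok);
        (void)!write(fd[1], &cv, sizeof cv);
        _exit(0);
    }
    int ok = 0; uint64_t cv = 0, pv = 0;
    if (read(fd[0], &ok, sizeof ok) != (ssize_t)sizeof ok) return -1;
    if (read(fd[0], &cv, sizeof cv) != (ssize_t)sizeof cv) return -1;
    waitpid(pid, NULL, 0);
    if (mode == 0) return ok == 0;
    toy_bytes(&p, &pv, 1);                 /* parent is still seed_pid */
    return ok && (mode == 1 ? cv == pv : cv != pv);
}
```

Mode 1 is the hazard the pid check exists to catch: two processes emitting the same keystream, which is why the reseed in the child (mode 2), not removing the check, is the fix the thread is looking for.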
