On Thu, Apr 18, 2013, no_spam...@yahoo.com wrote:

> Second try...
>
> The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have
> been removed in newer OpenSSL FIPS Object Module v2.0.
>

Those functions relate to the old X9.31 PRNG which isn't the default any more for the 2.0 module. The default is the SP800-90 DRBG.

> Are there replacements? Or are they not needed anymore? If an
> application is in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS
> mode), can the application fork without having to reset the FIPS rand state?
>

Yes, fork protection is included in the 2.0 module. In fact it was also in the 1.2.x module; you only needed to worry about fork for the 1.1 module.

> I see an interface called FIPS_x931_set_key, but I want to use an RBG that
> is compliant with SP 800-90 - which I believe the OpenSSL FIPS Object Module
> v2.0 supports.
>

In FIPS mode the default RAND method uses the SP800-90 DRBG so you use it automatically.

> When does one use the RAND_init_fips function?
>

You don't normally need to call that at all: it is handled automatically when you enter FIPS mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org