Hi all,

I'm trying to investigate how entropy is gathered for CTR_DRBG when OpenSSL
is in FIPS mode.

Environment: RHEL 6 and OpenSSL FIPS Object Module 2.0.2 and OpenSSL
1.0.1c.

If I understood this correctly it looks like the security_strength is 256
bits (32 bytes) and seed length is 384 bits (48 bytes).

When instantiating (in FIPS_drbg_instantiate), it eventually calls
fips_get_entropy (with the values entropy == 256, min_len = 32 and max_len
as a whole lot more). What is the difference here between entropy and
min_len?

Eventually it calls drbg_get_entropy with entropy = 256+20 (where 20 is the
block length) and min_len = 32+20. This calls into RAND_SSLeay()->bytes()
to get 60 bytes of rand (as the comment says this uses the standard OpenSSL
PRNG to get entropy).

fips_get_entropy then returns the last 40 bytes as the entropy (it uses the
first 20 for the continuous PRNG test).

Now inside of RAND_SSLeay()->bytes() it eventually ends up in
ssleay_rand_bytes (in md_rand.c) and I'm having some trouble understanding
the code here. It fetches 32 bytes of random bytes from /dev/urandom and
adds that to the seed (using RAND_add). It also adds another 24 bytes (but
0.0 entropy) of data in the current pid, uid and time. ssleay_rand_bytes
also does some hashing (I can't tell what hash method it's actually using).

In the end I'm a bit confused, so I'd appreciate some help with a few
questions:

1) How many bytes of entropy do we really need? Just security_strength
(i.e. 32 bytes) or as many bytes as the RNG is requested (e.g. if we
request 64 bytes, do we need 64 bytes of entropy)?

2) How many bytes is it actually getting in the end? fips_get_entropy seems
to return 40 even though RAND_poll only returns 32 from /dev/urandom.

3) What exactly is the hash in ssleay_rand_bytes doing?

The main reason I ask is that I heard for the new FIPS requirements we can
only use 20 bytes from /dev/urandom. Is OpenSSL compliant with this? If
not, is there a way I can combine another source of entropy (for example
egd + urandom)?

Thanks a lot!
