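I can do much more, I can give the source code:

#include <iostream>
using std::cout;
using std::endl;
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <fips/fips_rand.h>
#include <fips/fips_rand_lcl.h>
#include <openssl/rand.h>
#include <string.h>

/*
 * Fixed entropy/nonce source handed to the DRBG through its app-data pointer.
 * entcnt and noncecnt count how many times each callback has been invoked.
 */
typedef struct {
    const unsigned char *ent;
    size_t entlen;
    int entcnt;
    const unsigned char *nonce;
    size_t noncelen;
    int noncecnt;
} TEST_ENT;

/* Not referenced by the code below; kept from the original post. */
static unsigned char dummy_drbg_entropy[1024];
static unsigned char entropy_x[32];
static unsigned char nonce[16];

/*
 * Entropy callback: returns the same caller-supplied buffer on every call.
 *
 * SECURITY: this makes the DRBG output a pure function of the bytes in
 * TEST_ENT, so anyone who has those bytes can reproduce every output. That is
 * what a known-answer test needs and is unsuitable for keys, IVs or nonces.
 *
 * The entropy, min_len and max_len arguments are ignored here.
 * NOTE(review): the const is cast away because the callback type takes a
 * non-const pointer; presumably the library only reads the buffer - confirm.
 */
static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
                           int entropy, size_t min_len, size_t max_len)
{
    TEST_ENT *src = (TEST_ENT *)FIPS_drbg_get_app_data(dctx);

    *pout = (unsigned char *)src->ent;
    src->entcnt++;
    return src->entlen;
}

/*
 * Nonce callback: returns the same caller-supplied nonce on every call.
 * The same test-only caveat as for test_entropy applies.
 */
static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
                         int entropy, size_t min_len, size_t max_len)
{
    TEST_ENT *src = (TEST_ENT *)FIPS_drbg_get_app_data(dctx);

    *pout = (unsigned char *)src->nonce;
    src->noncecnt++;
    return src->noncelen;
}

/* Dump the OpenSSL error queue to stderr without allocating a BIO. */
static void print_openssl_errors(void)
{
    ERR_load_crypto_strings();
    ERR_print_errors_fp(stderr);
}

/*
 * Instantiates an AES-256 CTR_DRBG (with derivation function) from a fixed
 * entropy input and nonce and generates 32 bytes from it.
 *
 * Returns 0 on success and 1 when the DRBG could not be created, configured,
 * instantiated or asked for output. A failure to switch FIPS mode on is
 * reported but, as in the original, does not stop the run.
 */
int main(int argc, char* argv[])
{
    int status = 0;

    if (FIPS_mode() == 0) {
        if (FIPS_mode_set(1) == 0) {
            cout << "Failed to enable FIPS mode, ";
            cout << "error: " << ERR_get_error() << endl;
        } else {
            cout << "Enabled FIPS mode" << endl;
        }
    } else {
        cout << "Already in FIPS mode" << endl;
    }

    DRBG_CTX *dctx = FIPS_drbg_new(NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
    if (dctx == NULL) {
        /* Every call below dereferences dctx, so stop here. */
        print_openssl_errors();
        return 1;
    }

    /* Hard-coded, publicly visible inputs: test data only, never a real seed. */
    unsigned char entropytmp[] = {
        0x36, 0x40, 0x19, 0x40, 0xfa, 0x8b, 0x1f, 0xba,
        0x91, 0xa1, 0x66, 0x1f, 0x21, 0x1d, 0x78, 0xa0,
        0xb9, 0x38, 0x9a, 0x74, 0xe5, 0xbc, 0xcf, 0xec,
        0xe8, 0xd7, 0x66, 0xaf, 0x1a, 0x6d, 0x3b, 0x14
    };
    unsigned char noncetmp[] = {
        0x49, 0x6f, 0x25, 0xb0, 0xf1, 0x30, 0x1b, 0x4f,
        0x50, 0x1b, 0xe3, 0x03, 0x80, 0xa1, 0x37, 0xeb
    };

    /* AES-256 use df PR */
    /* NOTE(review): the generate call below passes 0 as its fourth argument,
     * which looks like "no prediction resistance" - confirm against the label. */
    std::cout << FIPS_drbg_get_strength(dctx) << " "
              << FIPS_rand_strength() << std::endl;

    /* Fill the callback state completely before the DRBG can reach it. */
    TEST_ENT t;
    t.ent = entropytmp;
    t.entlen = sizeof(entropytmp);
    t.nonce = noncetmp;
    t.noncelen = sizeof(noncetmp);
    t.entcnt = 0;
    t.noncecnt = 0;
    FIPS_drbg_set_app_data(dctx, &t);

    //if (!FIPS_drbg_set_callbacks(dctx, drbg_test_entropy, 0, 0x10, drbg_test_nonce, 0))
    if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) {
        std::cout << "dupa" << std::endl;
        FIPS_drbg_free(dctx);
        return 1;
    }

    //memcpy(entropy_x, entropytmp, sizeof(entropy_x));
    //memcpy(nonce, noncetmp, sizeof(nonce));

    //FIPS_drbg_instantiate(dctx, pers, sizeof(pers));
    if (!FIPS_drbg_instantiate(dctx, NULL, 0)) {
        /* Do not ask an uninstantiated DRBG for output. */
        print_openssl_errors();
        FIPS_drbg_free(dctx);
        return 1;
    }

    /* Fixed-size array instead of a variable-length one, which is not standard C++. */
    unsigned char outbuf[32];
    const size_t outlen = sizeof(outbuf);

    if (!FIPS_drbg_generate(dctx, outbuf, outlen, 0, NULL, 0)) {
        print_openssl_errors();
        status = 1;
    }
    /* NOTE(review): outbuf is never printed or compared, so this program does
     * not yet show whether two machines produce the same bytes. */

    FIPS_drbg_uninstantiate(dctx);
    FIPS_drbg_free(dctx);
    return status;
}

Dnia 2015-02-26, czw o godzinie 16:43 +0000, Dr. Stephen Henson pisze: > On Thu, Feb 26, 2015, Piotr Łobacz wrote: > > > Yes, > > i have read that RAND API will use CTR_DRBG by default but what if i > > want to have set seed and than calculate and have the same results on > > two different machines? As far as i understand if i set seed - which is > > calculated from entropy, nonce and personal string - if it is given i > > should get some deterministic value of returned buffer and RAND_bytes > > doesn't give me such result it is always different. Correct me if i am > > wrong. > > > > OK, can you give some details of how you are instantiating the DRBG? > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- ________________________________________________________________________ Piotr Łobacz Biuro Systemów i Oprogramowania RADMOR S.A. tel. (58) 6996 929 e-mail: piotr.lobacz at radmor.com.pl www.radmor.com.pl RADMOR S.A., ul. 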
Hutnicza 3, 81-212 Gdynia NIP: 586-010-21-39 REGON: 190432077 KRS: 0000074029 (Sąd Rejonowy Gdańsk-Północ w Gdańsku) Kapitał zakładowy wpłacony: 9 282 830 PLN