Entropy collection is outside the FIPS boundary. If you don't want to modify the code, you can pass in -DDEVRANDOM using CFLAGS and set it to whatever value you desire. For instance, maybe you have a hardware device mapped to /dev/entropy that provides sufficient random data to seed the DRBG.

On 11/12/2015 11:35 AM, Ethan Rahn wrote:
> xxiao,
>
> Are you sure you can't modify that? My understanding of FIPS mode is
> that you cannot modify the FIPS code canister, which entropy sources
> are not a part of.
>
> Cheers,
>
> Ethan
>
> On Thu, Nov 12, 2015 at 8:08 AM, xxiao8 <xxiao8 at fosiao.com> wrote:
>
>     in e_os.h I saw
>     ======
>     #ifndef DEVRANDOM
>     /* set this to a comma-separated list of 'random' device files to try out.
>      * My default, we will try to read at least one of these files */
>     #define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
>     # endif
>     ======
>     this basically sets /dev/urandom as the default which really is
>     not FIPS-friendly, is there a way to override this during
>     compilation to set the default to /dev/random instead? I'm not
>     supposed to modify the source code as it will invalidate
>     openssl-FIPS certificate.
>
>     Thanks,
>     xxiao
>
>     _______________________________________________
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
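The compile-time override discussed in this thread, as an added illustration that is not OpenSSL's code and not from any of the posters: it reuses the `#ifndef DEVRANDOM` guard pattern quoted from e_os.h to show how a `-DDEVRANDOM=...` flag replaces the device list without touching the source. The names `seed_devices`, `seed_device_count` and `read_seed`, and the read loop itself, are assumptions made for the example.

```c
/* Added example, not OpenSSL source. Default list:  cc seed.c
 * Override without editing the file:  cc -DDEVRANDOM='"/dev/random"' seed.c */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#ifndef DEVRANDOM   /* same guard pattern as the e_os.h snippet in the thread */
# define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
#endif

/* The macro expands to a comma-separated initializer list. */
static const char *const seed_devices[] = { DEVRANDOM };

size_t seed_device_count(void)
{
    return sizeof(seed_devices) / sizeof(seed_devices[0]);
}

/* Hypothetical helper: fill buf from the first entry in `paths` that opens
 * and yields all `len` bytes. Returns the index used, or -1 if none did. */
int read_seed(const char *const *paths, size_t n, unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < n; i++) {
        int fd = open(paths[i], O_RDONLY | O_NONBLOCK);
        if (fd < 0)
            continue;               /* device missing: try the next one */
        size_t got = 0;
        while (got < len) {
            ssize_t r = read(fd, buf + got, len - got);
            if (r <= 0)
                break;              /* EOF, error, or read would block */
            got += (size_t)r;
        }
        close(fd);
        if (got == len)
            return (int)i;          /* short reads never count as a seed */
    }
    return -1;
}

int main(void)
{
    unsigned char seed[32];
    int used = read_seed(seed_devices, seed_device_count(), seed, sizeof(seed));
    printf("%zu device(s) compiled in; used: %s\n", seed_device_count(),
           used < 0 ? "none" : seed_devices[used]);
    return used < 0;
}
```

Building the same file with `-DDEVRANDOM='"/dev/random"'` makes the program report one compiled-in device, which is a quick way to confirm that a CFLAGS override reached the compiler.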