In FIPS mode, the default entropy gathering is not performed. You, the user, must supply all entropy to the module. See section 6.1.1 of the OpenSSL FIPS User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf). Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia -----Original Message----- From: Cipher [mailto:dhanukumar1990@xxxxxxxxx] Sent: Wednesday, 12 September 2018 7:24 PM To: openssl-users@xxxxxxxxxxx Subject: /dev/random in FIPS mode Error: PRNG not seeded Hello, We have a custom hardware system running Linux Debian OS having openssl 1.0.2l compiled with FIPS module 2.0. We are trying for FIPS 140-2 certification. By default it looks like openssl RAND_poll() uses /dev/urandom for entropy. We are told this may not be acceptable for FIPS 140-2 Level 1 certification and we should be using /dev/random. So we patched e_os.h to change order to use "/dev/random" than /dev/urandom. i.e before define DEVRANDOM "/dev/urandom","/dev/random" after define DEVRANDOM "/dev/random","/dev/urandom" Now we see that openssl is using /dev/random, but the problem is openssl operations randomly fail when run multiple times with "PRNG not seeded" error. This is in-spite of having rngd installed to boost entropy. [root@debian ~]# OPENSSL_FIPS=1 openssl version FIPS mode ON. OpenSSL 1.0.2l-fips 25 May 2017 [root@debian ~]# OPENSSL_FIPS=1 openssl version FIPS mode ON. OpenSSL 1.0.2l-fips 25 May 2017 [root@debian ~]# [root@debian ~]# OPENSSL_FIPS=1 openssl version 139889362065040:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:549:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html 139889362065040:error:2D07406D:FIPS routines:FIPS_drbg_instantiate:error retrieving entropy:fips_drbg_lib.c:284: 139889362065040:error:24066067:random number generator:RAND_init_fips:error instantiating drbg:rand_lib.c:293: 139889362065040:error:04088003:rsa routines:RSA_setup_blinding:BN lib:rsa_crpt.c:212: 139889362065040:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error:rsa_eay.c:443: 139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=RSA SHA256 PSS 139889362065040:error:2A067068:lib(42):ECDSA_sign_setup:random number generation failed:ecs_ossl.c:149: 139889362065040:error:2A06502A:lib(42):ECDSA_do_sign:reason(42):ecs_ossl.c:308: 139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=ECDSA P-224 139889362065040:error:0A06B003:dsa routines:DSA_sign_setup:BN lib:dsa_ossl.c:318: 139889362065040:error:0A070003:dsa routines:DSA_do_sign:BN lib:dsa_ossl.c:225: 139889362065040:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:334:Type=DSA SHA384 [root@debian ~]# cat /proc/sys/kernel/random/entropy_avail 3090 [root@debian ~]# Few Questions: 1)Would anyone know if usage of /dev/random as openssl entropy source is mandatory for FIPS 140-2 certification? 2) entropy_avail shows 3090, yet we hit 'PRNG not seeded' error. Is this because every FIPS_mode_set(1) call utilizes lot of entropy for selfTests etc? Is there any entropy estimate for each FIPS_mode_set() call? 3) Is there a way to avoid this issue with openssl code changes? i.e by doing some sort of auto-fallback to /dev/urandom if /dev/random pool is drained. 4) Since /dev/random is blocking, shouldn't openssl commands get stuck than error out if enough entropy is not available? Is there a way to do such a thing(by waiting for pool to get replenished). If yes what part of code needs to be changed? Thanks in Advance, D -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
