Re: Entropy Source for Openssl 3.8


It is possible for a FIPS approved implementation to use a FIPS approved
entropy source, and then to incorporate additional entropy from a
non-approved source via the "personalization string" and "additional input"
arguments to the DRBG.  Making that available from the FIPS provider would
be nice (but would need revalidating of course).

Martin Bonner

----------------------------------------------------------------------
> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dr Paul Dale
>
> The code there is somewhat confused by the way the FIPS provider
> gathers its entropy.
> It doesn't access the seed source directly, instead it has call-backs
> into libcrypto to request entropy.
> The critical function is ossl_rand_get_entropy in
> crypto/rand/prov_seed.c. This function satisfies the FIPS provider's
> request for entropy and it doesn't access the seed source specified,
> instead it goes directly to OpenSSL's internal entropy gathering.
>
> So, no, there isn't a way to do what you want.
>
> It wasn't intended to operate this way and I'll look at producing a fix.
>
> Pauli

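The mechanism described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: the instantiate and generate steps of HMAC_DRBG (NIST SP 800-90A, SHA-256) in Python, showing where the approved entropy input, the personalization string and the additional input each enter the state. The class name, function names and sample byte strings are constructed for illustration.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG with SHA-256 per NIST SP 800-90A Rev. 1, section 10.1.2."""

    def __init__(self, entropy_input, nonce, personalization_string=b""):
        # entropy_input is the only input that must come from the approved
        # source; personalization_string may carry non-approved material.
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(entropy_input + nonce + personalization_string)

    def _hmac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into the (K, V) state.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def generate(self, n, additional_input=b""):
        # additional_input is mixed in before and after the output blocks.
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        return out[:n]


def demo():
    # Constructed sample values, fixed so the run is repeatable.
    approved = bytes(range(32))        # stands in for the approved source
    nonce = bytes(range(32, 48))
    extra = b"non-approved jitter sample"  # stands in for the other source
    plain = HmacDrbg(approved, nonce).generate(32)
    via_pstr = HmacDrbg(approved, nonce, extra).generate(32)
    via_addin = HmacDrbg(approved, nonce).generate(32, extra)
    repeat = HmacDrbg(approved, nonce, extra).generate(32)
    return plain, via_pstr, via_addin, repeat
```

Both optional inputs change the output stream, but the state is still seeded from the approved entropy input, so the extra material is mixed in alongside the approved seed rather than replacing it.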



