3

I am trying to use the OpenSSL FIPS Object module v2.0 with the base OpenSSL library (1.0.1c) to make my application FIPS 140-2 complaint. The problem is I am not able to figure out how to use the DRBG API from the FIPS object module for replacing my RAND_* calls.

I can see few instances of the RAND_bytes call made within OpenSSL modules and also use them in other libraries/source files (outside of OpenSSL). The user documentation provided in http://www.openssl.org/docs/fips/UserGuide-2.0.pdf talks about the respective API but does not illustrate on which calls needs to be mapped to its respective RAND_* counterpart.

I have tried looking for this information on various forums but not been lucky so far. I would appreciate it, if someone could help me understand how to use these calls and replace the RAND_* calls that are currently in use.

Thanks, Sandeep

user1912223
  • 31
  • 1
  • 2
  • 1
    The `RAND_` API is an interface. You don't replace any of the `RAND_` calls. Instead, you register the DRBG (probably done automatically when you call `FIPS_mode()` or something) and then your `RAND_` calls will use it instead of the default RNG implementation. – indiv Dec 19 '12 at 18:39

1 Answers1

2

The problem is I am not able to figure out how to use the DRBG API from the FIPS object module for replacing my RAND_* calls.

Once you call FIPS_mode_set (and assuming it returns non-zero), you are using the NIST approved DRBGs. From OpenSSL's Random Numbers wiki page:

The default DRBG is 256-bit CTR AES using a derivation function ... To use the FIPS random number generator, simply use RAND_bytes as described earlier. Note that the call to FIPS_mode_set must succeed in order to operate in FIPS 140 mode.

jww
  • 97,681
  • 90
  • 411
  • 885
  • Upvoted this age old answer, but the question remains if these engines are avaialble *without switching to FIPS mode*. That might be too great a step just to use the RNG. – Maarten Bodewes Apr 17 '17 at 21:14