Do we really use the FIPS version of random number generator
We basically follow the instructions in this link to enable FIPS mode.
How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant?
And we seem to have succeeded because
$ sysctl crypto.fips_enabled crypto.fips_enabled = 1
And calling FIPS_mode_set(1) returns 1, which means success.
Quote from OpenSSL wiki:
Random Numbers
To use the FIPS random number generator, simply use RAND_bytes as described earlier. Note that the call to FIPS_mode_set must succeed in order to operate in FIPS 140 mode.
However, I run this code:
#include#include #include int main() { unsigned char buffer[4]; int rc; rc = FIPS_mode_set(1); printf("FIPS_mode_set rc=%d\n", rc); rc = RAND_bytes(buffer, sizeof(buffer)); printf("RAND_bytes rc=%d random number=%08X\n", rc, *(int *)buffer); rc = FIPS_rand_bytes(buffer, sizeof(buffer)); printf("FIPS_rand_bytes rc=%d random number=%08X\n", rc, *(int *)buffer); return 0; }
And I patched the RAND_bytes() and FIPS_rand_bytes() in openssl-1.0.1e to let them print their function names.
I found they are still called separately.
I thought RAND_bytes() will automatically be mapped to FIPS_rand_bytes().
Is my assumption wrong?
How do I know we are really using the FIPS version of functions.
Responses