According to Dr. Henson, this is a known problem and can be fixed by:

RAND_set_rand_method(NULL);

when calling FIPS_mode_set(0);

Ken


John Firebaugh wrote:

Is it intended that it is not possible to re-enter FIPS mode via
FIPS_mode_set(1) after previously calling FIPS_mode_set(1) then
FIPS_mode_set(0)? If you do so, the RAND_bytes() call at fips.c line 307
fails. It seems the sequence of events is this:

1. FIPS_mode_set(1), RAND_set_rand_method(FIPS_rand_method()) called.
2. FIPS_mode_set(0), FIPS mode disabled but rand_method not reset to
non-FIPS method.
3. FIPS_mode_set(1), RAND_bytes() fails because it attempts to use
fips_rand with an unkeyed context.

This is with openssl-fips-test-1.2.0.

John
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
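
The three-step sequence and the RAND method reset described in the thread above, as a self-contained C model added here; it is not OpenSSL code and not from either poster. All names (`model_*`, `reenter`, `cur_method`, `fips_keyed`) are hypothetical, and the assumption that mode entry starts from an unkeyed FIPS PRNG and draws its seed through the currently selected RAND method is inferred from the description in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the state in the thread; constructed, not OpenSSL source. */
typedef int (*rand_fn)(unsigned char *buf, size_t n);
static rand_fn cur_method;   /* NULL selects the default (non-FIPS) method */
static int fips_keyed;       /* 1 once the FIPS PRNG has a key and seed */

/* Fixed fill bytes stand in for PRNG output; only the return codes matter. */
static int default_rand(unsigned char *b, size_t n) { memset(b, 0x5a, n); return 1; }
static int fips_rand(unsigned char *b, size_t n) {
    if (!fips_keyed) return 0;              /* unkeyed context: refuse */
    memset(b, 0xa5, n); return 1;
}
static void model_rand_set_method(rand_fn m) { cur_method = m; }
static int model_rand_bytes(unsigned char *b, size_t n) {
    return (cur_method ? cur_method : default_rand)(b, n);
}

static int model_fips_mode_set(int on) {
    unsigned char seed[48];
    if (!on) return 1;                      /* step 2: method pointer left as is */
    fips_keyed = 0;                         /* assumption: entry starts unkeyed */
    if (!model_rand_bytes(seed, sizeof seed)) return 0;  /* the failing call */
    fips_keyed = 1;                         /* keyed from the bytes just drawn */
    model_rand_set_method(fips_rand);       /* step 1: switch to the FIPS method */
    return 1;
}

/* Workaround from the reply: reset the RAND method when leaving FIPS mode. */
static int model_fips_leave(void) {
    int ok = model_fips_mode_set(0);
    model_rand_set_method(NULL);
    return ok;
}

/* Enter, leave, re-enter; returns the result of the second entry. */
int reenter(int reset_method_on_leave) {
    cur_method = NULL; fips_keyed = 0;
    if (!model_fips_mode_set(1)) return -1;
    if (!(reset_method_on_leave ? model_fips_leave() : model_fips_mode_set(0))) return -1;
    return model_fips_mode_set(1);
}

int main(void) {
    printf("without reset: %d\nwith reset: %d\n", reenter(0), reenter(1));
    return 0;
}
```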

