> This also puts into question the no_df tests in test/drbgtest.c, how
> can we possibly, under the diverse conditions we're facing, assume to
> know if those tests will succeed or fail?

The no_df tests are o.k. as they are. In fact, OpenSSL supports using the DRBG with or without the derivation function. We ourselves, we are not using the no_df feature. But that does not mean we have to rip it out of our sources. It's there since FIPS 2.0 and it's implemented correctly.

A possible use case would be the following: if an application has access to a true RNG then it could replace the get_entropy() callbacks and operate our DRBG without the derivation function.

> So I guess I'm still on track with wanting to specify a get_nonce
> function for VMS. Speaking of that, got any ideas on how to hook that
> on appropriately, without butchering the current DRBG code?

Hold the line, I'm currently working on it...

Matthias

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project