Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

rngtest(1) [centos man page]

RNGTEST(1)						      General Commands Manual							RNGTEST(1)

NAME

       rngtest - Check the randomness of data using FIPS 140-2 tests

SYNOPSIS

       rngtest [-c n | --blockcount=n] [-b n | --blockstats=n] [-t n | --timedstats=n] [-p | --pipe] [-?] [--help] [-V] [--version]

DESCRIPTION

       rngtest works on blocks of 20000 bits at a time, using the FIPS 140-2 (errata of 2001-10-10) tests to verify the randomness of the block of
       data.

       It takes input from stdin, and outputs statistics to stderr, optionally echoing blocks that passed the FIPS tests to stdout (when operating
       in pipe mode).  Errors are sent to stderr.

       At  startup,  rngtest  will trow away the first 32 bits of data when operating in pipe mode.  It will use the next 32 bits of data to boot-
       strap the FIPS tests (even when not operating in pipe mode).  These bits are not tested for randomness.

       Statistics are dumped to stderr when the program exits.

OPTIONS

       -p, --pipe
	      Enable pipe mode.  All data blocks that pass the FIPS tests are echoed to stdout, and rngtest operates in silent mode.

       -c n, --blockcount=n (default: 0)
	      Exit after processing n input blocks, if n is not zero.

       -b n, --blockstats=n (default: 0)
	      Dump statistics every n blocks, if n is not zero.

       -t n, --timedstats=n (default: 0)
	      Dump statistics every n seconds, if n is not zero.

       -?, --help
	      Give a short summary of all program options.

       -V, --version
	      Print program version

STATISTICS

       rngtest will dump statistics to stderr when it exits, and when told to by blockstats or timedstats.

       FIPS 140-2 successes and FIPS 140-2 failures counts the number of 20000-bit blocks either accepted or rejected by  the  FIPS  140-2  tests.
       The  other  statistics  show  a	breakdown of the FIPS 140-2 failures by FIPS 140-2 test.  See the FIPS 140-2 document for more information
       (note that these tests are defined on FIPS 140-1 and FIPS  140-2  errata  of  2001-10-10.  They	were  removed  in  FIPS  140-2	errata	of
       2002-12-03).

       The speed statistics are taken for every 20000-bit block transferred or processed.

EXIT STATUS

       0 if no errors happen, and no blocks fail the FIPS tests.

       1 if no errors happen, but at least one block fails the FIPS tests.

       10 if there are problems with the parameters.

       11 if an input/output error happens.

       12 if an operating system or resource starvation error happens.

SEE ALSO

       random(4), rngd(8)

       FIPS PUB 140-2 Security Requirements for Cryptographic Modules, NIST,
	      http://csrc.nist.gov/cryptval/140-2.htm

AUTHORS

       Henrique de Moraes Holschuh <hmh@debian.org>

rng-tools 4							    March 2004								RNGTEST(1)

Check Out this Related Man Page

FIPSCHECK(3)							     fipscheck							      FIPSCHECK(3)

NAME

       FIPSCHECK_verify, FIPSCHECK_verify_ex, FIPSCHECK_verify_files, FIPSCHECK_verify_files_ex, FIPSCHECK_fips_module_installed,
       FIPSCHECK_get_binary_path, FIPSCHECK_get_library_path, FIPSCHECK_kernel_fips_mode, fipscheck.h - Various functions relating to running in
       FIPS mode

SYNOPSIS

       #include <fipscheck.h>

       int FIPSCHECK_verify(const char *libname, const char *symbolname);

       int FIPSCHECK_verify_ex(const char *libname, const char *symbolname, const char *hmac_suffix, int fail_if_missing);

       int FIPSCHECK_verify_files(const char *files[]);

       int FIPSCHECK_verify_files_ex(const char *hmac_suffix, int fail_if_missing, const char *files[]);

       int FIPSCHECK_fips_module_installed(const char *libname, const char *symbolname, const char *hmac_suffix);

       int FIPSCHECK_get_binary_path(char *path, size_t pathlen);

       int FIPSCHECK_get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen);

       int FIPSCHECK_kernel_fips_mode(void);

DESCRIPTION

       The function FIPSCHECK_kernel_fips_mode() tests for the FIPS-140-2 mode in kernel.

       The function FIPSCHECK_verify() computes and compares HMAC-SHA256 checksum by spawning the fipscheck command. The parameters libname and
       symbolname determine which shared library file loaded into the process space will be checksummed. If these parameters are set to NULL, the
       executable of the calling process is checksummed.

       The function FIPSCHECK_verify_ex() in addition to the functionality above also allows to specify the full hmac_suffix with the default
       value of .hmac. And will return success if the hmac file is missing and the fail_if_missing parameter is set to 0.

       The function FIPSCHECK_verify_files() can be used to explicitly specify NULL terminated array of file names in the parameter files to
       check.

       Similarly the function FIPSCHECK_verify_files_ex() in addition to the functionality above also allows to specify the full hmac_suffix with
       the default value of .hmac. And will return success if the first hmac file is missing and the fail_if_missing parameter is set to 0.

       The checksum file contains the HMAC-SHA256 encoded in hexadecimal notation using lowercase letters with one EOL character appended at the
       end.

       The function FIPSCHECK_fips_module_installed() returns 1 if the hmac checksum file is found and 0 otherwise.

       The functions FIPSCHECK_get_library_path() and FIPSCHECK_get_binary_path() return the shared library and executable paths in the path. The
       buffer pointed to by the parameter must be large enough to hold the path otherwise the path is truncated. The size of the buffer is
       specified by the pathlen.

RETURN VALUE

       The main functions FIPSCHECK_verify() and FIPSCHECK_verify_files() return 1 when the verification of the binaries succeeds and 0 otherwise.
       The function FIPSCHECK_kernel_fips_mode() returns 1 when the kernel is in fips mode and 0 otherwise.

       The auxiliary functions FIPSCHECK_get_binary_path() and FIPSCHECK_get_library_path() return 0 on success and -1 if the path cannot be
       determined.

FIPS MODE

       A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode by specifying fips=1 as kernel parameter. Please refer to the
       security policy of the Kernel FIPS module for further details.

SEE ALSO

       fipscheck(8), fipshmac(8), https://fedorahosted.org/fipscheck/

AUTHOR

       Tomas Mraz <tmraz@redhat.com>.

       Man page authors Paul Wouters <pwouters@redhat.com> and Tomas Mraz <tmraz@redhat.com>.

COPYRIGHT

       Copyright 2008, 2012 Red Hat, Inc. All rights reserved.

       Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
       met:

       1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

fipscheck							   16 April 2012						      FIPSCHECK(3)
Man Page