diff -aur openssl-1.0.2h/crypto/o_init.c openssl-1.0.2h-1/crypto/o_init.c --- openssl-1.0.2h/crypto/o_init.c 2016-05-03 06:44:42.000000000 -0700 +++ openssl-1.0.2h-1/crypto/o_init.c 2016-07-22 17:14:23.368059530 -0700 @@ -57,6 +57,7 @@ #include <openssl/err.h> #ifdef OPENSSL_FIPS # include <openssl/fips.h> +# include <openssl/fips_rand.h> # include <openssl/rand.h> #endif @@ -76,6 +77,14 @@ FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); RAND_init_fips(); +/* +* Calling RAND_init_fips() followed by +* RAND_set_rand_method(FIPS_rand_get_method()) will +* cause OpenSSL to use the FIPS default DRBG +* in lieu of the non-compliant OpenSSL default RAND. This +* requires FIPS-capable OpenSSL. +*/ + RAND_set_rand_method(FIPS_rand_get_method()); #endif #if 0 fprintf(stderr, "Called OPENSSL_init\n");