|
 |
db6389 |
From 196ee40d489e4e6a72232a3cdbb7af19a72362b3 Mon Sep 17 00:00:00 2001
|
|
|
db6389 |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
db6389 |
Date: Fri, 4 Jan 2019 17:00:15 -0500
|
|
|
db6389 |
Subject: [PATCH] Use openssl's PRNG in FIPS mode
|
|
|
db6389 |
|
|
|
db6389 |
(cherry picked from commit 31277d79675a76612015ea00d420b41b9a232d5a)
|
|
|
db6389 |
---
|
|
|
db6389 |
src/lib/crypto/krb/prng.c | 11 ++++++++++-
|
|
|
db6389 |
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
db6389 |
|
|
|
db6389 |
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
|
|
db6389 |
index cb9ca9b98..f0e9984ca 100644
|
|
|
db6389 |
--- a/src/lib/crypto/krb/prng.c
|
|
|
db6389 |
+++ b/src/lib/crypto/krb/prng.c
|
|
|
db6389 |
@@ -26,6 +26,8 @@
|
|
|
db6389 |
|
|
|
db6389 |
#include "crypto_int.h"
|
|
|
db6389 |
|
|
|
db6389 |
+#include <openssl/rand.h>
|
|
|
db6389 |
+
|
|
|
db6389 |
krb5_error_code KRB5_CALLCONV
|
|
|
db6389 |
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
|
|
db6389 |
{
|
|
|
db6389 |
@@ -99,9 +101,16 @@ krb5_boolean
|
|
|
db6389 |
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
|
|
db6389 |
{
|
|
|
db6389 |
const char *device;
|
|
|
db6389 |
-#if defined(__linux__) && defined(SYS_getrandom)
|
|
|
db6389 |
int r;
|
|
|
db6389 |
|
|
|
db6389 |
+ /* A wild FIPS mode appeared! */
|
|
|
db6389 |
+ if (FIPS_mode()) {
|
|
|
db6389 |
+ /* The return codes on this API are not good */
|
|
|
db6389 |
+ r = RAND_bytes(buf, len);
|
|
|
db6389 |
+ return r == 1;
|
|
|
db6389 |
+ }
|
|
|
db6389 |
+
|
|
|
db6389 |
+#if defined(__linux__) && defined(SYS_getrandom)
|
|
|
db6389 |
while (len > 0) {
|
|
|
db6389 |
/*
|
|
|
db6389 |
* Pull from the /dev/urandom pool, but require it to have been seeded.
|