rpms / libgcrypt

Clone
Source Code
GIT

Blame SOURCES/libgcrypt-1.10.0-fips-getrandom.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   ff8b6ab7c606a85431dbaaed448000615f387d4a
  2.   SOURCES
  3.   libgcrypt-1.10.0-fips-getrandom.patch
Blob History Raw
25c200 
From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001
25c200 
From: Jakub Jelen <jjelen@redhat.com>
25c200 
Date: Tue, 16 Aug 2022 15:30:43 +0200
25c200 
Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode
25c200
25c200 
The SP800-90C (clarified in IG D.K.) requires the following when
25c200 
different DRBGs are chained:
25c200 
 * the parent needs to be reseeded before generate operation
25c200 
 * the reseed & generate needs to be atomic
25c200
25c200 
In RHEL, this is addressed by change in the kernel, that will do this
25c200 
automatically, when the getentropy () is called with GRND_RANDOM flag.
25c200
25c200 
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
25c200 
  GRND_RANDOM in FIPS Mode
25c200 
---
25c200
25c200 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
25c200 
---
25c200 
 random/rndgetentropy.c | 5 ++++-
25c200 
 1 file changed, 4 insertions(+), 1 deletion(-)
25c200
25c200 
diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c
25c200 
index 7580873e..db4b09ed 100644
25c200 
--- a/random/rndgetentropy.c
25c200 
+++ b/random/rndgetentropy.c
ff8b6a 
@@ -82,9 +82,18 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t,
ff8b6a 
        * never blocking once the kernel is seeded.  */
ff8b6a 
       do
25c200 
         {
ff8b6a 
-          nbytes = length < sizeof (buffer)? length : sizeof (buffer);
25c200 
           _gcry_pre_syscall ();
25c200 
-          ret = getentropy (buffer, nbytes);
25c200 
+          if (fips_mode ())
ff8b6a 
+            {
ff8b6a 
+              /* The getrandom API returns maximum 32 B of strong entropy */
ff8b6a 
+              nbytes = length < 32 ? length : 32;
ff8b6a 
+              ret = getrandom (buffer, nbytes, GRND_RANDOM);
ff8b6a 
+            }
25c200 
+          else
ff8b6a 
+            {
ff8b6a 
+              nbytes = length < sizeof (buffer) ? length : sizeof (buffer);
ff8b6a 
+              ret = getentropy (buffer, nbytes);
ff8b6a 
+            }
25c200 
           _gcry_post_syscall ();
25c200 
         }
25c200 
       while (ret == -1 && errno == EINTR);
25c200 
--
25c200 
2.37.1
25c200

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation