rpms / libgcrypt

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c9-beta
  2.   SOURCES
  3.   libgcrypt-1.10.0-fips-getrandom.patch
Blob Blame History Raw 
From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 16 Aug 2022 15:30:43 +0200
Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode

The SP800-90C (clarified in IG D.K.) requires the following when
different DRBGs are chained:
 * the parent needs to be reseeded before generate operation
 * the reseed & generate needs to be atomic

In RHEL, this is addressed by change in the kernel, that will do this
automatically, when the getentropy () is called with GRND_RANDOM flag.

* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
  GRND_RANDOM in FIPS Mode
---

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 random/rndgetentropy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c
index 7580873e..db4b09ed 100644
--- a/random/rndgetentropy.c
+++ b/random/rndgetentropy.c
@@ -82,9 +82,18 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t,
        * never blocking once the kernel is seeded.  */
       do
         {
-          nbytes = length < sizeof (buffer)? length : sizeof (buffer);
           _gcry_pre_syscall ();
-          ret = getentropy (buffer, nbytes);
+          if (fips_mode ())
+            {
+              /* The getrandom API returns maximum 32 B of strong entropy */
+              nbytes = length < 32 ? length : 32;
+              ret = getrandom (buffer, nbytes, GRND_RANDOM);
+            }
+          else
+            {
+              nbytes = length < sizeof (buffer) ? length : sizeof (buffer);
+              ret = getentropy (buffer, nbytes);
+            }
           _gcry_post_syscall ();
         }
       while (ret == -1 && errno == EINTR);
-- 
2.37.1

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation