Commit 505172e1 authored Nov 09, 2011 by Jarod Wilson Committed by Herbert Xu Nov 09, 2011

crypto: ansi_cprng - enforce key != seed in fips mode



Apparently, NIST is tightening up its requirements for FIPS validation
with respect to RNGs. Its always been required that in fips mode, the
ansi cprng not be fed key and seed material that was identical, but
they're now interpreting FIPS 140-2, section AS07.09 as requiring that
the implementation itself must enforce the requirement. Easy fix, we
just do a memcmp of key and seed in fips_cprng_reset and call it a day.

v2: Per Neil's advice, ensure slen is sufficiently long before we
compare key and seed to avoid looking at potentially unallocated mem.

CC: Stephan Mueller <smueller@atsec.com>
CC: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

parent bae6d303

crypto/ansi_cprng.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -414,10 +414,18 @@ static int fips_cprng_get_random(struct crypto_rng tfm, u8 rdata,
		static int fips_cprng_reset(struct crypto_rng tfm, u8 seed, unsigned int slen)
		{
		u8 rdata[DEFAULT_BLK_SZ];
		u8 *key = seed + DEFAULT_BLK_SZ;
		int rc;

		struct prng_context *prng = crypto_rng_ctx(tfm);

		if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
		return -EINVAL;

		/* fips strictly requires seed != key */
		if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
		return -EINVAL;

		rc = cprng_reset(tfm, seed, slen);

		if (!rc)

Admin message