Use openssl's PRNG in FIPS mode
This commit is contained in:
Robbie Harwood
parent
645562ea2f
commit
7e29fac83e
40
Use-openssl-s-PRNG-in-FIPS-mode.patch
Normal file
40
Use-openssl-s-PRNG-in-FIPS-mode.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 643b5e486624989acddf66ac7ce2cf71b3816fda Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 4 Jan 2019 17:00:15 -0500
|
||||
Subject: [PATCH] Use openssl's PRNG in FIPS mode
|
||||
|
||||
---
|
||||
src/lib/crypto/krb/prng.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index cb9ca9b98..f0e9984ca 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -26,6 +26,8 @@
|
||||
|
||||
#include "crypto_int.h"
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
||||
{
|
||||
@@ -99,9 +101,16 @@ krb5_boolean
|
||||
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
const char *device;
|
||||
-#if defined(__linux__) && defined(SYS_getrandom)
|
||||
int r;
|
||||
|
||||
+ /* A wild FIPS mode appeared! */
|
||||
+ if (FIPS_mode()) {
|
||||
+ /* The return codes on this API are not good */
|
||||
+ r = RAND_bytes(buf, len);
|
||||
+ return r == 1;
|
||||
+ }
|
||||
+
|
||||
+#if defined(__linux__) && defined(SYS_getrandom)
|
||||
while (len > 0) {
|
||||
/*
|
||||
* Pull from the /dev/urandom pool, but require it to have been seeded.
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 1.beta2.5%{?dist}
|
||||
Release: 1.beta2.6%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -65,6 +65,7 @@ Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
|
||||
Patch90: Add-tests-for-KCM-ccache-type.patch
|
||||
Patch91: Remove-incorrect-KDC-assertion.patch
|
||||
Patch92: Address-some-optimized-out-memset-calls.patch
|
||||
Patch93: Use-openssl-s-PRNG-in-FIPS-mode.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -712,6 +713,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Fri Jan 04 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.6
|
||||
- Use openssl's PRNG in FIPS mode
|
||||
|
||||
* Fri Jan 04 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.5
|
||||
- Address some optimized-out memset() calls
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user