Reseed the kernel DRBG by using GRND_RANDOM
Resolves: rhbz#2118695
This commit is contained in:
Jakub Jelen
parent
c59f3d1447
commit
af1e1e5923
41
libgcrypt-1.10.0-fips-getrandom.patch
Normal file
41
libgcrypt-1.10.0-fips-getrandom.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 15:30:43 +0200
|
||||
Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode
|
||||
|
||||
The SP800-90C (clarified in IG D.K.) requires the following when
|
||||
different DRBGs are chained:
|
||||
* the parent needs to be reseeded before generate operation
|
||||
* the reseed & generate needs to be atomic
|
||||
|
||||
In RHEL, this is addressed by change in the kernel, that will do this
|
||||
automatically, when the getentropy () is called with GRND_RANDOM flag.
|
||||
|
||||
* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
|
||||
GRND_RANDOM in FIPS Mode
|
||||
---
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
random/rndgetentropy.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c
|
||||
index 7580873e..db4b09ed 100644
|
||||
--- a/random/rndgetentropy.c
|
||||
+++ b/random/rndgetentropy.c
|
||||
@@ -82,7 +82,10 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t,
|
||||
{
|
||||
nbytes = length < sizeof (buffer)? length : sizeof (buffer);
|
||||
_gcry_pre_syscall ();
|
||||
- ret = getentropy (buffer, nbytes);
|
||||
+ if (fips_mode ())
|
||||
+ ret = getrandom (buffer, nbytes, GRND_RANDOM);
|
||||
+ else
|
||||
+ ret = getentropy (buffer, nbytes);
|
||||
_gcry_post_syscall ();
|
||||
}
|
||||
while (ret == -1 && errno == EINTR);
|
||||
--
|
||||
2.37.1
|
||||
|
||||
@ -26,6 +26,7 @@ Patch2: libgcrypt-1.10.0-fips-disable-pkcs1.5.patch
|
||||
Patch3: libgcrypt-1.10.0-ppc-hwf.patch
|
||||
Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch
|
||||
Patch5: libgcrypt-1.10.0-allow-short-salt.patch
|
||||
Patch6: libgcrypt-1.10.0-fips-getrandom.patch
|
||||
|
||||
%global gcrylibdir %{_libdir}
|
||||
%global gcrysoname libgcrypt.so.20
|
||||
@ -66,6 +67,7 @@ applications using libgcrypt.
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
# This package has a configure test which uses ASMs, but does not link the
|
||||
|
||||
Loading…
Reference in New Issue
Block a user