Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-28 23:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

crypto: drbg - ignore jitterentropy errors if not in FIPS mode

Browse Source 
A subsequent patch will make the jitterentropy RNG to unconditionally
report health test errors back to callers, independent of whether
fips_enabled is set or not. The DRBG needs access to a functional
jitterentropy instance only in FIPS mode (because it's the only SP800-90B
compliant entropy source as it currently stands). Thus, it is perfectly
fine for the DRBGs to obtain entropy from the jitterentropy source only
on a best effort basis if fips_enabled is off.

Make the DRBGs to ignore jitterentropy failures if fips_enabled is not set.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Nicolai Stange 2021-11-30 15:10:07 +01:00 committed by Herbert Xu
parent 95fe2253cc
commit 8f79772843
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
crypto/drbg.c
View File

@ -1193,11 +1193,14 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
entropylen); entropylen);
} else { } else {
/* Get seed from Jitter RNG */ /*
* Get seed from Jitter RNG, failures are
* fatal only in FIPS mode.
*/
ret = crypto_rng_get_bytes(drbg->jent, ret = crypto_rng_get_bytes(drbg->jent,
entropy + entropylen, entropy + entropylen,
entropylen); entropylen);
if (ret) { if (fips_enabled && ret) {
pr_devel("DRBG: jent failed with %d\n", ret); pr_devel("DRBG: jent failed with %d\n", ret);
/* /*