On Fri, Nov 04, 2011 at 10:01:25AM -0400, Jarod Wilson wrote:
> Apparently, NIST is tightening up its requirements for FIPS validation
> with respect to RNGs. It's always been required that in fips mode, the
> ansi cprng not be fed key and seed material that was identical, but
> they're now interpreting FIPS 140-2, section AS07.09 as requiring that
> the implementation itself must enforce the requirement. Easy fix, we
> just do a memcmp of key and seed in fips_cprng_reset and call it a day.
>
> v2: Per Neil's advice, ensure slen is sufficiently long before we
> compare key and seed to avoid looking at potentially unallocated mem.
>
> CC: Neil Horman <nhorman@xxxxxxxxxxxxx>
> CC: Stephan Mueller <smueller@xxxxxxxxx>
> CC: Steve Grubb <sgrubb@xxxxxxxxxx>
> Signed-off-by: Jarod Wilson <jarod@xxxxxxxxxx>

Thanks Jarod. Adding Herbert to the cc list so he can pull this into the crypto tree.

Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx>

> ---
>  crypto/ansi_cprng.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index ffa0245..6ddd99e 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -414,10 +414,18 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
>  static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
>  {
>  	u8 rdata[DEFAULT_BLK_SZ];
> +	u8 *key = seed + DEFAULT_BLK_SZ;
>  	int rc;
>
>  	struct prng_context *prng = crypto_rng_ctx(tfm);
>
> +	if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
> +		return -EINVAL;
> +
> +	/* fips strictly requires seed != key */
> +	if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
> +		return -EINVAL;
> +
>  	rc = cprng_reset(tfm, seed, slen);
>
>  	if (!rc)
> --
> 1.7.1
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
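Review bot: the memcmp in the fips_cprng_reset hunk compares the first DEFAULT_PRNG_KSZ bytes of `seed` against `key`, but `key` is defined as `seed + DEFAULT_BLK_SZ`, so the seed (V) region that precedes the key is DEFAULT_BLK_SZ bytes wide, not DEFAULT_PRNG_KSZ. The comparison is therefore exact only while the two constants happen to be equal; if they ever diverge, the compare either runs into the key bytes themselves or stops short of the end of V. Either compare `min(DEFAULT_BLK_SZ, DEFAULT_PRNG_KSZ)` bytes, or put a `BUILD_BUG_ON(DEFAULT_PRNG_KSZ != DEFAULT_BLK_SZ)` next to the check so the assumption is stated in the code. Ordering the `slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ` guard before the memcmp is correct, since it keeps `key + DEFAULT_PRNG_KSZ` inside the caller's buffer before any byte is read, and rejecting before cprng_reset is called means no generator state is touched on the error path. The comment `/* fips strictly requires seed != key */` would be more useful to the next reader if it named the requirement the commit message cites (FIPS 140-2, AS07.09).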