From 6aa1bc1df0dbbf5b4cb06b86f949aa9d80f68700 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Sat, 8 Mar 2014 23:14:58 +0100 Subject: [PATCH v3 4/7] Invoke DRBG from common libgcrypt RNG code To: gcrypt-devel@gnupg.org Cc: jeremy.wayne.powell@gmail.com Integrate the DRBG invocation with the common libgcrypt RNG code. This integration replaces the old ANSI X9.31 RNG invocation. As the ANSI X9.31 shall only be invoked in FIPS mode and it is sunset at the end of 2014 for FIPS purposes, a complete replacement with the DRBG is considered appropriate. The DRBG is FIPS approved deterministic random number generator for the forseeable future. Signed-off-by: Stephan Mueller --- Index: libgcrypt-1.6.1/random/random.c =================================================================== --- libgcrypt-1.6.1.orig/random/random.c 2014-01-29 10:48:38.000000000 +0100 +++ libgcrypt-1.6.1/random/random.c 2014-05-06 14:51:42.350644283 +0200 @@ -153,11 +153,13 @@ _gcry_random_initialize (int full) } if (fips_mode ()) - _gcry_rngfips_initialize (full); + //_gcry_rngfips_initialize (full); + _gcry_drbg_init(full); else if (rng_types.standard) _gcry_rngcsprng_initialize (full); else if (rng_types.fips) - _gcry_rngfips_initialize (full); + _gcry_drbg_init(full); + //_gcry_rngfips_initialize (full); else if (rng_types.system) _gcry_rngsystem_initialize (full); else @@ -174,11 +176,13 @@ _gcry_random_close_fds (void) the entropy gatherer. */ if (fips_mode ()) - _gcry_rngfips_close_fds (); + //_gcry_rngfips_close_fds (); + _gcry_drbg_close_fds (); else if (rng_types.standard) _gcry_rngcsprng_close_fds (); else if (rng_types.fips) - _gcry_rngfips_close_fds (); + //_gcry_rngfips_close_fds (); + _gcry_drbg_close_fds (); else if (rng_types.system) _gcry_rngsystem_close_fds (); else @@ -212,7 +216,8 @@ void _gcry_random_dump_stats (void) { if (fips_mode ()) - _gcry_rngfips_dump_stats (); + //_gcry_rngfips_dump_stats (); + _gcry_drbg_dump_stats (); else _gcry_rngcsprng_dump_stats (); } 
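Review bot: The replaced `_gcry_rngfips_*` calls in `_gcry_random_initialize` are left behind as `//` comments, and the same pattern repeats in the `_gcry_random_close_fds`, `_gcry_random_dump_stats`, `_gcry_random_is_faked`, `do_randomize`, `_gcry_create_nonce` and `_gcry_random_selftest` hunks. Each comment sits between an unbraced `if`/`else if` and the statement it governs, and in this hunk the order of comment and call differs between the `fips_mode ()` branch and the `rng_types.fips` branch, so a later edit can easily attach the wrong statement to a condition in the code that selects the RNG backend. I would delete the commented-out lines, since version control keeps the old calls, and write the new call with the spacing of the surrounding code, `_gcry_drbg_init (full);`. If a trace of the switch is wanted, one block comment above the chain is enough: `/* FIPS mode and the fips RNG type are served by the DRBG; the X9.31 generator is no longer called here. */`. The function bodies start and end outside these hunks.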
@@ -271,7 +276,8 @@ int _gcry_random_is_faked (void) { if (fips_mode ()) - return _gcry_rngfips_is_faked (); + //return _gcry_rngfips_is_faked (); + return _gcry_drbg_is_faked (); else return _gcry_rngcsprng_is_faked (); } @@ -301,11 +307,13 @@ static void do_randomize (void *buffer, size_t length, enum gcry_random_level level) { if (fips_mode ()) - _gcry_rngfips_randomize (buffer, length, level); + //_gcry_rngfips_randomize (buffer, length, level); + _gcry_drbg_randomize (buffer, length, level); else if (rng_types.standard) _gcry_rngcsprng_randomize (buffer, length, level); else if (rng_types.fips) - _gcry_rngfips_randomize (buffer, length, level); + //_gcry_rngfips_randomize (buffer, length, level); + _gcry_drbg_randomize (buffer, length, level); else if (rng_types.system) _gcry_rngsystem_randomize (buffer, length, level); else /* default */ @@ -437,7 +445,8 @@ _gcry_create_nonce (void *buffer, size_t nonce generator which is seeded by the RNG actual in use. */ if (fips_mode ()) { - _gcry_rngfips_create_nonce (buffer, length); + //_gcry_rngfips_create_nonce (buffer, length); + _gcry_drbg_randomize (buffer, length, GCRY_WEAK_RANDOM); return; } @@ -514,7 +523,8 @@ gpg_error_t _gcry_random_selftest (selftest_report_func_t report) { if (fips_mode ()) - return _gcry_rngfips_selftest (report); + //return _gcry_rngfips_selftest (report); + return _gcry_drbg_selftest (report); else return 0; /* No selftests yet. */ } @@ -530,6 +540,7 @@ _gcry_random_init_external_test (void ** const void *seed, size_t seedlen, const void *dt, size_t dtlen) { + return GPG_ERR_NOT_SUPPORTED; (void)flags; if (fips_mode ()) return _gcry_rngfips_init_external_test (r_context, flags, key, keylen, @@ -544,6 +555,7 @@ _gcry_random_init_external_test (void ** gcry_err_code_t _gcry_random_run_external_test (void *context, char *buffer, size_t buflen) { + return GPG_ERR_NOT_SUPPORTED; if (fips_mode ()) return _gcry_rngfips_run_external_test (context, buffer, buflen); else 
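Review bot: In `_gcry_create_nonce` the FIPS path now calls `_gcry_drbg_randomize (buffer, length, GCRY_WEAK_RANDOM)` where it used to call a dedicated nonce function, and nothing in the hunk explains why that level is adequate. How the DRBG treats the level argument is not visible here, so it should be confirmed that a weak-level request does not get a lower-quality or differently seeded output than callers of the old nonce function relied on. I would drop the commented-out call and document the decision above the new one, for example `/* FIPS mode: nonces are taken from the DRBG; no separate nonce generator is used. */`. The function body continues outside the hunk.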
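Review bot: The early `return GPG_ERR_NOT_SUPPORTED;` in `_gcry_random_init_external_test` is placed ahead of `(void)flags;` and leaves the rest of the body unreachable while it still references `_gcry_rngfips_init_external_test`. The `_gcry_random_run_external_test` and `_gcry_random_deinit_external_test` hunks do the same with `return GPG_ERR_NOT_SUPPORTED;` and a bare `return;`. This keeps references to the X9.31 code that the series replaces, and the init path returns without writing `r_context`, so a caller that ignores the error keeps whatever value the pointer held (whether callers initialise it is not visible here). I would remove the dead statements, cast the now-unused parameters to `void`, and clear the output before failing: `*r_context = NULL;` followed by `return GPG_ERR_NOT_SUPPORTED;`, guarded if `r_context` may be NULL. The signatures of these functions begin outside the hunks.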
@@ -554,6 +566,7 @@ _gcry_random_run_external_test (void *co void _gcry_random_deinit_external_test (void *context) { + return; if (fips_mode ()) _gcry_rngfips_deinit_external_test (context); }