forked from pool/libgcrypt
Marcus Meissner
0ee4a0f87b
- add support for SP800-90A DRBG (fate#316929, bnc#856312) * patches by Stephan Mueller (http://www.chronox.de/drbg.html): 0001-SP800-90A-Deterministic-Random-Bit-Generator.patch.bz2 0002-Compile-DRBG.patch 0003-Function-definitions-of-interfaces-for-random.c.patch 0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch 0005-Function-definitions-for-gcry_control-callbacks.patch 0006-DRBG-specific-gcry_control-requests.patch 0007-User-interface-to-DRBG.patch * only after 13.1 (the patches need libgpg-error 1.13) - drop libgcrypt-fips-allow-legacy.patch (not needed and wasn't applied anyway) OBS-URL: https://build.opensuse.org/request/show/232937 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=51
133 lines
4.5 KiB
Diff
133 lines
4.5 KiB
Diff
From 6aa1bc1df0dbbf5b4cb06b86f949aa9d80f68700 Mon Sep 17 00:00:00 2001
|
|
From: Stephan Mueller <smueller@chronox.de>
|
|
Date: Sat, 8 Mar 2014 23:14:58 +0100
|
|
Subject: [PATCH v3 4/7] Invoke DRBG from common libgcrypt RNG code
|
|
To: gcrypt-devel@gnupg.org
|
|
Cc: jeremy.wayne.powell@gmail.com
|
|
|
|
Integrate the DRBG invocation with the common libgcrypt RNG code. This
|
|
integration replaces the old ANSI X9.31 RNG invocation. As the ANSI
|
|
X9.31 shall only be invoked in FIPS mode and it is sunset at the end of
|
|
2014 for FIPS purposes, a complete replacement with the DRBG is
|
|
considered appropriate. The DRBG is FIPS approved deterministic random
|
|
number generator for the forseeable future.
|
|
|
|
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
---
|
|
Index: libgcrypt-1.6.1/random/random.c
|
|
===================================================================
|
|
--- libgcrypt-1.6.1.orig/random/random.c 2014-01-29 10:48:38.000000000 +0100
|
|
+++ libgcrypt-1.6.1/random/random.c 2014-05-06 14:51:42.350644283 +0200
|
|
@@ -153,11 +153,13 @@ _gcry_random_initialize (int full)
|
|
}
|
|
|
|
if (fips_mode ())
|
|
- _gcry_rngfips_initialize (full);
|
|
+ //_gcry_rngfips_initialize (full);
|
|
+ _gcry_drbg_init(full);
|
|
else if (rng_types.standard)
|
|
_gcry_rngcsprng_initialize (full);
|
|
else if (rng_types.fips)
|
|
- _gcry_rngfips_initialize (full);
|
|
+ _gcry_drbg_init(full);
|
|
+ //_gcry_rngfips_initialize (full);
|
|
else if (rng_types.system)
|
|
_gcry_rngsystem_initialize (full);
|
|
else
|
|
@@ -174,11 +176,13 @@ _gcry_random_close_fds (void)
|
|
the entropy gatherer. */
|
|
|
|
if (fips_mode ())
|
|
- _gcry_rngfips_close_fds ();
|
|
+ //_gcry_rngfips_close_fds ();
|
|
+ _gcry_drbg_close_fds ();
|
|
else if (rng_types.standard)
|
|
_gcry_rngcsprng_close_fds ();
|
|
else if (rng_types.fips)
|
|
- _gcry_rngfips_close_fds ();
|
|
+ //_gcry_rngfips_close_fds ();
|
|
+ _gcry_drbg_close_fds ();
|
|
else if (rng_types.system)
|
|
_gcry_rngsystem_close_fds ();
|
|
else
|
|
@@ -212,7 +216,8 @@ void
|
|
_gcry_random_dump_stats (void)
|
|
{
|
|
if (fips_mode ())
|
|
- _gcry_rngfips_dump_stats ();
|
|
+ //_gcry_rngfips_dump_stats ();
|
|
+ _gcry_drbg_dump_stats ();
|
|
else
|
|
_gcry_rngcsprng_dump_stats ();
|
|
}
|
|
@@ -271,7 +276,8 @@ int
|
|
_gcry_random_is_faked (void)
|
|
{
|
|
if (fips_mode ())
|
|
- return _gcry_rngfips_is_faked ();
|
|
+ //return _gcry_rngfips_is_faked ();
|
|
+ return _gcry_drbg_is_faked ();
|
|
else
|
|
return _gcry_rngcsprng_is_faked ();
|
|
}
|
|
@@ -301,11 +307,13 @@ static void
|
|
do_randomize (void *buffer, size_t length, enum gcry_random_level level)
|
|
{
|
|
if (fips_mode ())
|
|
- _gcry_rngfips_randomize (buffer, length, level);
|
|
+ //_gcry_rngfips_randomize (buffer, length, level);
|
|
+ _gcry_drbg_randomize (buffer, length, level);
|
|
else if (rng_types.standard)
|
|
_gcry_rngcsprng_randomize (buffer, length, level);
|
|
else if (rng_types.fips)
|
|
- _gcry_rngfips_randomize (buffer, length, level);
|
|
+ //_gcry_rngfips_randomize (buffer, length, level);
|
|
+ _gcry_drbg_randomize (buffer, length, level);
|
|
else if (rng_types.system)
|
|
_gcry_rngsystem_randomize (buffer, length, level);
|
|
else /* default */
|
|
@@ -437,7 +445,8 @@ _gcry_create_nonce (void *buffer, size_t
|
|
nonce generator which is seeded by the RNG actual in use. */
|
|
if (fips_mode ())
|
|
{
|
|
- _gcry_rngfips_create_nonce (buffer, length);
|
|
+ //_gcry_rngfips_create_nonce (buffer, length);
|
|
+ _gcry_drbg_randomize (buffer, length, GCRY_WEAK_RANDOM);
|
|
return;
|
|
}
|
|
|
|
@@ -514,7 +523,8 @@ gpg_error_t
|
|
_gcry_random_selftest (selftest_report_func_t report)
|
|
{
|
|
if (fips_mode ())
|
|
- return _gcry_rngfips_selftest (report);
|
|
+ //return _gcry_rngfips_selftest (report);
|
|
+ return _gcry_drbg_selftest (report);
|
|
else
|
|
return 0; /* No selftests yet. */
|
|
}
|
|
@@ -530,6 +540,7 @@ _gcry_random_init_external_test (void **
|
|
const void *seed, size_t seedlen,
|
|
const void *dt, size_t dtlen)
|
|
{
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
(void)flags;
|
|
if (fips_mode ())
|
|
return _gcry_rngfips_init_external_test (r_context, flags, key, keylen,
|
|
@@ -544,6 +555,7 @@ _gcry_random_init_external_test (void **
|
|
gcry_err_code_t
|
|
_gcry_random_run_external_test (void *context, char *buffer, size_t buflen)
|
|
{
|
|
+ return GPG_ERR_NOT_SUPPORTED;
|
|
if (fips_mode ())
|
|
return _gcry_rngfips_run_external_test (context, buffer, buflen);
|
|
else
|
|
@@ -554,6 +566,7 @@ _gcry_random_run_external_test (void *co
|
|
void
|
|
_gcry_random_deinit_external_test (void *context)
|
|
{
|
|
+ return;
|
|
if (fips_mode ())
|
|
_gcry_rngfips_deinit_external_test (context);
|
|
}
|