From: Jarod Wilson Date: Wed, 9 Nov 2011 04:04:06 +0000 (+0800) Subject: crypto: ansi_cprng - enforce key != seed in fips mode X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=505172e11f5a0d9916e20e40d3b0a6f87d3a59b6;p=openwrt%2Fstaging%2Fblogic.git crypto: ansi_cprng - enforce key != seed in fips mode Apparently, NIST is tightening up its requirements for FIPS validation with respect to RNGs. Its always been required that in fips mode, the ansi cprng not be fed key and seed material that was identical, but they're now interpreting FIPS 140-2, section AS07.09 as requiring that the implementation itself must enforce the requirement. Easy fix, we just do a memcmp of key and seed in fips_cprng_reset and call it a day. v2: Per Neil's advice, ensure slen is sufficiently long before we compare key and seed to avoid looking at potentially unallocated mem. CC: Stephan Mueller CC: Steve Grubb Signed-off-by: Jarod Wilson Acked-by: Neil Horman Signed-off-by: Herbert Xu --- diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c index ffa0245e2abc..6ddd99e6114b 100644 --- a/crypto/ansi_cprng.c +++ b/crypto/ansi_cprng.c @@ -414,10 +414,18 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata, static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) { u8 rdata[DEFAULT_BLK_SZ]; + u8 *key = seed + DEFAULT_BLK_SZ; int rc; struct prng_context *prng = crypto_rng_ctx(tfm); + if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ) + return -EINVAL; + + /* fips strictly requires seed != key */ + if (!memcmp(seed, key, DEFAULT_PRNG_KSZ)) + return -EINVAL; + rc = cprng_reset(tfm, seed, slen); if (!rc)