Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: drbg - ignore jitterentropy errors if not in FIPS mode

A subsequent patch will make the jitterentropy RNG unconditionally
report health test errors back to callers, independent of whether
fips_enabled is set or not. The DRBG needs access to a functional
jitterentropy instance only in FIPS mode (because it's the only SP800-90B
compliant entropy source as it currently stands). Thus, it is perfectly
fine for the DRBGs to obtain entropy from the jitterentropy source only
on a best effort basis if fips_enabled is off.

Make the DRBGs ignore jitterentropy failures if fips_enabled is not set.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by Nicolai Stange and committed by Herbert Xu
8f797728 95fe2253

+5 -2
crypto/drbg.c
··· 1193 1193 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1194 1194 entropylen); 1195 1195 } else { 1196 - /* Get seed from Jitter RNG */ 1196 + /* 1197 + * Get seed from Jitter RNG, failures are 1198 + * fatal only in FIPS mode. 1199 + */ 1197 1200 ret = crypto_rng_get_bytes(drbg->jent, 1198 1201 entropy + entropylen, 1199 1202 entropylen); 1200 - if (ret) { 1203 + if (fips_enabled && ret) { 1201 1204 pr_devel("DRBG: jent failed with %d\n", ret); 1202 1205 1203 1206 /*
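
Review bot: at the changed test `if (fips_enabled && ret) {`, the `pr_devel("DRBG: jent failed with %d\n", ret);` line now sits inside the FIPS-only branch, so a Jitter RNG failure outside FIPS mode is dropped without any trace. Consider emitting the message whenever `ret` is nonzero and keeping only the fatal handling under `fips_enabled`, so a persistently failing jent instance stays visible on non-FIPS systems. Separately, the hunk does not show what happens to the `entropylen` bytes at `entropy + entropylen` when `crypto_rng_get_bytes()` returns an error and execution continues; please confirm that the code after this block either leaves that half of the buffer out of the seed material or has it in a defined state, and say which in the new comment, since "failures are fatal only in FIPS mode" does not tell the reader what the non-FIPS path seeds with.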