Commit 505172e11f5a0d9916e20e40d3b0a6f87d3a59b6

Authored by Jarod Wilson
Committed by Herbert Xu
1 parent bae6d3038b

crypto: ansi_cprng - enforce key != seed in fips mode

Apparently, NIST is tightening up its requirements for FIPS validation
with respect to RNGs. It's always been required that in fips mode, the
ansi cprng not be fed key and seed material that was identical, but
they're now interpreting FIPS 140-2, section AS07.09 as requiring that
the implementation itself must enforce the requirement. Easy fix, we
just do a memcmp of key and seed in fips_cprng_reset and call it a day.

v2: Per Neil's advice, ensure slen is sufficiently long before we
compare key and seed to avoid looking at potentially unallocated mem.

CC: Stephan Mueller <smueller@atsec.com>
CC: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Showing 1 changed file with 8 additions and 0 deletions

... ... @@ -414,9 +414,17 @@
414 414 static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
415 415 {
416 416 u8 rdata[DEFAULT_BLK_SZ];
  417 + u8 *key = seed + DEFAULT_BLK_SZ;
417 418 int rc;
418 419  
419 420 struct prng_context *prng = crypto_rng_ctx(tfm);
  421 +
  422 + if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
  423 + return -EINVAL;
  424 +
  425 + /* fips strictly requires seed != key */
  426 + if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
  427 + return -EINVAL;
420 428  
421 429 rc = cprng_reset(tfm, seed, slen);
422 430
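Review bot: the memcmp on line 426 reads DEFAULT_PRNG_KSZ bytes starting at `seed`, but the seed half of the buffer is DEFAULT_BLK_SZ bytes long (line 417 places `key` at `seed + DEFAULT_BLK_SZ`), so the comparison is only a true seed-vs-key check if the two constants are equal; if DEFAULT_PRNG_KSZ were ever larger, the compare would run past the seed into the key itself and silently compare overlapping bytes. Make the coupling explicit, e.g. add `BUILD_BUG_ON(DEFAULT_PRNG_KSZ != DEFAULT_BLK_SZ);` before the compare, or express the length as the seed size the check is actually about. Minor: line 417 computes `key` from `seed` before the length check on line 422; moving the assignment below the check keeps the validate-then-derive order obvious to the next reader.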