2011-11-03 20:25:07

by Jarod Wilson

Subject: [PATCH] ansi_cprng: enforce key != seed in fips mode

Apparently, NIST is tightening up its requirements for FIPS validation
with respect to RNGs. It's always been required that in fips mode, the
ansi cprng not be fed key and seed material that was identical, but
they're now interpreting FIPS 140-2, section AS07.09 as requiring that
the implementation itself must enforce the requirement. Easy fix, we
just do a memcmp of key and seed in fips_cprng_reset and call it a day.

CC: Neil Horman <[email protected]>
CC: Stephan Mueller <[email protected]>
CC: Steve Grubb <[email protected]>
Signed-off-by: Jarod Wilson <[email protected]>
---
crypto/ansi_cprng.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index ffa0245..a7fdcb4 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -414,10 +414,15 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
{
u8 rdata[DEFAULT_BLK_SZ];
+ u8 *key = seed + DEFAULT_BLK_SZ;
int rc;

struct prng_context *prng = crypto_rng_ctx(tfm);

+ /* fips strictly requires seed != key */
+ if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
+ return -EINVAL;
+
rc = cprng_reset(tfm, seed, slen);

if (!rc)
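Review bot: key = seed + DEFAULT_BLK_SZ is dereferenced by memcmp(seed, key, DEFAULT_PRNG_KSZ) before anything has verified that slen covers DEFAULT_BLK_SZ + DEFAULT_PRNG_KSZ bytes; the compare sits ahead of cprng_reset(tfm, seed, slen), so any length validation that function performs comes too late to protect this read. Add an early check, e.g. "if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ) return -EINVAL;", ahead of the memcmp so a short seed buffer is rejected before its tail is read.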
--
1.7.1


2011-11-04 10:51:09

by Neil Horman

Subject: Re: [PATCH] ansi_cprng: enforce key != seed in fips mode

On Thu, Nov 03, 2011 at 04:24:45PM -0400, Jarod Wilson wrote:
> Apparently, NIST is tightening up its requirements for FIPS validation
> with respect to RNGs. It's always been required that in fips mode, the
> ansi cprng not be fed key and seed material that was identical, but
> they're now interpreting FIPS 140-2, section AS07.09 as requiring that
> the implementation itself must enforce the requirement. Easy fix, we
> just do a memcmp of key and seed in fips_cprng_reset and call it a day.
>
> CC: Neil Horman <[email protected]>
> CC: Stephan Mueller <[email protected]>
> CC: Steve Grubb <[email protected]>
> Signed-off-by: Jarod Wilson <[email protected]>
> ---
> crypto/ansi_cprng.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index ffa0245..a7fdcb4 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -414,10 +414,15 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
> static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
> {
> u8 rdata[DEFAULT_BLK_SZ];
> + u8 *key = seed + DEFAULT_BLK_SZ;
> int rc;
>
> struct prng_context *prng = crypto_rng_ctx(tfm);
>
> + /* fips strictly requires seed != key */
> + if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
> + return -EINVAL;
> +
> rc = cprng_reset(tfm, seed, slen);
>
> if (!rc)
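Review bot: the new comment "/* fips strictly requires seed != key */" does not say where the requirement comes from, while the commit message names FIPS 140-2 section AS07.09; put that reference in the comment so a reader of ansi_cprng.c can see why a caller-supplied seed that was previously accepted is now rejected with -EINVAL.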
> --
> 1.7.1
>
>
Thank you Jarod. The idea is fine to me. Unfortunately, because you're indexing
into the seed to grab the key value, just like cprng_reset does now, you
probably need to add the slen checks that cprng_reset does to make sure there's
enough seed data as well, to avoid dereferencing unallocated memory. If you fix
that up I'll ack it.

Neil

2011-11-04 14:01:46

by Jarod Wilson

Subject: [PATCH v2] ansi_cprng: enforce key != seed in fips mode

Apparently, NIST is tightening up its requirements for FIPS validation
with respect to RNGs. It's always been required that in fips mode, the
ansi cprng not be fed key and seed material that was identical, but
they're now interpreting FIPS 140-2, section AS07.09 as requiring that
the implementation itself must enforce the requirement. Easy fix, we
just do a memcmp of key and seed in fips_cprng_reset and call it a day.

v2: Per Neil's advice, ensure slen is sufficiently long before we
compare key and seed to avoid looking at potentially unallocated mem.

CC: Neil Horman <[email protected]>
CC: Stephan Mueller <[email protected]>
CC: Steve Grubb <[email protected]>
Signed-off-by: Jarod Wilson <[email protected]>
---
crypto/ansi_cprng.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index ffa0245..6ddd99e 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -414,10 +414,18 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
{
u8 rdata[DEFAULT_BLK_SZ];
+ u8 *key = seed + DEFAULT_BLK_SZ;
int rc;

struct prng_context *prng = crypto_rng_ctx(tfm);

+ if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
+ return -EINVAL;
+
+ /* fips strictly requires seed != key */
+ if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
+ return -EINVAL;
+
rc = cprng_reset(tfm, seed, slen);

if (!rc)
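Review bot: the compare length in memcmp(seed, key, DEFAULT_PRNG_KSZ) is the key size, but the seed region being compared runs from seed up to key = seed + DEFAULT_BLK_SZ, so it is DEFAULT_BLK_SZ bytes long. The check is an exact seed-vs-key equality test only when the two constants are equal; if that is the intent, pin it with "BUILD_BUG_ON(DEFAULT_BLK_SZ != DEFAULT_PRNG_KSZ);" next to the compare (or state it in the comment), otherwise a later change to either constant would silently turn this into a partial or overlapping comparison and the fips check would no longer mean what the comment says.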
--
1.7.1

2011-11-04 15:25:22

by Neil Horman

Subject: Re: [PATCH v2] ansi_cprng: enforce key != seed in fips mode

On Fri, Nov 04, 2011 at 10:01:25AM -0400, Jarod Wilson wrote:
> Apparently, NIST is tightening up its requirements for FIPS validation
> with respect to RNGs. It's always been required that in fips mode, the
> ansi cprng not be fed key and seed material that was identical, but
> they're now interpreting FIPS 140-2, section AS07.09 as requiring that
> the implementation itself must enforce the requirement. Easy fix, we
> just do a memcmp of key and seed in fips_cprng_reset and call it a day.
>
> v2: Per Neil's advice, ensure slen is sufficiently long before we
> compare key and seed to avoid looking at potentially unallocated mem.
>
> CC: Neil Horman <[email protected]>
> CC: Stephan Mueller <[email protected]>
> CC: Steve Grubb <[email protected]>
> Signed-off-by: Jarod Wilson <[email protected]>
Thanks Jarod. Adding Herbert to the cc list so he can pull this into the crypto
tree.

Acked-by: Neil Horman <[email protected]>

> ---
> crypto/ansi_cprng.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index ffa0245..6ddd99e 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -414,10 +414,18 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
> static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
> {
> u8 rdata[DEFAULT_BLK_SZ];
> + u8 *key = seed + DEFAULT_BLK_SZ;
> int rc;
>
> struct prng_context *prng = crypto_rng_ctx(tfm);
>
> + if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
> + return -EINVAL;
> +
> + /* fips strictly requires seed != key */
> + if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
> + return -EINVAL;
> +
> rc = cprng_reset(tfm, seed, slen);
>
> if (!rc)
> --
> 1.7.1
>
>

2011-11-09 04:07:38

by Herbert Xu

Subject: Re: [PATCH v2] ansi_cprng: enforce key != seed in fips mode

On Fri, Nov 04, 2011 at 11:25:13AM -0400, Neil Horman wrote:
> On Fri, Nov 04, 2011 at 10:01:25AM -0400, Jarod Wilson wrote:
> > Apparently, NIST is tightening up its requirements for FIPS validation
> > with respect to RNGs. It's always been required that in fips mode, the
> > ansi cprng not be fed key and seed material that was identical, but
> > they're now interpreting FIPS 140-2, section AS07.09 as requiring that
> > the implementation itself must enforce the requirement. Easy fix, we
> > just do a memcmp of key and seed in fips_cprng_reset and call it a day.
> >
> > v2: Per Neil's advice, ensure slen is sufficiently long before we
> > compare key and seed to avoid looking at potentially unallocated mem.
> >
> > CC: Neil Horman <[email protected]>
> > CC: Stephan Mueller <[email protected]>
> > CC: Steve Grubb <[email protected]>
> > Signed-off-by: Jarod Wilson <[email protected]>
> Thanks Jarod. Adding Herbert to the cc list so he can pull this into the crypto
> tree.
>
> Acked-by: Neil Horman <[email protected]>

Patch applied. Jarod, please cc me in future for patches.

Thanks!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt