diff options
| author | Stephan Mueller <smueller@chronox.de> | 2014-12-05 16:40:21 -0500 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2014-12-22 07:02:37 -0500 |
| commit | 905b42e559fa4952569b3444bc6c054c0103e5a0 (patch) | |
| tree | ccb4a45d70686fea9c0f104a6e43cf33fcffae73 | |
| parent | 0efcb8d5b2f7af86818179810cc080b326a83e19 (diff) | |
crypto: drbg - panic on continuous self test error
This patch adds a panic if the FIPS 140-2 self test error failed.
Note, that entire code is only executed with fips_enabled (i.e. when the
kernel is booted with fips=1. It is therefore not executed for 99.9% of
all user base.
As mathematically such failure cannot occur, this panic should never be
triggered. But to comply with NISTs current requirements, an endless
loop must be replaced with the panic.
When the new version of FIPS 140 will be released, this entire
continuous self test function will be ripped out as it will not be
needed any more.
This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| -rw-r--r-- | crypto/drbg.c | 11 |
1 files changed, 2 insertions, 9 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c index d748a1d0ca24..96138396ce01 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c | |||
| @@ -223,15 +223,6 @@ static inline unsigned short drbg_sec_strength(drbg_flag_t flags) | |||
| 223 | * function. Thus, the function implicitly knows the size of the | 223 | * function. Thus, the function implicitly knows the size of the |
| 224 | * buffer. | 224 | * buffer. |
| 225 | * | 225 | * |
| 226 | * The FIPS test can be called in an endless loop until it returns | ||
| 227 | * true. Although the code looks like a potential for a deadlock, it | ||
| 228 | * is not the case, because returning a false cannot mathematically | ||
| 229 | * occur (except once when a reseed took place and the updated state | ||
| 230 | * would is now set up such that the generation of new value returns | ||
| 231 | * an identical one -- this is most unlikely and would happen only once). | ||
| 232 | * Thus, if this function repeatedly returns false and thus would cause | ||
| 233 | * a deadlock, the integrity of the entire kernel is lost. | ||
| 234 | * | ||
| 235 | * @drbg DRBG handle | 226 | * @drbg DRBG handle |
| 236 | * @buf output buffer of random data to be checked | 227 | * @buf output buffer of random data to be checked |
| 237 | * | 228 | * |
| @@ -258,6 +249,8 @@ static bool drbg_fips_continuous_test(struct drbg_state *drbg, | |||
| 258 | return false; | 249 | return false; |
| 259 | } | 250 | } |
| 260 | ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); | 251 | ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); |
| 252 | if (!ret) | ||
| 253 | panic("DRBG continuous self test failed\n"); | ||
| 261 | memcpy(drbg->prev, buf, drbg_blocklen(drbg)); | 254 | memcpy(drbg->prev, buf, drbg_blocklen(drbg)); |
| 262 | /* the test shall pass when the two compared values are not equal */ | 255 | /* the test shall pass when the two compared values are not equal */ |
| 263 | return ret != 0; | 256 | return ret != 0; |