Implement crypt RNG wrapper (for FIPS mode), use it for SALT and KEY RNG levels.
authorMilan Broz <gmazyland@gmail.com>
Mon, 21 May 2012 12:32:39 +0000 (14:32 +0200)
committerMilan Broz <gmazyland@gmail.com>
Mon, 21 May 2012 12:32:39 +0000 (14:32 +0200)
ChangeLog
lib/crypto_backend/crypto_backend.h
lib/crypto_backend/crypto_gcrypt.c
lib/crypto_backend/crypto_kernel.c
lib/crypto_backend/crypto_nettle.c
lib/crypto_backend/crypto_nss.c
lib/crypto_backend/crypto_openssl.c
lib/random.c

index 9db6078..080293a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2012-05-21  Milan Broz  <gmazyland@gmail.com>
        * Add --enable-fips for linking with fipscheck library.
        * Initialize binary and library selfcheck if running in FIPS mode.
+       * Use FIPS RNG in FIPS mode for KEY and SALT (only gcrypt backend supported).
 
 2012-05-09  Milan Broz  <gmazyland@gmail.com>
        * Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
index e3fe52f..81d74e6 100644 (file)
@@ -46,4 +46,7 @@ int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length);
 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
 int crypt_hmac_destroy(struct crypt_hmac *ctx);
 
+/* RNG (must be usable in FIPS mode) */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality);
+
 #endif /* _CRYPTO_BACKEND_H */
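Review bot: The comment on `crypt_backend_fips_rng()` gives no return contract, yet the implementations added in this commit differ: one always returns 0 and four always return `-EINVAL`. A header comment such as `/* Fill buffer with length random bytes from the backend's FIPS-capable RNG; quality is a CRYPT_RND_* level. Returns 0, or -EINVAL if the backend has none. */` would document this. It would also make clear to callers that a failure must abort salt or key generation rather than be ignored.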
index 0c06377..033b7a8 100644 (file)
@@ -226,3 +226,19 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
        free(ctx);
        return 0;
 }
+
+/* RNG  */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+{
+       switch(quality) {
+       case CRYPT_RND_NORMAL:
+               gcry_randomize(buffer, length, GCRY_STRONG_RANDOM);
+               break;
+       case CRYPT_RND_SALT:
+       case CRYPT_RND_KEY:
+       default:
+               gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM);
+               break;
+       }
+       return 0;
+}
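Review bot: The `default:` label shares the `CRYPT_RND_SALT`/`CRYPT_RND_KEY` branch, so an unrecognised `quality` value is served at `GCRY_VERY_STRONG_RANDOM` and reported as success. Falling back to the strongest level is the safe direction, but it hides a caller bug. Either state the intent in a comment (`/* unknown levels get the strongest RNG */`) or reject the value with `default: return -EINVAL;`, matching the error the other backends return. The `/* RNG  */` comment could also note that the function always returns 0 because `gcry_randomize()` returns no status.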
index 38647ac..da9f1ea 100644 (file)
@@ -291,3 +291,9 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
        free(ctx);
        return 0;
 }
+
+/* RNG - N/A */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+{
+       return -EINVAL;
+}
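Review bot: `/* RNG - N/A */` does not say what a caller sees. With this backend, the `crypt_fips_mode()` branches added to `crypt_random_get()` in the last hunk get `-EINVAL` for every SALT and KEY request. That fails closed, which looks intended given the ChangeLog line, but it is worth stating, e.g. `/* No FIPS RNG in this backend: SALT/KEY requests fail in FIPS mode */`. The same stub and comment appear in the three following hunks (presumably the nettle, NSS and OpenSSL backends, going by the file list order). In all four, `buffer`, `length` and `quality` are unused and may warn under `-Wunused-parameter`.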
index 585d47f..9a438a8 100644 (file)
@@ -262,3 +262,9 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
        free(ctx);
        return 0;
 }
+
+/* RNG - N/A */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+{
+       return -EINVAL;
+}
index 84fbcbc..86d429e 100644 (file)
@@ -274,3 +274,9 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
        free(ctx);
        return 0;
 }
+
+/* RNG - N/A */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+{
+       return -EINVAL;
+}
index 0e22394..e7f0c59 100644 (file)
@@ -213,3 +213,9 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
        free(ctx);
        return 0;
 }
+
+/* RNG - N/A */
+int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+{
+       return -EINVAL;
+}
index c7f25e4..5aa95e0 100644 (file)
@@ -177,9 +177,16 @@ int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int qualit
                status = _get_urandom(ctx, buf, len);
                break;
        case CRYPT_RND_SALT:
-               status = _get_urandom(ctx, buf, len);
+               if (crypt_fips_mode())
+                       status = crypt_backend_fips_rng(buf, len, quality);
+               else
+                       status = _get_urandom(ctx, buf, len);
                break;
        case CRYPT_RND_KEY:
+               if (crypt_fips_mode()) {
+                       status = crypt_backend_fips_rng(buf, len, quality);
+                       break;
+               }
                rng_type = ctx ? crypt_get_rng_type(ctx) :
                                 crypt_random_default_key_rng();
                switch (rng_type) {
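Review bot: In the `CRYPT_RND_KEY` case the FIPS branch breaks out before `crypt_get_rng_type(ctx)` is consulted, so an RNG type chosen by the caller is ignored without any comment or log message. A comment such as `/* FIPS mode: always use the backend RNG, configured rng_type is ignored */` would make that explicit. The SALT case uses `if`/`else` while the KEY case uses an early `break`; one form for both would read better. The function begins before this hunk and the inner `switch (rng_type)` continues past it, so how a negative `status` from the backend is handled is not visible here.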