git.librecmc.org Git - oweals/openssl.git/commit

author	Pauli <paul.dale@oracle.com>
	Tue, 30 Apr 2019 03:43:19 +0000 (13:43 +1000)
committer	Pauli <paul.dale@oracle.com>
	Tue, 30 Apr 2019 03:43:19 +0000 (13:43 +1000)
commit	8094a6945873f492fe40c88b966b86629bc6c6d7
tree	37d6dbdcd190b7a79fb7bd7b7549ac6a3eb876af	tree \| snapshot
parent	555cbb328ee2eaa9356cd23e2194c1600653c500	commit \| diff

Squashed commit of the following:

Digest stored entropy for CRNG test.

Via the FIPS lab, NIST confirmed:

    The CMVP had a chance to discuss this inquiry and we agree that
    hashing the NDRNG block does meet the spirit and letter of AS09.42.

    However, the CMVP did have a few questions: what hash algorithm would
    be used in this application? Is it approved? Is it CAVs tested?

SHA256 is being used here and it will be both approved and CAVs tested.

This means that no raw entropy needs to be kept between RNG seedings, preventing
a potential attack vector aganst the randomness source and the DRBG chains.

It also means the block of secure memory allocated for this purpose is no longer
required.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8790)

crypto/rand/rand_crng_test.c		diff \| blob \| history
crypto/rand/rand_lcl.h		diff \| blob \| history
test/drbgtest.c		diff \| blob \| history