[PATCH v2 4/8] Invoke DRBG from common libgcrypt RNG code

Stephan Mueller smueller at chronox.de
Sun Mar 9 00:27:05 CET 2014


Integrate the DRBG invocation with the common libgcrypt RNG code. This
integration replaces the old ANSI X9.31 RNG invocation. As the ANSI
X9.31 shall only be invoked in FIPS mode and it is sunset at the end of
2014 for FIPS purposes, a complete replacement with the DRBG is
considered appropriate. The DRBG is FIPS approved deterministic random
number generator for the forseeable future.

Signed-off-by: Stephan Mueller <smueller at chronox.de>

diff --git a/random/random.c b/random/random.c
index 41d4cb3..fcb0513 100644
--- a/random/random.c
+++ b/random/random.c
@@ -140,11 +140,13 @@ void
 _gcry_random_initialize (int full)
 {
   if (fips_mode ())
-    _gcry_rngfips_initialize (full);
+    //_gcry_rngfips_initialize (full);
+    _gcry_drbg_init(full);
   else if (rng_types.standard)
     _gcry_rngcsprng_initialize (full);
   else if (rng_types.fips)
-    _gcry_rngfips_initialize (full);
+    _gcry_drbg_init(full);
+    //_gcry_rngfips_initialize (full);
   else if (rng_types.system)
     _gcry_rngsystem_initialize (full);
   else
@@ -161,11 +163,13 @@ _gcry_random_close_fds (void)
      the entropy gatherer.  */
 
   if (fips_mode ())
-    _gcry_rngfips_close_fds ();
+    //_gcry_rngfips_close_fds ();
+    _gcry_drbg_close_fds ();
   else if (rng_types.standard)
     _gcry_rngcsprng_close_fds ();
   else if (rng_types.fips)
-    _gcry_rngfips_close_fds ();
+    //_gcry_rngfips_close_fds ();
+    _gcry_drbg_close_fds ();
   else if (rng_types.system)
     _gcry_rngsystem_close_fds ();
   else
@@ -199,7 +203,8 @@ void
 _gcry_random_dump_stats (void)
 {
   if (fips_mode ())
-    _gcry_rngfips_dump_stats ();
+    //_gcry_rngfips_dump_stats ();
+    _gcry_drbg_dump_stats ();
   else
     _gcry_rngcsprng_dump_stats ();
 }
@@ -258,7 +263,8 @@ int
 _gcry_random_is_faked (void)
 {
   if (fips_mode ())
-    return _gcry_rngfips_is_faked ();
+    //return _gcry_rngfips_is_faked ();
+    return _gcry_drbg_is_faked ();
   else
     return _gcry_rngcsprng_is_faked ();
 }
@@ -288,11 +294,13 @@ static void
 do_randomize (void *buffer, size_t length, enum gcry_random_level level)
 {
   if (fips_mode ())
-    _gcry_rngfips_randomize (buffer, length, level);
+    //_gcry_rngfips_randomize (buffer, length, level);
+    _gcry_drbg_randomize (buffer, length, level);
   else if (rng_types.standard)
     _gcry_rngcsprng_randomize (buffer, length, level);
   else if (rng_types.fips)
-    _gcry_rngfips_randomize (buffer, length, level);
+    //_gcry_rngfips_randomize (buffer, length, level);
+    _gcry_drbg_randomize (buffer, length, level);
   else if (rng_types.system)
     _gcry_rngsystem_randomize (buffer, length, level);
   else /* default */
@@ -424,7 +432,8 @@ _gcry_create_nonce (void *buffer, size_t length)
      nonce generator which is seeded by the RNG actual in use.  */
   if (fips_mode ())
     {
-      _gcry_rngfips_create_nonce (buffer, length);
+      //_gcry_rngfips_create_nonce (buffer, length);
+      _gcry_drbg_randomize (buffer, length, GCRY_WEAK_RANDOM);
       return;
     }
 
@@ -501,7 +510,8 @@ gpg_error_t
 _gcry_random_selftest (selftest_report_func_t report)
 {
   if (fips_mode ())
-    return _gcry_rngfips_selftest (report);
+    //return _gcry_rngfips_selftest (report);
+    return _gcry_drbg_selftest (report);
   else
     return 0; /* No selftests yet.  */
 }
@@ -517,6 +527,7 @@ _gcry_random_init_external_test (void **r_context,
                                  const void *seed, size_t seedlen,
                                  const void *dt, size_t dtlen)
 {
+  return GPG_ERR_NOT_SUPPORTED;
   (void)flags;
   if (fips_mode ())
     return _gcry_rngfips_init_external_test (r_context, flags, key, keylen,
@@ -531,6 +542,7 @@ _gcry_random_init_external_test (void **r_context,
 gcry_err_code_t
 _gcry_random_run_external_test (void *context, char *buffer, size_t buflen)
 {
+  return GPG_ERR_NOT_SUPPORTED;
   if (fips_mode ())
     return _gcry_rngfips_run_external_test (context, buffer, buflen);
   else
@@ -541,6 +553,7 @@ _gcry_random_run_external_test (void *context, char *buffer, size_t buflen)
 void
 _gcry_random_deinit_external_test (void *context)
 {
+  return;
   if (fips_mode ())
     _gcry_rngfips_deinit_external_test (context);
 }
-- 
1.8.5.3





More information about the Gcrypt-devel mailing list