File libgcrypt-FIPS-rndjent_poll.patch of Package libgcrypt
Index: libgcrypt-1.12.0/random/rndoldlinux.c
===================================================================
--- libgcrypt-1.12.0.orig/random/rndoldlinux.c
+++ libgcrypt-1.12.0/random/rndoldlinux.c
@@ -132,7 +132,7 @@ _gcry_rndoldlinux_gather_random (void (*
volatile pid_t apid;
int fd;
int n;
- byte buffer[768];
+ byte buffer[256];
size_t n_hw;
size_t want = length;
size_t last_so_far = 0;
@@ -187,26 +187,43 @@ _gcry_rndoldlinux_gather_random (void (*
my_pid = apid;
}
+ if (fips_mode())
+ {
+ if (level >= GCRY_VERY_STRONG_RANDOM)
+ {
+ size_t n;
- /* First read from a hardware source. Note that _gcry_rndhw_poll_slow lets
- it account only for up to 50% (or 25% for RDRAND) of the requested
- bytes. */
- n_hw = _gcry_rndhw_poll_slow (add, origin, length);
- if (length > 1)
- length -= n_hw;
-
- /* When using a blocking random generator try to get some entropy
- * from the jitter based RNG. In this case we take up to 50% of the
- * remaining requested bytes. */
- if (level >= GCRY_VERY_STRONG_RANDOM)
- {
- n_hw = _gcry_rndjent_poll (add, origin, length/2);
- if (n_hw > length/2)
- n_hw = length/2;
+ n = _gcry_rndjent_poll (add, origin, length);
+ if (n == 0)
+ log_fatal ("unexpected error from rndjent: %s\n",
+ strerror (errno));
+ if (n > length)
+ n = length;
+ if (length > 1)
+ length -= n;
+ }
+ }
+ else
+ {
+ /* First read from a hardware source. Note that _gcry_rndhw_poll_slow lets
+ it account only for up to 50% (or 25% for RDRAND) of the requested
+ bytes. */
+ n_hw = _gcry_rndhw_poll_slow (add, origin, length);
if (length > 1)
length -= n_hw;
- }
+ /* When using a blocking random generator try to get some entropy
+ * from the jitter based RNG. In this case we take up to 50% of the
+ * remaining requested bytes. */
+ if (level >= GCRY_VERY_STRONG_RANDOM)
+ {
+ n_hw = _gcry_rndjent_poll (add, origin, length/2);
+ if (n_hw > length/2)
+ n_hw = length/2;
+ if (length > 1)
+ length -= n_hw;
+ }
+ }
/* Open the requested device. The first time a device is to be
opened we fail with a fatal error if the device does not exists.
@@ -262,8 +279,6 @@ _gcry_rndoldlinux_gather_random (void (*
do
{
nbytes = length < sizeof(buffer)? length : sizeof(buffer);
- if (nbytes > 256)
- nbytes = 256;
_gcry_pre_syscall ();
ret = getentropy (buffer, nbytes);
_gcry_post_syscall ();
Index: libgcrypt-1.12.0/random/rndjent.c
===================================================================
--- libgcrypt-1.12.0.orig/random/rndjent.c
+++ libgcrypt-1.12.0/random/rndjent.c
@@ -294,15 +294,23 @@ _gcry_rndjent_poll (void (*add)(const vo
jent_rng_collector = NULL;
if ( !(_gcry_random_read_conf () & RANDOM_CONF_DISABLE_JENT))
{
- if (!jent_entropy_init ())
+ if (!jent_entropy_init_ex (1, 0))
{
jent_rng_collector = jent_entropy_collector_alloc (1, 0);
- if (jent_rng_collector != NULL)
- jent_rng_is_initialized = 1;
+ jent_rng_is_initialized = 1;
}
}
}
+ if (!jent_rng_collector)
+ {
+ if (!jent_entropy_init_ex (1, 0))
+ {
+ jent_rng_collector = jent_entropy_collector_alloc (1, 0);
+ jent_rng_is_initialized = 1;
+ }
+ }
+
if (jent_rng_collector && add)
{
/* We have a working JENT and it has not been disabled. */
