Browse Source

drbg: allow the ctr derivation function to be disabled in FIPS mode

Word from the lab is:

    The use of the derivation function is optional if either an approved
    RBG or an entropy source provides full entropy output when entropy
    input is requested by the DRBG mechanism. Otherwise, the derivation
    function shall be used.

So our disallowing it's use was more than required.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
master
Pauli 10 months ago
parent
commit
00f5f3cd00
1 changed files with 0 additions and 14 deletions
  1. +0
    -14
      providers/implementations/rands/drbg_ctr.c

+ 0
- 14
providers/implementations/rands/drbg_ctr.c View File

@ -496,13 +496,6 @@ static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
int res = 1;
#ifdef FIPS_MODULE
if (!ctr->use_df) {
ERR_raise(ERR_LIB_PROV, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
ctr->use_df = 1;
res = 0;
}
#endif
/* Maximum number of bits per request = 2^19 = 2^16 bytes */
drbg->max_request = 1 << 16;
if (ctr->use_df) {
@ -730,14 +723,7 @@ static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
static const OSSL_PARAM known_settable_ctx_params[] = {
OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
#ifndef FIPS_MODULE
/*
* Don't advertise this for FIPS, it isn't allowed to change.
* The parameter can still be passed and will be processed but errors
* out.
*/
OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
#endif
OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
OSSL_PARAM_END
};


Loading…
Cancel
Save