This is to highlight a bug in the FIPS Object Module 2.10 and corrective
documentation in its User Guide.
The User Guide for the FIPS Object Module 2.10 describes the (*get_entropy)()
callback:

    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
                          int entropy, size_t min_len, size_t max_len)

"A call to this function requests entropy bits of entropy in a buffer of
between min_len and max_len size bytes inclusive. The values of these are
mechanism specific and taken from SP800-90 tables. This callback should then
return the amount of data in the buffer *pout and the length in the return
value, or zero in case of being unable to retrieve sufficient entropy."

The caller of (*get_entropy)() is the static function fips_get_entropy().
Notice how it constructs the <entropy> value, which should be in bits:

    rv = dctx->get_entropy(dctx, &tout, entropy + bl,
                           min_len + bl, max_len + bl);
    *pout = tout + bl;
    if (rv < (min_len + bl) || (rv % bl))
        return 0;

The "entropy + bl" expression is mixing types, adding bits and bytes together.
Anyone defining a (*get_entropy)() callback had better ignore the <entropy>
parameter. What's more, the callback had better return <min_len> rounded up to
a dctx->entropy_blocklen boundary or face failure. The User Guide mentions none
of this.
I realize the FIPS Object Module is frozen. The documentation should be
corrected to expose the real restrictions on the callback.
Doug Gibbons | Consulting Engineer | Avaya Inc. | 12121 Grant St | 2S-237 |
Thornton, CO 80241 | 303-538-3538 |
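
The following stand-alone C model is an added example, not part of the original message and not OpenSSL code. It reproduces the acceptance test from the quoted fips_get_entropy() lines and shows which return lengths pass it; the helper names and the sample values (16-byte block, 192 bits, 24..4096 bytes) are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the acceptance test in the quoted fips_get_entropy() lines.
 * min_len is the value the callback receives (the caller already added bl).
 * The bl != 0 guard is added here to keep the model safe to run. */
static int caller_accepts(size_t rv, size_t min_len, size_t bl)
{
    return !(rv < min_len || (bl != 0 && rv % bl != 0));
}

/* Hypothetical helper: length a callback should return, i.e. the received
 * min_len rounded up to a multiple of bl, or 0 if that exceeds max_len. */
static size_t entropy_len_to_return(size_t min_len, size_t max_len, size_t bl)
{
    size_t len = min_len;
    if (bl != 0 && min_len % bl != 0) {
        size_t pad = bl - min_len % bl;
        if (min_len > (size_t)-1 - pad)
            return 0;                 /* rounding would overflow size_t */
        len = min_len + pad;
    }
    return (len == 0 || len > max_len) ? 0 : len;
}

/* What a callback would compute if it trusted <entropy> as a bit count. */
static size_t len_from_entropy_bits(int entropy)
{
    return entropy > 0 ? ((size_t)entropy + 7) / 8 : 0;
}

int main(void)
{
    /* Constructed values: 16-byte block, 192 bits requested, 24..4096 bytes. */
    size_t bl = 16, min_len = 24 + bl, max_len = 4096 + bl;
    int entropy = 192 + (int)bl;      /* bits + bytes, as in the quoted call */

    size_t naive = len_from_entropy_bits(entropy);              /* 26 */
    size_t exact = min_len;                                     /* 40 */
    size_t safe  = entropy_len_to_return(min_len, max_len, bl); /* 48 */

    printf("naive=%zu accepted=%d\n", naive, caller_accepts(naive, min_len, bl));
    printf("exact=%zu accepted=%d\n", exact, caller_accepts(exact, min_len, bl));
    printf("safe=%zu  accepted=%d\n", safe, caller_accepts(safe, min_len, bl));
    return 0;
}
```

With these values, only the length rounded up to the block boundary is accepted; a length derived from the <entropy> argument, or min_len returned exactly, is rejected.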
_______________________________________________
openssl-bugs-mod mailing list
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod