URL: https://github.com/SSSD/sssd/pull/838
Title: #838: FIPS140 compliant usage of PRNG
alexey-tikhonov commented:
"""
> IMO, you should be using `getrandom()` (with no flags) in preference to
> srand, or reading /dev/[u]random, etc. You're guaranteed to have getrandom
> from kernel 3.17 onward. This matches what we do in krb5.

Support of NSS in SSSD is going to be deprecated very soon, so we don't care what to put there.

For the OpenSSL case `RAND_bytes()` is used, and this is what FIPS really wants. The `getrandom()` or `/dev/(u)random` are not approved DRBGs.

srand()/rand() are only used as a fallback in case `RAND_bytes()` fails. (And my understanding is that this failure is only possible if there is no entropy available, so it doesn't make any sense to try reading "/dev/[u]random", as those are used by OpenSSL to draw entropy from.)

Regarding `getrandom()`: `Support was added to glibc in version 2.25`. It is possible to check this at compile time and use `getrandom()` if available, but again, I do not think it makes sense for the "fallback" branch...
"""

See the full comment at https://github.com/SSSD/sssd/pull/838#issuecomment-506443909
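The compile-time check for the glibc `getrandom()` wrapper mentioned in the comment, as an added example that is not part of the comment or of SSSD's code. The names `fill_random` and `HAVE_GETRANDOM_WRAPPER` are hypothetical, and the `/dev/urandom` path is an assumed choice for builds or kernels without `getrandom()`.

```c
/* Added example: fill_random(), HAVE_GETRANDOM_WRAPPER are hypothetical names. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* __GLIBC_PREREQ comes from <features.h>, pulled in by the headers above. */
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 25)
#  include <sys/random.h>
#  define HAVE_GETRANDOM_WRAPPER 1
# endif
#endif
#ifndef O_CLOEXEC
# define O_CLOEXEC 0
#endif
/* Fill buf with len bytes from the kernel RNG; 0 on success, -1 on error. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t done = 0;
#ifdef HAVE_GETRANDOM_WRAPPER
    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, 0); /* no flags */
        if (n > 0) { done += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS) break; /* kernel without the syscall */
        return -1;
    }
    if (done == len) return 0;
#endif
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (done < len) {
        ssize_t n = read(fd, buf + done, len - done);
        if (n > 0) { done += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        close(fd); /* EOF or hard error: never return a short buffer */
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned char key[16];
    if (fill_random(key, sizeof key) != 0) return 1;
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    return puts("") == EOF;
}
```
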
