URL: https://github.com/SSSD/sssd/pull/838 Title: #838: FIPS140 compliant usage of PRNG
frozencemetery commented: """ In the FIPS case, you need to fail if RAND_bytes() fails; otherwise you're noncompliant. If you want to use that in non-FIPS as well, I don't know why you'd bother with fallback at all - just fail if RAND_bytes() fails. If you don't want to use RAND_bytes() in the non-FIPS case, then you should use getrandom(). Do you actually support any platforms which wouldn't have it? Keep in mind that el7 does support the getrandom syscall(), which is what we do in krb5 for this reason. But really, if you don't have any entropy, you shouldn't be doing crypto, full stop. """ See the full comment at https://github.com/SSSD/sssd/pull/838#issuecomment-506479147
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
