author | Pauli <pauli@openssl.org> | 2021-07-16 11:38:23 +1000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-07-20 18:34:07 +1000 |
commit | 00f5f3cd0097544540af5b6213ed7d82bc63590f (patch) | |
tree | dff6e7eb94851f05b2e79a5d639f5a0c93aa4aa4 /providers/implementations | |
parent | c5dc9ab965f2a69bca964c709e648158f3e4cd67 (diff) |
drbg: allow the ctr derivation function to be disabled in FIPS mode
Word from the lab is:
The use of the derivation function is optional if either an approved
RBG or an entropy source provides full entropy output when entropy
input is requested by the DRBG mechanism. Otherwise, the derivation
function shall be used.
So our disallowing its use was more than required.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
Diffstat (limited to 'providers/implementations')
-rw-r--r-- | providers/implementations/rands/drbg_ctr.c | 14 |
1 files changed, 0 insertions, 14 deletions
diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c
index 458feca6a5..dbe57b0d28 100644
--- a/providers/implementations/rands/drbg_ctr.c
+++ b/providers/implementations/rands/drbg_ctr.c
@@ -496,13 +496,6 @@ static int drbg_ctr_init_lengths(PROV_DRBG *drbg)
 PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data;
 int res = 1;
-#ifdef FIPS_MODULE
- if (!ctr->use_df) {
- ERR_raise(ERR_LIB_PROV, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
- ctr->use_df = 1;
- res = 0;
- }
-#endif
 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
 drbg->max_request = 1 << 16;
 if (ctr->use_df) {
@@ -730,14 +723,7 @@ static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx,
 static const OSSL_PARAM known_settable_ctx_params[] = {
 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0),
-#ifndef FIPS_MODULE
- /*
- * Don't advertise this for FIPS, it isn't allowed to change.
- * The parameter can still be passed and will be processed but errors
- * out.
- */
 OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),
-#endif
 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
 OSSL_PARAM_END
 };
|
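Review bot: With the FIPS guard gone from drbg_ctr_init_lengths, nothing on the new side of this hunk records the condition quoted in the commit message, namely that the derivation function may be skipped only when the entropy input provides full entropy. A short comment above `if (ctr->use_df) {` would keep that precondition next to the code, for example `/* use_df == 0 is only valid when the seed source provides full entropy */`. The same reminder belongs beside `OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL),` in the second hunk, where the deleted comment was the only documentation of the old restriction. Whether the full-entropy requirement is checked anywhere else cannot be seen from this diff, and both function bodies continue outside their hunks.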