feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Increase RNG_SECURITY_STRENGTH for FIPS

Browse Source
This commit is contained in:
Tesfa Mael
2022-12-06 14:16:29 -08:00
parent 6bde6af973
commit 5c020c6ad4
1 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
wolfcrypt/src/random.c
View File

@ -246,11 +246,29 @@ int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
#define RESEED_INTERVAL WC_RESEED_INTERVAL #define RESEED_INTERVAL WC_RESEED_INTERVAL
/* For FIPS builds, the user should not be adjusting the values. */
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#if defined(RNG_SECURITY_STRENGTH) \
|| defined(ENTROPY_SCALE_FACTOR) \
|| defined(SEED_BLOCK_SZ)
#error "Do not change the RNG parameters for FIPS builds."
#endif
#endif
/* The security strength for the RNG is the target number of bits of /* The security strength for the RNG is the target number of bits of
* entropy you are looking for in a seed. */ * entropy you are looking for in a seed. */
#ifndef RNG_SECURITY_STRENGTH #ifndef RNG_SECURITY_STRENGTH
/* SHA-256 requires a minimum of 256-bits of entropy. */ #if defined(HAVE_FIPS) && \
#define RNG_SECURITY_STRENGTH (256) defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* SHA-256 requires a minimum of 256-bits of entropy. The goal
* of 1024 will provide 4 times that. */
#define RNG_SECURITY_STRENGTH (1024)
#else
/* If not using FIPS or using old FIPS, set the number down a bit.
* More is better, but more is also slower. */
#define RNG_SECURITY_STRENGTH (256)
#endif
#endif #endif
#ifndef ENTROPY_SCALE_FACTOR #ifndef ENTROPY_SCALE_FACTOR