git.ipfire.org Git - thirdparty/openssl.git/commit
drbg: provide requested amount of entropy, rather than self-strength
author Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Fri, 1 Nov 2024 14:16:18 +0000 (14:16 +0000)
committer Tomas Mraz <tomas@openssl.org>
Tue, 14 Jan 2025 11:12:02 +0000 (12:12 +0100)
commit 3b7bd871c19056c8116b67dff68e0860785935eb
tree 31b25ce82715d4c486faf2e127343832bfae6163
parent 4188ab2b198a5c9f302e15c5e08c3c095389b6e5
drbg: provide requested amount of entropy, rather than self-strength

Parent DRBG can be seed source (os or jitter) and thus able to provide
unlimited entropy.

get_entropy is documented to provide at least the requested amount of
entropy. If requested amount of entropy is same as, or less than
drbg->strength, everything is compliant. However, if requested entropy
is more than drbg->strength (unlikely, but possible), the returned
amount of entropy will be insufficient and additional repeated calls
to get_entropy will be required.

Reading history of refactors, it seems to me that this function call
previously had assumptions and use cases that couldn't ever request or
require more than strength amount of entropy.

If entropy is set, request that amount, otherwise request
drbg->strength amount.

Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25850)
providers/implementations/rands/drbg.c