URL:
https://github.com/SSSD/sssd/pull/838
Title: #838: FIPS140 compliant usage of PRNG
frozencemetery commented:
"""
In the FIPS case, you need to fail if RAND_bytes() fails; otherwise you're
noncompliant. If you want to use that in non-FIPS as well, I don't know why you'd
bother with fallback at all - just fail if RAND_bytes() fails. If you don't want to
use RAND_bytes() in the non-FIPS case, then you should use getrandom().
Do you actually support any platforms which wouldn't have it? Keep in mind that el7
does support the getrandom syscall(), which is what we do in krb5 for this reason.
But really, if you don't have any entropy, you shouldn't be doing crypto, full
stop.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/838#issuecomment-506479147
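
A fail-closed random draw of the kind the comment argues for, as an added example that is not code from SSSD or krb5. The function name fill_random_or_fail is hypothetical, and a Linux kernel that provides the getrandom syscall is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper (the name is an assumption, not an SSSD or krb5 API).
 * Fills buf with len bytes from the kernel CSPRNG through the getrandom
 * syscall. Returns 0 on success or an errno value on failure. There is no
 * fallback to a weaker source: on failure the caller must abandon the
 * cryptographic operation. */
int fill_random_or_fail(unsigned char *buf, size_t len)
{
    size_t done = 0;

    if (buf == NULL && len > 0)
        return EINVAL;

    while (done < len) {
        /* flags = 0: block until the kernel pool has been initialized */
        long n = syscall(SYS_getrandom, buf + done, len - done, 0);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0) {
            int err = (n < 0) ? errno : EIO;
            memset(buf, 0, len);    /* do not hand back a half-filled buffer */
            return err;
        }
        done += (size_t)n;          /* short read: keep going */
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];
    int err = fill_random_or_fail(key, sizeof(key));

    if (err != 0) {
        fprintf(stderr, "no entropy, refusing to continue: %s\n", strerror(err));
        return 1;
    }
    puts("got 32 random bytes");
    return 0;
}
```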