Source file src/crypto/internal/entropy/entropy.go
// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package entropy provides the passive entropy source for the FIPS 140-3
// module. It is only used in FIPS mode by [crypto/internal/fips140/drbg.Read]
// from the FIPS 140-3 Go Cryptographic Module v1.0.0.
//
// Later versions of the module use the CPU jitter-based entropy source in the
// crypto/internal/entropy/v1.0.0 sub-package.
//
// This complied with IG 9.3.A, Additional Comment 12, which until January 1,
// 2026 allows new modules to meet an [earlier version] of Resolution 2(b):
// "A software module that contains an approved DRBG that receives a LOAD
// command (or its logical equivalent) with entropy obtained from [...] inside
// the physical perimeter of the operational environment of the module [...]."
//
// Distributions that have their own SP 800-90B entropy source should replace
// this package with their own implementation.
//
// [earlier version]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/IG%209.3.A%20Resolution%202b%5BMarch%2026%202024%5D.pdf
package entropy

import "crypto/internal/sysrand"

// Depleted is the entry point the module uses to report that its entropy is
// "depleted". It fills a fresh 48-byte buffer through [sysrand.Read] and then
// invokes LOAD, the caller-supplied stand-in for the LOAD command, exactly
// once with a pointer to that buffer.
//
// Depleted returns nothing and inspects no result from [sysrand.Read], so a
// caller cannot observe an entropy failure through this function.
func Depleted(LOAD func(*[48]byte)) {
	// A new zeroed buffer per call: no seed material is shared between calls.
	// NOTE(review): 48 bytes presumably matches the seed length of the DRBG in
	// crypto/internal/fips140/drbg; confirm there before changing the size.
	seed := new([48]byte)

	// The buffer is filled before the callback can see it.
	// NOTE(review): any failure handling has to live inside sysrand, since
	// nothing is checked here; confirm it aborts rather than leaving the
	// buffer partly filled.
	sysrand.Read(seed[:])

	// NOTE(review): the seed is not wiped after LOAD returns, so the callback
	// is presumably expected to copy or consume it rather than keep the
	// pointer; verify against the caller.
	LOAD(seed)
}