You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
157 lines
6.5 KiB
157 lines
6.5 KiB
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c |
|
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200 |
|
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200 |
|
@@ -48,6 +48,8 @@ |
|
# include <fcntl.h> |
|
# include <unistd.h> |
|
# include <sys/time.h> |
|
+# include <sys/random.h> |
|
+# include <openssl/evp.h> |
|
|
|
static uint64_t get_time_stamp(void); |
|
static uint64_t get_timer_bits(void); |
|
@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf, |
|
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion |
|
* between size_t and ssize_t is safe even without a range check. |
|
*/ |
|
- |
|
- /* |
|
- * Do runtime detection to find getentropy(). |
|
- * |
|
- * Known OSs that should support this: |
|
- * - Darwin since 16 (OSX 10.12, IOS 10.0). |
|
- * - Solaris since 11.3 |
|
- * - OpenBSD since 5.6 |
|
- * - Linux since 3.17 with glibc 2.25 |
|
- * - FreeBSD since 12.0 (1200061) |
|
- * |
|
- * Note: Sometimes getentropy() can be provided but not implemented |
|
- * internally. So we need to check errno for ENOSYS |
|
- */ |
|
-# if !defined(__DragonFly__) && !defined(__NetBSD__) |
|
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) |
|
- extern int getentropy(void *buffer, size_t length) __attribute__((weak)); |
|
- |
|
- if (getentropy != NULL) { |
|
- if (getentropy(buf, buflen) == 0) |
|
- return (ssize_t)buflen; |
|
- if (errno != ENOSYS) |
|
- return -1; |
|
- } |
|
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) |
|
- |
|
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) |
|
- return (ssize_t)buflen; |
|
- |
|
- return -1; |
|
-# else |
|
- union { |
|
- void *p; |
|
- int (*f)(void *buffer, size_t length); |
|
- } p_getentropy; |
|
- |
|
- /* |
|
- * We could cache the result of the lookup, but we normally don't |
|
- * call this function often. |
|
- */ |
|
- ERR_set_mark(); |
|
- p_getentropy.p = DSO_global_lookup("getentropy"); |
|
- ERR_pop_to_mark(); |
|
- if (p_getentropy.p != NULL) |
|
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; |
|
-# endif |
|
-# endif /* !__DragonFly__ */ |
|
- |
|
- /* Linux supports this since version 3.17 */ |
|
-# if defined(__linux) && defined(__NR_getrandom) |
|
- return syscall(__NR_getrandom, buf, buflen, 0); |
|
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) |
|
- return sysctl_random(buf, buflen); |
|
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ |
|
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) |
|
- return getrandom(buf, buflen, 0); |
|
-# else |
|
- errno = ENOSYS; |
|
- return -1; |
|
-# endif |
|
+ /* Red Hat uses downstream patch to always seed from getrandom() */ |
|
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0); |
|
} |
|
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ |
|
|
|
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c |
|
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 |
|
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 |
|
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb |
|
#endif |
|
} |
|
|
|
+#ifdef FIPS_MODULE |
|
+ prediction_resistance = 1; |
|
+#endif |
|
/* Reseed using our sources in addition */ |
|
entropylen = get_entropy(drbg, &entropy, drbg->strength, |
|
drbg->min_entropylen, drbg->max_entropylen, |
|
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d |
|
reseed_required = 1; |
|
} |
|
if (drbg->parent != NULL |
|
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) |
|
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { |
|
+#ifdef FIPS_MODULE |
|
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ |
|
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); |
|
+#else |
|
reseed_required = 1; |
|
+#endif |
|
+ } |
|
|
|
if (reseed_required || prediction_resistance) { |
|
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, |
|
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c |
|
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 |
|
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 |
|
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused |
|
size_t entropy_available; |
|
RAND_POOL *pool; |
|
|
|
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); |
|
+ /* |
|
+ * OpenSSL still implements an internal entropy pool of |
|
+ * some size that is hashed to get seed data. |
|
+ * Note that this is a conditioning step for which SP800-90C requires |
|
+ * 64 additional bits from the entropy source to claim the requested |
|
+ * amount of entropy. |
|
+ */ |
|
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); |
|
if (pool == NULL) { |
|
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); |
|
return 0; |
|
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c |
|
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 |
|
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 |
|
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG |
|
* to the nearest byte. If the entropy is of less than full quality, |
|
* the amount required should be scaled up appropriately here. |
|
*/ |
|
- bytes_needed = (entropy + 7) / 8; |
|
+ /* |
|
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy |
|
+ * + 128 bits during initial seeding |
|
+ */ |
|
+ bytes_needed = (entropy + 128 + 7) / 8; |
|
if (bytes_needed < min_len) |
|
bytes_needed = min_len; |
|
if (bytes_needed > max_len) |
|
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h |
|
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 |
|
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 |
|
@@ -38,7 +38,7 @@ |
|
* |
|
* The value is in bytes. |
|
*/ |
|
-#define CRNGT_BUFSIZ 16 |
|
+#define CRNGT_BUFSIZ 32 |
|
|
|
/* |
|
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
|
|