forked from rpms/openssl
Reseed all the parent DRBGs in chain on reseeding a DRBG
Related: rhbz#2102541
This commit is contained in:
parent
a0907c129c
commit
fc45520150
129
0076-FIPS-140-3-DRBG.patch
Normal file
129
0076-FIPS-140-3-DRBG.patch
Normal file
@ -0,0 +1,129 @@
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
||||
@@ -48,6 +48,8 @@
|
||||
# include <fcntl.h>
|
||||
# include <unistd.h>
|
||||
# include <sys/time.h>
|
||||
+# include <sys/random.h>
|
||||
+# include <openssl/evp.h>
|
||||
|
||||
static uint64_t get_time_stamp(void);
|
||||
static uint64_t get_timer_bits(void);
|
||||
@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
|
||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||
* between size_t and ssize_t is safe even without a range check.
|
||||
*/
|
||||
-
|
||||
- /*
|
||||
- * Do runtime detection to find getentropy().
|
||||
- *
|
||||
- * Known OSs that should support this:
|
||||
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
|
||||
- * - Solaris since 11.3
|
||||
- * - OpenBSD since 5.6
|
||||
- * - Linux since 3.17 with glibc 2.25
|
||||
- * - FreeBSD since 12.0 (1200061)
|
||||
- *
|
||||
- * Note: Sometimes getentropy() can be provided but not implemented
|
||||
- * internally. So we need to check errno for ENOSYS
|
||||
- */
|
||||
-# if !defined(__DragonFly__) && !defined(__NetBSD__)
|
||||
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||
-
|
||||
- if (getentropy != NULL) {
|
||||
- if (getentropy(buf, buflen) == 0)
|
||||
- return (ssize_t)buflen;
|
||||
- if (errno != ENOSYS)
|
||||
- return -1;
|
||||
- }
|
||||
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
|
||||
-
|
||||
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
|
||||
- return (ssize_t)buflen;
|
||||
-
|
||||
- return -1;
|
||||
-# else
|
||||
- union {
|
||||
- void *p;
|
||||
- int (*f)(void *buffer, size_t length);
|
||||
- } p_getentropy;
|
||||
-
|
||||
- /*
|
||||
- * We could cache the result of the lookup, but we normally don't
|
||||
- * call this function often.
|
||||
- */
|
||||
- ERR_set_mark();
|
||||
- p_getentropy.p = DSO_global_lookup("getentropy");
|
||||
- ERR_pop_to_mark();
|
||||
- if (p_getentropy.p != NULL)
|
||||
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||
-# endif
|
||||
-# endif /* !__DragonFly__ */
|
||||
-
|
||||
- /* Linux supports this since version 3.17 */
|
||||
-# if defined(__linux) && defined(__NR_getrandom)
|
||||
- return syscall(__NR_getrandom, buf, buflen, 0);
|
||||
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||
- return sysctl_random(buf, buflen);
|
||||
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
|
||||
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
|
||||
- return getrandom(buf, buflen, 0);
|
||||
-# else
|
||||
- errno = ENOSYS;
|
||||
- return -1;
|
||||
-# endif
|
||||
+ /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||
}
|
||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ prediction_resistance = 1;
|
||||
+#endif
|
||||
/* Reseed using our sources in addition */
|
||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen, drbg->max_entropylen,
|
||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||
size_t entropy_available;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
- bytes_needed = (entropy + 7) / 8;
|
||||
+ /*
|
||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
||||
+ * + 128 bits during initial seeding
|
||||
+ */
|
||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
@ -155,6 +155,9 @@ Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
||||
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
|
||||
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
|
||||
Patch76: 0076-FIPS-140-3-DRBG.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -492,6 +495,8 @@ install -m644 %{SOURCE9} \
|
||||
Related: rhbz#2102537
|
||||
- Use signature for RSA pairwise test according FIPS-140-3 requirements
|
||||
Related: rhbz#2102540
|
||||
- Reseed all the parent DRBGs in chain on reseeding a DRBG
|
||||
Related: rhbz#2102541
|
||||
|
||||
* Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39
|
||||
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
|
||||
|
Loading…
Reference in New Issue
Block a user