rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

Stop everlasting RNG reseeding

Browse Source 
Resolves: rhbz#2168224
This commit is contained in:
Dmitry Belyavskiy 2023-03-01 19:56:51 +01:00
parent 9d8f618208
commit 9ebabfa10a
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
0076-FIPS-140-3-DRBG.patch
View File

@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3
/* Reseed using our sources in addition */ /* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength, entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen, drbg->min_entropylen, drbg->max_entropylen,
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
+#else
reseed_required = 1;
+#endif
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 --- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 +++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200

6
openssl.spec
View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 5%{?dist} Release: 6%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -494,6 +494,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
Resolves: rhbz#2168224
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5 * Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5
- Fixed X.509 Name Constraints Read Buffer Overflow - Fixed X.509 Name Constraints Read Buffer Overflow
Resolves: CVE-2022-4203 Resolves: CVE-2022-4203