From bd9060b13c128860032a30deff247359e1dd60ac Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 23 May 2024 16:02:16 +0200
Subject: [PATCH] Update RNG changing for FIPS purpose

Resolves: RHEL-35380
---
 0076-FIPS-140-3-DRBG.patch | 81 ++++++++++++++++++++++++++++++++++++++
 openssl.spec               |  6 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
index cb2b504..591b49c 100644
--- a/0076-FIPS-140-3-DRBG.patch
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -198,6 +198,14 @@ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
 index 14999540ab..b05b84717b 100644
 --- a/crypto/rand/rand_lib.c
 +++ b/crypto/rand/rand_lib.c
+@@ -11,6 +11,7 @@
+ #define OPENSSL_SUPPRESS_DEPRECATED
+ 
+ #include <openssl/err.h>
++#include <openssl/evp.h>
+ #include <openssl/opensslconf.h>
+ #include <openssl/core_names.h>
+ #include "internal/cryptlib.h"
 @@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
          return ret;
      }
@@ -215,3 +223,76 @@ index 14999540ab..b05b84717b 100644
                                          PRIMARY_RESEED_INTERVAL,
                                          PRIMARY_RESEED_TIME_INTERVAL, 1);
      /*
+@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
+         if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
+                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
+             return NULL;
+-        rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
++        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
+                              SECONDARY_RESEED_TIME_INTERVAL, 0);
+         CRYPTO_THREAD_set_local(&dgbl->public, rand);
+     }
+@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
+         if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
+                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
+             return NULL;
+-        rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
++        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
+                              SECONDARY_RESEED_TIME_INTERVAL, 0);
+         CRYPTO_THREAD_set_local(&dgbl->private, rand);
+     }
+diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
+--- openssl-3.2.1/test/drbgtest.c.xxx	2024-05-02 15:37:23.550979597 +0200
++++ openssl-3.2.1/test/drbgtest.c	2024-05-02 15:45:37.189979881 +0200
+@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
+         reseed_when = time(NULL);
+ 
+     /* Generate random output from the public and private DRBG */
+-    before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
++    before_reseed = 0;
+     if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
+                                 RANDOM_SIZE), expect_success)
+         || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
+@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
+      */
+ 
+     /* Test whether reseeding succeeded as expected */
+-    if (!TEST_int_eq(state(primary), expected_state)
+-        || !TEST_int_eq(state(public), expected_state)
++    if (/*!TEST_int_eq(state(primary), expected_state)
++        ||*/ !TEST_int_eq(state(public), expected_state)
+         || !TEST_int_eq(state(private), expected_state))
+         return 0;
+ 
+@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
+     if (expect_public_reseed >= 0) {
+         /* Test whether public DRBG was reseeded as expected */
+         if (!TEST_int_ge(reseed_counter(public), public_reseed)
+-                || !TEST_uint_ge(reseed_counter(public),
+-                                 reseed_counter(primary)))
++                /*|| !TEST_uint_ge(reseed_counter(public),
++                                 reseed_counter(primary))*/)
+             return 0;
+     }
+ 
+     if (expect_private_reseed >= 0) {
+         /* Test whether public DRBG was reseeded as expected */
+         if (!TEST_int_ge(reseed_counter(private), private_reseed)
+-                || !TEST_uint_ge(reseed_counter(private),
+-                                 reseed_counter(primary)))
++                /*|| !TEST_uint_ge(reseed_counter(private),
++                                 reseed_counter(primary))*/)
+             return 0;
+     }
+ 
+@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
+     if (!TEST_ptr_ne(public, private)
+         || !TEST_ptr_ne(public, primary)
+         || !TEST_ptr_ne(private, primary)
+-        || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
+-        || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
++        /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
++        || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
+         return 0;
+ 
+     /* Disable CRNG testing for the primary DRBG */
diff --git a/openssl.spec b/openssl.spec
index d3e478f..41fbc00 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -500,6 +500,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu May 23 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-2
+- Update RNG changing for FIPS purpose
+  Resolves: RHEL-35380
+
 * Wed Apr 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-1
 - Rebasing OpenSSL to 3.2.1
   Resolves: RHEL-26271