Reseed all the parent DRBGs in chain on reseeding a DRBG
Related: rhbz#2102541
		
							parent
							
								
									a0907c129c
								
							
						
					
					
						commit
						fc45520150
					
				
							
								
								
									
										129
									
								
								0076-FIPS-140-3-DRBG.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										129
									
								
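--- a/0076-FIPS-140-3-DRBG.patch
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -0,0 +1,129 @@
+diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
+--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand	2022-08-03 11:09:01.301637515 +0200
++++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c	2022-08-03 11:13:00.058688605 +0200
+@@ -48,6 +48,8 @@
+ # include <fcntl.h>
+ # include <unistd.h>
+ # include <sys/time.h>
++# include <sys/random.h>
++# include <openssl/evp.h>
+ 
+ static uint64_t get_time_stamp(void);
+ static uint64_t get_timer_bits(void);
+@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
+      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
+      * between size_t and ssize_t is safe even without a range check.
+      */
+-
+-    /*
+-     * Do runtime detection to find getentropy().
+-     *
+-     * Known OSs that should support this:
+-     * - Darwin since 16 (OSX 10.12, IOS 10.0).
+-     * - Solaris since 11.3
+-     * - OpenBSD since 5.6
+-     * - Linux since 3.17 with glibc 2.25
+-     * - FreeBSD since 12.0 (1200061)
+-     *
+-     * Note: Sometimes getentropy() can be provided but not implemented
+-     * internally. So we need to check errno for ENOSYS
+-     */
+-#  if !defined(__DragonFly__) && !defined(__NetBSD__)
+-#    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+-    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+-
+-    if (getentropy != NULL) {
+-        if (getentropy(buf, buflen) == 0)
+-            return (ssize_t)buflen;
+-        if (errno != ENOSYS)
+-            return -1;
+-    }
+-#    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-
+-    if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+-	    return (ssize_t)buflen;
+-
+-    return -1;
+-#    else
+-    union {
+-        void *p;
+-        int (*f)(void *buffer, size_t length);
+-    } p_getentropy;
+-
+-    /*
+-     * We could cache the result of the lookup, but we normally don't
+-     * call this function often.
+-     */
+-    ERR_set_mark();
+-    p_getentropy.p = DSO_global_lookup("getentropy");
+-    ERR_pop_to_mark();
+-    if (p_getentropy.p != NULL)
+-        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+-#    endif
+-#  endif /* !__DragonFly__ */
+-
+-    /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
+-#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+-    return sysctl_random(buf, buflen);
+-#  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
+-     || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
+-    return getrandom(buf, buflen, 0);
+-#  else
+-    errno = ENOSYS;
+-    return -1;
+-#  endif
++    /* Red Hat uses downstream patch to always seed from getrandom() */
++    return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
+ }
+ #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+ 
+diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
+--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand	2022-08-03 12:14:39.409370134 +0200
++++ openssl-3.0.1/providers/implementations/rands/drbg.c	2022-08-03 12:19:06.320700346 +0200
+@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    prediction_resistance = 1;
++#endif
+     /* Reseed using our sources in addition */
+     entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                              drbg->min_entropylen, drbg->max_entropylen,
+diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
+--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand	2022-08-04 12:17:52.148556301 +0200
++++ openssl-3.0.1/crypto/rand/prov_seed.c	2022-08-04 12:19:41.783533552 +0200
+@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
+     size_t entropy_available;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
+         return 0;
+diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
+--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand	2022-08-04 11:56:10.100950299 +0200
++++ openssl-3.0.1/providers/implementations/rands/crngt.c	2022-08-04 11:59:11.241564925 +0200
+@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
+      * to the nearest byte.  If the entropy is of less than full quality,
+      * the amount required should be scaled up appropriately here.
+      */
+-    bytes_needed = (entropy + 7) / 8;
++    /*
++     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
++     * + 128 bits during initial seeding
++     */
++    bytes_needed = (entropy + 128 + 7) / 8;
+     if (bytes_needed < min_len)
+         bytes_needed = min_len;
+     if (bytes_needed > max_len)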
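Review bot: In the rand_unix.c hunk, the new return line of syscall_random picks the getrandom() flag from `EVP_default_properties_is_fips_enabled(NULL)`, which reports only the default library context, so seeding done on behalf of an application-created `OSSL_LIB_CTX` with FIPS properties enabled would presumably still call `getrandom(buf, buflen, 0)`. The comment above that line should state the limitation, for example `/* FIPS state is taken from the default libctx only; other contexts seed with flags 0 */`. The getrandom() result is also returned unchanged, and with GRND_RANDOM a short count or an interrupted call can occur, so the caller (outside this hunk) has to keep treating partial reads and EINTR as retryable rather than as a full seed. syscall_random begins before the hunk, so the surrounding declarations were not reviewed.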
| @ -155,6 +155,9 @@ Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch | |||||||
| Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch | Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 | # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 | ||||||
| Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch | Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch | ||||||
|  | # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) | ||||||
|  | # https://bugzilla.redhat.com/show_bug.cgi?id=2102541 | ||||||
|  | Patch76: 0076-FIPS-140-3-DRBG.patch | ||||||
| 
 | 
 | ||||||
| License: ASL 2.0 | License: ASL 2.0 | ||||||
| URL: http://www.openssl.org/ | URL: http://www.openssl.org/ | ||||||
| @ -492,6 +495,8 @@ install -m644 %{SOURCE9} \ | |||||||
|   Related: rhbz#2102537 |   Related: rhbz#2102537 | ||||||
| - Use signature for RSA pairwise test according FIPS-140-3 requirements | - Use signature for RSA pairwise test according FIPS-140-3 requirements | ||||||
|   Related: rhbz#2102540 |   Related: rhbz#2102540 | ||||||
|  | - Reseed all the parent DRBGs in chain on reseeding a DRBG | ||||||
|  |   Related: rhbz#2102541 | ||||||
| 
 | 
 | ||||||
| * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 | * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 | ||||||
| - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test | - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test | ||||||
|  | |||||||