isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone
727bdf
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
727bdf
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand	2022-08-03 11:09:01.301637515 +0200
727bdf
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c	2022-08-03 11:13:00.058688605 +0200
727bdf
@@ -48,6 +48,8 @@
727bdf
 # include <fcntl.h>
727bdf
 # include <unistd.h>
727bdf
 # include <sys/time.h>
727bdf
+# include <sys/random.h>
727bdf
+# include <openssl/evp.h>
727bdf
 
727bdf
 static uint64_t get_time_stamp(void);
727bdf
 static uint64_t get_timer_bits(void);
727bdf
@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
727bdf
      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
727bdf
      * between size_t and ssize_t is safe even without a range check.
727bdf
      */
727bdf
-
727bdf
-    /*
727bdf
-     * Do runtime detection to find getentropy().
727bdf
-     *
727bdf
-     * Known OSs that should support this:
727bdf
-     * - Darwin since 16 (OSX 10.12, IOS 10.0).
727bdf
-     * - Solaris since 11.3
727bdf
-     * - OpenBSD since 5.6
727bdf
-     * - Linux since 3.17 with glibc 2.25
727bdf
-     * - FreeBSD since 12.0 (1200061)
727bdf
-     *
727bdf
-     * Note: Sometimes getentropy() can be provided but not implemented
727bdf
-     * internally. So we need to check errno for ENOSYS
727bdf
-     */
727bdf
-#  if !defined(__DragonFly__) && !defined(__NetBSD__)
727bdf
-#    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
727bdf
-    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
727bdf
-
727bdf
-    if (getentropy != NULL) {
727bdf
-        if (getentropy(buf, buflen) == 0)
727bdf
-            return (ssize_t)buflen;
727bdf
-        if (errno != ENOSYS)
727bdf
-            return -1;
727bdf
-    }
727bdf
-#    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
727bdf
-
727bdf
-    if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
727bdf
-	    return (ssize_t)buflen;
727bdf
-
727bdf
-    return -1;
727bdf
-#    else
727bdf
-    union {
727bdf
-        void *p;
727bdf
-        int (*f)(void *buffer, size_t length);
727bdf
-    } p_getentropy;
727bdf
-
727bdf
-    /*
727bdf
-     * We could cache the result of the lookup, but we normally don't
727bdf
-     * call this function often.
727bdf
-     */
727bdf
-    ERR_set_mark();
727bdf
-    p_getentropy.p = DSO_global_lookup("getentropy");
727bdf
-    ERR_pop_to_mark();
727bdf
-    if (p_getentropy.p != NULL)
727bdf
-        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
727bdf
-#    endif
727bdf
-#  endif /* !__DragonFly__ */
727bdf
-
727bdf
-    /* Linux supports this since version 3.17 */
727bdf
-#  if defined(__linux) && defined(__NR_getrandom)
727bdf
-    return syscall(__NR_getrandom, buf, buflen, 0);
727bdf
-#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
727bdf
-    return sysctl_random(buf, buflen);
727bdf
-#  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
727bdf
-     || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
727bdf
-    return getrandom(buf, buflen, 0);
727bdf
-#  else
727bdf
-    errno = ENOSYS;
727bdf
-    return -1;
727bdf
-#  endif
727bdf
+    /* Red Hat uses downstream patch to always seed from getrandom() */
727bdf
+    return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
727bdf
 }
727bdf
 #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
727bdf
 
727bdf
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
727bdf
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand	2022-08-03 12:14:39.409370134 +0200
727bdf
+++ openssl-3.0.1/providers/implementations/rands/drbg.c	2022-08-03 12:19:06.320700346 +0200
727bdf
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
727bdf
 #endif
727bdf
     }
727bdf
 
727bdf
+#ifdef FIPS_MODULE
727bdf
+    prediction_resistance = 1;
727bdf
+#endif
727bdf
     /* Reseed using our sources in addition */
727bdf
     entropylen = get_entropy(drbg, &entropy, drbg->strength,
727bdf
                              drbg->min_entropylen, drbg->max_entropylen,
727bdf
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
727bdf
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand	2022-08-04 12:17:52.148556301 +0200
727bdf
+++ openssl-3.0.1/crypto/rand/prov_seed.c	2022-08-04 12:19:41.783533552 +0200
727bdf
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
727bdf
     size_t entropy_available;
727bdf
     RAND_POOL *pool;
727bdf
 
727bdf
-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
727bdf
+    /*
727bdf
+     * OpenSSL still implements an internal entropy pool of
727bdf
+     * some size that is hashed to get seed data.
727bdf
+     * Note that this is a conditioning step for which SP800-90C requires
727bdf
+     * 64 additional bits from the entropy source to claim the requested
727bdf
+     * amount of entropy.
727bdf
+     */
727bdf
+    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
727bdf
     if (pool == NULL) {
727bdf
         ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
727bdf
         return 0;
727bdf
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
727bdf
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand	2022-08-04 11:56:10.100950299 +0200
727bdf
+++ openssl-3.0.1/providers/implementations/rands/crngt.c	2022-08-04 11:59:11.241564925 +0200
727bdf
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
727bdf
      * to the nearest byte.  If the entropy is of less than full quality,
727bdf
      * the amount required should be scaled up appropriately here.
727bdf
      */
727bdf
-    bytes_needed = (entropy + 7) / 8;
727bdf
+    /*
727bdf
+     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
727bdf
+     * + 128 bits during initial seeding
727bdf
+     */
727bdf
+    bytes_needed = (entropy + 128 + 7) / 8;
727bdf
     if (bytes_needed < min_len)
727bdf
         bytes_needed = min_len;
727bdf
     if (bytes_needed > max_len)