diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info

--- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200

+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200

@@ -1,6 +1,6 @@

 LIBS=../../libcrypto

 SOURCE[../../libcrypto]=\

-        randfile.c rand_lib.c rand_err.c rand_egd.c \

+        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \

         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c

 INCLUDE[drbg_ctr.o]=../modes

diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c

--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200

+++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200

@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;

 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */

-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";

+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;

 static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;

@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu

     drbg->parent = parent;

     if (parent == NULL) {

+#ifdef OPENSSL_FIPS

+        drbg->get_entropy = rand_crngt_get_entropy;

+        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;

+#else

         drbg->get_entropy = rand_drbg_get_entropy;

         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;

+#endif

 #ifndef RAND_DRBG_GET_RANDOM_NONCE

         drbg->get_nonce = rand_drbg_get_nonce;

         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;

diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c

--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200

+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200

@@ -0,0 +1,118 @@

+/*

+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.

+ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.

+ *

+ * Licensed under the Apache License 2.0 (the "License").  You may not use

+ * this file except in compliance with the License.  You can obtain a copy

+ * in the file LICENSE in the source distribution or at

+ * https://www.openssl.org/source/license.html

+ */

+

+/*

+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.

+ */

+

+#include <string.h>

+#include <openssl/evp.h>

+#include "crypto/rand.h"

+#include "internal/thread_once.h"

+#include "rand_local.h"

+

+static RAND_POOL *crngt_pool;

+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];

+

+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)

+    = &rand_crngt_get_entropy_cb;

+

+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,

+                              unsigned int *md_size)

+{

+    int r;

+    size_t n;

+    unsigned char *p;

+

+    n = rand_pool_acquire_entropy(crngt_pool);

+    if (n >= CRNGT_BUFSIZ) {

+        p = rand_pool_detach(crngt_pool);

+        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);

+        if (r != 0)

+            memcpy(buf, p, CRNGT_BUFSIZ);

+        rand_pool_reattach(crngt_pool, p);

+        return r;

+    }

+    return 0;

+}

+

+void rand_crngt_cleanup(void)

+{

+    rand_pool_free(crngt_pool);

+    crngt_pool = NULL;

+}

+

+int rand_crngt_init(void)

+{

+    unsigned char buf[CRNGT_BUFSIZ];

+

+    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)

+        return 0;

+    if (crngt_get_entropy(buf, crngt_prev, NULL)) {

+        OPENSSL_cleanse(buf, sizeof(buf));

+        return 1;

+    }

+    rand_crngt_cleanup();

+    return 0;

+}

+

+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;

+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)

+{

+    return OPENSSL_init_crypto(0, NULL)

+        && rand_crngt_init()

+        && OPENSSL_atexit(&rand_crngt_cleanup);

+}

+

+int rand_crngt_single_init(void)

+{

+    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);

+}

+

+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,

+                              unsigned char **pout,

+                              int entropy, size_t min_len, size_t max_len,

+                              int prediction_resistance)

+{

+    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];

+    unsigned int sz;

+    RAND_POOL *pool;

+    size_t q, r = 0, s, t = 0;

+    int attempts = 3;

+

+    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))

+        return 0;

+

+    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)

+        return 0;

+

+    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {

+        s = q > sizeof(buf) ? sizeof(buf) : q;

+        if (!crngt_get_entropy(buf, md, &sz)

+            || memcmp(crngt_prev, md, sz) == 0

+            || !rand_pool_add(pool, buf, s, s * 8))

+            goto err;

+        memcpy(crngt_prev, md, sz);

+        t += s;

+        attempts++;

+    }

+    r = t;

+    *pout = rand_pool_detach(pool);

+err:

+    OPENSSL_cleanse(buf, sizeof(buf));

+    rand_pool_free(pool);

+    return r;

+}

+

+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,

+                                unsigned char *out, size_t outlen)

+{

+    OPENSSL_secure_clear_free(out, outlen);

+}

diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h

--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200

+++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200

@@ -33,7 +33,15 @@

 # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */

 # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */

-

+/*

+ * The number of bytes that constitutes an atomic lump of entropy with respect

+ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat

+ * arbitrary, the smaller the value, the less entropy is consumed on first

+ * read but the higher the probability of the test failing by accident.

+ *

+ * The value is in bytes.

+ */

+#define CRNGT_BUFSIZ    16

 /*

  * Maximum input size for the DRBG (entropy, nonce, personalization string)

@@ -44,6 +52,8 @@

  */

 # define DRBG_MAX_LENGTH                         INT32_MAX

+/* The default nonce */

+# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"

 /*

  * Maximum allocation size for RANDOM_POOL buffers

@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *

 /* initializes the AES-CTR DRBG implementation */

 int drbg_ctr_init(RAND_DRBG *drbg);

+/*

+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.

+ * These need to be exposed for the unit tests.

+ */

+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,

+                              unsigned int *md_size);

+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,

+                                unsigned int *md_size);

+int rand_crngt_init(void);

+void rand_crngt_cleanup(void);

+

+/*

+ * Expose the run once initialisation function for the unit tests because.

+ * they need to restart from scratch to validate the first block is skipped

+ * properly.

+ */

+int rand_crngt_single_init(void);

+

 #endif

diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h

--- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200

+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200

@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN

 void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);

+/* CRNG test entropy filter callbacks. */

+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,

+                              unsigned char **pout,

+                              int entropy, size_t min_len, size_t max_len,

+                              int prediction_resistance);

+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,

+                                unsigned char *out, size_t outlen);

+

 /*

  * RAND_POOL functions

  */

diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c

--- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200

+++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200

@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,

     return t->noncelen;

 }

+ /*

+ * Disable CRNG testing if it is enabled.

+ * If the DRBG is ready or in an error state, this means an instantiate cycle

+ * for which the default personalisation string is used.

+ */

+static int disable_crngt(RAND_DRBG *drbg)

+{

+    static const char pers[] = DRBG_DEFAULT_PERS_STRING;

+    const int instantiate = drbg->state != DRBG_UNINITIALISED;

+

+    if (drbg->get_entropy != rand_crngt_get_entropy)

+        return 1;

+

+     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))

+        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,

+                                              &rand_drbg_cleanup_entropy,

+                                              &rand_drbg_get_nonce,

+                                              &rand_drbg_cleanup_nonce))

+        || (instantiate

+            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,

+                                      sizeof(pers) - 1)))

+        return 0;

+    return 1;

+}

+

 static int uninstantiate(RAND_DRBG *drbg)

 {

     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);

@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA

     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))

         return 0;

     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,

-                                           kat_nonce, NULL))) {

+                                           kat_nonce, NULL))

+        || !TEST_true(disable_crngt(drbg))) {

         failures++;

         goto err;

     }

@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT

     unsigned int reseed_counter_tmp;

     int ret = 0;

-    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))

+    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))

+	|| !TEST_true(disable_crngt(drbg)))

         goto err;

     /*

@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)

         || !TEST_ptr_eq(private->parent, master))

         return 0;

+    /* Disable CRNG testing for the master DRBG */

+    if (!TEST_true(disable_crngt(master)))

+        return 0;

+

     /* uninstantiate the three global DRBGs */

     RAND_DRBG_uninstantiate(private);

     RAND_DRBG_uninstantiate(public);

@@ -964,7 +995,8 @@ static int test_rand_seed(void)

     size_t rand_buflen;

     size_t required_seed_buflen = 0;

-    if (!TEST_ptr(master = RAND_DRBG_get0_master()))

+    if (!TEST_ptr(master = RAND_DRBG_get0_master())

+        || !TEST_true(disable_crngt(master)))

         return 0;

 #ifdef OPENSSL_RAND_SEED_NONE

@@ -1013,6 +1045,95 @@ static int test_rand_add(void)

     return 1;

 }

+/*

+ * A list of the FIPS DRGB types.

+ */

+static const struct s_drgb_types {

+    int nid;

+    int flags;

+} drgb_types[] = {

+    { NID_aes_128_ctr,  0                   },

+    { NID_aes_192_ctr,  0                   },

+    { NID_aes_256_ctr,  0                   },

+};

+

+/* Six cases for each covers seed sizes up to 32 bytes */

+static const size_t crngt_num_cases = 6;

+

+static size_t crngt_case, crngt_idx;

+

+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,

+                            unsigned int *md_size)

+{

+    size_t i, z;

+

+    if (!TEST_int_lt(crngt_idx, crngt_num_cases))

+        return 0;

+    /* Generate a block of unique data unless this is the duplication point */

+    z = crngt_idx++;

+    if (z > 0 && crngt_case == z)

+        z--;

+    for (i = 0; i < CRNGT_BUFSIZ; i++)

+        buf[i] = (unsigned char)(i + 'A' + z);

+    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);

+}

+

+static int test_crngt(int n)

+{

+    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;

+    RAND_DRBG *drbg = NULL;

+    unsigned char buff[100];

+    size_t ent;

+    int res = 0;

+    int expect;

+

+    if (!TEST_true(rand_crngt_single_init()))

+        return 0;

+    rand_crngt_cleanup();

+

+    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))

+        return 0;

+    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;

+    crngt_case = n % crngt_num_cases;

+    crngt_idx = 0;

+    crngt_get_entropy = &crngt_entropy_cb;

+    if (!TEST_true(rand_crngt_init()))

+        goto err;

+#ifndef OPENSSL_FIPS

+    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,

+                                           &rand_crngt_cleanup_entropy,

+                                           &rand_drbg_get_nonce,

+                                           &rand_drbg_cleanup_nonce)))

+        goto err;

+#endif

+    expect = crngt_case == 0 || crngt_case > ent;

+    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))

+        goto err;

+    if (!expect)

+        goto fin;

+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))

+        goto err;

+

+    expect = crngt_case == 0 || crngt_case > 2 * ent;

+    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))

+        goto err;

+    if (!expect)

+        goto fin;

+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))

+        goto err;

+

+fin:

+    res = 1;

+err:

+    if (!res)

+        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,

+                  crngt_case, crngt_idx);

+    uninstantiate(drbg);

+    RAND_DRBG_free(drbg);

+    crngt_get_entropy = &rand_crngt_get_entropy_cb;

+    return res;

+}

+

 int setup_tests(void)

 {

     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);

@@ -1025,5 +1146,6 @@ int setup_tests(void)

 #if defined(OPENSSL_THREADS)

     ADD_TEST(test_multi_thread);

 #endif

+    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));

     return 1;

 }