openssl-1.1.1-fips-post-rand.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand	2020-12-09 10:26:41.634106328 +0100
+++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-09 10:26:41.652106475 +0100
@@ -68,6 +68,7 @@
 
 # include <openssl/fips.h>
 # include "internal/thread_once.h"
+# include "crypto/rand.h"
 
 # ifndef PATH_MAX
 #  define PATH_MAX 1024
@@ -76,6 +77,7 @@
 static int fips_selftest_fail = 0;
 static int fips_mode = 0;
 static int fips_started = 0;
+static int fips_post = 0;
 
 static int fips_is_owning_thread(void);
 static int fips_set_owning_thread(void);
@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
     fips_selftest_fail = 1;
 }
 
+int fips_in_post(void)
+{
+    return fips_post;
+}
+
 /* we implement what libfipscheck does ourselves */
 
 static int
@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
         }
 # endif
 
+        fips_post = 1;
+
         if (!FIPS_selftest()) {
             fips_selftest_fail = 1;
             ret = 0;
@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
             goto end;
         }
 
+        fips_post = 0;
+
         fips_set_mode(onoff);
+        /* force RNG reseed with entropy from getrandom() on next call */
+        rand_force_reseed();
+
         ret = 1;
         goto end;
     }
diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-09 10:26:41.652106475 +0100
@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
 }
 
+void rand_force_reseed(void)
+{
+    RAND_DRBG *drbg;
+
+    drbg = RAND_DRBG_get0_master();
+    drbg->fork_id = 0;
+
+    drbg = RAND_DRBG_get0_private();
+    drbg->fork_id = 0;
+
+    drbg = RAND_DRBG_get0_public();
+    drbg->fork_id = 0;
+}
+
 /* Implements the default OpenSSL RAND_add() method */
 static int drbg_add(const void *buf, int num, double randomness)
 {
diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-09 10:36:59.531221903 +0100
@@ -17,10 +17,12 @@
 #include <openssl/crypto.h>
 #include "rand_local.h"
 #include "crypto/rand.h"
+#include "crypto/fips.h"
 #include <stdio.h>
 #include "internal/dso.h"
 #ifdef __linux
 # include <sys/syscall.h>
+# include <sys/random.h>
 # ifdef DEVRANDOM_WAIT
 #  include <sys/shm.h>
 #  include <sys/utsname.h>
@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
  * syscall_random(): Try to get random data using a system call
  * returns the number of bytes returned in buf, or < 0 on error.
  */
-static ssize_t syscall_random(void *buf, size_t buflen)
+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
 {
     /*
      * Note: 'buflen' equals the size of the buffer which is used by the
@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
      * Note: Sometimes getentropy() can be provided but not implemented
      * internally. So we need to check errno for ENOSYS
      */
+#  if 0
 #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
 
@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
     if (p_getentropy.p != NULL)
         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
 #  endif
-
+#  endif
     /* Linux supports this since version 3.17 */
-#  if defined(__linux) && defined(__NR_getrandom)
-    return syscall(__NR_getrandom, buf, buflen, 0);
+#  if defined(__linux) && defined(SYS_getrandom)
+    return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
 #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
     return sysctl_random(buf, buflen);
 #  else
@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
     size_t entropy_available;
 
 #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
+    int in_post;
+
+    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
     {
         size_t bytes_needed;
         unsigned char *buffer;
@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
         while (bytes_needed != 0 && attempts-- > 0) {
             buffer = rand_pool_add_begin(pool, bytes_needed);
-            bytes = syscall_random(buffer, bytes_needed);
+            bytes = syscall_random(buffer, bytes_needed, in_post);
             if (bytes > 0) {
                 rand_pool_add_end(pool, bytes, 8 * bytes);
                 bytes_needed -= bytes;
@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
             int attempts = 3;
             const int fd = get_random_device(i);
 
-            if (fd == -1)
+            if (fd == -1) {
+                OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
                 continue;
+            }
 
             while (bytes_needed != 0 && attempts-- > 0) {
                 buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
             return entropy_available;
     }
 #   endif
-
+#   ifdef OPENSSL_RAND_SEED_GETRANDOM
+    }
+#   endif
     return rand_pool_entropy_available(pool);
 #  endif
 }
diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand	2020-12-09 10:26:41.639106369 +0100
+++ openssl-1.1.1i/include/crypto/fips.h	2020-12-09 10:26:41.657106516 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
 int FIPS_selftest_drbg(void);
 int FIPS_selftest_cmac(void);
 
+int fips_in_post(void);
+
 int fips_pkey_signature_test(EVP_PKEY *pkey,
                                  const unsigned char *tbs, int tbslen,
                                  const unsigned char *kat,
diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1i/include/crypto/rand.h	2020-12-09 10:26:41.657106516 +0100
@@ -24,6 +24,7 @@
 typedef struct rand_pool_st RAND_POOL;
 
 void rand_cleanup_int(void);
+void rand_force_reseed(void);
 void rand_drbg_cleanup_int(void);
 void drbg_delete_thread_state(void);