Blame SOURCES/openssl-1.1.1-fips-crng-test.patch

9b88be
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
9b88be
--- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200
9b88be
+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200
9b88be
@@ -1,6 +1,6 @@
9b88be
 LIBS=../../libcrypto
9b88be
 SOURCE[../../libcrypto]=\
9b88be
-        randfile.c rand_lib.c rand_err.c rand_egd.c \
9b88be
+        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
9b88be
         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
9b88be
 
9b88be
 INCLUDE[drbg_ctr.o]=../modes
9b88be
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
9b88be
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200
9b88be
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200
9b88be
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
9b88be
 
9b88be
 
9b88be
 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
9b88be
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
9b88be
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
9b88be
 
9b88be
 static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
9b88be
 
9b88be
@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
9b88be
     drbg->parent = parent;
9b88be
 
9b88be
     if (parent == NULL) {
9b88be
+#ifdef OPENSSL_FIPS
9b88be
+        drbg->get_entropy = rand_crngt_get_entropy;
9b88be
+        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
9b88be
+#else
9b88be
         drbg->get_entropy = rand_drbg_get_entropy;
9b88be
         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
9b88be
+#endif
9b88be
 #ifndef RAND_DRBG_GET_RANDOM_NONCE
9b88be
         drbg->get_nonce = rand_drbg_get_nonce;
9b88be
         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
9b88be
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
9b88be
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200
9b88be
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200
9b88be
@@ -0,0 +1,118 @@
9b88be
+/*
9b88be
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
9b88be
+ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
9b88be
+ *
9b88be
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
9b88be
+ * this file except in compliance with the License.  You can obtain a copy
9b88be
+ * in the file LICENSE in the source distribution or at
9b88be
+ * https://www.openssl.org/source/license.html
9b88be
+ */
9b88be
+
9b88be
+/*
9b88be
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
9b88be
+ */
9b88be
+
9b88be
+#include <string.h>
9b88be
+#include <openssl/evp.h>
9b88be
+#include "crypto/rand.h"
9b88be
+#include "internal/thread_once.h"
9b88be
+#include "rand_local.h"
9b88be
+
9b88be
+static RAND_POOL *crngt_pool;
9b88be
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
9b88be
+
9b88be
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
9b88be
+    = &rand_crngt_get_entropy_cb;
9b88be
+
9b88be
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
9b88be
+                              unsigned int *md_size)
9b88be
+{
9b88be
+    int r;
9b88be
+    size_t n;
9b88be
+    unsigned char *p;
9b88be
+
9b88be
+    n = rand_pool_acquire_entropy(crngt_pool);
9b88be
+    if (n >= CRNGT_BUFSIZ) {
9b88be
+        p = rand_pool_detach(crngt_pool);
9b88be
+        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
9b88be
+        if (r != 0)
9b88be
+            memcpy(buf, p, CRNGT_BUFSIZ);
9b88be
+        rand_pool_reattach(crngt_pool, p);
9b88be
+        return r;
9b88be
+    }
9b88be
+    return 0;
9b88be
+}
9b88be
+
9b88be
+void rand_crngt_cleanup(void)
9b88be
+{
9b88be
+    rand_pool_free(crngt_pool);
9b88be
+    crngt_pool = NULL;
9b88be
+}
9b88be
+
9b88be
+int rand_crngt_init(void)
9b88be
+{
9b88be
+    unsigned char buf[CRNGT_BUFSIZ];
9b88be
+
9b88be
+    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
9b88be
+        return 0;
9b88be
+    if (crngt_get_entropy(buf, crngt_prev, NULL)) {
9b88be
+        OPENSSL_cleanse(buf, sizeof(buf));
9b88be
+        return 1;
9b88be
+    }
9b88be
+    rand_crngt_cleanup();
9b88be
+    return 0;
9b88be
+}
9b88be
+
9b88be
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
9b88be
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
9b88be
+{
9b88be
+    return OPENSSL_init_crypto(0, NULL)
9b88be
+        && rand_crngt_init()
9b88be
+        && OPENSSL_atexit(&rand_crngt_cleanup);
9b88be
+}
9b88be
+
9b88be
+int rand_crngt_single_init(void)
9b88be
+{
9b88be
+    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
9b88be
+}
9b88be
+
9b88be
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
9b88be
+                              unsigned char **pout,
9b88be
+                              int entropy, size_t min_len, size_t max_len,
9b88be
+                              int prediction_resistance)
9b88be
+{
9b88be
+    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
9b88be
+    unsigned int sz;
9b88be
+    RAND_POOL *pool;
9b88be
+    size_t q, r = 0, s, t = 0;
9b88be
+    int attempts = 3;
9b88be
+
9b88be
+    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
9b88be
+        return 0;
9b88be
+
9b88be
+    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
9b88be
+        return 0;
9b88be
+
9b88be
+    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
9b88be
+        s = q > sizeof(buf) ? sizeof(buf) : q;
9b88be
+        if (!crngt_get_entropy(buf, md, &sz)
9b88be
+            || memcmp(crngt_prev, md, sz) == 0
9b88be
+            || !rand_pool_add(pool, buf, s, s * 8))
9b88be
+            goto err;
9b88be
+        memcpy(crngt_prev, md, sz);
9b88be
+        t += s;
9b88be
+        attempts++;
9b88be
+    }
9b88be
+    r = t;
9b88be
+    *pout = rand_pool_detach(pool);
9b88be
+err:
9b88be
+    OPENSSL_cleanse(buf, sizeof(buf));
9b88be
+    rand_pool_free(pool);
9b88be
+    return r;
9b88be
+}
9b88be
+
9b88be
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
9b88be
+                                unsigned char *out, size_t outlen)
9b88be
+{
9b88be
+    OPENSSL_secure_clear_free(out, outlen);
9b88be
+}
9b88be
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
9b88be
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200
9b88be
+++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200
9b88be
@@ -33,7 +33,15 @@
9b88be
 # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
9b88be
 # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
9b88be
 
9b88be
-
9b88be
+/*
9b88be
+ * The number of bytes that constitutes an atomic lump of entropy with respect
9b88be
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
9b88be
+ * arbitrary, the smaller the value, the less entropy is consumed on first
9b88be
+ * read but the higher the probability of the test failing by accident.
9b88be
+ *
9b88be
+ * The value is in bytes.
9b88be
+ */
9b88be
+#define CRNGT_BUFSIZ    16
9b88be
 
9b88be
 /*
9b88be
  * Maximum input size for the DRBG (entropy, nonce, personalization string)
9b88be
@@ -44,6 +52,8 @@
9b88be
  */
9b88be
 # define DRBG_MAX_LENGTH                         INT32_MAX
9b88be
 
9b88be
+/* The default nonce */
9b88be
+# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
9b88be
 
9b88be
 /*
9b88be
  * Maximum allocation size for RANDOM_POOL buffers
9b88be
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
9b88be
 /* initializes the AES-CTR DRBG implementation */
9b88be
 int drbg_ctr_init(RAND_DRBG *drbg);
9b88be
 
9b88be
+/*
9b88be
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
9b88be
+ * These need to be exposed for the unit tests.
9b88be
+ */
9b88be
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
9b88be
+                              unsigned int *md_size);
9b88be
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
9b88be
+                                unsigned int *md_size);
9b88be
+int rand_crngt_init(void);
9b88be
+void rand_crngt_cleanup(void);
9b88be
+
9b88be
+/*
9b88be
+ * Expose the run once initialisation function for the unit tests because.
9b88be
+ * they need to restart from scratch to validate the first block is skipped
9b88be
+ * properly.
9b88be
+ */
9b88be
+int rand_crngt_single_init(void);
9b88be
+
9b88be
 #endif
9b88be
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
9b88be
--- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200
9b88be
+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200
9b88be
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
9b88be
 
9b88be
 void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
9b88be
 
9b88be
+/* CRNG test entropy filter callbacks. */
9b88be
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
9b88be
+                              unsigned char **pout,
9b88be
+                              int entropy, size_t min_len, size_t max_len,
9b88be
+                              int prediction_resistance);
9b88be
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
9b88be
+                                unsigned char *out, size_t outlen);
9b88be
+
9b88be
 /*
9b88be
  * RAND_POOL functions
9b88be
  */
9b88be
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
9b88be
--- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200
9b88be
+++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200
9b88be
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
9b88be
     return t->noncelen;
9b88be
 }
9b88be
 
9b88be
+ /*
9b88be
+ * Disable CRNG testing if it is enabled.
9b88be
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
9b88be
+ * for which the default personalisation string is used.
9b88be
+ */
9b88be
+static int disable_crngt(RAND_DRBG *drbg)
9b88be
+{
9b88be
+    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
9b88be
+    const int instantiate = drbg->state != DRBG_UNINITIALISED;
9b88be
+
9b88be
+    if (drbg->get_entropy != rand_crngt_get_entropy)
9b88be
+        return 1;
9b88be
+
9b88be
+     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
9b88be
+        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
9b88be
+                                              &rand_drbg_cleanup_entropy,
9b88be
+                                              &rand_drbg_get_nonce,
9b88be
+                                              &rand_drbg_cleanup_nonce))
9b88be
+        || (instantiate
9b88be
+            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
9b88be
+                                      sizeof(pers) - 1)))
9b88be
+        return 0;
9b88be
+    return 1;
9b88be
+}
9b88be
+
9b88be
 static int uninstantiate(RAND_DRBG *drbg)
9b88be
 {
9b88be
     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
9b88be
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
9b88be
     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
9b88be
         return 0;
9b88be
     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
9b88be
-                                           kat_nonce, NULL))) {
9b88be
+                                           kat_nonce, NULL))
9b88be
+        || !TEST_true(disable_crngt(drbg))) {
9b88be
         failures++;
9b88be
         goto err;
9b88be
     }
9b88be
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
9b88be
     unsigned int reseed_counter_tmp;
9b88be
     int ret = 0;
9b88be
 
9b88be
-    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
9b88be
+    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
9b88be
+	|| !TEST_true(disable_crngt(drbg)))
9b88be
         goto err;
9b88be
 
9b88be
     /*
9b88be
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
9b88be
         || !TEST_ptr_eq(private->parent, master))
9b88be
         return 0;
9b88be
 
9b88be
+    /* Disable CRNG testing for the master DRBG */
9b88be
+    if (!TEST_true(disable_crngt(master)))
9b88be
+        return 0;
9b88be
+
9b88be
     /* uninstantiate the three global DRBGs */
9b88be
     RAND_DRBG_uninstantiate(private);
9b88be
     RAND_DRBG_uninstantiate(public);
9b88be
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
9b88be
     size_t rand_buflen;
9b88be
     size_t required_seed_buflen = 0;
9b88be
 
9b88be
-    if (!TEST_ptr(master = RAND_DRBG_get0_master()))
9b88be
+    if (!TEST_ptr(master = RAND_DRBG_get0_master())
9b88be
+        || !TEST_true(disable_crngt(master)))
9b88be
         return 0;
9b88be
 
9b88be
 #ifdef OPENSSL_RAND_SEED_NONE
9b88be
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
9b88be
     return 1;
9b88be
 }
9b88be
 
9b88be
+/*
9b88be
+ * A list of the FIPS DRGB types.
9b88be
+ */
9b88be
+static const struct s_drgb_types {
9b88be
+    int nid;
9b88be
+    int flags;
9b88be
+} drgb_types[] = {
9b88be
+    { NID_aes_128_ctr,  0                   },
9b88be
+    { NID_aes_192_ctr,  0                   },
9b88be
+    { NID_aes_256_ctr,  0                   },
9b88be
+};
9b88be
+
9b88be
+/* Six cases for each covers seed sizes up to 32 bytes */
9b88be
+static const size_t crngt_num_cases = 6;
9b88be
+
9b88be
+static size_t crngt_case, crngt_idx;
9b88be
+
9b88be
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
9b88be
+                            unsigned int *md_size)
9b88be
+{
9b88be
+    size_t i, z;
9b88be
+
9b88be
+    if (!TEST_int_lt(crngt_idx, crngt_num_cases))
9b88be
+        return 0;
9b88be
+    /* Generate a block of unique data unless this is the duplication point */
9b88be
+    z = crngt_idx++;
9b88be
+    if (z > 0 && crngt_case == z)
9b88be
+        z--;
9b88be
+    for (i = 0; i < CRNGT_BUFSIZ; i++)
9b88be
+        buf[i] = (unsigned char)(i + 'A' + z);
9b88be
+    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
9b88be
+}
9b88be
+
9b88be
+static int test_crngt(int n)
9b88be
+{
9b88be
+    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
9b88be
+    RAND_DRBG *drbg = NULL;
9b88be
+    unsigned char buff[100];
9b88be
+    size_t ent;
9b88be
+    int res = 0;
9b88be
+    int expect;
9b88be
+
9b88be
+    if (!TEST_true(rand_crngt_single_init()))
9b88be
+        return 0;
9b88be
+    rand_crngt_cleanup();
9b88be
+
9b88be
+    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
9b88be
+        return 0;
9b88be
+    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
9b88be
+    crngt_case = n % crngt_num_cases;
9b88be
+    crngt_idx = 0;
9b88be
+    crngt_get_entropy = &crngt_entropy_cb;
9b88be
+    if (!TEST_true(rand_crngt_init()))
9b88be
+        goto err;
9b88be
+#ifndef OPENSSL_FIPS
9b88be
+    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
9b88be
+                                           &rand_crngt_cleanup_entropy,
9b88be
+                                           &rand_drbg_get_nonce,
9b88be
+                                           &rand_drbg_cleanup_nonce)))
9b88be
+        goto err;
9b88be
+#endif
9b88be
+    expect = crngt_case == 0 || crngt_case > ent;
9b88be
+    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
9b88be
+        goto err;
9b88be
+    if (!expect)
9b88be
+        goto fin;
9b88be
+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
9b88be
+        goto err;
9b88be
+
9b88be
+    expect = crngt_case == 0 || crngt_case > 2 * ent;
9b88be
+    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
9b88be
+        goto err;
9b88be
+    if (!expect)
9b88be
+        goto fin;
9b88be
+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
9b88be
+        goto err;
9b88be
+
9b88be
+fin:
9b88be
+    res = 1;
9b88be
+err:
9b88be
+    if (!res)
9b88be
+        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
9b88be
+                  crngt_case, crngt_idx);
9b88be
+    uninstantiate(drbg);
9b88be
+    RAND_DRBG_free(drbg);
9b88be
+    crngt_get_entropy = &rand_crngt_get_entropy_cb;
9b88be
+    return res;
9b88be
+}
9b88be
+
9b88be
 int setup_tests(void)
9b88be
 {
9b88be
     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
9b88be
@@ -1025,5 +1146,6 @@ int setup_tests(void)
9b88be
 #if defined(OPENSSL_THREADS)
9b88be
     ADD_TEST(test_multi_thread);
9b88be
 #endif
9b88be
+    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
9b88be
     return 1;
9b88be
 }