rpms / compat-openssl11

Clone
Source Code
GIT

Blame SOURCES/openssl-1.1.1-rewire-fips-drbg.patch

c9 c9-beta
  1.   0bf02dac4c3b882c843a2ecf37ab0a5bc63bd38a
  2.   SOURCES
  3.   openssl-1.1.1-rewire-fips-drbg.patch
Blob History Raw
0bf02d 
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
0bf02d 
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
0bf02d 
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
0bf02d 
 int FIPS_drbg_reseed(DRBG_CTX *dctx,
0bf02d 
                      const unsigned char *adin, size_t adinlen)
0bf02d 
 {
0bf02d 
+    int len = (int)adinlen;
0bf02d 
+
0bf02d 
+    if (len < 0 || (size_t)len != adinlen) {
0bf02d 
+        FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
0bf02d 
+        return 0;
0bf02d 
+    }
0bf02d 
+    RAND_seed(adin, len);
0bf02d 
+    return 1;
0bf02d 
+}
0bf02d 
+
0bf02d 
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
0bf02d 
+                     const unsigned char *adin, size_t adinlen)
0bf02d 
+{
0bf02d 
     return drbg_reseed(dctx, adin, adinlen, 1);
0bf02d 
 }
0bf02d
0bf02d 
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
0bf02d 
                        int prediction_resistance,
0bf02d 
                        const unsigned char *adin, size_t adinlen)
0bf02d 
 {
0bf02d 
+    int len = (int)outlen;
0bf02d 
+
0bf02d 
+    if (len < 0 || (size_t)len != outlen) {
0bf02d 
+        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
0bf02d 
+        return 0;
0bf02d 
+    }
0bf02d 
+    return RAND_bytes(out, len);
0bf02d 
+}
0bf02d 
+
0bf02d 
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
0bf02d 
+                       int prediction_resistance,
0bf02d 
+                       const unsigned char *adin, size_t adinlen)
0bf02d 
+{
0bf02d 
     int r = 0;
0bf02d
0bf02d 
     if (FIPS_selftest_failed()) {
0bf02d 
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
0bf02d 
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
0bf02d 
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -57,6 +57,8 @@
0bf02d 
 #include <openssl/err.h>
0bf02d 
 #include <openssl/rand.h>
0bf02d 
 #include <openssl/fips.h>
0bf02d 
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
0bf02d 
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
0bf02d 
 #include <openssl/fips_rand.h>
0bf02d 
 #include "fips_rand_lcl.h"
0bf02d
0bf02d 
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
0bf02d 
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg	2020-06-22 13:32:47.612852927 +0200
0bf02d 
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -55,6 +55,8 @@
0bf02d 
 #include <openssl/crypto.h>
0bf02d 
 #include <openssl/err.h>
0bf02d 
 #include <openssl/fips.h>
0bf02d 
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
0bf02d 
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
0bf02d 
 #include <openssl/fips_rand.h>
0bf02d 
 #include "fips_rand_lcl.h"
0bf02d 
 #include "fips_locl.h"
0bf02d 
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
0bf02d 
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
0bf02d 
+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
0bf02d 
         ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
0bf02d 
         rv = 0;
0bf02d 
     }
0bf02d 
-    if (!FIPS_selftest_drbg())
0bf02d 
-        rv = 0;
0bf02d 
     if (!FIPS_selftest_sha1())
0bf02d 
         rv = 0;
0bf02d 
     if (!FIPS_selftest_sha2())
0bf02d 
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
0bf02d 
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.613852927 +0200
0bf02d 
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c	2020-06-22 13:36:28.722817967 +0200
0bf02d 
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
0bf02d
0bf02d 
 int FIPS_rand_seed(const void *buf, int num)
0bf02d 
 {
0bf02d 
+#if 0
0bf02d 
     if (!fips_approved_rand_meth && FIPS_module_mode()) {
0bf02d 
         FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
0bf02d 
         return 0;
0bf02d 
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
0bf02d 
     if (fips_rand_meth && fips_rand_meth->seed)
0bf02d 
         fips_rand_meth->seed(buf, num);
0bf02d 
     return 1;
0bf02d 
+#else
0bf02d 
+    RAND_seed(buf, num);
0bf02d 
+    return 1;
0bf02d 
+#endif
0bf02d 
 }
0bf02d
0bf02d 
 int FIPS_rand_bytes(unsigned char *buf, int num)
0bf02d 
 {
0bf02d 
+#if 0
0bf02d 
     if (!fips_approved_rand_meth && FIPS_module_mode()) {
0bf02d 
         FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
0bf02d 
         return 0;
0bf02d 
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
0bf02d 
     if (fips_rand_meth && fips_rand_meth->bytes)
0bf02d 
         return fips_rand_meth->bytes(buf, num);
0bf02d 
     return 0;
0bf02d 
+#else
0bf02d 
+    return RAND_bytes(buf, num);
0bf02d 
+#endif
0bf02d 
 }
0bf02d
0bf02d 
 int FIPS_rand_status(void)
0bf02d 
 {
0bf02d 
+#if 0
0bf02d 
     if (!fips_approved_rand_meth && FIPS_module_mode()) {
0bf02d 
         FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
0bf02d 
         return 0;
0bf02d 
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
0bf02d 
     if (fips_rand_meth && fips_rand_meth->status)
0bf02d 
         return fips_rand_meth->status();
0bf02d 
     return 0;
0bf02d 
+#else
0bf02d 
+    return RAND_status();
0bf02d 
+#endif
0bf02d 
 }
0bf02d
0bf02d 
 /* Return instantiated strength of PRNG. For DRBG this is an internal
0bf02d 
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
0bf02d 
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
0bf02d 
+++ openssl-1.1.1g/include/openssl/fips.h	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -64,6 +64,11 @@ extern "C" {
0bf02d
0bf02d 
     int FIPS_selftest(void);
0bf02d 
     int FIPS_selftest_failed(void);
0bf02d 
+
0bf02d 
+    /*
0bf02d 
+     * This function is deprecated as it performs selftest of the old FIPS drbg
0bf02d 
+     * implementation that is not validated.
0bf02d 
+     */
0bf02d 
     int FIPS_selftest_drbg_all(void);
0bf02d
0bf02d 
     int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
0bf02d 
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
0bf02d 
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg	2020-06-22 13:32:47.617852926 +0200
0bf02d 
+++ openssl-1.1.1g/include/openssl/fips_rand.h	2020-06-22 13:32:47.675852917 +0200
0bf02d 
@@ -60,6 +60,20 @@
0bf02d 
 #  ifdef  __cplusplus
0bf02d 
 extern "C" {
0bf02d 
 #  endif
0bf02d 
+
0bf02d 
+/*
0bf02d 
+ * IMPORTANT NOTE:
0bf02d 
+ * All functions in this header file are deprecated and should not be used
0bf02d 
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
0bf02d 
+ * anymore.
0bf02d 
+ * To provide backwards compatibility for applications that need FIPS compliant
0bf02d 
+ * RNG number generation and use FIPS_drbg_generate, this function was
0bf02d 
+ * re-wired to call the FIPS validated DRBG instance instead through
0bf02d 
+ * the RAND_bytes() call.
0bf02d 
+ *
0bf02d 
+ * All these functions will be removed in future.
0bf02d 
+ */
0bf02d 
+
0bf02d 
     typedef struct drbg_ctx_st DRBG_CTX;
0bf02d 
 /* DRBG external flags */
0bf02d 
 /* Flag for CTR mode only: use derivation function ctr_df */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation