diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c --- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100 +++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100 @@ -68,6 +68,7 @@ # include # include "internal/thread_once.h" +# include "crypto/rand.h" # ifndef PATH_MAX # define PATH_MAX 1024 @@ -76,6 +77,7 @@ static int fips_selftest_fail = 0; static int fips_mode = 0; static int fips_started = 0; +static int fips_post = 0; static int fips_is_owning_thread(void); static int fips_set_owning_thread(void); @@ -158,6 +160,11 @@ void fips_set_selftest_fail(void) fips_selftest_fail = 1; } +int fips_in_post(void) +{ + return fips_post; +} + /* we implement what libfipscheck does ourselves */ static int @@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff) } # endif + fips_post = 1; + if (!FIPS_selftest()) { fips_selftest_fail = 1; ret = 0; @@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff) goto end; } + fips_post = 0; + fips_set_mode(onoff); + /* force RNG reseed with entropy from getrandom() on next call */ + rand_force_reseed(); + ret = 1; goto end; } diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c --- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 +++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100 @@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg return min_entropy > min_entropylen ? min_entropy : min_entropylen; } +void rand_force_reseed(void) +{ + RAND_DRBG *drbg; + + drbg = RAND_DRBG_get0_master(); + drbg->fork_id = 0; + + drbg = RAND_DRBG_get0_private(); + drbg->fork_id = 0; + + drbg = RAND_DRBG_get0_public(); + drbg->fork_id = 0; +} + /* Implements the default OpenSSL RAND_add() method */ static int drbg_add(const void *buf, int num, double randomness) { diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c --- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 +++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100 @@ -17,10 +17,12 @@ #include #include "rand_local.h" #include "crypto/rand.h" +#include "crypto/fips.h" #include #include "internal/dso.h" #ifdef __linux # include +# include # ifdef DEVRANDOM_WAIT # include # include @@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ -static ssize_t syscall_random(void *buf, size_t buflen) +static ssize_t syscall_random(void *buf, size_t buflen, int nonblock) { /* * Note: 'buflen' equals the size of the buffer which is used by the @@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, * Note: Sometimes getentropy() can be provided but not implemented * internally. So we need to check errno for ENOSYS */ +# if 0 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); @@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif - +# endif /* Linux supports this since version 3.17 */ -# if defined(__linux) && defined(__NR_getrandom) - return syscall(__NR_getrandom, buf, buflen, 0); +# if defined(__linux) && defined(SYS_getrandom) + return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else @@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO size_t entropy_available; # if defined(OPENSSL_RAND_SEED_GETRANDOM) + int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { { size_t bytes_needed; unsigned char *buffer; @@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); - bytes = syscall_random(buffer, bytes_needed); + bytes = syscall_random(buffer, bytes_needed, in_post); if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; @@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); - if (fd == -1) + if (fd == -1) { + OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]); continue; + } while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO return entropy_available; } # endif - +# ifdef OPENSSL_RAND_SEED_GETRANDOM + } +# endif return rand_pool_entropy_available(pool); # endif } diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h --- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100 +++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); +int fips_in_post(void); + int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h --- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 +++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100 @@ -24,6 +24,7 @@ typedef struct rand_pool_st RAND_POOL; void rand_cleanup_int(void); +void rand_force_reseed(void); void rand_drbg_cleanup_int(void); void drbg_delete_thread_state(void);