File openssl-1.1.1-fips-crng-test.patch of Package openssl-1_1
xxxxxxxxxx
1
Index: openssl-1.1.1d/crypto/include/internal/rand_int.h
2
===================================================================
3
--- openssl-1.1.1d.orig/crypto/include/internal/rand_int.h 2020-01-23 13:45:11.368633835 +0100
4
+++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2020-01-23 13:45:11.384633930 +0100
5
6
7
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
8
9
+/* CRNG test entropy filter callbacks. */
10
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
11
+ unsigned char **pout,
12
+ int entropy, size_t min_len, size_t max_len,
13
+ int prediction_resistance);
14
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
15
+ unsigned char *out, size_t outlen);
16
+
17
/*
18
* RAND_POOL functions
19
*/
20
Index: openssl-1.1.1d/crypto/rand/build.info
21
===================================================================
22
--- openssl-1.1.1d.orig/crypto/rand/build.info 2019-09-10 15:13:07.000000000 +0200
23
+++ openssl-1.1.1d/crypto/rand/build.info 2020-01-23 13:45:11.384633930 +0100
24
25
LIBS=../../libcrypto
26
SOURCE[../../libcrypto]=\
27
- randfile.c rand_lib.c rand_err.c rand_egd.c \
28
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
29
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
30
Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
31
===================================================================
32
--- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.368633835 +0100
33
+++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.384633930 +0100
34
35
36
37
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
38
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
39
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
40
41
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
42
43
44
drbg->parent = parent;
45
46
if (parent == NULL) {
47
+#ifdef OPENSSL_FIPS
48
+ drbg->get_entropy = rand_crngt_get_entropy;
49
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
50
+#else
51
drbg->get_entropy = rand_drbg_get_entropy;
52
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
53
+#endif
54
#ifndef RAND_DRBG_GET_RANDOM_NONCE
55
drbg->get_nonce = rand_drbg_get_nonce;
56
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
57
Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
58
===================================================================
59
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
60
+++ openssl-1.1.1d/crypto/rand/rand_crng_test.c 2020-01-23 13:45:11.384633930 +0100
61
62
+/*
63
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
64
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
65
+ *
66
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
67
+ * this file except in compliance with the License. You can obtain a copy
68
+ * in the file LICENSE in the source distribution or at
69
+ * https://www.openssl.org/source/license.html
70
+ */
71
+
72
+/*
73
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
74
+ */
75
+
76
+#include <string.h>
77
+#include <openssl/evp.h>
78
+#include "internal/rand_int.h"
79
+#include "internal/thread_once.h"
80
+#include "rand_lcl.h"
81
+
82
+static RAND_POOL *crngt_pool;
83
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
84
+
85
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
86
+ = &rand_crngt_get_entropy_cb;
87
+
88
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
89
+ unsigned int *md_size)
90
+{
91
+ int r;
92
+ size_t n;
93
+ unsigned char *p;
94
+
95
+ n = rand_pool_acquire_entropy(crngt_pool);
96
+ if (n >= CRNGT_BUFSIZ) {
97
+ p = rand_pool_detach(crngt_pool);
98
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
99
+ if (r != 0)
100
+ memcpy(buf, p, CRNGT_BUFSIZ);
101
+ rand_pool_reattach(crngt_pool, p);
102
+ return r;
103
+ }
104
+ return 0;
105
+}
106
+
107
+void rand_crngt_cleanup(void)
108
+{
109
+ rand_pool_free(crngt_pool);
110
+ crngt_pool = NULL;
111
+}
112
+
113
+int rand_crngt_init(void)
114
+{
115
+ unsigned char buf[CRNGT_BUFSIZ];
116
+
117
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
118
+ return 0;
119
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
120
+ OPENSSL_cleanse(buf, sizeof(buf));
121
+ return 1;
122
+ }
123
+ rand_crngt_cleanup();
124
+ return 0;
125
+}
126
+
127
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
128
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
129
+{
130
+ return OPENSSL_init_crypto(0, NULL)
131
+ && rand_crngt_init()
132
+ && OPENSSL_atexit(&rand_crngt_cleanup);
133
+}
134
+
135
+int rand_crngt_single_init(void)
136
+{
137
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
138
+}
139
+
140
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
141
+ unsigned char **pout,
142
+ int entropy, size_t min_len, size_t max_len,
143
+ int prediction_resistance)
144
+{
145
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
146
+ unsigned int sz;
147
+ RAND_POOL *pool;
148
+ size_t q, r = 0, s, t = 0;
149
+ int attempts = 3;
150
+
151
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
152
+ return 0;
153
+
154
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
155
+ return 0;
156
+
157
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
158
+ s = q > sizeof(buf) ? sizeof(buf) : q;
159
+ if (!crngt_get_entropy(buf, md, &sz)
160
+ || memcmp(crngt_prev, md, sz) == 0
161
+ || !rand_pool_add(pool, buf, s, s * 8))
162
+ goto err;
163
+ memcpy(crngt_prev, md, sz);
164
+ t += s;
165
+ attempts++;
166
+ }
167
+ r = t;
168
+ *pout = rand_pool_detach(pool);
169
+err:
170
+ OPENSSL_cleanse(buf, sizeof(buf));
171
+ rand_pool_free(pool);
172
+ return r;
173
+}
174
+
175
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
176
+ unsigned char *out, size_t outlen)
177
+{
178
+ OPENSSL_secure_clear_free(out, outlen);
179
+}
180
Index: openssl-1.1.1d/crypto/rand/rand_lcl.h
181
===================================================================
182
--- openssl-1.1.1d.orig/crypto/rand/rand_lcl.h 2019-09-10 15:13:07.000000000 +0200
183
+++ openssl-1.1.1d/crypto/rand/rand_lcl.h 2020-01-23 13:45:11.384633930 +0100
184
185
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
186
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
187
188
-
189
+/*
190
+ * The number of bytes that constitutes an atomic lump of entropy with respect
191
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
192
+ * arbitrary, the smaller the value, the less entropy is consumed on first
193
+ * read but the higher the probability of the test failing by accident.
194
+ *
195
+ * The value is in bytes.
196
+ */
197
+#define CRNGT_BUFSIZ 16
198
199
/*
200
* Maximum input size for the DRBG (entropy, nonce, personalization string)
201
202
*/
203
# define DRBG_MAX_LENGTH INT32_MAX
204
205
+/* The default nonce */
206
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
207
208
/*
209
* Maximum allocation size for RANDOM_POOL buffers
210
211
/* initializes the AES-CTR DRBG implementation */
212
int drbg_ctr_init(RAND_DRBG *drbg);
213
214
+/*
215
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
216
+ * These need to be exposed for the unit tests.
217
+ */
218
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
219
+ unsigned int *md_size);
220
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
221
+ unsigned int *md_size);
222
+int rand_crngt_init(void);
223
+void rand_crngt_cleanup(void);
224
+
225
+/*
226
+ * Expose the run once initialisation function for the unit tests because.
227
+ * they need to restart from scratch to validate the first block is skipped
228
+ * properly.
229
+ */
230
+int rand_crngt_single_init(void);
231
+
232
#endif
233
Index: openssl-1.1.1d/test/drbgtest.c
234
===================================================================
235
--- openssl-1.1.1d.orig/test/drbgtest.c 2019-09-10 15:13:07.000000000 +0200
236
+++ openssl-1.1.1d/test/drbgtest.c 2020-01-23 13:45:11.384633930 +0100
237
238
return t->noncelen;
239
}
240
241
+ /*
242
+ * Disable CRNG testing if it is enabled.
243
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
244
+ * for which the default personalisation string is used.
245
+ */
246
+static int disable_crngt(RAND_DRBG *drbg)
247
+{
248
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
249
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
250
+
251
+ if (drbg->get_entropy != rand_crngt_get_entropy)
252
+ return 1;
253
+
254
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
255
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
256
+ &rand_drbg_cleanup_entropy,
257
+ &rand_drbg_get_nonce,
258
+ &rand_drbg_cleanup_nonce))
259
+ || (instantiate
260
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
261
+ sizeof(pers) - 1)))
262
+ return 0;
263
+ return 1;
264
+}
265
+
266
static int uninstantiate(RAND_DRBG *drbg)
267
{
268
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
269
270
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
271
return 0;
272
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
273
- kat_nonce, NULL))) {
274
+ kat_nonce, NULL))
275
+ || !TEST_true(disable_crngt(drbg))) {
276
failures++;
277
goto err;
278
}
279
280
unsigned int reseed_counter_tmp;
281
int ret = 0;
282
283
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
284
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
285
+ || !TEST_true(disable_crngt(drbg)))
286
goto err;
287
288
/*
289
290
|| !TEST_ptr_eq(private->parent, master))
291
return 0;
292
293
+ /* Disable CRNG testing for the master DRBG */
294
+ if (!TEST_true(disable_crngt(master)))
295
+ return 0;
296
+
297
/* uninstantiate the three global DRBGs */
298
RAND_DRBG_uninstantiate(private);
299
RAND_DRBG_uninstantiate(public);
300
301
size_t rand_buflen;
302
size_t required_seed_buflen = 0;
303
304
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
305
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())
306
+ || !TEST_true(disable_crngt(master)))
307
return 0;
308
309
#ifdef OPENSSL_RAND_SEED_NONE
310
311
return 1;
312
}
313
314
+/*
315
+ * A list of the FIPS DRGB types.
316
+ */
317
+static const struct s_drgb_types {
318
+ int nid;
319
+ int flags;
320
+} drgb_types[] = {
321
+ { NID_aes_128_ctr, 0 },
322
+ { NID_aes_192_ctr, 0 },
323
+ { NID_aes_256_ctr, 0 },
324
+};
325
+
326
+/* Six cases for each covers seed sizes up to 32 bytes */
327
+static const size_t crngt_num_cases = 6;
328
+
329
+static size_t crngt_case, crngt_idx;
330
+
331
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
332
+ unsigned int *md_size)
333
+{
334
+ size_t i, z;
335
+
336
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
337
+ return 0;
338
+ /* Generate a block of unique data unless this is the duplication point */
339
+ z = crngt_idx++;
340
+ if (z > 0 && crngt_case == z)
341
+ z--;
342
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
343
+ buf[i] = (unsigned char)(i + 'A' + z);
344
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
345
+}
346
+
347
+static int test_crngt(int n)
348
+{
349
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
350
+ RAND_DRBG *drbg = NULL;
351
+ unsigned char buff[100];
352
+ size_t ent;
353
+ int res = 0;
354
+ int expect;
355
+
356
+ if (!TEST_true(rand_crngt_single_init()))
357
+ return 0;
358
+ rand_crngt_cleanup();
359
+
360
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
361
+ return 0;
362
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
363
+ crngt_case = n % crngt_num_cases;
364
+ crngt_idx = 0;
365
+ crngt_get_entropy = &crngt_entropy_cb;
366
+ if (!TEST_true(rand_crngt_init()))
367
+ goto err;
368
+#ifndef OPENSSL_FIPS
369
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
370
+ &rand_crngt_cleanup_entropy,
371
+ &rand_drbg_get_nonce,
372
+ &rand_drbg_cleanup_nonce)))
373
+ goto err;
374
+#endif
375
+ expect = crngt_case == 0 || crngt_case > ent;
376
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
377
+ goto err;
378
+ if (!expect)
379
+ goto fin;
380
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
381
+ goto err;
382
+
383
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
384
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
385
+ goto err;
386
+ if (!expect)
387
+ goto fin;
388
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
389
+ goto err;
390
+
391
+fin:
392
+ res = 1;
393
+err:
394
+ if (!res)
395
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
396
+ crngt_case, crngt_idx);
397
+ uninstantiate(drbg);
398
+ RAND_DRBG_free(drbg);
399
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
400
+ return res;
401
+}
402
+
403
int setup_tests(void)
404
{
405
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
406
407
#if defined(OPENSSL_THREADS)
408
ADD_TEST(test_multi_thread);
409
#endif
410
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
411
return 1;
412
}
413