File openssl-1.1.1-fips-crng-test.patch of Package openssl-1_1
409
1
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info2
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +02003
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +02004
5
LIBS=../../libcrypto6
SOURCE[../../libcrypto]=\7
- randfile.c rand_lib.c rand_err.c rand_egd.c \8
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \9
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c10
11
INCLUDE[drbg_ctr.o]=../modes12
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c13
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +020014
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +020015
16
17
18
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */19
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";20
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;21
22
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;23
24
25
drbg->parent = parent;26
27
if (parent == NULL) {28
+#ifdef OPENSSL_FIPS29
+ drbg->get_entropy = rand_crngt_get_entropy;30
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;31
+#else32
drbg->get_entropy = rand_drbg_get_entropy;33
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;34
+#endif35
#ifndef RAND_DRBG_GET_RANDOM_NONCE36
drbg->get_nonce = rand_drbg_get_nonce;37
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;38
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c39
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +020040
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +020041
42
+/*43
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.44
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.45
+ *46
+ * Licensed under the Apache License 2.0 (the "License"). You may not use47
+ * this file except in compliance with the License. You can obtain a copy48
+ * in the file LICENSE in the source distribution or at49
+ * https://www.openssl.org/source/license.html50
+ */51
+52
+/*53
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.54
+ */55
+56
+#include <string.h>57
+#include <openssl/evp.h>58
+#include "crypto/rand.h"59
+#include "internal/thread_once.h"60
+#include "rand_local.h"61
+62
+static RAND_POOL *crngt_pool;63
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];64
+65
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)66
+ = &rand_crngt_get_entropy_cb;67
+68
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,69
+ unsigned int *md_size)70
+{71
+ int r;72
+ size_t n;73
+ unsigned char *p;74
+75
+ n = rand_pool_acquire_entropy(crngt_pool);76
+ if (n >= CRNGT_BUFSIZ) {77
+ p = rand_pool_detach(crngt_pool);78
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);79
+ if (r != 0)80
+ memcpy(buf, p, CRNGT_BUFSIZ);81
+ rand_pool_reattach(crngt_pool, p);82
+ return r;83
+ }84
+ return 0;85
+}86
+87
+void rand_crngt_cleanup(void)88
+{89
+ rand_pool_free(crngt_pool);90
+ crngt_pool = NULL;91
+}92
+93
+int rand_crngt_init(void)94
+{95
+ unsigned char buf[CRNGT_BUFSIZ];96
+97
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)98
+ return 0;99
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {100
+ OPENSSL_cleanse(buf, sizeof(buf));101
+ return 1;102
+ }103
+ rand_crngt_cleanup();104
+ return 0;105
+}106
+107
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;108
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)109
+{110
+ return OPENSSL_init_crypto(0, NULL)111
+ && rand_crngt_init()112
+ && OPENSSL_atexit(&rand_crngt_cleanup);113
+}114
+115
+int rand_crngt_single_init(void)116
+{117
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);118
+}119
+120
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,121
+ unsigned char **pout,122
+ int entropy, size_t min_len, size_t max_len,123
+ int prediction_resistance)124
+{125
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];126
+ unsigned int sz;127
+ RAND_POOL *pool;128
+ size_t q, r = 0, s, t = 0;129
+ int attempts = 3;130
+131
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))132
+ return 0;133
+134
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)135
+ return 0;136
+137
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {138
+ s = q > sizeof(buf) ? sizeof(buf) : q;139
+ if (!crngt_get_entropy(buf, md, &sz)140
+ || memcmp(crngt_prev, md, sz) == 0141
+ || !rand_pool_add(pool, buf, s, s * 8))142
+ goto err;143
+ memcpy(crngt_prev, md, sz);144
+ t += s;145
+ attempts++;146
+ }147
+ r = t;148
+ *pout = rand_pool_detach(pool);149
+err:150
+ OPENSSL_cleanse(buf, sizeof(buf));151
+ rand_pool_free(pool);152
+ return r;153
+}154
+155
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,156
+ unsigned char *out, size_t outlen)157
+{158
+ OPENSSL_secure_clear_free(out, outlen);159
+}160
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h161
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200162
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200163
164
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */165
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */166
167
-168
+/*169
+ * The number of bytes that constitutes an atomic lump of entropy with respect170
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat171
+ * arbitrary, the smaller the value, the less entropy is consumed on first172
+ * read but the higher the probability of the test failing by accident.173
+ *174
+ * The value is in bytes.175
+ */176
+#define CRNGT_BUFSIZ 16177
178
/*179
* Maximum input size for the DRBG (entropy, nonce, personalization string)180
181
*/182
# define DRBG_MAX_LENGTH INT32_MAX183
184
+/* The default nonce */185
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"186
187
/*188
* Maximum allocation size for RANDOM_POOL buffers189
190
/* initializes the AES-CTR DRBG implementation */191
int drbg_ctr_init(RAND_DRBG *drbg);192
193
+/*194
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.195
+ * These need to be exposed for the unit tests.196
+ */197
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,198
+ unsigned int *md_size);199
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,200
+ unsigned int *md_size);201
+int rand_crngt_init(void);202
+void rand_crngt_cleanup(void);203
+204
+/*205
+ * Expose the run once initialisation function for the unit tests because.206
+ * they need to restart from scratch to validate the first block is skipped207
+ * properly.208
+ */209
+int rand_crngt_single_init(void);210
+211
#endif212
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h213
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200214
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200215
216
217
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);218
219
+/* CRNG test entropy filter callbacks. */220
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,221
+ unsigned char **pout,222
+ int entropy, size_t min_len, size_t max_len,223
+ int prediction_resistance);224
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,225
+ unsigned char *out, size_t outlen);226
+227
/*228
* RAND_POOL functions229
*/230
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c231
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200232
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200233
234
return t->noncelen;235
}236
237
+ /*238
+ * Disable CRNG testing if it is enabled.239
+ * If the DRBG is ready or in an error state, this means an instantiate cycle240
+ * for which the default personalisation string is used.241
+ */242
+static int disable_crngt(RAND_DRBG *drbg)243
+{244
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;245
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;246
+247
+ if (drbg->get_entropy != rand_crngt_get_entropy)248
+ return 1;249
+250
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))251
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,252
+ &rand_drbg_cleanup_entropy,253
+ &rand_drbg_get_nonce,254
+ &rand_drbg_cleanup_nonce))255
+ || (instantiate256
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,257
+ sizeof(pers) - 1)))258
+ return 0;259
+ return 1;260
+}261
+262
static int uninstantiate(RAND_DRBG *drbg)263
{264
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);265
266
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))267
return 0;268
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,269
- kat_nonce, NULL))) {270
+ kat_nonce, NULL))271
+ || !TEST_true(disable_crngt(drbg))) {272
failures++;273
goto err;274
}275
276
unsigned int reseed_counter_tmp;277
int ret = 0;278
279
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))280
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))281
+ || !TEST_true(disable_crngt(drbg)))282
goto err;283
284
/*285
286
|| !TEST_ptr_eq(private->parent, master))287
return 0;288
289
+ /* Disable CRNG testing for the master DRBG */290
+ if (!TEST_true(disable_crngt(master)))291
+ return 0;292
+293
/* uninstantiate the three global DRBGs */294
RAND_DRBG_uninstantiate(private);295
RAND_DRBG_uninstantiate(public);296
297
size_t rand_buflen;298
size_t required_seed_buflen = 0;299
300
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))301
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())302
+ || !TEST_true(disable_crngt(master)))303
return 0;304
305
#ifdef OPENSSL_RAND_SEED_NONE306
307
return 1;308
}309
310
+/*311
+ * A list of the FIPS DRGB types.312
+ */313
+static const struct s_drgb_types {314
+ int nid;315
+ int flags;316
+} drgb_types[] = {317
+ { NID_aes_128_ctr, 0 },318
+ { NID_aes_192_ctr, 0 },319
+ { NID_aes_256_ctr, 0 },320
+};321
+322
+/* Six cases for each covers seed sizes up to 32 bytes */323
+static const size_t crngt_num_cases = 6;324
+325
+static size_t crngt_case, crngt_idx;326
+327
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,328
+ unsigned int *md_size)329
+{330
+ size_t i, z;331
+332
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))333
+ return 0;334
+ /* Generate a block of unique data unless this is the duplication point */335
+ z = crngt_idx++;336
+ if (z > 0 && crngt_case == z)337
+ z--;338
+ for (i = 0; i < CRNGT_BUFSIZ; i++)339
+ buf[i] = (unsigned char)(i + 'A' + z);340
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);341
+}342
+343
+static int test_crngt(int n)344
+{345
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;346
+ RAND_DRBG *drbg = NULL;347
+ unsigned char buff[100];348
+ size_t ent;349
+ int res = 0;350
+ int expect;351
+352
+ if (!TEST_true(rand_crngt_single_init()))353
+ return 0;354
+ rand_crngt_cleanup();355
+356
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))357
+ return 0;358
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;359
+ crngt_case = n % crngt_num_cases;360
+ crngt_idx = 0;361
+ crngt_get_entropy = &crngt_entropy_cb;362
+ if (!TEST_true(rand_crngt_init()))363
+ goto err;364
+#ifndef OPENSSL_FIPS365
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,366
+ &rand_crngt_cleanup_entropy,367
+ &rand_drbg_get_nonce,368
+ &rand_drbg_cleanup_nonce)))369
+ goto err;370
+#endif371
+ expect = crngt_case == 0 || crngt_case > ent;372
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))373
+ goto err;374
+ if (!expect)375
+ goto fin;376
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))377
+ goto err;378
+379
+ expect = crngt_case == 0 || crngt_case > 2 * ent;380
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))381
+ goto err;382
+ if (!expect)383
+ goto fin;384
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))385
+ goto err;386
+387
+fin:388
+ res = 1;389
+err:390
+ if (!res)391
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,392
+ crngt_case, crngt_idx);393
+ uninstantiate(drbg);394
+ RAND_DRBG_free(drbg);395
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;396
+ return res;397
+}398
+399
int setup_tests(void)400
{401
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);402
403
#if defined(OPENSSL_THREADS)404
ADD_TEST(test_multi_thread);405
#endif406
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));407
return 1;408
}409