Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
openssl-1_1
openssl-1_1-FIPS_drbg-rewire.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-1_1-FIPS_drbg-rewire.patch of Package openssl-1_1
Index: openssl-1.1.1l/crypto/fips/fips_drbg_lib.c =================================================================== --- openssl-1.1.1l.orig/crypto/fips/fips_drbg_lib.c +++ openssl-1.1.1l/crypto/fips/fips_drbg_lib.c @@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen) { + int len = (int)adinlen; + + if (len < 0 || (size_t)len != adinlen) { + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); + return 0; + } + RAND_seed(adin, len); + return 1; +} + +int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) +{ return drbg_reseed(dctx, adin, adinlen, 1); } @@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u int prediction_resistance, const unsigned char *adin, size_t adinlen) { + int len = (int)outlen; + + if (len < 0 || (size_t)len != outlen) { + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); + return 0; + } + return RAND_bytes(out, len); +} + +int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen) +{ int r = 0; if (FIPS_selftest_failed()) { Index: openssl-1.1.1l/crypto/fips/fips_drbg_rand.c =================================================================== --- openssl-1.1.1l.orig/crypto/fips/fips_drbg_rand.c +++ openssl-1.1.1l/crypto/fips/fips_drbg_rand.c @@ -57,6 +57,8 @@ #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/fips.h> +#define FIPS_DRBG_generate FIPS_DRBG_generate_internal +#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal #include <openssl/fips_rand.h> #include "fips_rand_lcl.h" Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c =================================================================== --- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c +++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c @@ -55,6 +55,8 @@ #include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/fips.h> +#define FIPS_DRBG_generate FIPS_DRBG_generate_internal +#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal #include <openssl/fips_rand.h> #include "fips_rand_lcl.h" #include "fips_locl.h" Index: openssl-1.1.1l/crypto/fips/fips_rand_lib.c =================================================================== --- openssl-1.1.1l.orig/crypto/fips/fips_rand_lib.c +++ openssl-1.1.1l/crypto/fips/fips_rand_lib.c @@ -120,6 +120,7 @@ void FIPS_rand_reset(void) int FIPS_rand_seed(const void *buf, int num) { +#if 0 if (!fips_approved_rand_meth && FIPS_module_mode()) { FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); return 0; @@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int if (fips_rand_meth && fips_rand_meth->seed) fips_rand_meth->seed(buf, num); return 1; +#else + RAND_seed(buf, num); + return 1; +#endif } int FIPS_rand_bytes(unsigned char *buf, int num) { +#if 0 if (!fips_approved_rand_meth && FIPS_module_mode()) { FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); return 0; @@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, if (fips_rand_meth && fips_rand_meth->bytes) return fips_rand_meth->bytes(buf, num); return 0; +#else + return RAND_bytes(buf, num); +#endif } int FIPS_rand_status(void) { +#if 0 if (!fips_approved_rand_meth && FIPS_module_mode()) { FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); return 0; @@ -149,6 +159,9 @@ int FIPS_rand_status(void) if (fips_rand_meth && fips_rand_meth->status) return fips_rand_meth->status(); return 0; +#else + return RAND_status(); +#endif } /* Return instantiated strength of PRNG. For DRBG this is an internal Index: openssl-1.1.1l/include/openssl/fips.h =================================================================== --- openssl-1.1.1l.orig/include/openssl/fips.h +++ openssl-1.1.1l/include/openssl/fips.h @@ -64,6 +64,11 @@ extern "C" { int FIPS_selftest(void); int FIPS_selftest_failed(void); + + /* + * This function is deprecated as it performs selftest of the old FIPS drbg + * implementation that is not validated. + */ int FIPS_selftest_drbg_all(void); void NONFIPS_selftest_check(void); Index: openssl-1.1.1l/include/openssl/fips_rand.h =================================================================== --- openssl-1.1.1l.orig/include/openssl/fips_rand.h +++ openssl-1.1.1l/include/openssl/fips_rand.h @@ -60,6 +60,20 @@ # ifdef __cplusplus extern "C" { # endif + +/* + * IMPORTANT NOTE: + * All functions in this header file are deprecated and should not be used + * as they use the old FIPS_drbg implementation that is not FIPS validated + * anymore. + * To provide backwards compatibility for applications that need FIPS compliant + * RNG number generation and use FIPS_drbg_generate, this function was + * re-wired to call the FIPS validated DRBG instance instead through + * the RAND_bytes() call. + * + * All these functions will be removed in future. + */ + typedef struct drbg_ctx_st DRBG_CTX; /* DRBG external flags */ /* Flag for CTR mode only: use derivation function ctr_df */ Index: openssl-1.1.1l/crypto/fips/fips_post.c =================================================================== --- openssl-1.1.1l.orig/crypto/fips/fips_post.c +++ openssl-1.1.1l/crypto/fips/fips_post.c @@ -72,8 +72,13 @@ int FIPS_selftest(void) { int rv = 1; +#if 0 + /* This selftest is deprecated as it uses the old FIPS_drbg + * implementation that is not FIPS validated. + */ if (!FIPS_selftest_drbg_all()) rv = 0; +#endif if (!FIPS_selftest_sha1()) rv = 0; if (!FIPS_selftest_sha2())
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor