Stop everlasting RNG reseeding

Resolves: rhbz#2168224
epel8
Dmitry Belyavskiy 2 years ago
parent 9d8f618208
commit 9ebabfa10a

@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
+#else
reseed_required = 1;
+#endif
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.7
Release: 5%{?dist}
Release: 6%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -494,6 +494,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
Resolves: rhbz#2168224
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5
- Fixed X.509 Name Constraints Read Buffer Overflow
Resolves: CVE-2022-4203

Loading…
Cancel
Save