From fc4552015087145d0dcb7b6036075f0609e174be Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 2 Aug 2022 18:32:36 +0200
Subject: [PATCH] Reseed all the parent DRBGs in chain on reseeding a DRBG

Related: rhbz#2102541
---
 0076-FIPS-140-3-DRBG.patch | 129 +++++++++++++++++++++++++++++++++++++
 openssl.spec               |   5 ++
 2 files changed, 134 insertions(+)
 create mode 100644 0076-FIPS-140-3-DRBG.patch

diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
new file mode 100644
index 0000000..0d91598
--- /dev/null
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -0,0 +1,129 @@
+diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
+--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand	2022-08-03 11:09:01.301637515 +0200
++++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c	2022-08-03 11:13:00.058688605 +0200
+@@ -48,6 +48,8 @@
+ # include <fcntl.h>
+ # include <unistd.h>
+ # include <sys/time.h>
++# include <sys/random.h>
++# include <openssl/evp.h>
+ 
+ static uint64_t get_time_stamp(void);
+ static uint64_t get_timer_bits(void);
+@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
+      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
+      * between size_t and ssize_t is safe even without a range check.
+      */
+-
+-    /*
+-     * Do runtime detection to find getentropy().
+-     *
+-     * Known OSs that should support this:
+-     * - Darwin since 16 (OSX 10.12, IOS 10.0).
+-     * - Solaris since 11.3
+-     * - OpenBSD since 5.6
+-     * - Linux since 3.17 with glibc 2.25
+-     * - FreeBSD since 12.0 (1200061)
+-     *
+-     * Note: Sometimes getentropy() can be provided but not implemented
+-     * internally. So we need to check errno for ENOSYS
+-     */
+-#  if !defined(__DragonFly__) && !defined(__NetBSD__)
+-#    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+-    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+-
+-    if (getentropy != NULL) {
+-        if (getentropy(buf, buflen) == 0)
+-            return (ssize_t)buflen;
+-        if (errno != ENOSYS)
+-            return -1;
+-    }
+-#    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-
+-    if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+-	    return (ssize_t)buflen;
+-
+-    return -1;
+-#    else
+-    union {
+-        void *p;
+-        int (*f)(void *buffer, size_t length);
+-    } p_getentropy;
+-
+-    /*
+-     * We could cache the result of the lookup, but we normally don't
+-     * call this function often.
+-     */
+-    ERR_set_mark();
+-    p_getentropy.p = DSO_global_lookup("getentropy");
+-    ERR_pop_to_mark();
+-    if (p_getentropy.p != NULL)
+-        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+-#    endif
+-#  endif /* !__DragonFly__ */
+-
+-    /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
+-#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+-    return sysctl_random(buf, buflen);
+-#  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
+-     || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
+-    return getrandom(buf, buflen, 0);
+-#  else
+-    errno = ENOSYS;
+-    return -1;
+-#  endif
++    /* Red Hat uses downstream patch to always seed from getrandom() */
++    return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
+ }
+ #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+ 
+diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
+--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand	2022-08-03 12:14:39.409370134 +0200
++++ openssl-3.0.1/providers/implementations/rands/drbg.c	2022-08-03 12:19:06.320700346 +0200
+@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    prediction_resistance = 1;
++#endif
+     /* Reseed using our sources in addition */
+     entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                              drbg->min_entropylen, drbg->max_entropylen,
+diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
+--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand	2022-08-04 12:17:52.148556301 +0200
++++ openssl-3.0.1/crypto/rand/prov_seed.c	2022-08-04 12:19:41.783533552 +0200
+@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
+     size_t entropy_available;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
+         return 0;
+diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
+--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand	2022-08-04 11:56:10.100950299 +0200
++++ openssl-3.0.1/providers/implementations/rands/crngt.c	2022-08-04 11:59:11.241564925 +0200
+@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
+      * to the nearest byte.  If the entropy is of less than full quality,
+      * the amount required should be scaled up appropriately here.
+      */
+-    bytes_needed = (entropy + 7) / 8;
++    /*
++     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
++     * + 128 bits during initial seeding
++     */
++    bytes_needed = (entropy + 128 + 7) / 8;
+     if (bytes_needed < min_len)
+         bytes_needed = min_len;
+     if (bytes_needed > max_len)
diff --git a/openssl.spec b/openssl.spec
index ed6475a..29dbd89 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -155,6 +155,9 @@ Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
 Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
 Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
+# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+Patch76: 0076-FIPS-140-3-DRBG.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -492,6 +495,8 @@ install -m644 %{SOURCE9} \
   Related: rhbz#2102537
 - Use signature for RSA pairwise test according FIPS-140-3 requirements
   Related: rhbz#2102540
+- Reseed all the parent DRBGs in chain on reseeding a DRBG
+  Related: rhbz#2102541
 
 * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39
 - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test