File openssl-1_1-FIPS-140-3-DRBG-prediction-resistance.patch of Package openssl-1_1.37526

Index: openssl-1.1.1w/crypto/rand/drbg_lib.c
===================================================================
--- openssl-1.1.1w.orig/crypto/rand/drbg_lib.c
+++ openssl-1.1.1w/crypto/rand/drbg_lib.c
@@ -426,6 +426,13 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
         return 0;
     }
 
+#ifdef OPENSSL_FIPS
+    /* Enable prediction resistance to comply with requirements on
+     * conditioning component chaining for IG D.K.
+     */
+     prediction_resistance = 1;
+#endif
+
     drbg->state = DRBG_ERROR;
     if (drbg->get_entropy != NULL)
         entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,
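Review bot: The added `prediction_resistance = 1;` overwrites the caller's argument without saying so, and it is indented five spaces where the rest of the function uses four. In a FIPS build every call to RAND_DRBG_reseed will therefore request fresh entropy regardless of what the caller passed, which presumably ties each reseed to the availability of the entropy source. The comment should state that the override is deliberate, for example `/* FIPS: the caller's prediction_resistance value is ignored on purpose; every reseed requests fresh entropy (IG D.K). */`. The function body starts and ends outside this hunk.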
Index: openssl-1.1.1w/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.1.1w.orig/crypto/rand/rand_lib.c
+++ openssl-1.1.1w/crypto/rand/rand_lib.c
@@ -185,6 +185,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *
         }
 
     } else {
+#ifndef OPENSSL_FIPS
         if (prediction_resistance) {
             /*
              * We don't have any entropy sources that comply with the NIST
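Review bot: With `#ifndef OPENSSL_FIPS` opened here and closed by the `#endif` in the next hunk, a FIPS build no longer has the RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED error path, so a request with prediction_resistance set goes straight to `rand_pool_acquire_entropy(pool)`. The comment that gets compiled out says the library has no entropy source meeting the NIST requirement, and nothing in the patch records why that no longer applies under FIPS. An `#else` branch with a comment such as `/* FIPS build: the polled system source is relied on to deliver fresh entropy per request; see <validation reference> */` would keep that assumption visible to whoever changes the entropy sources later. The enclosing function begins and ends outside these hunks.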
@@ -195,6 +196,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *
                     RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED);
             goto err;
         }
+#endif
 
         /* Get entropy by polling system entropy sources. */
         entropy_available = rand_pool_acquire_entropy(pool);
Index: openssl-1.1.1w/test/drbgtest.c
===================================================================
--- openssl-1.1.1w.orig/test/drbgtest.c
+++ openssl-1.1.1w/test/drbgtest.c
@@ -662,6 +662,8 @@ static int test_drbg_reseed(int expect_s
         || !TEST_int_eq(private->state, expected_state))
         return 0;
 
+#ifndef OPENSSL_FIPS
+    /* Do not check reseeding counters if prediction_resistance is enabled */
     if (expect_master_reseed >= 0) {
         /* Test whether master DRBG was reseeded as expected */
         if (!TEST_int_eq(master_ctx.reseed_count, expect_master_reseed))
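Review bot: Wrapping the counter checks in `#ifndef OPENSSL_FIPS` here, and the synchronisation check in the next hunk, leaves the FIPS build with no assertion on reseed_count or reseed_counter in test_drbg_reseed, so a regression in reseed propagation would pass unnoticed in exactly the configuration this patch changes. Rather than dropping the checks, consider asserting in an `#else` branch what the FIPS build is expected to do, presumably that each DRBG reseeds on every call. The comment `/* Do not check reseeding counters if prediction_resistance is enabled */` would read more accurately as `/* FIPS builds force prediction resistance on every reseed, so the non-FIPS counter expectations do not apply */`, and the blank line after its second copy can go. test_drbg_reseed's body extends beyond both hunks.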
@@ -679,12 +681,17 @@ static int test_drbg_reseed(int expect_s
         if (!TEST_int_eq(private_ctx.reseed_count, expect_private_reseed))
             return 0;
     }
+#endif
 
     if (expect_success == 1) {
+#ifndef OPENSSL_FIPS
+        /* Do not check reseeding counters if prediction_resistance is enabled */
+
         /* Test whether all three reseed counters are synchronized */
         if (!TEST_int_eq(public->reseed_counter, master->reseed_counter)
             || !TEST_int_eq(private->reseed_counter, master->reseed_counter))
             return 0;
+#endif
 
         /* Test whether reseed time of master DRBG is set correctly */
         if (!TEST_time_t_le(before_reseed, master->reseed_time)