From: Pauli <paul.dale@oracle.com>
Date: Tue, 30 Jun 2020 03:15:05 +0000 (+1000)
Subject: rand: detect if FIPS approved randomness sources are being used.
X-Git-Tag: openssl-3.0.0-alpha6~110
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45554b5c71403fec547fe0f56be558cc615c6966;p=thirdparty%2Fopenssl.git

rand: detect if FIPS approved randomness sources are being used.

This boils down to the operating system sources and RDRAND.
All other sources are not available in the FIPS module.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
---

diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index 69fa3f841e3..26d81d60540 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -37,6 +37,36 @@
 # include <sys/param.h>
 #endif
 
+/*
+ * Provide a compile time error if the FIPS module is being built and none
+ * of the supported entropy sources are available.
+ */
+#if defined(FIPS_MODULE)
+# if !defined(OPENSSL_RAND_SEED_GETRANDOM) \
+     && !defined(OPENSSL_RAND_SEED_DEVRANDOM) \
+     && !defined(OPENSSL_RAND_SEED_RDCPU) \
+     && !defined(OPENSSL_RAND_SEED_OS)
+#  error FIPS mode without supported randomness source
+# endif
+/* Remove the sources that are not permitted in FIPS */
+# ifdef OPENSSL_RAND_SEED_LIBRANDOM
+#  undef OPENSSL_RAND_SEED_LIBRANDOM
+#  warning FIPS mode does not support the _librandom_ randomness source
+# endif
+# ifdef OPENSSL_RAND_SEED_RDTSC
+#  undef OPENSSL_RAND_SEED_RDTSC
+#  warning FIPS mode does not support the _RDTSC_ randomness source
+# endif
+# ifdef OPENSSL_RAND_SEED_EGD
+#  undef OPENSSL_RAND_SEED_EGD
+#  warning FIPS mode does not support the _EGD_ randomness source
+# endif
+# ifdef OPENSSL_RAND_SEED_NONE
+#  undef OPENSSL_RAND_SEED_NONE
+#  warning FIPS mode does not support the _none_ randomness source
+# endif
+#endif
+
 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
      || defined(__DJGPP__)
 # include <sys/types.h>
@@ -609,7 +639,9 @@ size_t prov_pool_acquire_entropy(RAND_POOL *pool)
 #  if defined(OPENSSL_RAND_SEED_NONE)
     return rand_pool_entropy_available(pool);
 #  else
-    size_t entropy_available;
+    size_t entropy_available = 0;
+
+    (void)entropy_available;    /* avoid compiler warning */
 
 #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
     {