[openssl/openssl] 830a47: seed_src_jitter: prevent hypothetical getrandom fa...


Dimitri John Ledkov

Dec 4, 2025, 4:18:37 PM
to openssl...@openssl.org
Branch: refs/heads/openssl-3.5
Home: https://github.com/openssl/openssl
Commit: 830a476451ff3d0a9a02a2430bb60da4e981541e
https://github.com/openssl/openssl/commit/830a476451ff3d0a9a02a2430bb60da4e981541e
Author: Dimitri John Ledkov <dimitri...@surgut.co.uk>
Date: 2025-12-05 (Fri, 05 Dec 2025)

Changed paths:
M providers/implementations/rands/seed_src_jitter.c

Log Message:
-----------
seed_src_jitter: prevent hypothetical getrandom fallback

In a hypothetical scenario that jent_entropy_init_ex fails, or if
get_jitter_random_value fails, there are a few unexpected
possibilities.

If jent_entropy_init_ex fails, the seed initialisation may return NULL
and then DRBG will be initiated with NULL seed, which will
automatically fallback to os-seed, which will escape module boundary
(if this jitter rng is from the fips module), and call getrandom
syscall.

And separately if get_jitter_random_value fails, it may put DRBG in an
error state, but it might not put the FIPS module in error state, like
it should as per the ISO standard.

To instrument these things, I had to create tampered
jitterentropy-library that always returns errors for init_ex and
read_entropy apis, and then use gdb tracing on both libcrypto.so and
fips.so.

The most minimal solution to the above hypothetical error code paths is
to simply call ossl_set_error_state. It is either harmless, or in case
of fips-jitter will correctly put the FIPS module into error state and
prevent any further operation; and crucially prevent silent fallback
to the getrandom syscall.

Note it is unlikely that this ever was out of compliance, as often
enough the getrandom syscall goes to a kernel with a validated entropy
source; and the openssl fips module still did reject sampling which is too
entropy source compliant.

Nonetheless it is good to fix this hypothetical error path, and
backport this to 3.5 and up.

This is a similar / additional fix to these previous changes:
- https://github.com/openssl/openssl/pull/25957
- https://github.com/openssl/openssl/commit/b9886a6f3483e0525596d3b3956416282038da82

Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Paul Dale <paul...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29226)

(cherry picked from commit 21069c983bc385f46c522e0bf7edbefabc6d4d19)
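An added illustration (example code written for this page, not part of the commit, the notification, or OpenSSL's own sources): a small C model of the two seed paths the message describes. Every name in it (the `module` struct, `jitter_init`, `jitter_read`, `os_seed`, `seed_naive`, `seed_fixed`, `module_generate`, the `g_jitter_broken` switch) is a stand-in invented for this example, not an OpenSSL or jitterentropy-library API. `seed_naive` shows the silent fallback across the module boundary when the jitter source fails; `seed_fixed` shows the fail-closed pattern, where either failure latches an error state that every later operation honours.

```c
/* Added example, not OpenSSL code: a minimal model of the failure path the
 * commit message describes. A "module" owns a jitter seed source. The naive
 * path seeds from a stand-in OS source when jitter fails; the fixed path
 * records a module-wide error state and refuses all further work instead. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical module state: a single error-state latch. */
struct module { bool in_error_state; };

enum seed_origin { SEED_NONE = 0, SEED_JITTER = 1, SEED_OS_FALLBACK = 2 };

/* Simulates the "tampered jitterentropy-library that always returns errors"
 * the author used for instrumentation: when set, init and read both fail. */
static bool g_jitter_broken = false;

/* Stand-ins for the jitter init and read calls (not the real jent_* API). */
static int jitter_init(void) { return g_jitter_broken ? -1 : 0; }
static int jitter_read(uint8_t *buf, size_t len) {
    if (g_jitter_broken) return -1;
    memset(buf, 0x4a, len);  /* constructed, fixed bytes stand in for entropy */
    return 0;
}

/* Stand-in for the getrandom(2) fallback that lives outside the module boundary. */
static int os_seed(uint8_t *buf, size_t len) { memset(buf, 0x05, len); return 0; }

/* Naive behaviour: a failed jitter init yields no seed from the module, so the
 * caller silently reseeds from the OS source across the boundary. */
enum seed_origin seed_naive(struct module *m, uint8_t *buf, size_t len) {
    (void)m;  /* the naive path never touches module state */
    if (jitter_init() == 0 && jitter_read(buf, len) == 0)
        return SEED_JITTER;
    os_seed(buf, len);
    return SEED_OS_FALLBACK;
}

/* Fixed behaviour, following the pattern in the commit (set the error state on
 * either failure): the module latches into error state and no fallback occurs. */
enum seed_origin seed_fixed(struct module *m, uint8_t *buf, size_t len) {
    if (m->in_error_state) return SEED_NONE;
    if (jitter_init() != 0) { m->in_error_state = true; return SEED_NONE; }
    if (jitter_read(buf, len) != 0) { m->in_error_state = true; return SEED_NONE; }
    return SEED_JITTER;
}

/* Any other module operation must also fail once the error state is set. */
int module_generate(struct module *m, uint8_t *out, size_t len) {
    if (m->in_error_state) return -1;
    memset(out, 0x7f, len);  /* constructed output for the demo */
    return 0;
}

/* Driver: returns 0 when the naive model falls back to the OS source while the
 * fixed model fails closed and stays failed; a non-zero code names the step
 * that did not behave as expected. */
int demo(void) {
    struct module naive = {false}, fixed = {false};
    uint8_t buf[16];
    int rc = 0;

    g_jitter_broken = true;  /* the hypothetical scenario: jitter init fails */
    if (seed_naive(&naive, buf, sizeof buf) != SEED_OS_FALLBACK) rc = 1;
    else if (seed_fixed(&fixed, buf, sizeof buf) != SEED_NONE || !fixed.in_error_state) rc = 2;
    else if (module_generate(&fixed, buf, sizeof buf) != -1) rc = 3;
    else if (module_generate(&naive, buf, sizeof buf) != 0) rc = 4;  /* naive carries on */

    g_jitter_broken = false;  /* repair the source: the fixed module stays latched */
    if (rc == 0 && seed_fixed(&fixed, buf, sizeof buf) != SEED_NONE) rc = 5;
    return rc;
}
```

The point the model makes is the one the message makes: the cheap fix is not to improve the fallback but to make failure sticky at the module level, so a broken in-module entropy source can never be papered over by a source outside the boundary.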
