Bug 1706915

Summary: OpenSSL should implement continuous random test or use the kernel AF_ALG interface for random
Product: Red Hat Enterprise Linux 8 Reporter: Simo Sorce <ssorce>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: bsmejkal
Severity: high Docs Contact:
Priority: high    
Version: ---CC: bsmejkal, hkario
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.1.1b-3.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:40:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1591661    

Description Simo Sorce 2019-05-06 13:57:31 UTC 
FIPS requires continuous tests of the input to the libraries CSPRNG but the kernel getrandom() (or /dev[u]random) interface does not do it.

Available options is to implement tests in the library or use the kernel AF_ALG DRBG source which wil have these tests implemented in kernel.
Comment 1 Tomas Mraz 2019-05-06 14:00:40 UTC 
This should apply in the FIPS mode.
Comment 2 Tomas Mraz 2019-05-07 08:51:51 UTC 
I've backported an upstream patch that implements the continuous random test.
Comment 6 bsmejkal 2019-06-26 13:22:15 UTC 
Patch is present and correctly applied in openssl-1.1.1c
Marking as Verified:SanityOnly.
Comment 8 errata-xmlrpc 2019-11-05 22:40:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3700