fips selftest: avoid relying on a real RNG for self tests

Rather than instantiate the private and primary DRBGs during the
selftest, instead use a test RNG.  This leaves the DRBG setup
pristine and permits later replacement of the seed source despite
the very early running power up self tests.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22210)

2 files changed, 5 insertions, 0 deletions

diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index 6a71a339c8..3b6ccecc06 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -125,4 +125,8 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
 size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
 int ossl_pool_add_nonce_data(RAND_POOL *pool);
 
+# ifdef FIPS_MODULE
+EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx);
+# endif
+
 #endif
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 5e3c132f5b..0a6ec1bbba 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -248,6 +248,7 @@ extern "C" {
 #define OSSL_RAND_PARAM_MAX_REQUEST             "max_request"
 #define OSSL_RAND_PARAM_TEST_ENTROPY            "test_entropy"
 #define OSSL_RAND_PARAM_TEST_NONCE              "test_nonce"
+#define OSSL_RAND_PARAM_GENERATE                "generate"
 
 /* RAND/DRBG names */
 #define OSSL_DRBG_PARAM_RESEED_REQUESTS         "reseed_requests"