diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2011-01-26 14:52:04 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2011-01-26 14:52:04 +0000 |
| commit | 4ead4e5241bd08989f9d6305ff21f9da0614f955 (patch) | |
| tree | 7ab5cd279985cae9e80ebd564c2b996f86379d43 /crypto/rand | |
| parent | 1ab2f7f1cb6c9fa2747c39e60b5fe7e8ba15acef (diff) | |
| download | openssl-4ead4e5241bd08989f9d6305ff21f9da0614f955.tar.gz | |
FIPS mode changes to make RNG compile (this will need updating later as we
need a whole new PRNG for FIPS).
1. avoid use of ERR_peek().
2. If compiling with FIPS use small FIPS EVP and disable ENGINE
Diffstat (limited to 'crypto/rand')
| -rw-r--r-- | crypto/rand/md_rand.c | 31 | ||||
| -rw-r--r-- | crypto/rand/rand_lib.c | 6 |
2 files changed, 21 insertions, 16 deletions
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 943c936483..a06fd209d9 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -109,6 +109,8 @@ * */ +#define OPENSSL_FIPSEVP + #ifdef MD_RAND_DEBUG # ifndef NDEBUG # define NDEBUG @@ -157,13 +159,14 @@ const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); static int ssleay_rand_seed(const void *buf, int num); static int ssleay_rand_add(const void *buf, int num, double add_entropy); -static int ssleay_rand_bytes(unsigned char *buf, int num); +static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo); +static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_status(void); RAND_METHOD rand_ssleay_meth={ ssleay_rand_seed, - ssleay_rand_bytes, + ssleay_rand_nopseudo_bytes, ssleay_rand_cleanup, ssleay_rand_add, ssleay_rand_pseudo_bytes, @@ -340,7 +343,7 @@ static int ssleay_rand_seed(const void *buf, int num) return ssleay_rand_add(buf, num, (double)num); } -static int ssleay_rand_bytes(unsigned char *buf, int num) +static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo) { static volatile int stirred_pool = 0; int i,j,k,st_num,st_idx; @@ -542,7 +545,9 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) EVP_MD_CTX_cleanup(&m); if (ok) return(1); - else + else if (pseudo) + return 0; + else { RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " @@ -556,22 +561,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) } +static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) + { + return ssleay_rand_bytes(buf, num, 0); + } + /* pseudo-random bytes that are guaranteed to be unique but not unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret; - unsigned long err; - - ret = RAND_bytes(buf, num); - if (ret == 0) - { - err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_RAND && - ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) - ERR_clear_error(); - } - return (ret); + return ssleay_rand_bytes(buf, num, 1); } static int ssleay_rand_status(void) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 513e338985..3cf9ed5050 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -60,6 +60,12 @@ #include <time.h> #include "cryptlib.h" #include <openssl/rand.h> + +#ifdef OPENSSL_FIPSCANISTER +#define OPENSSL_NO_ENGINE +#include <openssl/fips.h> +#endif + #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif |