|
 |
2ccfa6b |
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
|
|
|
2ccfa6b |
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
|
|
2ccfa6b |
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200
|
|
|
2ccfa6b |
@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
|
|
|
07bd81d |
goto end;
|
|
|
07bd81d |
}
|
|
|
07bd81d |
|
|
|
2ccfa6b |
+ /* now switch the RNG into FIPS mode */
|
|
|
07bd81d |
+ fips_set_rand_check(FIPS_rand_method());
|
|
|
07bd81d |
+ RAND_set_rand_method(FIPS_rand_method());
|
|
|
07bd81d |
+
|
|
|
07bd81d |
/* automagically seed PRNG if not already seeded */
|
|
|
07bd81d |
if(!FIPS_rand_status())
|
|
|
07bd81d |
{
|
|
|
07bd81d |
- if(RAND_bytes(buf,sizeof buf) <= 0)
|
|
|
07bd81d |
+ RAND_poll();
|
|
|
07bd81d |
+ if (!FIPS_rand_status())
|
|
|
07bd81d |
{
|
|
|
07bd81d |
fips_selftest_fail = 1;
|
|
|
07bd81d |
ret = 0;
|
|
|
07bd81d |
goto end;
|
|
|
07bd81d |
}
|
|
|
07bd81d |
- FIPS_rand_set_key(buf,32);
|
|
|
07bd81d |
- FIPS_rand_seed(buf+32,16);
|
|
|
07bd81d |
}
|
|
|
07bd81d |
|
|
|
07bd81d |
- /* now switch into FIPS mode */
|
|
|
07bd81d |
- fips_set_rand_check(FIPS_rand_method());
|
|
|
07bd81d |
- RAND_set_rand_method(FIPS_rand_method());
|
|
|
07bd81d |
if(FIPS_selftest())
|
|
|
07bd81d |
fips_set_mode(1);
|
|
|
07bd81d |
else
|
|
|
2ccfa6b |
diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
|
|
|
2ccfa6b |
--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
|
|
2ccfa6b |
+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200
|
|
|
44abf9d |
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
|
|
|
44abf9d |
{
|
|
|
44abf9d |
int i;
|
|
|
44abf9d |
if (!ctx->keyed)
|
|
|
44abf9d |
- return 0;
|
|
|
44abf9d |
+ {
|
|
|
44abf9d |
+ FIPS_RAND_SIZE_T keylen = 16;
|
|
|
44abf9d |
+
|
|
|
44abf9d |
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
|
|
|
44abf9d |
+ return 0;
|
|
|
44abf9d |
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
|
|
44abf9d |
+ keylen += 8;
|
|
|
44abf9d |
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
|
|
44abf9d |
+ keylen += 8;
|
|
|
44abf9d |
+ seedlen -= keylen;
|
|
|
44abf9d |
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
|
|
|
44abf9d |
+ }
|
|
|
44abf9d |
/* In test mode seed is just supplied data */
|
|
|
44abf9d |
if (ctx->test_mode)
|
|
|
44abf9d |
{
|
|
|
44abf9d |
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
|
|
|
44abf9d |
unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
|
|
|
44abf9d |
unsigned char tmp[AES_BLOCK_LENGTH];
|
|
|
44abf9d |
int i;
|
|
|
44abf9d |
+ FIPS_selftest_check();
|
|
|
44abf9d |
if (ctx->error)
|
|
|
44abf9d |
{
|
|
|
44abf9d |
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
|
|
|
2ccfa6b |
diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
|
|
|
2ccfa6b |
--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200
|
|
|
2ccfa6b |
+++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200
|
|
|
2ccfa6b |
@@ -112,8 +112,11 @@
|
|
|
2ccfa6b |
#ifndef HEADER_RAND_LCL_H
|
|
|
2ccfa6b |
#define HEADER_RAND_LCL_H
|
|
|
2ccfa6b |
|
|
|
2ccfa6b |
+#ifndef OPENSSL_FIPS
|
|
|
2ccfa6b |
#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
|
|
|
2ccfa6b |
-
|
|
|
2ccfa6b |
+#else
|
|
|
2ccfa6b |
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
|
|
|
2ccfa6b |
+#endif
|
|
|
2ccfa6b |
|
|
|
2ccfa6b |
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
|
|
2ccfa6b |
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|