FIPS mode changes to make RNG compile (this will need updating later as we

need a whole new PRNG for FIPS). 1. avoid use of ERR_peek(). 2. If compiling with FIPS use small FIPS EVP and disable ENGINE
2011-01-26 14:52:04 +00:00 · 2011-01-26 14:52:04 +00:00 · 4ead4e5241
commit 4ead4e5241
parent 1ab2f7f1cb
2 changed files with 21 additions and 16 deletions
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@ -109,6 +109,8 @@
 *
 */

+#define OPENSSL_FIPSEVP
+
 #ifdef MD_RAND_DEBUG
 # ifndef NDEBUG
 #   define NDEBUG
@ -157,13 +159,14 @@ const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
 static void ssleay_rand_cleanup(void);
 static int ssleay_rand_seed(const void *buf, int num);
 static int ssleay_rand_add(const void *buf, int num, double add_entropy);
-static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_status(void);

 RAND_METHOD rand_ssleay_meth={
 	ssleay_rand_seed,
-	ssleay_rand_bytes,
+	ssleay_rand_nopseudo_bytes,
 	ssleay_rand_cleanup,
 	ssleay_rand_add,
 	ssleay_rand_pseudo_bytes,
@ -340,7 +343,7 @@ static int ssleay_rand_seed(const void *buf, int num)
 	return ssleay_rand_add(buf, num, (double)num);
 	}

-static int ssleay_rand_bytes(unsigned char *buf, int num)
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	{
 	static volatile int stirred_pool = 0;
 	int i,j,k,st_num,st_idx;
@ -542,7 +545,9 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)
 		return(1);
-	else
+	else if (pseudo)
+		return 0;
+	else 
 		{
 		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
 		ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
@ -556,22 +561,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)

 	}

+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
+	{
+	return ssleay_rand_bytes(buf, num, 0);
+	}
+
 /* pseudo-random bytes that are guaranteed to be unique but not
   unpredictable */
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
 	{
-	int ret;
-	unsigned long err;
-
-	ret = RAND_bytes(buf, num);
-	if (ret == 0)
-		{
-		err = ERR_peek_error();
-		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
-		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
-			ERR_clear_error();
-		}
-	return (ret);
+	return ssleay_rand_bytes(buf, num, 1);
 	}

 static int ssleay_rand_status(void)
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -60,6 +60,12 @@
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
+
+#ifdef OPENSSL_FIPSCANISTER
+#define OPENSSL_NO_ENGINE
+#include <openssl/fips.h>
+#endif
+
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif