| 1 |
wellsi |
1.1 |
Seed the FIPS rng directly from the kernel random device. |
| 2 |
|
|
diff -up openssl-fips-0.9.8e/crypto/rand/rand_lcl.h.rng-seed openssl-fips-0.9.8e/crypto/rand/rand_lcl.h |
| 3 |
|
|
--- openssl-fips-0.9.8e/crypto/rand/rand_lcl.h.rng-seed 2009-04-15 13:48:50.000000000 +0200 |
| 4 |
|
|
+++ openssl-fips-0.9.8e/crypto/rand/rand_lcl.h 2009-04-15 13:48:51.000000000 +0200 |
| 5 |
|
|
@@ -112,7 +112,7 @@ |
| 6 |
|
|
#ifndef HEADER_RAND_LCL_H |
| 7 |
|
|
#define HEADER_RAND_LCL_H |
| 8 |
|
|
|
| 9 |
|
|
-#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ |
| 10 |
|
|
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */ |
| 11 |
|
|
|
| 12 |
|
|
|
| 13 |
|
|
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) |
| 14 |
|
|
diff -up openssl-fips-0.9.8e/fips/fips.c.rng-seed openssl-fips-0.9.8e/fips/fips.c |
| 15 |
|
|
--- openssl-fips-0.9.8e/fips/fips.c.rng-seed 2009-04-15 13:48:51.000000000 +0200 |
| 16 |
|
|
+++ openssl-fips-0.9.8e/fips/fips.c 2009-04-15 13:48:51.000000000 +0200 |
| 17 |
|
|
@@ -508,22 +508,22 @@ int FIPS_mode_set(int onoff) |
| 18 |
|
|
goto end; |
| 19 |
|
|
} |
| 20 |
|
|
|
| 21 |
|
|
+ /* now switch into FIPS mode */ |
| 22 |
|
|
+ fips_set_rand_check(FIPS_rand_method()); |
| 23 |
|
|
+ RAND_set_rand_method(FIPS_rand_method()); |
| 24 |
|
|
+ |
| 25 |
|
|
/* automagically seed PRNG if not already seeded */ |
| 26 |
|
|
if(!FIPS_rand_status()) |
| 27 |
|
|
{ |
| 28 |
|
|
- if(RAND_bytes(buf,sizeof buf) <= 0) |
| 29 |
|
|
+ RAND_poll(); |
| 30 |
|
|
+ if (!FIPS_rand_status()) |
| 31 |
|
|
{ |
| 32 |
|
|
fips_selftest_fail = 1; |
| 33 |
|
|
ret = 0; |
| 34 |
|
|
goto end; |
| 35 |
|
|
} |
| 36 |
|
|
- FIPS_rand_set_key(buf,32); |
| 37 |
|
|
- FIPS_rand_seed(buf+32,16); |
| 38 |
|
|
} |
| 39 |
|
|
|
| 40 |
|
|
- /* now switch into FIPS mode */ |
| 41 |
|
|
- fips_set_rand_check(FIPS_rand_method()); |
| 42 |
|
|
- RAND_set_rand_method(FIPS_rand_method()); |
| 43 |
|
|
if(FIPS_selftest()) |
| 44 |
|
|
fips_set_mode(1); |
| 45 |
|
|
else |
| 46 |
|
|
diff -up openssl-fips-0.9.8e/fips/rand/fips_rand.c.rng-seed openssl-fips-0.9.8e/fips/rand/fips_rand.c |
| 47 |
|
|
--- openssl-fips-0.9.8e/fips/rand/fips_rand.c.rng-seed 2007-09-12 19:46:05.000000000 +0200 |
| 48 |
|
|
+++ openssl-fips-0.9.8e/fips/rand/fips_rand.c 2009-06-29 18:34:00.000000000 +0200 |
| 49 |
|
|
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_ |
| 50 |
|
|
{ |
| 51 |
|
|
int i; |
| 52 |
|
|
if (!ctx->keyed) |
| 53 |
|
|
- return 0; |
| 54 |
|
|
+ { |
| 55 |
|
|
+ FIPS_RAND_SIZE_T keylen = 16; |
| 56 |
|
|
+ |
| 57 |
|
|
+ if (seedlen - keylen < AES_BLOCK_LENGTH) |
| 58 |
|
|
+ return 0; |
| 59 |
|
|
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH) |
| 60 |
|
|
+ keylen += 8; |
| 61 |
|
|
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH) |
| 62 |
|
|
+ keylen += 8; |
| 63 |
|
|
+ seedlen -= keylen; |
| 64 |
|
|
+ fips_set_prng_key(ctx, seed+seedlen, keylen); |
| 65 |
|
|
+ } |
| 66 |
|
|
/* In test mode seed is just supplied data */ |
| 67 |
|
|
if (ctx->test_mode) |
| 68 |
|
|
{ |
| 69 |
|
|
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx, |
| 70 |
|
|
unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; |
| 71 |
|
|
unsigned char tmp[AES_BLOCK_LENGTH]; |
| 72 |
|
|
int i; |
| 73 |
|
|
+ FIPS_selftest_check(); |
| 74 |
|
|
if (ctx->error) |
| 75 |
|
|
{ |
| 76 |
|
|
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); |
Parent Directory
| 
Revision Log
| 
Revision Graph
