authorJung-uk Kim <jkim@FreeBSD.org>2014-01-22 19:27:13 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2014-01-22 19:27:13 +0000
commit2dc7f78169ea4545102b8d9b0604f785cdc798f5 (patch)
tree916b5f4a06b1f51b6af3e4437ab74e3d27e9cdd9 /crypto/rand
parentcbbee3a581d0bbf1b738c0805da55a438c265a20 (diff)
Import OpenSSL 1.0.1f.vendor/openssl/1.0.1f
Approved by: so (delphij), benl (silence)
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=261035 svn path=/vendor-crypto/openssl/1.0.1f/; revision=261036; tag=vendor/openssl/1.0.1f
Diffstat (limited to 'crypto/rand')
-rw-r--r--crypto/rand/md_rand.c22
-rw-r--r--crypto/rand/rand.h1
-rw-r--r--crypto/rand/rand_err.c1
-rw-r--r--crypto/rand/rand_lib.c8
4 files changed, 27 insertions, 5 deletions
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 1e3bcb9bc426..dd291637275d 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -380,8 +380,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
* are fed into the hash function and the results are kept in the
* global 'md'.
*/
-
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+ /* NB: in FIPS mode we are already under a lock */
+ if (!FIPS_mode())
+#endif
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
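Review bot: FIPS_mode() is re-evaluated at every guarded lock and unlock site in ssleay_rand_bytes (this hunk and the ones at -460 and -512), so if the mode could change between an acquire and its release, CRYPTO_LOCK_RAND would be locked without being unlocked or the reverse. Reading the mode once into a local under `#ifdef OPENSSL_FIPS`, for example `int rand_locked_by_caller = FIPS_mode();`, and testing that local at all four sites would keep each lock/unlock pair consistent. The unbraced `if` separated from its statement by `#endif` is easy to break in a later edit, so bracing the guarded call or hiding it behind a small macro would help. The comment "already under a lock" should also say which lock is meant and which caller takes it, since the safety of the unguarded update of the global `md` in the -512 hunk depends on it. The function body starts and ends outside these hunks.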
@@ -460,7 +463,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
while (num > 0)
{
@@ -512,10 +518,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
MD_Init(&m);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
MD_Update(&m,md,MD_DIGEST_LENGTH);
MD_Final(&m,md);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
EVP_MD_CTX_cleanup(&m);
if (ok)
diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h
index dc8fcf94c5aa..bb5520e80ac1 100644
--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
#define RAND_F_SSLEAY_RAND_BYTES 100
/* Reason codes. */
+#define RAND_R_DUAL_EC_DRBG_DISABLED 104
#define RAND_R_ERROR_INITIALISING_DRBG 102
#define RAND_R_ERROR_INSTANTIATING_DRBG 103
#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c
index b8586c8f4a9c..c4c80fc8ccad 100644
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
static ERR_STRING_DATA RAND_str_reasons[]=
{
+{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 476a0cd187ee..5ac0e14caf00 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -269,6 +269,14 @@ int RAND_init_fips(void)
DRBG_CTX *dctx;
size_t plen;
unsigned char pers[32], *p;
+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+ if (fips_drbg_type >> 16)
+ {
+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+ return 0;
+ }
+#endif
+
dctx = FIPS_get_default_drbg();
if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
{
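Review bot: The test `if (fips_drbg_type >> 16)` in RAND_init_fips rejects a DRBG type by bit position alone, and nothing in the hunk says why the upper bits identify Dual EC DRBG. A comment above the check would make the intent auditable, for example `/* Dual EC DRBG types presumably encode the curve in the upper 16 bits; refuse them unless OPENSSL_ALLOW_DUAL_EC_DRBG is defined */`, with the encoding confirmed against the FIPS module headers. If `fips_drbg_type` is a signed int (its declaration is outside the hunk), a mask such as `(fips_drbg_type & ~0xffff) != 0` avoids relying on the right shift of a possibly negative value. The check fails closed with an error and `return 0`, which is the right default. The function body continues past the end of the hunk.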