You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
170 lines
6.4 KiB
170 lines
6.4 KiB
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c |
|
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 |
|
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, |
|
int FIPS_drbg_reseed(DRBG_CTX *dctx, |
|
const unsigned char *adin, size_t adinlen) |
|
{ |
|
+ int len = (int)adinlen; |
|
+ |
|
+ if (len < 0 || (size_t)len != adinlen) { |
|
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); |
|
+ return 0; |
|
+ } |
|
+ RAND_seed(adin, len); |
|
+ return 1; |
|
+} |
|
+ |
|
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, |
|
+ const unsigned char *adin, size_t adinlen) |
|
+{ |
|
return drbg_reseed(dctx, adin, adinlen, 1); |
|
} |
|
|
|
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u |
|
int prediction_resistance, |
|
const unsigned char *adin, size_t adinlen) |
|
{ |
|
+ int len = (int)outlen; |
|
+ |
|
+ if (len < 0 || (size_t)len != outlen) { |
|
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); |
|
+ return 0; |
|
+ } |
|
+ return RAND_bytes(out, len); |
|
+} |
|
+ |
|
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, |
|
+ int prediction_resistance, |
|
+ const unsigned char *adin, size_t adinlen) |
|
+{ |
|
int r = 0; |
|
|
|
if (FIPS_selftest_failed()) { |
|
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c |
|
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 |
|
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -57,6 +57,8 @@ |
|
#include <openssl/err.h> |
|
#include <openssl/rand.h> |
|
#include <openssl/fips.h> |
|
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal |
|
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal |
|
#include <openssl/fips_rand.h> |
|
#include "fips_rand_lcl.h" |
|
|
|
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c |
|
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200 |
|
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -55,6 +55,8 @@ |
|
#include <openssl/crypto.h> |
|
#include <openssl/err.h> |
|
#include <openssl/fips.h> |
|
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal |
|
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal |
|
#include <openssl/fips_rand.h> |
|
#include "fips_rand_lcl.h" |
|
#include "fips_locl.h" |
|
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c |
|
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 |
|
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -79,8 +79,6 @@ int FIPS_selftest(void) |
|
ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); |
|
rv = 0; |
|
} |
|
- if (!FIPS_selftest_drbg()) |
|
- rv = 0; |
|
if (!FIPS_selftest_sha1()) |
|
rv = 0; |
|
if (!FIPS_selftest_sha2()) |
|
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c |
|
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200 |
|
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200 |
|
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) |
|
|
|
int FIPS_rand_seed(const void *buf, int num) |
|
{ |
|
+#if 0 |
|
if (!fips_approved_rand_meth && FIPS_module_mode()) { |
|
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); |
|
return 0; |
|
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int |
|
if (fips_rand_meth && fips_rand_meth->seed) |
|
fips_rand_meth->seed(buf, num); |
|
return 1; |
|
+#else |
|
+ RAND_seed(buf, num); |
|
+ return 1; |
|
+#endif |
|
} |
|
|
|
int FIPS_rand_bytes(unsigned char *buf, int num) |
|
{ |
|
+#if 0 |
|
if (!fips_approved_rand_meth && FIPS_module_mode()) { |
|
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); |
|
return 0; |
|
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, |
|
if (fips_rand_meth && fips_rand_meth->bytes) |
|
return fips_rand_meth->bytes(buf, num); |
|
return 0; |
|
+#else |
|
+ return RAND_bytes(buf, num); |
|
+#endif |
|
} |
|
|
|
int FIPS_rand_status(void) |
|
{ |
|
+#if 0 |
|
if (!fips_approved_rand_meth && FIPS_module_mode()) { |
|
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); |
|
return 0; |
|
@@ -149,6 +159,9 @@ int FIPS_rand_status(void) |
|
if (fips_rand_meth && fips_rand_meth->status) |
|
return fips_rand_meth->status(); |
|
return 0; |
|
+#else |
|
+ return RAND_status(); |
|
+#endif |
|
} |
|
|
|
/* Return instantiated strength of PRNG. For DRBG this is an internal |
|
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h |
|
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 |
|
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -64,6 +64,11 @@ extern "C" { |
|
|
|
int FIPS_selftest(void); |
|
int FIPS_selftest_failed(void); |
|
+ |
|
+ /* |
|
+ * This function is deprecated as it performs selftest of the old FIPS drbg |
|
+ * implementation that is not validated. |
|
+ */ |
|
int FIPS_selftest_drbg_all(void); |
|
|
|
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, |
|
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h |
|
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200 |
|
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200 |
|
@@ -60,6 +60,20 @@ |
|
# ifdef __cplusplus |
|
extern "C" { |
|
# endif |
|
+ |
|
+/* |
|
+ * IMPORTANT NOTE: |
|
+ * All functions in this header file are deprecated and should not be used |
|
+ * as they use the old FIPS_drbg implementation that is not FIPS validated |
|
+ * anymore. |
|
+ * To provide backwards compatibility for applications that need FIPS compliant |
|
+ * RNG number generation and use FIPS_drbg_generate, this function was |
|
+ * re-wired to call the FIPS validated DRBG instance instead through |
|
+ * the RAND_bytes() call. |
|
+ * |
|
+ * All these functions will be removed in future. |
|
+ */ |
|
+ |
|
typedef struct drbg_ctx_st DRBG_CTX; |
|
/* DRBG external flags */ |
|
/* Flag for CTR mode only: use derivation function ctr_df */
|
|
|