From f4179bead44fc43734db4efcfcfa01478d161b28 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 16 Sep 2008 11:50:05 +0000 Subject: [PATCH] RAND library FIPS merge. --- crypto/rand/Makefile | 4 +-- crypto/rand/md_rand.c | 12 +++++++ crypto/rand/rand.h | 29 ++++++++++++++++- crypto/rand/rand_err.c | 20 +++++++++++- crypto/rand/rand_lcl.h | 11 +++++++ crypto/rand/rand_lib.c | 71 +++++++++++++++++++++++++++++++++++++++++- 6 files changed, 142 insertions(+), 5 deletions(-) diff --git a/crypto/rand/Makefile b/crypto/rand/Makefile index 27694aa664..665020da4c 100644 --- a/crypto/rand/Makefile +++ b/crypto/rand/Makefile @@ -17,9 +17,9 @@ TEST= randtest.c APPS= LIB=$(TOP)/libcrypto.a -LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \ +LIBSRC=md_rand.c randfile.c rand_lib.c rand_eng.c rand_err.c rand_egd.c \ rand_win.c rand_unix.c rand_os2.c rand_nw.c -LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \ +LIBOBJ=md_rand.o randfile.o rand_lib.o rand_eng.o rand_err.o rand_egd.o \ rand_win.o rand_unix.o rand_os2.o rand_nw.o SRC= $(LIBSRC) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 9783d0c23e..0f8dd3e00f 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -126,6 +126,10 @@ #include #include +#ifdef OPENSSL_FIPS +#include +#endif + #ifdef BN_DEBUG # define PREDICT @@ -332,6 +336,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) #endif int do_stir_pool = 0; +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + { + FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD); + return 0; + } +#endif + #ifdef PREDICT if (rand_predictable) { diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h index ac6c021763..ea89153cba 100644 --- a/crypto/rand/rand.h +++ b/crypto/rand/rand.h @@ -72,7 +72,7 @@ extern "C" { #endif #if defined(OPENSSL_FIPS) -#define FIPS_RAND_SIZE_T size_t +#define FIPS_RAND_SIZE_T int #endif /* Already defined in ossl_typ.h */ @@ -111,6 +111,15 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); int RAND_poll(void); +#ifndef OPENSSL_NO_ENGINE +#ifdef OPENSSL_FIPS +void int_RAND_init_engine_callbacks(void); +void int_RAND_set_callbacks( + int (*set_rand_func)(const RAND_METHOD *meth, + const RAND_METHOD **pmeth), + const RAND_METHOD *(*get_rand_func)(const RAND_METHOD **pmeth)); +#endif +#endif #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) @@ -128,11 +137,29 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ /* Function codes. */ +#define RAND_F_ENG_RAND_GET_RAND_METHOD 108 +#define RAND_F_FIPS_RAND 103 +#define RAND_F_FIPS_RAND_BYTES 102 +#define RAND_F_FIPS_RAND_GET_RAND_METHOD 109 +#define RAND_F_FIPS_RAND_SET_DT 106 +#define RAND_F_FIPS_SET_DT 104 +#define RAND_F_FIPS_SET_PRNG_SEED 107 +#define RAND_F_FIPS_SET_TEST_MODE 105 #define RAND_F_RAND_GET_RAND_METHOD 101 #define RAND_F_SSLEAY_RAND_BYTES 100 /* Reason codes. */ +#define RAND_R_NON_FIPS_METHOD 105 +#define RAND_R_NOT_IN_TEST_MODE 106 +#define RAND_R_NO_KEY_SET 107 +#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101 +#define RAND_R_PRNG_ERROR 108 +#define RAND_R_PRNG_KEYED 109 +#define RAND_R_PRNG_NOT_REKEYED 102 +#define RAND_R_PRNG_NOT_RESEEDED 103 #define RAND_R_PRNG_NOT_SEEDED 100 +#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110 +#define RAND_R_PRNG_STUCK 104 #ifdef __cplusplus } diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index 386934dcd1..829fb44d77 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* crypto/rand/rand_err.c */ /* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,14 @@ static ERR_STRING_DATA RAND_str_functs[]= { +{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD), "ENG_RAND_GET_RAND_METHOD"}, +{ERR_FUNC(RAND_F_FIPS_RAND), "FIPS_RAND"}, +{ERR_FUNC(RAND_F_FIPS_RAND_BYTES), "FIPS_RAND_BYTES"}, +{ERR_FUNC(RAND_F_FIPS_RAND_GET_RAND_METHOD), "FIPS_RAND_GET_RAND_METHOD"}, +{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT), "FIPS_RAND_SET_DT"}, +{ERR_FUNC(RAND_F_FIPS_SET_DT), "FIPS_SET_DT"}, +{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED), "FIPS_SET_PRNG_SEED"}, +{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE), "FIPS_SET_TEST_MODE"}, {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"}, {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, {0,NULL} @@ -77,7 +85,17 @@ static ERR_STRING_DATA RAND_str_functs[]= static ERR_STRING_DATA RAND_str_reasons[]= { +{ERR_REASON(RAND_R_NON_FIPS_METHOD) ,"non fips method"}, +{ERR_REASON(RAND_R_NOT_IN_TEST_MODE) ,"not in test mode"}, +{ERR_REASON(RAND_R_NO_KEY_SET) ,"no key set"}, +{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"}, +{ERR_REASON(RAND_R_PRNG_ERROR) ,"prng error"}, +{ERR_REASON(RAND_R_PRNG_KEYED) ,"prng keyed"}, +{ERR_REASON(RAND_R_PRNG_NOT_REKEYED) ,"prng not rekeyed"}, +{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED) ,"prng not reseeded"}, {ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"}, +{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"}, +{ERR_REASON(RAND_R_PRNG_STUCK) ,"prng stuck"}, {0,NULL} }; diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 618a8ec899..18cc9b1e4a 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -154,5 +154,16 @@ #define MD(a,b,c) EVP_Digest(a,b,c,NULL,EVP_md2(), NULL) #endif +#ifndef OPENSSL_NO_ENGINE +void int_RAND_set_callbacks( + int (*set_rand_func)(const RAND_METHOD *meth, + const RAND_METHOD **pmeth), + const RAND_METHOD *(*get_rand_func) + (const RAND_METHOD **pmeth)); +int eng_RAND_set_rand_method(const RAND_METHOD *meth, + const RAND_METHOD **pmeth); +const RAND_METHOD *eng_RAND_get_rand_method(const RAND_METHOD **pmeth); +#endif + #endif diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 513e338985..da6b4e0e86 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -60,15 +60,82 @@ #include #include "cryptlib.h" #include +#include "rand_lcl.h" +#ifdef OPENSSL_FIPS +#include +#include +#endif + #ifndef OPENSSL_NO_ENGINE #include #endif +static const RAND_METHOD *default_RAND_meth = NULL; + +#ifdef OPENSSL_FIPS + +static int fips_RAND_set_rand_method(const RAND_METHOD *meth, + const RAND_METHOD **pmeth) + { + *pmeth = meth; + return 1; + } + +static const RAND_METHOD *fips_RAND_get_rand_method(const RAND_METHOD **pmeth) + { + if (!*pmeth) + { + if(FIPS_mode()) + *pmeth=FIPS_rand_method(); + else + *pmeth = RAND_SSLeay(); + } + + if(FIPS_mode() + && *pmeth != FIPS_rand_check()) + { + RANDerr(RAND_F_FIPS_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); + return 0; + } + + return *pmeth; + } + +static int (*RAND_set_rand_method_func)(const RAND_METHOD *meth, + const RAND_METHOD **pmeth) + = fips_RAND_set_rand_method; +static const RAND_METHOD *(*RAND_get_rand_method_func) + (const RAND_METHOD **pmeth) + = fips_RAND_get_rand_method; + +#ifndef OPENSSL_NO_ENGINE +void int_RAND_set_callbacks( + int (*set_rand_func)(const RAND_METHOD *meth, + const RAND_METHOD **pmeth), + const RAND_METHOD *(*get_rand_func) + (const RAND_METHOD **pmeth)) + { + RAND_set_rand_method_func = set_rand_func; + RAND_get_rand_method_func = get_rand_func; + } +#endif + +int RAND_set_rand_method(const RAND_METHOD *meth) + { + return RAND_set_rand_method_func(meth, &default_RAND_meth); + } + +const RAND_METHOD *RAND_get_rand_method(void) + { + return RAND_get_rand_method_func(&default_RAND_meth); + } + +#else + #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref =NULL; #endif -static const RAND_METHOD *default_RAND_meth = NULL; int RAND_set_rand_method(const RAND_METHOD *meth) { @@ -129,6 +196,8 @@ int RAND_set_rand_engine(ENGINE *engine) } #endif +#endif + void RAND_cleanup(void) { const RAND_METHOD *meth = RAND_get_rand_method(); -- 2.25.1