Redirect RAND to FIPS module in FIPS mode.

crypto/rand/rand.h

@@ -136,6 +136,7 @@ void ERR_load_RAND_strings(void);
 #define RAND_F_SSLEAY_RAND_BYTES			 100
 
 /* Reason codes. */
+#define RAND_R_NO_FIPS_RANDOM_METHOD_SET		 101
 #define RAND_R_PRNG_NOT_SEEDED				 100
 
 #ifdef  __cplusplus

crypto/rand/rand_err.c

@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -77,6 +77,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
 
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
+{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
 {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
 {0,NULL}
 	};

crypto/rand/rand_lib.c

@@ -61,11 +61,6 @@
 #include "cryptlib.h"
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_FIPSCANISTER
-#define OPENSSL_NO_ENGINE
-#include <openssl/fips.h>
-#endif
-
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -116,6 +111,18 @@ const RAND_METHOD *RAND_get_rand_method(void)
 		if(e)
 			funct_ref = e;
 		else
+#endif
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			{
+			default_RAND_meth = FIPS_rand_get_method();
+			if (default_RAND_meth == NULL)
+				{
+				RANDerr(RAND_F_RAND_GET_RAND_METHOD,
+					RAND_R_NO_FIPS_RANDOM_METHOD_SET);
+				}
+			}
+		else
 #endif
 			default_RAND_meth = RAND_SSLeay();
 		}