RAND library FIPS merge.

2008-09-16 11:50:05 +00:00 · 2008-09-16 11:50:05 +00:00 · f4179bead4
commit f4179bead4
parent fced277486
6 changed files with 142 additions and 5 deletions
--- a/crypto/rand/Makefile
+++ b/crypto/rand/Makefile
@ -17,9 +17,9 @@ TEST= randtest.c
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_eng.c rand_err.c rand_egd.c \
 	rand_win.c rand_unix.c rand_os2.c rand_nw.c
-LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_eng.o rand_err.o rand_egd.o \
 	rand_win.o rand_unix.o rand_os2.o rand_nw.o

 SRC= $(LIBSRC)
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@ -126,6 +126,10 @@

 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+

 #ifdef BN_DEBUG
 # define PREDICT
@ -332,6 +336,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
 	int do_stir_pool = 0;

+#ifdef OPENSSL_FIPS
+	if(FIPS_mode())
+	    {
+	    FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
+	    return 0;
+	    }
+#endif
+
 #ifdef PREDICT
 	if (rand_predictable)
 		{
--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@ -72,7 +72,7 @@ extern "C" {
 #endif

 #if defined(OPENSSL_FIPS)
-#define FIPS_RAND_SIZE_T size_t
+#define FIPS_RAND_SIZE_T int
 #endif

 /* Already defined in ossl_typ.h */
@ -111,6 +111,15 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
 int RAND_egd(const char *path);
 int RAND_egd_bytes(const char *path,int bytes);
 int RAND_poll(void);
+#ifndef OPENSSL_NO_ENGINE
+#ifdef OPENSSL_FIPS
+void int_RAND_init_engine_callbacks(void);
+void int_RAND_set_callbacks(
+	int (*set_rand_func)(const RAND_METHOD *meth,
+						const RAND_METHOD **pmeth),
+	const RAND_METHOD *(*get_rand_func)(const RAND_METHOD **pmeth));
+#endif
+#endif

 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)

@ -128,11 +137,29 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */

 /* Function codes. */
+#define RAND_F_ENG_RAND_GET_RAND_METHOD			 108
+#define RAND_F_FIPS_RAND				 103
+#define RAND_F_FIPS_RAND_BYTES				 102
+#define RAND_F_FIPS_RAND_GET_RAND_METHOD		 109
+#define RAND_F_FIPS_RAND_SET_DT				 106
+#define RAND_F_FIPS_SET_DT				 104
+#define RAND_F_FIPS_SET_PRNG_SEED			 107
+#define RAND_F_FIPS_SET_TEST_MODE			 105
 #define RAND_F_RAND_GET_RAND_METHOD			 101
 #define RAND_F_SSLEAY_RAND_BYTES			 100

 /* Reason codes. */
+#define RAND_R_NON_FIPS_METHOD				 105
+#define RAND_R_NOT_IN_TEST_MODE				 106
+#define RAND_R_NO_KEY_SET				 107
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 101
+#define RAND_R_PRNG_ERROR				 108
+#define RAND_R_PRNG_KEYED				 109
+#define RAND_R_PRNG_NOT_REKEYED				 102
+#define RAND_R_PRNG_NOT_RESEEDED			 103
 #define RAND_R_PRNG_NOT_SEEDED				 100
+#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY		 110
+#define RAND_R_PRNG_STUCK				 104

 #ifdef  __cplusplus
 }
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@ -70,6 +70,14 @@

 static ERR_STRING_DATA RAND_str_functs[]=
 	{
+{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD),	"ENG_RAND_GET_RAND_METHOD"},
+{ERR_FUNC(RAND_F_FIPS_RAND),	"FIPS_RAND"},
+{ERR_FUNC(RAND_F_FIPS_RAND_BYTES),	"FIPS_RAND_BYTES"},
+{ERR_FUNC(RAND_F_FIPS_RAND_GET_RAND_METHOD),	"FIPS_RAND_GET_RAND_METHOD"},
+{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT),	"FIPS_RAND_SET_DT"},
+{ERR_FUNC(RAND_F_FIPS_SET_DT),	"FIPS_SET_DT"},
+{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED),	"FIPS_SET_PRNG_SEED"},
+{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE),	"FIPS_SET_TEST_MODE"},
 {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
 {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
 {0,NULL}
@ -77,7 +85,17 @@ static ERR_STRING_DATA RAND_str_functs[]=

 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
+{ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(RAND_R_NOT_IN_TEST_MODE)     ,"not in test mode"},
+{ERR_REASON(RAND_R_NO_KEY_SET)           ,"no key set"},
+{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
+{ERR_REASON(RAND_R_PRNG_ERROR)           ,"prng error"},
+{ERR_REASON(RAND_R_PRNG_KEYED)           ,"prng keyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
 {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
+{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"},
+{ERR_REASON(RAND_R_PRNG_STUCK)           ,"prng stuck"},
 {0,NULL}
 	};

--- a/crypto/rand/rand_lcl.h
+++ b/crypto/rand/rand_lcl.h
@ -154,5 +154,16 @@
 #define	MD(a,b,c)		EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
 #endif

+#ifndef OPENSSL_NO_ENGINE
+void int_RAND_set_callbacks(
+	int (*set_rand_func)(const RAND_METHOD *meth,
+						const RAND_METHOD **pmeth),
+	const RAND_METHOD *(*get_rand_func)
+						(const RAND_METHOD **pmeth));
+int eng_RAND_set_rand_method(const RAND_METHOD *meth,
+				const RAND_METHOD **pmeth);
+const RAND_METHOD *eng_RAND_get_rand_method(const RAND_METHOD **pmeth);
+#endif
+

 #endif
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -60,15 +60,82 @@
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
+#include "rand_lcl.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#endif
+
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif

+static const RAND_METHOD *default_RAND_meth = NULL;
+
+#ifdef OPENSSL_FIPS
+
+static int fips_RAND_set_rand_method(const RAND_METHOD *meth,
+					const RAND_METHOD **pmeth)
+	{
+	*pmeth = meth;
+	return 1;
+	}
+
+static const RAND_METHOD *fips_RAND_get_rand_method(const RAND_METHOD **pmeth)
+	{
+	if (!*pmeth)
+		{
+		if(FIPS_mode())
+			*pmeth=FIPS_rand_method();
+		else
+			*pmeth = RAND_SSLeay();
+		}
+
+	if(FIPS_mode()
+		&& *pmeth != FIPS_rand_check())
+	    {
+	    RANDerr(RAND_F_FIPS_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+	    return 0;
+	    }
+
+	return *pmeth;
+	}
+
+static int (*RAND_set_rand_method_func)(const RAND_METHOD *meth,
+						const RAND_METHOD **pmeth)
+	= fips_RAND_set_rand_method;
+static const RAND_METHOD *(*RAND_get_rand_method_func)
+						(const RAND_METHOD **pmeth)
+	= fips_RAND_get_rand_method;
+
+#ifndef OPENSSL_NO_ENGINE
+void int_RAND_set_callbacks(
+	int (*set_rand_func)(const RAND_METHOD *meth,
+						const RAND_METHOD **pmeth),
+	const RAND_METHOD *(*get_rand_func)
+						(const RAND_METHOD **pmeth))
+	{
+	RAND_set_rand_method_func = set_rand_func;
+	RAND_get_rand_method_func = get_rand_func;
+	}
+#endif
+
+int RAND_set_rand_method(const RAND_METHOD *meth)
+	{
+	return RAND_set_rand_method_func(meth, &default_RAND_meth);
+	}
+
+const RAND_METHOD *RAND_get_rand_method(void)
+	{
+	return RAND_get_rand_method_func(&default_RAND_meth);
+	}
+
+#else
+
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref =NULL;
 #endif
-static const RAND_METHOD *default_RAND_meth = NULL;

 int RAND_set_rand_method(const RAND_METHOD *meth)
 	{
@ -129,6 +196,8 @@ int RAND_set_rand_engine(ENGINE *engine)
 	}
 #endif

+#endif
+
 void RAND_cleanup(void)
 	{
 	const RAND_METHOD *meth = RAND_get_rand_method();