Extensive reorganisation of PRNG handling in FIPS module: all calls (05e24c87) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+8 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,14 @@

		Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]

		*) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
		to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
		performs algorithm blocking for unapproved PRNG types. Also do not
		set PRNG type in FIPS_mode_set(): leave this to the application.
		Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
		the standard OpenSSL PRNG.
		[Steve Henson]

		) Rename old X9.31 PRNG functions of the form FIPS_rand to FIPS_x931*.
		This shouldn't present any incompatibility problems because applications
		shouldn't be using these directly and any that are will need to rethink

+2 −0

Original line number	Diff line number	Diff line
		@@ -56,6 +56,8 @@
		* [including the GNU Public Licence.]
		*/

		#define OPENSSL_FIPSAPI

		#include <stdio.h>
		#include "cryptlib.h"
		#ifndef OPENSSL_NO_DES

+7 −0

Original line number	Diff line number	Diff line
		@@ -96,6 +96,12 @@ static ERR_STRING_DATA FIPS_str_functs[]=
		{ERR_FUNC(FIPS_F_FIPS_DSA_CHECK), "FIPS_DSA_CHECK"},
		{ERR_FUNC(FIPS_F_FIPS_MODE_SET), "FIPS_mode_set"},
		{ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_ADD), "FIPS_rand_add"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_PSEUDO_BYTES), "FIPS_rand_pseudo_bytes"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
		{ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
		@@ -105,6 +111,7 @@ static ERR_STRING_DATA FIPS_str_functs[]=
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG), "FIPS_selftest_rng"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
		{ERR_FUNC(FIPS_F_FIPS_SELFTEST_X931), "FIPS_selftest_x931"},
		{ERR_FUNC(FIPS_F_HASH_FINAL), "HASH_FINAL"},
		{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
		{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},

+2 −0

Original line number	Diff line number	Diff line
		@@ -56,6 +56,7 @@
		#include <openssl/err.h>
		#ifdef OPENSSL_FIPS
		#include <openssl/fips.h>
		#include <openssl/rand.h>
		#endif

		#if defined(__GNUC__) && __GNUC__>=2
		@@ -123,6 +124,7 @@ void OPENSSL_init(void)
		FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
		FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
		FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
		RAND_init_fips();
		#endif
		#if 0
		fprintf(stderr, "Called OPENSSL_init\n");

+6 −1

Original line number	Diff line number	Diff line
		@@ -94,7 +94,7 @@ extern int rand_predictable;

		int RAND_set_rand_method(const RAND_METHOD *meth);
		const RAND_METHOD *RAND_get_rand_method(void);
		#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_FIPS)
		#ifndef OPENSSL_NO_ENGINE
		int RAND_set_rand_engine(ENGINE *engine);
		#endif
		RAND_METHOD *RAND_SSLeay(void);
		@@ -119,6 +119,10 @@ int RAND_event(UINT, WPARAM, LPARAM);

		#endif

		#ifdef OPENSSL_FIPS
		int RAND_init_fips(void);
		#endif

		/* BEGIN ERROR CODES */
		/* The following lines are auto generated by the script mkerr.pl. Any changes
		* made after this point may be overwritten when the script is next run.
		@@ -132,6 +136,7 @@ void ERR_load_RAND_strings(void);
		#define RAND_F_FIPS_RAND_SET_DT 103
		#define RAND_F_FIPS_SET_PRNG_SEED 104
		#define RAND_F_FIPS_SET_TEST_MODE 105
		#define RAND_F_FIPS_X931_SET_DT 106
		#define RAND_F_RAND_GET_RAND_METHOD 101
		#define RAND_F_SSLEAY_RAND_BYTES 100