Commit a4870de5 authored by Dr. Stephen Henson

Disable Dual EC DRBG.

Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
parent 39aabe59
+1 −0
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
#define RAND_F_SSLEAY_RAND_BYTES			 100

/* Reason codes. */
#define RAND_R_DUAL_EC_DRBG_DISABLED			 104
#define RAND_R_ERROR_INITIALISING_DRBG			 102
#define RAND_R_ERROR_INSTANTIATING_DRBG			 103
#define RAND_R_NO_FIPS_RANDOM_METHOD_SET		 101
+1 −0
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=

static ERR_STRING_DATA RAND_str_reasons[]=
	{
{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
+8 −0
@@ -269,6 +269,14 @@ int RAND_init_fips(void)
	DRBG_CTX *dctx;
	size_t plen;
	unsigned char pers[32], *p;
#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
	if (fips_drbg_type >> 16)
		{
		RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
		return 0;
		}
#endif
		
	dctx = FIPS_get_default_drbg();
        if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
		{
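Review bot: The guard `if (fips_drbg_type >> 16)` recognises Dual EC only through an unstated encoding assumption, presumably that Dual EC types carry a second NID in the bits above 16 while the hash, HMAC and CTR types fit in the low 16 bits. Nothing in the hunk says so, and a later change to the type encoding would silently turn the check into a no-op. After confirming against the DRBG type definitions, I would add a comment above it such as `/* Dual EC DRBG types use bits 16 and up of the type value; every other DRBG type fits in the low 16 bits */`. If `fips_drbg_type` is a signed int, `if ((fips_drbg_type & ~0xffff) != 0)` avoids relying on the implementation-defined right shift of a negative value. The `#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG` line also deserves a comment saying that defining the macro re-enables a generator that is rejected on purpose; RAND_init_fips starts and ends outside the hunk.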