Dr. Stephen Henson | 17 Sep 01:12 2011
Picon

[CVS] OpenSSL: OpenSSL_1_0_1-stable: openssl/crypto/rand/ rand.h rand_...

  OpenSSL CVS Repository
  http://cvs.openssl.org/
  ____________________________________________________________________________

  Server: cvs.openssl.org                  Name:   Dr. Stephen Henson
  Root:   /v/openssl/cvs                   Email:  steve <at> openssl.org
  Module: openssl                          Date:   17-Sep-2011 01:12:34
  Branch: OpenSSL_1_0_1-stable             Handle: 2011091623123400

  Modified files:           (Branch: OpenSSL_1_0_1-stable)
    openssl/crypto/rand     rand.h rand_err.c rand_lib.c

  Log:
    Improved error checking for DRBG calls.

    New functionality to allow default DRBG type to be set during compilation or during runtime.

  Summary:
    Revision    Changes     Path
    1.34.4.3    +4  -0      openssl/crypto/rand/rand.h
    1.8.4.2     +3  -0      openssl/crypto/rand/rand_err.c
    1.20.4.6    +27 -2      openssl/crypto/rand/rand_lib.c
  ____________________________________________________________________________

  patch -p0 <<' <at>  <at>  .'
  Index: openssl/crypto/rand/rand.h
  ============================================================================
  $ cvs diff -u -r1.34.4.2 -r1.34.4.3 rand.h
  --- openssl/crypto/rand/rand.h	13 Jun 2011 20:40:52 -0000	1.34.4.2
  +++ openssl/crypto/rand/rand.h	16 Sep 2011 23:12:34 -0000	1.34.4.3
   <at>  <at>  -120,6 +120,7  <at>  <at> 
   #endif

   #ifdef OPENSSL_FIPS
  +void RAND_set_fips_drbg_type(int type, int flags);
   int RAND_init_fips(void);
   #endif

   <at>  <at>  -133,9 +134,12  <at>  <at> 

   /* Function codes. */
   #define RAND_F_RAND_GET_RAND_METHOD			 101
  +#define RAND_F_RAND_INIT_FIPS				 102
   #define RAND_F_SSLEAY_RAND_BYTES			 100

   /* Reason codes. */
  +#define RAND_R_ERROR_INITIALISING_DRBG			 102
  +#define RAND_R_ERROR_INSTANTIATING_DRBG			 103
   #define RAND_R_NO_FIPS_RANDOM_METHOD_SET		 101
   #define RAND_R_PRNG_NOT_SEEDED				 100

   <at>  <at>  .
  patch -p0 <<' <at>  <at>  .'
  Index: openssl/crypto/rand/rand_err.c
  ============================================================================
  $ cvs diff -u -r1.8.4.1 -r1.8.4.2 rand_err.c
  --- openssl/crypto/rand/rand_err.c	13 Jun 2011 20:40:52 -0000	1.8.4.1
  +++ openssl/crypto/rand/rand_err.c	16 Sep 2011 23:12:34 -0000	1.8.4.2
   <at>  <at>  -71,12 +71,15  <at>  <at> 
   static ERR_STRING_DATA RAND_str_functs[]=
   	{
   {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
  +{ERR_FUNC(RAND_F_RAND_INIT_FIPS),	"RAND_init_fips"},
   {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
   {0,NULL}
   	};

   static ERR_STRING_DATA RAND_str_reasons[]=
   	{
  +{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
  +{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
   {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
   {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
   {0,NULL}
   <at>  <at>  .
  patch -p0 <<' <at>  <at>  .'
  Index: openssl/crypto/rand/rand_lib.c
  ============================================================================
  $ cvs diff -u -r1.20.4.5 -r1.20.4.6 rand_lib.c
  --- openssl/crypto/rand/rand_lib.c	21 Jun 2011 17:08:25 -0000	1.20.4.5
  +++ openssl/crypto/rand/rand_lib.c	16 Sep 2011 23:12:34 -0000	1.20.4.6
   <at>  <at>  -245,13 +245,34  <at>  <at> 
   	return 1;
   	}

  +#ifndef OPENSSL_DRBG_DEFAULT_TYPE
  +#define OPENSSL_DRBG_DEFAULT_TYPE	NID_aes_256_ctr
  +#endif
  +#ifndef OPENSSL_DRBG_DEFAULT_FLAGS
  +#define OPENSSL_DRBG_DEFAULT_FLAGS	DRBG_FLAG_CTR_USE_DF
  +#endif 
  +
  +static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE;
  +static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
  +
  +void RAND_set_fips_drbg_type(int type, int flags)
  +	{
  +	fips_drbg_type = type;
  +	fips_drbg_flags = flags;
  +	}
  +
   int RAND_init_fips(void)
   	{
   	DRBG_CTX *dctx;
   	size_t plen;
   	unsigned char pers[32], *p;
   	dctx = FIPS_get_default_drbg();
  -        FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
  +        if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
  +		{
  +		RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG);
  +		return 0;
  +		}
  +		
           FIPS_drbg_set_callbacks(dctx,
   				drbg_get_entropy, drbg_free_entropy, 20,
   				drbg_get_entropy, drbg_free_entropy);
   <at>  <at>  -262,7 +283,11  <at>  <at> 
   	plen = drbg_get_adin(dctx, &p);
   	memcpy(pers + 16, p, plen);

  -        FIPS_drbg_instantiate(dctx, pers, sizeof(pers));
  +        if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0)
  +		{
  +		RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG);
  +		return 0;
  +		}
           FIPS_rand_set_method(FIPS_drbg_method());
   	return 1;
   	}
   <at>  <at>  .
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
CVS Repository Commit List                     openssl-cvs <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org


Gmane