diff options
author | Matt Caswell <matt@openssl.org> | 2019-05-30 15:42:32 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-06-12 09:16:43 +0100 |
commit | 4ac6227621255ecde99aff3b11737c912f7a499b (patch) | |
tree | d29638c96714e9bf78f5a9bc236b1d38f852dee4 /crypto/bn | |
parent | 9632bd0e1d80ac4d38a3add1de192386fe1a0fd4 (diff) |
Temporarily disable RAND call in FIPS_MODE until RAND is available
Other commits will enable the RAND code in FIPS_MODE. Until those commits
are in place we temporarily disable making RAND calls while in FIPS_MODE.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9130)
Diffstat (limited to 'crypto/bn')
-rw-r--r-- | crypto/bn/bn_rand.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index f33c856eb5..6967627732 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -45,7 +45,16 @@ static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom) } /* make a random number and set the top and bottom bits */ + /* + * TODO(3.0): Temporarily disable RAND code in the FIPS module until we + * have made it available there. + */ +#if defined(FIPS_MODE) + BNerr(BN_F_BNRAND, ERR_R_INTERNAL_ERROR); + goto err; +#else b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes); +#endif if (b <= 0) goto err; @@ -57,8 +66,14 @@ static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom) unsigned char c; for (i = 0; i < bytes; i++) { + /* + * TODO(3.0): Temporarily disable RAND code in the FIPS module until we + * have made it available there. + */ +#if !defined(FIPS_MODE) if (RAND_bytes(&c, 1) <= 0) goto err; +#endif if (c >= 128 && i > 0) buf[i] = buf[i - 1]; else if (c < 42) @@ -223,7 +238,15 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, int ret = 0; EVP_MD *md = NULL; OPENSSL_CTX *libctx = (ctx != NULL) ? bn_get_lib_ctx(ctx) : NULL; + /* + * TODO(3.0): Temporarily disable RAND code in the FIPS module until we + * have made it available there. + */ +#ifdef FIPS_MODE + RAND_DRBG *privdrbg = NULL; +#else RAND_DRBG *privdrbg = OPENSSL_CTX_get0_private_drbg(libctx); +#endif if (mdctx == NULL || privdrbg == NULL) goto err; @@ -252,8 +275,14 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; } for (done = 0; done < num_k_bytes;) { + /* + * TODO(3.0): Temporarily disable RAND code in the FIPS module until we + * have made it available there. + */ +#if !defined(FIPS_MODE) if (!RAND_DRBG_bytes(privdrbg, random_bytes, sizeof(random_bytes))) goto err; +#endif if (!EVP_DigestInit_ex(mdctx, md, NULL) || !EVP_DigestUpdate(mdctx, &done, sizeof(done)) |