authorRichard Levitte <levitte@openssl.org>2004-07-30 14:38:02 +0000
committerRichard Levitte <levitte@openssl.org>2004-07-30 14:38:02 +0000
commit7f9c37457a4e09926c356736541a45818011c038 (patch)
tree05ef19e3a27268e415b439e3c0bb0da2627c0445 /crypto/rand
parent86022a79a5536067a21e2d6f62ee024bfd16a1f5 (diff)
To protect FIPS-related global variables, add locking mechanisms
around them. NOTE: because two new locks are added, this adds potential binary incompatibility with earlier versions in the 0.9.7 series. However, those locks will only ever be touched when FIPS_mode_set() is called and after, thanks to a variable that's only changed from 0 to 1 once (when FIPS_mode_set() is called). So basically, as long as FIPS mode hasn't been engaged explicitly by the calling application, the new locks are treated as if they didn't exist at all, thus not becoming a problem. Applications that are built or rebuilt to use FIPS functionality will need to be recompiled in any case, thus not being a problem either.
Diffstat (limited to 'crypto/rand')
-rw-r--r--crypto/rand/md_rand.c2
-rw-r--r--crypto/rand/rand_lib.c3
2 files changed, 3 insertions, 2 deletions
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 24e590ab64..c84968df88 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -334,7 +334,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
int do_stir_pool = 0;
#ifdef OPENSSL_FIPS
- if(FIPS_mode)
+ if(FIPS_mode())
{
FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
return 0;
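Review bot: The FIPS guard at the top of ssleay_rand_bytes has no comment saying that it is a fail-closed path. When `FIPS_mode()` is true the function raises FIPS_R_NON_FIPS_METHOD and returns 0 without, as far as the hunk shows, writing anything to `buf`. A caller that ignores the return value would then treat whatever was already in the buffer as random data. I would add a comment above the check such as `/* non-FIPS PRNG must refuse in FIPS mode; buf is NOT filled, callers must treat 0 as failure */`. The function body starts and continues outside the hunk, so this should be confirmed against the full function.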
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 869d11cab6..88f1b56d91 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -88,7 +88,8 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
const RAND_METHOD *RAND_get_rand_method(void)
{
#ifdef OPENSSL_FIPS
- if(FIPS_mode && default_RAND_meth != FIPS_rand_check)
+ if(FIPS_mode()
+ && default_RAND_meth != FIPS_rand_check())
{
RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
return 0;
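Review bot: The new condition in RAND_get_rand_method samples three pieces of state separately: `FIPS_mode()`, `default_RAND_meth`, and `FIPS_rand_check()`. No lock around the read of `default_RAND_meth` is visible in the hunk. If each accessor takes and releases its own lock, as the commit message suggests, the comparison as a whole is still not atomic. A concurrent RAND_set_rand_method() or FIPS_mode_set() could presumably change the outcome between the reads. Either document the assumption at the check, e.g. `/* FIPS state and default_RAND_meth are expected to be set before other threads call into RAND */`, or perform the comparison under a single lock. The function body continues outside the hunk.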