diff options
| -rw-r--r-- | fips/rand/fips_drbg_ctr.c | 7 | ||||
| -rw-r--r-- | fips/rand/fips_drbg_hash.c | 8 | ||||
| -rw-r--r-- | fips/rand/fips_drbg_lib.c | 45 | ||||
| -rw-r--r-- | fips/rand/fips_drbgvs.c | 2 | ||||
| -rw-r--r-- | fips/rand/fips_rand.h | 3 |
5 files changed, 54 insertions, 11 deletions
diff --git a/fips/rand/fips_drbg_ctr.c b/fips/rand/fips_drbg_ctr.c index 2b2d226c53..738abdd835 100644 --- a/fips/rand/fips_drbg_ctr.c +++ b/fips/rand/fips_drbg_ctr.c @@ -350,6 +350,12 @@ static int drbg_ctr_generate(DRBG_CTX *dctx, } +static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) + { + OPENSSL_cleanse(&dctx->d.ctr, sizeof(DRBG_CTR_CTX)); + return 1; + } + int fips_drbg_ctr_init(DRBG_CTX *dctx) { DRBG_CTR_CTX *cctx = &dctx->d.ctr; @@ -377,6 +383,7 @@ int fips_drbg_ctr_init(DRBG_CTX *dctx) dctx->instantiate = drbg_ctr_instantiate; dctx->reseed = drbg_ctr_reseed; dctx->generate = drbg_ctr_generate; + dctx->uninstantiate = drbg_ctr_uninstantiate; cctx->keylen = keylen; diff --git a/fips/rand/fips_drbg_hash.c b/fips/rand/fips_drbg_hash.c index 4dbcdb6a7b..ca3bce7320 100644 --- a/fips/rand/fips_drbg_hash.c +++ b/fips/rand/fips_drbg_hash.c @@ -306,6 +306,13 @@ static int drbg_hash_generate(DRBG_CTX *dctx, return 1; } +static int drbg_hash_uninstantiate(DRBG_CTX *dctx) + { + EVP_MD_CTX_cleanup(&dctx->d.hash.mctx); + OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); + return 1; + } + int fips_drbg_hash_init(DRBG_CTX *dctx) { const EVP_MD *md; @@ -346,6 +353,7 @@ int fips_drbg_hash_init(DRBG_CTX *dctx) dctx->instantiate = drbg_hash_instantiate; dctx->reseed = drbg_hash_reseed; dctx->generate = drbg_hash_generate; + dctx->uninstantiate = drbg_hash_uninstantiate; dctx->d.hash.md = md; EVP_MD_CTX_init(&hctx->mctx); diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c index 9b497b54cc..0bf30f0314 100644 --- a/fips/rand/fips_drbg_lib.c +++ b/fips/rand/fips_drbg_lib.c @@ -62,30 +62,41 @@ /* Support framework for SP800-90 DRBGs */ -DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) +static int fips_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) { int rv; - DRBG_CTX *dctx; - dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); memset(dctx, 0, sizeof(DRBG_CTX)); dctx->status = DRBG_STATUS_UNINITIALISED; dctx->flags = flags; dctx->type = type; + rv = fips_drbg_hash_init(dctx); + if (rv == -2) rv = fips_drbg_ctr_init(dctx); - if (rv <= 0) + + return rv; + } + +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) + { + DRBG_CTX *dctx; + dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); + if (!dctx) + return NULL; + if (fips_drbg_init(dctx, type, flags) <= 0) { - /* Fatal: cannot initialiase DRBG */ - goto err; + OPENSSL_free(dctx); + return NULL; } - return dctx; + } - err: - if (dctx) - OPENSSL_free(dctx); - return NULL; +void FIPS_drbg_free(DRBG_CTX *dctx) + { + dctx->uninstantiate(dctx); + OPENSSL_cleanse(dctx, sizeof(DRBG_CTX)); + OPENSSL_free(dctx); } int FIPS_drbg_instantiate(DRBG_CTX *dctx, @@ -224,6 +235,18 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, return 1; } +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx) + { + int save_type, save_flags, rv; + save_type = dctx->type; + save_flags = dctx->flags; + rv = dctx->uninstantiate(dctx); + OPENSSL_cleanse(dctx, sizeof(DRBG_CTX)); + /* If method has problems uninstantiating, return error */ + if (rv <= 0) + return rv; + return fips_drbg_init(dctx, save_type, save_flags); + } int FIPS_drbg_set_test_mode(DRBG_CTX *dctx, size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char *out, diff --git a/fips/rand/fips_drbgvs.c b/fips/rand/fips_drbgvs.c index a599233908..325925072e 100644 --- a/fips/rand/fips_drbgvs.c +++ b/fips/rand/fips_drbgvs.c @@ -294,6 +294,8 @@ int main(int argc,char **argv) if (gen == 2) { OutputValue("ReturnedBits", out, outlen, stdout, 0); + FIPS_drbg_free(dctx); + dctx = NULL; gen = 0; } diff --git a/fips/rand/fips_rand.h b/fips/rand/fips_rand.h index e0cc8c9da5..e9e2afbbaa 100644 --- a/fips/rand/fips_rand.h +++ b/fips/rand/fips_rand.h @@ -83,6 +83,9 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, int prediction_resistance, const unsigned char *adin, size_t adinlen); +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx); +void FIPS_drbg_free(DRBG_CTX *dctx); + int FIPS_drbg_set_test_mode(DRBG_CTX *dctx, size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char *out, int entropy, size_t min_len, size_t max_len), |