Fix regressions from the FIPS randlock patch.
This commit is contained in:
parent
d3eb330a7e
commit
10d3d0df07
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
|
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
|
||||||
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
|
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
|
||||||
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-07 10:06:11.666777108 +0100
|
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-16 09:16:06.188098078 +0100
|
||||||
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
||||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
return drbg_reseed(dctx, adin, adinlen, 1);
|
||||||
}
|
}
|
||||||
|
@ -8,7 +8,7 @@ diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k
|
||||||
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
|
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
|
||||||
+{
|
+{
|
||||||
+ if (dctx->status == DRBG_STATUS_READY)
|
+ if (dctx->status == DRBG_STATUS_READY)
|
||||||
+ dctx->status = DRBG_STATUS_RESEED;
|
+ dctx->reseed_counter = dctx->reseed_interval;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
static int fips_drbg_check(DRBG_CTX *dctx)
|
static int fips_drbg_check(DRBG_CTX *dctx)
|
||||||
|
@ -27,31 +27,18 @@ diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/cry
|
||||||
const unsigned char *adin, size_t adinlen);
|
const unsigned char *adin, size_t adinlen);
|
||||||
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
|
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
|
||||||
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
|
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
|
||||||
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-10-23 17:28:00.999638475 +0200
|
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-12-06 09:20:23.615879425 +0100
|
||||||
@@ -365,6 +365,14 @@ int ssleay_rand_bytes(unsigned char *buf
|
@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
|
||||||
num_ceil =
|
|
||||||
(1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2);
|
|
||||||
|
|
||||||
+ /* always poll for external entropy in FIPS mode, drbg provides the
|
|
||||||
+ * expansion
|
|
||||||
+ */
|
|
||||||
+ if (FIPS_module_mode()) {
|
|
||||||
+ RAND_poll();
|
|
||||||
+ initialized = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* (Based on the rand(3) manpage:)
|
|
||||||
*
|
|
||||||
@@ -391,10 +399,7 @@ int ssleay_rand_bytes(unsigned char *buf
|
|
||||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
||||||
crypto_lock_rand = 1;
|
crypto_lock_rand = 1;
|
||||||
|
|
||||||
- /* always poll for external entropy in FIPS mode, drbg provides the
|
- /* always poll for external entropy in FIPS mode, drbg provides the
|
||||||
- * expansion
|
- * expansion
|
||||||
- */
|
+ /* always poll for external entropy in FIPS mode, if run as seed
|
||||||
|
+ * source, drbg provides the expansion
|
||||||
|
*/
|
||||||
- if (!initialized || FIPS_module_mode()) {
|
- if (!initialized || FIPS_module_mode()) {
|
||||||
+ if (!initialized) {
|
+ if (!initialized || (!lock && FIPS_module_mode())) {
|
||||||
RAND_poll();
|
RAND_poll();
|
||||||
initialized = 1;
|
initialized = 1;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue