|
 |
e62613 |
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
|
|
|
e62613 |
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
|
|
|
e62613 |
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-16 09:16:06.188098078 +0100
|
|
|
e62613 |
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
|
|
e62613 |
return drbg_reseed(dctx, adin, adinlen, 1);
|
|
|
e62613 |
}
|
|
|
e62613 |
|
|
|
e62613 |
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
|
|
|
e62613 |
+{
|
|
|
e62613 |
+ if (dctx->status == DRBG_STATUS_READY)
|
|
|
e62613 |
+ dctx->reseed_counter = dctx->reseed_interval;
|
|
|
e62613 |
+}
|
|
|
e62613 |
+
|
|
|
e62613 |
static int fips_drbg_check(DRBG_CTX *dctx)
|
|
|
e62613 |
{
|
|
|
e62613 |
if (dctx->xflags & DRBG_FLAG_TEST)
|
|
|
e62613 |
diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
|
|
|
e62613 |
--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock 2017-03-09 17:59:26.252231250 +0100
|
|
|
e62613 |
+++ openssl-1.0.2k/crypto/fips/fips_rand.h 2017-11-07 10:06:40.241450151 +0100
|
|
|
e62613 |
@@ -86,6 +86,7 @@ extern "C" {
|
|
|
e62613 |
const unsigned char *pers, size_t perslen);
|
|
|
e62613 |
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
|
|
|
e62613 |
size_t adinlen);
|
|
|
e62613 |
+ void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
|
|
|
e62613 |
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
|
|
e62613 |
int prediction_resistance,
|
|
|
e62613 |
const unsigned char *adin, size_t adinlen);
|
|
|
e62613 |
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
|
|
|
e62613 |
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
|
|
|
e62613 |
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-12-06 09:20:23.615879425 +0100
|
|
|
e62613 |
@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
|
|
|
e62613 |
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
|
|
e62613 |
crypto_lock_rand = 1;
|
|
|
e62613 |
|
|
|
e62613 |
- /* always poll for external entropy in FIPS mode, drbg provides the
|
|
|
e62613 |
- * expansion
|
|
|
e62613 |
+ /* always poll for external entropy in FIPS mode, if run as seed
|
|
|
e62613 |
+ * source, drbg provides the expansion
|
|
|
e62613 |
*/
|
|
|
e62613 |
- if (!initialized || FIPS_module_mode()) {
|
|
|
e62613 |
+ if (!initialized || (!lock && FIPS_module_mode())) {
|
|
|
e62613 |
RAND_poll();
|
|
|
e62613 |
initialized = 1;
|
|
|
e62613 |
}
|
|
|
e62613 |
diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
|
|
|
e62613 |
--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock 2017-03-09 17:59:26.292232183 +0100
|
|
|
e62613 |
+++ openssl-1.0.2k/crypto/rand/rand_lib.c 2017-11-07 10:20:08.050403861 +0100
|
|
|
e62613 |
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
|
|
|
e62613 |
RAND_SSLeay()->add(in, inlen, entropy);
|
|
|
e62613 |
if (FIPS_rand_status()) {
|
|
|
e62613 |
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
|
|
e62613 |
- FIPS_drbg_reseed(ctx, NULL, 0);
|
|
|
e62613 |
+ FIPS_drbg_set_reseed(ctx);
|
|
|
e62613 |
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
|
|
e62613 |
}
|
|
|
e62613 |
return 1;
|
|
|
e62613 |
@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
|
|
|
e62613 |
RAND_SSLeay()->seed(in, inlen);
|
|
|
e62613 |
if (FIPS_rand_status()) {
|
|
|
e62613 |
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
|
|
e62613 |
- FIPS_drbg_reseed(ctx, NULL, 0);
|
|
|
e62613 |
+ FIPS_drbg_set_reseed(ctx);
|
|
|
e62613 |
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
|
|
e62613 |
}
|
|
|
e62613 |
return 1;
|