Initial switch to DRBG base PRNG in FIPS mode. Include bogus seeding for

test applications.

diff --git a/fips/fips.c b/fips/fips.c
index 5ea4be1e08b3c3a9d47a6e848de6ea8aec52aada..2b66160bb51de24d234de3c9b4d9402ce6680e75 100644 (file)
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -277,7 +277,6 @@ int FIPS_mode_set(int onoff)
 
     if(onoff)
        {
-       unsigned char buf[48];
 
        fips_selftest_fail = 0;
 
@@ -330,10 +329,11 @@ int FIPS_mode_set(int onoff)
            ret = 0;
            goto end;
            }
-
+#if 0
        /* automagically seed PRNG if not already seeded */
        if(!FIPS_rand_status())
            {
+           unsigned char buf[48];
            if(RAND_bytes(buf,sizeof buf) <= 0)
                {
                fips_selftest_fail = 1;
@@ -347,6 +347,10 @@ int FIPS_mode_set(int onoff)
        /* now switch into FIPS mode */
        fips_set_rand_check(FIPS_rand_method());
        RAND_set_rand_method(FIPS_rand_method());
+#else
+       fips_set_rand_check(FIPS_drbg_method());
+       RAND_set_rand_method(FIPS_drbg_method());
+#endif
        if(FIPS_selftest())
            fips_set_mode(1);
        else

diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 89914d721c42b445e7547926309b514498f56a1f..6addef6386649108e5949a307fdad89a603c9ef3 100644 (file)
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -673,7 +673,7 @@ int main(int argc,char **argv)
     int do_rng_stick = 0;
     int no_exit = 0;
 
-    fips_set_error_print();
+    fips_algtest_init_nofips();
 
     printf("\tFIPS-mode test application\n\n");
 

diff --git a/fips/fips_utl.h b/fips/fips_utl.h
index 3deb406cf419eb8ee9912c93d61f238dfe48e0a3..4810566c2f712d9f897c2c2161205390c9a3e051 100644 (file)
--- a/fips/fips_utl.h
+++ b/fips/fips_utl.h
@@ -49,6 +49,9 @@
 
 #define OPENSSL_FIPSAPI
 
+#include <openssl/fips_rand.h>
+#include <openssl/objects.h>
+
 int hex2bin(const char *in, unsigned char *out);
 unsigned char *hex2bin_m(const char *in, long *plen);
 int do_hex2bn(BIGNUM **pr, const char *in);
@@ -93,14 +96,33 @@ static void add_err_cb(int num, va_list args)
        fputs("\n", stderr);
        }
 
-static void fips_set_error_print(void)
+/* Dummy Entropy to keep DRBG happy. WARNING: THIS IS TOTALLY BOGUS
+ * HAS ZERO SECURITY AND MUST NOT BE USED IN REAL APPLICATIONS.
+ */
+
+static unsigned char dummy_entropy[1024];
+
+static size_t dummy_cb(DRBG_CTX *ctx, unsigned char **pout,
+                                int entropy, size_t min_len, size_t max_len)
+       {
+       *pout = dummy_entropy;
+       return min_len;
+       }
+
+static void fips_algtest_init_nofips(void)
        {
+       DRBG_CTX *ctx;
        FIPS_set_error_callbacks(put_err_cb, add_err_cb);
+       OPENSSL_cleanse(dummy_entropy, 1024);
+       ctx = FIPS_get_default_drbg();
+       FIPS_drbg_init(ctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
+       FIPS_drbg_set_callbacks(ctx, dummy_cb, 0, dummy_cb, 0);
+       FIPS_drbg_instantiate(ctx, dummy_entropy, 10);
        }
 
 void fips_algtest_init(void)
        {
-       fips_set_error_print();
+       fips_algtest_init_nofips();
        if (!FIPS_mode_set(1))
                {
                fprintf(stderr, "Error entering FIPS mode\n");

diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index 761b0fcc2ba4e91ff3425ea3a0fd5d3fce43605f..61caca79e601be38831c542c10e43d1cb753426e 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -274,6 +274,17 @@ static int fips_drbg_generate_internal(DRBG_CTX *dctx,
                        const unsigned char *adin, size_t adinlen)
        {
        int r = 0;
+
+       if (dctx->status != DRBG_STATUS_READY
+               && dctx->status != DRBG_STATUS_RESEED)
+               {
+               if (dctx->status == DRBG_STATUS_ERROR)
+                       r = FIPS_R_IN_ERROR_STATE;
+               else if(dctx->status == DRBG_STATUS_UNINITIALISED)
+                       r = FIPS_R_NOT_INSTANTIATED;
+               goto end;
+               }
+
        if (outlen > dctx->max_request)
                {
                r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
@@ -296,14 +307,7 @@ static int fips_drbg_generate_internal(DRBG_CTX *dctx,
                adin = NULL;
                adinlen = 0;
                }
-       if (dctx->status != DRBG_STATUS_READY)
-               {
-               if (dctx->status == DRBG_STATUS_ERROR)
-                       r = FIPS_R_IN_ERROR_STATE;
-               else if(dctx->status == DRBG_STATUS_UNINITIALISED)
-                       r = FIPS_R_NOT_INSTANTIATED;
-               goto end;
-               }
+
        if (!dctx->generate(dctx, out, outlen, adin, adinlen))
                {
                r = FIPS_R_GENERATE_ERROR;