[openssl] Avoid unnecessary reseeding in BN_rand in FIPS mode.
Tomáš Mráz
tmraz at fedoraproject.org
Thu Feb 13 15:54:31 UTC 2014
commit 3f8863c3cd5bbc0ef1556a8f5ad16b0414f2683c
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Feb 13 16:54:43 2014 +0100
Avoid unnecessary reseeding in BN_rand in FIPS mode.
openssl-1.0.1e-new-fips-reqs.patch | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
---
diff --git a/openssl-1.0.1e-new-fips-reqs.patch b/openssl-1.0.1e-new-fips-reqs.patch
index 7054955..055a087 100644
--- a/openssl-1.0.1e-new-fips-reqs.patch
+++ b/openssl-1.0.1e-new-fips-reqs.patch
@@ -1,3 +1,22 @@
+diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/bn_rand.c
+--- openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs 2013-02-11 16:02:47.000000000 +0100
++++ openssl-1.0.1e/crypto/bn/bn_rand.c 2014-02-13 16:50:34.280893285 +0100
+@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
+ goto err;
+ }
+
+- /* make a random number and set the top and bottom bits */
+- time(&tim);
+- RAND_add(&tim,sizeof(tim),0.0);
++ if (!FIPS_mode()) /* in FIPS mode the RNG is always properly seeded or the module fails */
++ {
++ /* make a random number and set the top and bottom bits */
++ time(&tim);
++ RAND_add(&tim,sizeof(tim),0.0);
++ }
+
+ if (pseudorand)
+ {
diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_gen.c
--- openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs 2013-12-18 12:17:09.748636614 +0100
+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-12-18 12:17:09.798637687 +0100
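Review bot: The comment `/* make a random number and set the top and bottom bits */` now sits inside the new `if (!FIPS_mode())` block, where it labels the `time(&tim)` / `RAND_add(&tim,sizeof(tim),0.0)` pair instead of the generation code that begins at `if (pseudorand)`. I would keep that comment directly above `if (pseudorand)` and give the guarded block its own, for example `/* mix the current time into the RNG state (credited with 0.0 entropy) */`. The justification on the `if` line assumes the FIPS RNG fails closed. The return-value check on the random-bytes call lies outside this hunk, since bnrand's body continues past it, so it is worth confirming that an RNG failure in FIPS mode still reaches `goto err` and does not yield an output buffer.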