Avoid unnecessary reseeding in BN_rand in FIPS mode.

2014-02-13 16:54:43 +01:00 · 2014-02-13 16:54:43 +01:00 · 3f8863c3cd
commit 3f8863c3cd
parent 165cee17b3
1 changed files with 19 additions and 0 deletions
--- a/openssl-1.0.1e-new-fips-reqs.patch
+++ b/openssl-1.0.1e-new-fips-reqs.patch
@ -1,3 +1,22 @@
+diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/bn_rand.c
+--- openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs	2013-02-11 16:02:47.000000000 +0100
+++ openssl-1.0.1e/crypto/bn/bn_rand.c	2014-02-13 16:50:34.280893285 +0100
+@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
+ 		goto err;
+ 		}
+ 
+-	/* make a random number and set the top and bottom bits */
+-	time(&tim);
+-	RAND_add(&tim,sizeof(tim),0.0);
+	if (!FIPS_mode()) /* in FIPS mode the RNG is always properly seeded or the module fails */
+		{
+		/* make a random number and set the top and bottom bits */
+		time(&tim);
+		RAND_add(&tim,sizeof(tim),0.0);
+		}
+ 
+ 	if (pseudorand)
+ 		{
 diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_gen.c
 --- openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs	2013-12-18 12:17:09.748636614 +0100
 +++ openssl-1.0.1e/crypto/dh/dh_gen.c	2013-12-18 12:17:09.798637687 +0100