Avoid unnecessary reseeding in BN_rand in FIPS mode.

This commit is contained in:
Tomas Mraz 2014-02-13 16:54:43 +01:00
parent 165cee17b3
commit 3f8863c3cd

View File

@ -1,3 +1,22 @@
diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/bn_rand.c
--- openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs 2013-02-11 16:02:47.000000000 +0100
+++ openssl-1.0.1e/crypto/bn/bn_rand.c 2014-02-13 16:50:34.280893285 +0100
@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
}
- /* make a random number and set the top and bottom bits */
- time(&tim);
- RAND_add(&tim,sizeof(tim),0.0);
+ if (!FIPS_mode()) /* in FIPS mode the RNG is always properly seeded or the module fails */
+ {
+ /* make a random number and set the top and bottom bits */
+ time(&tim);
+ RAND_add(&tim,sizeof(tim),0.0);
+ }
if (pseudorand)
{
diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_gen.c
--- openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs 2013-12-18 12:17:09.748636614 +0100
+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-12-18 12:17:09.798637687 +0100