6 files changed, 39 insertions, 9 deletions
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index fcdd3f2a84..aee1c30b0a 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -123,10 +123,10 @@
 #include "e_os.h"
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 #ifdef BN_DEBUG
@@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
        EVP_MD_CTX m;
        int do_not_lock;
+        if (!num)
+                return;
        /*
         * (Based on the rand(3) manpage)
         *
@@ -380,8 +383,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
         * are fed into the hash function and the results are kept in the
         * global 'md'.
         */
+#ifdef OPENSSL_FIPS
-        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+        /* NB: in FIPS mode we are already under a lock */
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_lock(CRYPTO_LOCK_RAND);
        /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
        CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
@@ -460,7 +466,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
        /* before unlocking, we must clear 'crypto_lock_rand' */
        crypto_lock_rand = 0;
-        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
        while (num > 0)
                {
@@ -512,10 +521,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
        MD_Init(&m);
        MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
        MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_lock(CRYPTO_LOCK_RAND);
        MD_Update(&m,md,MD_DIGEST_LENGTH);
        MD_Final(&m,md);
-        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
        EVP_MD_CTX_cleanup(&m);
        if (ok)
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index dc8fcf94c5..bb5520e80a 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
 #define RAND_F_SSLEAY_RAND_BYTES                         100
 /* Reason codes. */
+#define RAND_R_DUAL_EC_DRBG_DISABLED                     104
 #define RAND_R_ERROR_INITIALISING_DRBG                   102
 #define RAND_R_ERROR_INSTANTIATING_DRBG                  103
 #define RAND_R_NO_FIPS_RANDOM_METHOD_SET                 101
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index b8586c8f4a..c4c80fc8cc 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
        {
+{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
 {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
 {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
 {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index daf1dab973..5ac0e14caf 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
 static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
        {
-        OPENSSL_cleanse(out, olen);
+        if (out)
-        OPENSSL_free(out);
+                {
+                OPENSSL_cleanse(out, olen);
+                OPENSSL_free(out);
+                }
        }
 /* Set "additional input" when generating random data. This uses the
@@ -266,6 +269,14 @@ int RAND_init_fips(void)
        DRBG_CTX *dctx;
        size_t plen;
        unsigned char pers[32], *p;
+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+        if (fips_drbg_type >> 16)
+                {
+                RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+                return 0;
+                }
+#endif
+                
        dctx = FIPS_get_default_drbg();
        if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
                {
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index 5d134e186b..34ffcd23f9 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -750,7 +750,7 @@ static void readscreen(void)
  int           y;              /* y-coordinate of screen lines to grab */
  int           n = 16;         /* number of screen lines to grab at a time */
-  if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
+  if (check_winnt() && OPENSSL_isservice()>0)
    return;
  /* Create a screen DC and a memory DC compatible to screen DC */
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 030e07f418..7f1428072d 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -57,7 +57,9 @@
 */
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
+#if !defined(OPENSSL_SYS_VXWORKS)
 #define _XOPEN_SOURCE 500
+#endif
 #include <errno.h>
 #include <stdio.h>

diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c index fcdd3f2a84..aee1c30b0a 100644 --- a/src/lib/libcrypto/rand/md_rand.c +++ b/src/lib/libcrypto/rand/md_rand.c
@@ -123,10 +123,10 @@
123		123
124	#include "e_os.h"	124	#include "e_os.h"
125		125
		126	#include <openssl/crypto.h>
126	#include <openssl/rand.h>	127	#include <openssl/rand.h>
127	#include "rand_lcl.h"	128	#include "rand_lcl.h"
128		129
129	#include <openssl/crypto.h>
130	#include <openssl/err.h>	130	#include <openssl/err.h>
131		131
132	#ifdef BN_DEBUG	132	#ifdef BN_DEBUG
@@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
198	EVP_MD_CTX m;	198	EVP_MD_CTX m;
199	int do_not_lock;	199	int do_not_lock;
200		200
		201	if (!num)
		202	return;
		203
201	/*	204	/*
202	* (Based on the rand(3) manpage)	205	* (Based on the rand(3) manpage)
203	*	206	*
@@ -380,8 +383,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
380	* are fed into the hash function and the results are kept in the	383	* are fed into the hash function and the results are kept in the
381	* global 'md'.	384	* global 'md'.
382	*/	385	*/
383		386	#ifdef OPENSSL_FIPS
384	CRYPTO_w_lock(CRYPTO_LOCK_RAND);	387	/* NB: in FIPS mode we are already under a lock */
		388	if (!FIPS_mode())
		389	#endif
		390	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
385		391
386	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */	392	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
387	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);	393	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
@@ -460,7 +466,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
460		466
461	/* before unlocking, we must clear 'crypto_lock_rand' */	467	/* before unlocking, we must clear 'crypto_lock_rand' */
462	crypto_lock_rand = 0;	468	crypto_lock_rand = 0;
463	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);	469	#ifdef OPENSSL_FIPS
		470	if (!FIPS_mode())
		471	#endif
		472	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
464		473
465	while (num > 0)	474	while (num > 0)
466	{	475	{
@@ -512,10 +521,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
512	MD_Init(&m);	521	MD_Init(&m);
513	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));	522	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
514	MD_Update(&m,local_md,MD_DIGEST_LENGTH);	523	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
515	CRYPTO_w_lock(CRYPTO_LOCK_RAND);	524	#ifdef OPENSSL_FIPS
		525	if (!FIPS_mode())
		526	#endif
		527	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
516	MD_Update(&m,md,MD_DIGEST_LENGTH);	528	MD_Update(&m,md,MD_DIGEST_LENGTH);
517	MD_Final(&m,md);	529	MD_Final(&m,md);
518	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);	530	#ifdef OPENSSL_FIPS
		531	if (!FIPS_mode())
		532	#endif
		533	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
519		534
520	EVP_MD_CTX_cleanup(&m);	535	EVP_MD_CTX_cleanup(&m);
521	if (ok)	536	if (ok)


diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h index dc8fcf94c5..bb5520e80a 100644 --- a/src/lib/libcrypto/rand/rand.h +++ b/src/lib/libcrypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
138	#define RAND_F_SSLEAY_RAND_BYTES 100	138	#define RAND_F_SSLEAY_RAND_BYTES 100
139		139
140	/* Reason codes. */	140	/* Reason codes. */
		141	#define RAND_R_DUAL_EC_DRBG_DISABLED 104
141	#define RAND_R_ERROR_INITIALISING_DRBG 102	142	#define RAND_R_ERROR_INITIALISING_DRBG 102
142	#define RAND_R_ERROR_INSTANTIATING_DRBG 103	143	#define RAND_R_ERROR_INSTANTIATING_DRBG 103
143	#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101	144	#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101


diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c index b8586c8f4a..c4c80fc8cc 100644 --- a/src/lib/libcrypto/rand/rand_err.c +++ b/src/lib/libcrypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
78		78
79	static ERR_STRING_DATA RAND_str_reasons[]=	79	static ERR_STRING_DATA RAND_str_reasons[]=
80	{	80	{
		81	{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
81	{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},	82	{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
82	{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},	83	{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
83	{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},	84	{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},


diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c index daf1dab973..5ac0e14caf 100644 --- a/src/lib/libcrypto/rand/rand_lib.c +++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX ctx, unsigned char *pout,
210		210
211	static void drbg_free_entropy(DRBG_CTX ctx, unsigned char out, size_t olen)	211	static void drbg_free_entropy(DRBG_CTX ctx, unsigned char out, size_t olen)
212	{	212	{
213	OPENSSL_cleanse(out, olen);	213	if (out)
214	OPENSSL_free(out);	214	{
		215	OPENSSL_cleanse(out, olen);
		216	OPENSSL_free(out);
		217	}
215	}	218	}
216		219
217	/* Set "additional input" when generating random data. This uses the	220	/* Set "additional input" when generating random data. This uses the
@@ -266,6 +269,14 @@ int RAND_init_fips(void)
266	DRBG_CTX *dctx;	269	DRBG_CTX *dctx;
267	size_t plen;	270	size_t plen;
268	unsigned char pers[32], *p;	271	unsigned char pers[32], *p;
		272	#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
		273	if (fips_drbg_type >> 16)
		274	{
		275	RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
		276	return 0;
		277	}
		278	#endif
		279
269	dctx = FIPS_get_default_drbg();	280	dctx = FIPS_get_default_drbg();
270	if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)	281	if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
271	{	282	{


diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c index 5d134e186b..34ffcd23f9 100644 --- a/src/lib/libcrypto/rand/rand_win.c +++ b/src/lib/libcrypto/rand/rand_win.c
@@ -750,7 +750,7 @@ static void readscreen(void)
750	int y; /* y-coordinate of screen lines to grab */	750	int y; /* y-coordinate of screen lines to grab */
751	int n = 16; /* number of screen lines to grab at a time */	751	int n = 16; /* number of screen lines to grab at a time */
752		752
753	if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)	753	if (check_winnt() && OPENSSL_isservice()>0)
754	return;	754	return;
755		755
756	/* Create a screen DC and a memory DC compatible to screen DC */	756	/* Create a screen DC and a memory DC compatible to screen DC */


diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index 030e07f418..7f1428072d 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c
@@ -57,7 +57,9 @@
57	*/	57	*/
58		58
59	/* We need to define this to get macros like S_IFBLK and S_IFCHR */	59	/* We need to define this to get macros like S_IFBLK and S_IFCHR */
		60	#if !defined(OPENSSL_SYS_VXWORKS)
60	#define _XOPEN_SOURCE 500	61	#define _XOPEN_SOURCE 500
		62	#endif
61		63
62	#include <errno.h>	64	#include <errno.h>
63	#include <stdio.h>	65	#include <stdio.h>