1 files changed, 11 insertions, 6 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index deb3cffabe..c4a1a71523 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -125,6 +125,7 @@
 #include <openssl/krb5_asn.h>
 #endif
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                        return -1;
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
+                                        EVP_MD_CTX_set_flags(&md_ctx,
+                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        i = SSL_MAX_MASTER_KEY_LENGTH;
                        p[0] = s->client_version >> 8;
                        p[1] = s->client_version & 0xff;
-                        RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+                        if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
+                                goto err;
                        }
        
                s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
-                if (n < enc_ticket.length + 6)
+                if (n < (long)enc_ticket.length + 6)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                authenticator.length = i;
-                if (n < enc_ticket.length + authenticator.length + 6)
+                if (n < (long)(enc_ticket.length + authenticator.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
-                if (n != enc_ticket.length + authenticator.length +
+                if (n != (long)(enc_ticket.length + authenticator.length +
-                                                enc_pms.length + 6)
+                                                enc_pms.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);