From 11ee2876a6946b6f67925daa4e175d90ed2ff20b Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 27 May 2012 01:09:40 +0200
Subject: [PATCH] Implement more RNG backend wrappers.

---
 lib/crypto_backend/crypto_backend.h |  4 ++--
 lib/crypto_backend/crypto_gcrypt.c  |  4 ++--
 lib/crypto_backend/crypto_kernel.c  |  2 +-
 lib/crypto_backend/crypto_nettle.c  |  2 +-
 lib/crypto_backend/crypto_nss.c     | 13 +++++++++----
 lib/crypto_backend/crypto_openssl.c | 13 ++++++++++---
 lib/random.c                        |  4 ++--
 7 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
index 23192df..c7f30cb 100644
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -48,8 +48,8 @@ int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length);
 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
 int crypt_hmac_destroy(struct crypt_hmac *ctx);
 
-/* RNG (must be usable in FIPS mode) */
+/* RNG (if fips paramater set, must provide FIPS compliance) */
 enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality);
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips);
 
 #endif /* _CRYPTO_BACKEND_H */
diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
index f0c9bec..ee14198 100644
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -236,8 +236,8 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
 	return 0;
 }
 
-/* RNG  */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
 {
 	switch(quality) {
 	case CRYPT_RND_NORMAL:
diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
index b0eb042..50e7167 100644
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -298,7 +298,7 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
 }
 
 /* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
 {
 	return -EINVAL;
 }
diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
index f41ae7c..2fc2ce6 100644
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -270,7 +270,7 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
 }
 
 /* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
 {
 	return -EINVAL;
 }
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
index dca9171..bc81973 100644
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -28,7 +28,6 @@
 static int crypto_backend_initialised = 0;
 static char version[64];
 
-
 struct hash_alg {
 	const char *name;
 	SECOidTag oid;
@@ -284,8 +283,14 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
 	return 0;
 }
 
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
 {
-	return -EINVAL;
+	if (fips)
+		return -EINVAL;
+
+	if (PK11_GenerateRandom((unsigned char *)buffer, length) != SECSuccess)
+		return -EINVAL;
+
+	return 0;
 }
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 3efd815..bbd35bf 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -30,6 +30,7 @@
 #include <errno.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#include <openssl/rand.h>
 #include "crypto_backend.h"
 
 static int crypto_backend_initialised = 0;
@@ -218,8 +219,14 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
 	return 0;
 }
 
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
 {
-	return -EINVAL;
+	if (fips)
+		return -EINVAL;
+
+	if (RAND_bytes((unsigned char *)buffer, length) != 1)
+		return -EINVAL;
+
+	return 0;
 }
diff --git a/lib/random.c b/lib/random.c
index 5aa95e0..5de4214 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -178,13 +178,13 @@ int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int qualit
 		break;
 	case CRYPT_RND_SALT:
 		if (crypt_fips_mode())
-			status = crypt_backend_fips_rng(buf, len, quality);
+			status = crypt_backend_rng(buf, len, quality, 1);
 		else
 			status = _get_urandom(ctx, buf, len);
 		break;
 	case CRYPT_RND_KEY:
 		if (crypt_fips_mode()) {
-			status = crypt_backend_fips_rng(buf, len, quality);
+			status = crypt_backend_rng(buf, len, quality, 1);
 			break;
 		}
 		rng_type = ctx ? crypt_get_rng_type(ctx) :
-- 
2.7.4