int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
int crypt_hmac_destroy(struct crypt_hmac *ctx);
-/* RNG (must be usable in FIPS mode) */
+/* RNG (if fips paramater set, must provide FIPS compliance) */
enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality);
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips);
#endif /* _CRYPTO_BACKEND_H */
return 0;
}
-/* RNG */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
{
switch(quality) {
case CRYPT_RND_NORMAL:
}
/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
{
return -EINVAL;
}
}
/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
{
return -EINVAL;
}
static int crypto_backend_initialised = 0;
static char version[64];
-
struct hash_alg {
const char *name;
SECOidTag oid;
return 0;
}
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
{
- return -EINVAL;
+ if (fips)
+ return -EINVAL;
+
+ if (PK11_GenerateRandom((unsigned char *)buffer, length) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
}
#include <errno.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/rand.h>
#include "crypto_backend.h"
static int crypto_backend_initialised = 0;
return 0;
}
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
{
- return -EINVAL;
+ if (fips)
+ return -EINVAL;
+
+ if (RAND_bytes((unsigned char *)buffer, length) != 1)
+ return -EINVAL;
+
+ return 0;
}
break;
case CRYPT_RND_SALT:
if (crypt_fips_mode())
- status = crypt_backend_fips_rng(buf, len, quality);
+ status = crypt_backend_rng(buf, len, quality, 1);
else
status = _get_urandom(ctx, buf, len);
break;
case CRYPT_RND_KEY:
if (crypt_fips_mode()) {
- status = crypt_backend_fips_rng(buf, len, quality);
+ status = crypt_backend_rng(buf, len, quality, 1);
break;
}
rng_type = ctx ? crypt_get_rng_type(ctx) :