Implement more RNG backend wrappers.

author Milan Broz <gmazyland@gmail.com>

Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)

committer Milan Broz <gmazyland@gmail.com>

Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)
author Milan Broz <gmazyland@gmail.com>
Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)
committer Milan Broz <gmazyland@gmail.com>
Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)
diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h

index 23192df..c7f30cb 100644 (file)
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -48,8 +48,8 @@ int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length);
  int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
  int crypt_hmac_destroy(struct crypt_hmac *ctx);
  
-/* RNG (must be usable in FIPS mode) */
+/* RNG (if fips paramater set, must provide FIPS compliance) */
  enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality);
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips);
  
  #endif /* _CRYPTO_BACKEND_H */
diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c

index f0c9bec..ee14198 100644 (file)
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -236,8 +236,8 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
         return 0;
  }
  
-/* RNG  */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
  {
         switch(quality) {
         case CRYPT_RND_NORMAL:
diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c

index b0eb042..50e7167 100644 (file)
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -298,7 +298,7 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
  }
  
  /* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
  {
         return -EINVAL;
  }
diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c

index f41ae7c..2fc2ce6 100644 (file)
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -270,7 +270,7 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
  }
  
  /* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
  {
         return -EINVAL;
  }
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c

index dca9171..bc81973 100644 (file)
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -28,7 +28,6 @@
  static int crypto_backend_initialised = 0;
  static char version[64];
  
-
  struct hash_alg {
         const char *name;
         SECOidTag oid;
@@ -284,8 +283,14 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
         return 0;
  }
  
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
  {
-       return -EINVAL;
+       if (fips)
+               return -EINVAL;
+
+       if (PK11_GenerateRandom((unsigned char *)buffer, length) != SECSuccess)
+               return -EINVAL;
+
+       return 0;
  }
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c

index 3efd815..bbd35bf 100644 (file)
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -30,6 +30,7 @@
  #include <errno.h>
  #include <openssl/evp.h>
  #include <openssl/hmac.h>
+#include <openssl/rand.h>
  #include "crypto_backend.h"
  
  static int crypto_backend_initialised = 0;
@@ -218,8 +219,14 @@ int crypt_hmac_destroy(struct crypt_hmac *ctx)
         return 0;
  }
  
-/* RNG - N/A */
-int crypt_backend_fips_rng(char *buffer, size_t length, int quality)
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
  {
-       return -EINVAL;
+       if (fips)
+               return -EINVAL;
+
+       if (RAND_bytes((unsigned char *)buffer, length) != 1)
+               return -EINVAL;
+
+       return 0;
  }
diff --git a/lib/random.c b/lib/random.c

index 5aa95e0..5de4214 100644 (file)
--- a/lib/random.c
+++ b/lib/random.c
@@ -178,13 +178,13 @@ int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int qualit
                 break;
         case CRYPT_RND_SALT:
                 if (crypt_fips_mode())
-                       status = crypt_backend_fips_rng(buf, len, quality);
+                       status = crypt_backend_rng(buf, len, quality, 1);
                 else
                         status = _get_urandom(ctx, buf, len);
                 break;
         case CRYPT_RND_KEY:
                 if (crypt_fips_mode()) {
-                       status = crypt_backend_fips_rng(buf, len, quality);
+                       status = crypt_backend_rng(buf, len, quality, 1);
                         break;
                 }
                 rng_type = ctx ? crypt_get_rng_type(ctx) :
author	Milan Broz <gmazyland@gmail.com>
	Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)
committer	Milan Broz <gmazyland@gmail.com>
	Sat, 26 May 2012 23:09:40 +0000 (01:09 +0200)
lib/crypto_backend/crypto_backend.h		patch \| blob \| history
lib/crypto_backend/crypto_gcrypt.c		patch \| blob \| history
lib/crypto_backend/crypto_kernel.c		patch \| blob \| history
lib/crypto_backend/crypto_nettle.c		patch \| blob \| history
lib/crypto_backend/crypto_nss.c		patch \| blob \| history
lib/crypto_backend/crypto_openssl.c		patch \| blob \| history
lib/random.c		patch \| blob \| history