fips_canister.c: more cross-compiler platfroms verified.
[openssl.git] / fips / rand / fips_rand_lib.c
index 2d198f9cd818a1dc19062b2a310eed56d0bb0028..a606d31fbdfe39f41433a98759dff2fd176bc5b8 100644 (file)
 
 static const RAND_METHOD *fips_rand_meth = NULL;
 static int fips_approved_rand_meth = 0;
+static int fips_rand_bits = 0;
 
-int FIPS_rand_set_method(const RAND_METHOD *meth)
+/* Allows application to override number of bits and uses non-FIPS methods */
+void FIPS_rand_set_bits(int nbits)
        {
-       if (meth == FIPS_drbg_method())
-               fips_approved_rand_meth = 1;
-       else if (meth == FIPS_x931_method())
-               fips_approved_rand_meth = 2;
-       else
-               fips_approved_rand_meth = 0;
+       fips_rand_bits = nbits;
+       }
 
-       if (!fips_approved_rand_meth && FIPS_mode())
+int FIPS_rand_set_method(const RAND_METHOD *meth)
+       {
+       if (!fips_rand_bits)
                {
-               FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
-               return 0;
+               if (meth == FIPS_drbg_method())
+                       fips_approved_rand_meth = 1;
+               else if (meth == FIPS_x931_method())
+                       fips_approved_rand_meth = 2;
+               else
+                       {
+                       fips_approved_rand_meth = 0;
+                       if (FIPS_module_mode())
+                               {
+                               FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD,
+                                               FIPS_R_NON_FIPS_METHOD);
+                               return 0;
+                               }
+                       }
                }
        fips_rand_meth = meth;
        return 1;
        }
 
+const RAND_METHOD *FIPS_rand_get_method(void)
+       {
+       return fips_rand_meth;
+       }
+
 void FIPS_rand_seed(const void *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
                return;
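Review bot: When `fips_rand_bits` is non-zero, FIPS_rand_set_method() skips the whole classification block, so `fips_approved_rand_meth` keeps the value left by an earlier call while `fips_rand_meth` is replaced. If a DRBG or X9.31 method was installed first, the flag stays at 1 or 2 and the `!fips_approved_rand_meth && FIPS_module_mode()` gates in FIPS_rand_seed/add/bytes/pseudo_bytes/status accept the unclassified method in module mode; if nothing was installed first, the same method is accepted here but rejected by those gates. If the override is meant to bypass the approval check, it would be safer to record that in an explicit state value than to depend on call order. FIPS_rand_set_bits() also stores negative values unchecked, which could be clamped with `fips_rand_bits = nbits > 0 ? nbits : 0;`. FIPS_rand_seed's body continues past the end of this hunk.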
@@ -94,7 +111,7 @@ void FIPS_rand_seed(const void *buf, int num)
 
 void FIPS_rand_add(const void *buf, int num, double entropy)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
                return;
@@ -105,7 +122,7 @@ void FIPS_rand_add(const void *buf, int num, double entropy)
 
 int FIPS_rand_bytes(unsigned char *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -117,7 +134,7 @@ int FIPS_rand_bytes(unsigned char *buf, int num)
 
 int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -129,7 +146,7 @@ int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
 
 int FIPS_rand_status(void)
        {
-       if (!fips_approved_rand_meth && FIPS_mode())
+       if (!fips_approved_rand_meth && FIPS_module_mode())
                {
                FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
                return 0;
@@ -138,3 +155,27 @@ int FIPS_rand_status(void)
                return fips_rand_meth->status();
        return 0;
        }
+
+/* Return instantiated strength of PRNG. For DRBG this is an internal
+ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
+ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
+ * 256 outside FIPS mode.
+ */
+
+int FIPS_rand_strength(void)
+       {
+       if (fips_rand_bits)
+               return fips_rand_bits;
+       if (fips_approved_rand_meth == 1)
+               return FIPS_drbg_get_strength(FIPS_get_default_drbg());
+       else if (fips_approved_rand_meth == 2)
+               return 80;
+       else if (fips_approved_rand_meth == 0)
+               {
+               if (FIPS_module_mode())
+                       return 0;
+               else
+                       return 256;
+               }
+       return 0;
+       }
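Review bot: The header comment on FIPS_rand_strength() does not describe the first branch, which returns `fips_rand_bits` unchecked even when `FIPS_module_mode()` is true. A caller that sizes keys or checks security levels from this result then gets a strength asserted by the application, not one derived from the installed method. I would add to the comment: `If FIPS_rand_set_bits() set a non-zero value, that value is returned as-is, in or out of FIPS mode.` The literal `80` for the X9.31 case would also be easier to audit as a named constant next to the SP800-131 reference.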