Disable Dual EC DRBG.
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
snhenson committed Sep 22, 2013
1 parent 39aabe5 commit a4870de
Showing 3 changed files with 10 additions and 0 deletions.
1 change: 1 addition & 0 deletions crypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
#define RAND_F_SSLEAY_RAND_BYTES 100

/* Reason codes. */
#define RAND_R_DUAL_EC_DRBG_DISABLED 104
#define RAND_R_ERROR_INITIALISING_DRBG 102
#define RAND_R_ERROR_INSTANTIATING_DRBG 103
#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
1 change: 1 addition & 0 deletions crypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=

static ERR_STRING_DATA RAND_str_reasons[]=
{
{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
8 changes: 8 additions & 0 deletions crypto/rand/rand_lib.c
@@ -269,6 +269,14 @@ int RAND_init_fips(void)
DRBG_CTX *dctx;
size_t plen;
unsigned char pers[32], *p;
#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
if (fips_drbg_type >> 16)
{
RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
return 0;
}
#endif

dctx = FIPS_get_default_drbg();
if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
{
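Review bot: The guard `if (fips_drbg_type >> 16)` recognises Dual EC only through an undocumented bit layout, so nothing in RAND_init_fips tells a reader why a non-zero upper half of the type means "Dual EC". Presumably the Dual EC types carry a curve identifier above bit 15 while every other DRBG type fits in the low 16 bits; if that is the case, state it next to the test, for example `/* Dual EC types carry a curve id in the upper 16 bits; refuse them unless built with OPENSSL_ALLOW_DUAL_EC_DRBG */`, or hide the shift behind a named macro. The rejection also happens only at init time, so it is worth checking whether the code that assigns fips_drbg_type (not shown on this page) should fail as well, so the error is reported where the Dual EC type is requested rather than later. The body of RAND_init_fips continues past the end of this hunk.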
