gnutls_session_ticket_key_generate: fixed operation under FIPS140-2 mode
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Mar 2017 13:31:30 +0000 (14:31 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Mar 2017 13:35:01 +0000 (14:35 +0100)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/ext/session_ticket.c

index feb650706f22b6af5e3eb00c301e1ec6c4a73d30..9747177b54f7a31240f2e2ad0ac67ffbbd8747b2 100644 (file)
@@ -506,7 +506,27 @@ session_ticket_unpack(gnutls_buffer_st * ps, extension_priv_data_t * _priv)
  **/
 int gnutls_session_ticket_key_generate(gnutls_datum_t * key)
 {
-       return gnutls_key_generate(key, SESSION_KEY_SIZE);
+       if (_gnutls_fips_mode_enabled()) {
+               int ret;
+               /* in FIPS140-2 mode gnutls_key_generate imposes
+                * some limits on allowed key size, thus it is not
+                * used. These limits do not affect this function as
+                * it does not generate a "key" but rather key material
+                * that includes nonces and other stuff. */
+               key->data = gnutls_malloc(SESSION_KEY_SIZE);
+               if (key->data == NULL)
+                       return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+               key->size = SESSION_KEY_SIZE;
+               ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
+               if (ret < 0) {
+                       gnutls_free(key->data);
+                       return ret;
+               }
+               return 0;
+       } else {
+               return gnutls_key_generate(key, SESSION_KEY_SIZE);
+       }
 }
 
 /**
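Review bot: On the `gnutls_rnd` failure path in the FIPS branch, `key->data` is freed but still points at the released buffer, and `key->size` still reads `SESSION_KEY_SIZE`. A caller that frees or inspects the datum after an error return would then touch freed memory, assuming `gnutls_free` does not clear the pointer itself in this tree. Reset the output before returning with `key->data = NULL;` and `key->size = 0;`. The same path also returns the bare `ret`, while the allocation failure just above goes through `gnutls_assert_val`; `return gnutls_assert_val(ret);` would keep the error logging consistent.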