From: Pauli <paul.dale@oracle.com>
Date: Wed, 9 Sep 2020 21:09:16 +0000 (+1000)
Subject: CRNGT: enter FIPS error state if the test fails
X-Git-Tag: openssl-3.0.0-alpha7~279
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=801ed9edbad11b3f0646b396c672dbae33353de2;p=thirdparty%2Fopenssl.git

CRNGT: enter FIPS error state if the test fails

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
---

diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
index 538de37468b..9a9e9c703b7 100644
--- a/providers/implementations/rands/crngt.c
+++ b/providers/implementations/rands/crngt.c
@@ -92,6 +92,17 @@ static const OPENSSL_CTX_METHOD rand_crng_ossl_ctx_method = {
     rand_crng_ossl_ctx_free,
 };
 
+static int prov_crngt_compare_previous(const unsigned char *prev,
+                                        const unsigned char *cur,
+                                        size_t sz)
+{
+    const int res = memcmp(prev, cur, sz) != 0;
+
+    if (!res)
+        ossl_set_error_state();
+    return res;
+}
+
 size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
                               unsigned char **pout,
                               int entropy, size_t min_len, size_t max_len,
@@ -117,7 +128,7 @@ size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
         s = q > sizeof(buf) ? sizeof(buf) : q;
         if (!crngt_get_entropy(libctx, crngt_glob->crngt_pool, buf, md,
                                &sz)
-            || memcmp(crngt_glob->crngt_prev, md, sz) == 0
+            || !prov_crngt_compare_previous(crngt_glob->crngt_prev, md, sz)
             || !rand_pool_add(pool, buf, s, s * 8))
             goto err;
         memcpy(crngt_glob->crngt_prev, md, sz);