1 files changed, 13 insertions, 2 deletions

diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index deb3cffabeb5..44248ba55941 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -125,6 +125,7 @@
 #include <openssl/krb5_asn.h>
 #endif
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
 		p=s->s3->server_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) <= 0)
+			return -1;
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
 
@@ -1216,8 +1218,16 @@ static int ssl3_send_server_key_exchange(SSL *s)
 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(d[4]),n);
+#ifdef OPENSSL_FIPS
+					if(s->version == TLS1_VERSION && num == 2)
+						FIPS_allow_md5(1);
+#endif
 					EVP_DigestFinal_ex(&md_ctx,q,
 						(unsigned int *)&i);
+#ifdef OPENSSL_FIPS
+					if(s->version == TLS1_VERSION && num == 2)
+						FIPS_allow_md5(0);
+#endif
 					q+=i;
 					j+=i;
 					}
@@ -1491,7 +1501,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			i = SSL_MAX_MASTER_KEY_LENGTH;
 			p[0] = s->client_version >> 8;
 			p[1] = s->client_version & 0xff;
-			RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+			if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
+				goto err;
 			}
 	
 		s->session->master_key_length=