Check requested security strength in DRBG. Add function to retrieve the
authorDr. Stephen Henson <steve@openssl.org>
Fri, 11 Mar 2011 17:42:11 +0000 (17:42 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 11 Mar 2011 17:42:11 +0000 (17:42 +0000)
security strength.

crypto/fips_err.h
fips/fips.h
fips/rand/fips_drbg_lib.c
fips/rand/fips_drbgvs.c
fips/rand/fips_rand.h

index 8bde7e8..07a13e2 100644 (file)
@@ -128,6 +128,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
 {ERR_REASON(FIPS_R_GENERATE_ERROR)       ,"generate error"},
 {ERR_REASON(FIPS_R_INSTANTIATE_ERROR)    ,"instantiate error"},
+{ERR_REASON(FIPS_R_INSUFFICIENT_SECURITY_STRENGTH),"insufficient security strength"},
 {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
 {ERR_REASON(FIPS_R_IN_ERROR_STATE)       ,"in error state"},
 {ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},
index fa4f680..ee144a1 100644 (file)
@@ -233,6 +233,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_FIPS_SELFTEST_FAILED                     106
 #define FIPS_R_GENERATE_ERROR                           124
 #define FIPS_R_INSTANTIATE_ERROR                        125
+#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH           132
 #define FIPS_R_INVALID_KEY_LENGTH                       109
 #define FIPS_R_IN_ERROR_STATE                           126
 #define FIPS_R_KEY_TOO_SHORT                            108
index fd154c0..1c8712e 100644 (file)
@@ -145,6 +145,12 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
                goto end;
                }
 
+       if (strength > dctx->strength)
+               {
+               r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
+               goto end;
+               }
+
        dctx->status = DRBG_STATUS_ERROR;
 
        entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
@@ -261,7 +267,7 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
 
 
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int prediction_resistance,
+                       int strength, int prediction_resistance,
                        const unsigned char *adin, size_t adinlen)
        {
        int r = 0;
@@ -270,6 +276,13 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
                r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
                return 0;
                }
+
+       if (strength > dctx->strength)
+               {
+               r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
+               goto end;
+               }
+
        if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
                {
                if (!FIPS_drbg_reseed(dctx, adin, adinlen))
@@ -351,3 +364,8 @@ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
        {
        return dctx->blocklength;
        }
+
+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
+       {
+       return dctx->strength;
+       }
index 3f6a2a5..c60b80b 100644 (file)
@@ -269,7 +269,7 @@ int main(int argc,char **argv)
                        adin = hex2bin_m(value, &adinlen);
                        if (pr)
                                continue;
-                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
+                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0, 0,
                                                                adin, adinlen);
                        if (!r)
                                {
@@ -291,8 +291,8 @@ int main(int argc,char **argv)
                                t.ent = ent;
                                t.entlen = entlen;
                                r = FIPS_drbg_generate(dctx,
-                                                       randout, randoutlen, 1,
-                                                       adin, adinlen);
+                                                       randout, randoutlen,
+                                                       0, 1, adin, adinlen);
                                if (!r)
                                        {
                                        fprintf(stderr,
index e9e2afb..6a0b672 100644 (file)
@@ -80,7 +80,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, int strength,
                                const unsigned char *pers, size_t perslen);
 int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int prediction_resistance,
+                       int strength, int prediction_resistance,
                        const unsigned char *adin, size_t adinlen);
 
 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
@@ -95,6 +95,7 @@ int FIPS_drbg_set_test_mode(DRBG_CTX *dctx,
 void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
 void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
+int FIPS_drbg_get_strength(DRBG_CTX *dctx);
 
 #ifdef  __cplusplus
 }