Perform health check on all reseed operations not associated with

author Dr. Stephen Henson <steve@openssl.org>

Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)
diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c

index c2e42896d1abc6d8b4785b5e434eed97d5ecf6f0..9873742c4535967abebd6947ac80c589d0469a56 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -273,8 +273,8 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
  
         }
  
  
         }
  
-int FIPS_drbg_reseed(DRBG_CTX *dctx,
-                       const unsigned char *adin, size_t adinlen)
+static int drbg_reseed(DRBG_CTX *dctx,
+                       const unsigned char *adin, size_t adinlen, int hcheck)
         {
         unsigned char *entropy = NULL;
         size_t entlen;
         {
         unsigned char *entropy = NULL;
         size_t entlen;
@@ -303,6 +303,17 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
                 }
  
         dctx->status = DRBG_STATUS_ERROR;
                 }
  
         dctx->status = DRBG_STATUS_ERROR;
+       /* Peform health check on all reseed operations if not a prediction
+        * resistance request and not in test mode.
+        */
+       if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
+               {
+               if (!FIPS_drbg_test(dctx))
+                       {
+                       r = FIPS_R_SELFTEST_FAILURE;
+                       goto end;
+                       }
+               }
  
         entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
                                 dctx->min_entropy, dctx->max_entropy);
  
         entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
                                 dctx->min_entropy, dctx->max_entropy);
@@ -333,6 +344,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
         return 0;
         }
  
         return 0;
         }
  
+int FIPS_drbg_reseed(DRBG_CTX *dctx,
+                       const unsigned char *adin, size_t adinlen)
+       {
+       return drbg_reseed(dctx, adin, adinlen, 1);
+       }
+
  static int fips_drbg_check(DRBG_CTX *dctx)
         {
         if (dctx->xflags & DRBG_FLAG_TEST)
  static int fips_drbg_check(DRBG_CTX *dctx)
         {
         if (dctx->xflags & DRBG_FLAG_TEST)
@@ -340,7 +357,7 @@ static int fips_drbg_check(DRBG_CTX *dctx)
         dctx->health_check_cnt++;
         if (dctx->health_check_cnt >= dctx->health_check_interval)
                 {
         dctx->health_check_cnt++;
         if (dctx->health_check_cnt >= dctx->health_check_interval)
                 {
-               if (FIPS_drbg_test(dctx) <= 0)
+               if (!FIPS_drbg_test(dctx))
                         {
                         FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
                         dctx->status = DRBG_STATUS_ERROR;
                         {
                         FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
                         dctx->status = DRBG_STATUS_ERROR;
@@ -389,7 +406,10 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
  
         if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
                 {
  
         if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
                 {
-               if (!FIPS_drbg_reseed(dctx, adin, adinlen))
+               /* If prediction resistance request don't do health check */
+               int hcheck = prediction_resistance ? 0 : 1;
+               
+               if (!drbg_reseed(dctx, adin, adinlen, hcheck))
                         {
                         r = FIPS_R_RESEED_ERROR;
                         goto end;
                         {
                         r = FIPS_R_RESEED_ERROR;
                         goto end;
diff --git a/fips/rand/fips_drbg_selftest.c b/fips/rand/fips_drbg_selftest.c

index 76667a0167e4d6302b1e69a3175b0e35d36f450a..3bc7eab95ca77ddd9305de8f8be206c547eb0358 100644 (file)
--- a/fips/rand/fips_drbg_selftest.c
+++ b/fips/rand/fips_drbg_selftest.c
@@ -772,9 +772,8 @@ int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
                 {
                 if (td->nid == nid && td->flags == flags)
                         {
                 {
                 if (td->nid == nid && td->flags == flags)
                         {
-                       rv = fips_drbg_single_kat(dctx, td, 0);
-                       if (rv <= 0)
-                               return rv;
+                       if (!fips_drbg_single_kat(dctx, td, 0))
+                               return 0;
                         return fips_drbg_health_check(dctx, td);
                         }
                 }
                         return fips_drbg_health_check(dctx, td);
                         }
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 21 Sep 2011 18:24:12 +0000 (18:24 +0000)
fips/rand/fips_drbg_lib.c		patch \| blob \| history
fips/rand/fips_drbg_selftest.c		patch \| blob \| history