Delete strength parameter from FIPS_drbg_generate. It isn't very useful
authorDr. Stephen Henson <steve@openssl.org>
Mon, 12 Sep 2011 13:20:57 +0000 (13:20 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 12 Sep 2011 13:20:57 +0000 (13:20 +0000)
(strength can be queried using FIPS_drbg_get_strength ) and adds a
substantial extra overhead to health check (need to check every combination
of parameters).

fips/rand/fips_drbg_lib.c
fips/rand/fips_drbg_rand.c
fips/rand/fips_drbg_selftest.c
fips/rand/fips_drbgvs.c
fips/rand/fips_rand.h

index ddbb99d..98bd10b 100644 (file)
@@ -353,7 +353,7 @@ static int fips_drbg_check(DRBG_CTX *dctx)
        }
 
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int strength, int prediction_resistance,
+                       int prediction_resistance,
                        const unsigned char *adin, size_t adinlen)
        {
        int r = 0;
@@ -377,12 +377,6 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
                return 0;
                }
 
-       if (strength > dctx->strength)
-               {
-               r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
-               goto end;
-               }
-
        if (dctx->flags & DRBG_CUSTOM_RESEED)
                dctx->generate(dctx, NULL, outlen, NULL, 0);
        else if (dctx->reseed_counter >= dctx->reseed_interval)
index 2237757..764a78c 100644 (file)
@@ -96,7 +96,7 @@ static int fips_drbg_bytes(unsigned char *out, int count)
                                goto err;
                                }
                        }
-               rv = FIPS_drbg_generate(dctx, out, rcnt, 0, 0, adin, adinlen);
+               rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
                if (adin)
                        {
                        if (dctx->cleanup_adin)
index 40a3ca8..b1a1d52 100644 (file)
@@ -231,7 +231,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
                adinlen = td->adinlen / 2;
        else
                adinlen = td->adinlen;
-       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
                                td->adin, adinlen))
                goto err;
 
@@ -253,7 +253,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
        if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
                goto err;
 
-       if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, 0,
+       if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
                                td->adin2, td->adin2len))
                goto err;
 
@@ -294,7 +294,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
                adinlen = td->adinlen_pr / 2;
        else
                adinlen = td->adinlen_pr;
-       if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 0, 1,
+       if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
                                td->adin_pr, adinlen))
                goto err;
 
@@ -307,7 +307,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
        t.ent = td->entg_pr;
        t.entlen = td->entglen_pr;
 
-       if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 0, 1,
+       if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
                                td->ading_pr, td->adinglen_pr))
                goto err;
 
@@ -378,7 +378,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                }
 
        /* Try to generate output from uninstantiated DRBG */
-       if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+       if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
                                td->adin, td->adinlen))
                {
                FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
@@ -404,7 +404,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                goto err;
 
        /* Check generation is now OK */
-       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
                                td->adin, td->adinlen))
                goto err;
 
@@ -412,19 +412,9 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
         */
 
        dctx->flags |= DRBG_FLAG_NOERR;
-       if (dctx->strength != 256)
-               {
-               if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
-                                       td->adin, td->adinlen))
-                       {
-                       FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
-
-                       goto err;
-                       }
-               }
 
        /* Request too much data for one request */
-       if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
+       if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
                                td->adin, td->adinlen))
                {
                FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
@@ -437,7 +427,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 
        t.entlen = 0;
 
-       if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
+       if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
                                td->adin, td->adinlen))
                {
                FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
@@ -472,7 +462,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 
        /* Generate output and check entropy has been requested for reseed */
        t.entcnt = 0;
-       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+       if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
                                td->adin, td->adinlen))
                goto err;
        if (t.entcnt != 1)
index 4d84884..4d3f0cf 100644 (file)
@@ -344,7 +344,7 @@ int main(int argc,char **argv)
                        adin = hex2bin_m(value, &adinlen);
                        if (pr)
                                continue;
-                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0, 0,
+                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
                                                                adin, adinlen);
                        if (!r)
                                {
@@ -367,7 +367,7 @@ int main(int argc,char **argv)
                                t.entlen = entlen;
                                r = FIPS_drbg_generate(dctx,
                                                        randout, randoutlen,
-                                                       0, 1, adin, adinlen);
+                                                       1, adin, adinlen);
                                if (!r)
                                        {
                                        fprintf(stderr,
index a6a8641..faba6f4 100644 (file)
@@ -86,7 +86,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
                                const unsigned char *pers, size_t perslen);
 int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int strength, int prediction_resistance,
+                       int prediction_resistance,
                        const unsigned char *adin, size_t adinlen);
 
 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);