authorDr. Stephen Henson <steve@openssl.org>2011-09-12 13:20:57 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-09-12 13:20:57 +0000
commitde2132de937217353d0a4a0aafa087d263a23ba0 (patch)
tree44e96ace4a85e94d60149f8c8f8df00613efadea /fips
parent9e56c99e1adda3717eace86f9baae423e4d58196 (diff)
Delete strength parameter from FIPS_drbg_generate. It isn't very useful
(strength can be queried using FIPS_drbg_get_strength) and adds substantial extra overhead to the health check (every combination of parameters would need to be checked).
Diffstat (limited to 'fips')
-rw-r--r--fips/rand/fips_drbg_lib.c8
-rw-r--r--fips/rand/fips_drbg_rand.c2
-rw-r--r--fips/rand/fips_drbg_selftest.c28
-rw-r--r--fips/rand/fips_drbgvs.c4
-rw-r--r--fips/rand/fips_rand.h2
5 files changed, 14 insertions, 30 deletions
diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index ddbb99df66..98bd10bce3 100644
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -353,7 +353,7 @@ static int fips_drbg_check(DRBG_CTX *dctx)
}
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
+ int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
int r = 0;
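Review bot: Removing `int strength` from the middle of the `FIPS_drbg_generate` parameter list changes what the fourth argument means while the symbol name stays the same. Callers that include the updated fips_rand.h fail at compile time, which is the safe outcome. An object built against the old prototype and not recompiled, or a hand-written declaration outside this diff, would instead pass its strength value as `prediction_resistance` and shift `adin`/`adinlen` by one slot with no diagnostic. If such callers can exist, the change should say so in the release notes or rename the function so that stale callers fail at link time. The function body continues outside the hunk.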
@@ -377,12 +377,6 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
return 0;
}
- if (strength > dctx->strength)
- {
- r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
- goto end;
- }
-
if (dctx->flags & DRBG_CUSTOM_RESEED)
dctx->generate(dctx, NULL, outlen, NULL, 0);
else if (dctx->reseed_counter >= dctx->reseed_interval)
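Review bot: With the `strength > dctx->strength` test gone, the generate path no longer rejects a caller that needs more security strength than the context was instantiated with; it returns output at whatever `dctx->strength` is. Nothing at the definition records that contract. Code that relied on `FIPS_R_INSUFFICIENT_SECURITY_STRENGTH` from this call now has to compare the value from `FIPS_drbg_get_strength` against its minimum once after instantiation. I would add a comment above the function, for example `/* No per-request strength check: output is at the instantiated strength, see FIPS_drbg_get_strength */`. The function starts and ends outside this hunk.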
diff --git a/fips/rand/fips_drbg_rand.c b/fips/rand/fips_drbg_rand.c
index 22377573c0..764a78cbfd 100644
--- a/fips/rand/fips_drbg_rand.c
+++ b/fips/rand/fips_drbg_rand.c
@@ -96,7 +96,7 @@ static int fips_drbg_bytes(unsigned char *out, int count)
goto err;
}
}
- rv = FIPS_drbg_generate(dctx, out, rcnt, 0, 0, adin, adinlen);
+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
if (adin)
{
if (dctx->cleanup_adin)
diff --git a/fips/rand/fips_drbg_selftest.c b/fips/rand/fips_drbg_selftest.c
index 40a3ca8162..b1a1d52bef 100644
--- a/fips/rand/fips_drbg_selftest.c
+++ b/fips/rand/fips_drbg_selftest.c
@@ -231,7 +231,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
adinlen = td->adinlen / 2;
else
adinlen = td->adinlen;
- if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
td->adin, adinlen))
goto err;
@@ -253,7 +253,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
goto err;
- if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, 0,
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
td->adin2, td->adin2len))
goto err;
@@ -294,7 +294,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
adinlen = td->adinlen_pr / 2;
else
adinlen = td->adinlen_pr;
- if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 0, 1,
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
td->adin_pr, adinlen))
goto err;
@@ -307,7 +307,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
t.ent = td->entg_pr;
t.entlen = td->entglen_pr;
- if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 0, 1,
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
td->ading_pr, td->adinglen_pr))
goto err;
@@ -378,7 +378,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
}
/* Try to generate output from uninstantiated DRBG */
- if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
td->adin, td->adinlen))
{
FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
@@ -404,7 +404,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
goto err;
/* Check generation is now OK */
- if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
td->adin, td->adinlen))
goto err;
@@ -412,19 +412,9 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
*/
dctx->flags |= DRBG_FLAG_NOERR;
- if (dctx->strength != 256)
- {
- if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
- td->adin, td->adinlen))
- {
- FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
-
- goto err;
- }
- }
/* Request too much data for one request */
- if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
td->adin, td->adinlen))
{
FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
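Review bot: Deleting the `dctx->strength != 256` block removes the only visible user of `FIPS_R_STRENGTH_ERROR_UNDETECTED` in this file, and the diff does not touch the error definitions. If nothing else raises that reason code, it and its error-string entry should be removed in the same change or marked as retired, so the error table does not advertise a health-check case that no longer runs. The body of `fips_drbg_health_check` continues outside the hunk, so other users cannot be ruled out from here.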
@@ -437,7 +427,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
t.entlen = 0;
- if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
td->adin, td->adinlen))
{
FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
@@ -472,7 +462,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
/* Generate output and check entropy has been requested for reseed */
t.entcnt = 0;
- if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
td->adin, td->adinlen))
goto err;
if (t.entcnt != 1)
diff --git a/fips/rand/fips_drbgvs.c b/fips/rand/fips_drbgvs.c
index 4d84884e36..4d3f0cfee0 100644
--- a/fips/rand/fips_drbgvs.c
+++ b/fips/rand/fips_drbgvs.c
@@ -344,7 +344,7 @@ int main(int argc,char **argv)
adin = hex2bin_m(value, &adinlen);
if (pr)
continue;
- r = FIPS_drbg_generate(dctx, randout, randoutlen, 0, 0,
+ r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
adin, adinlen);
if (!r)
{
@@ -367,7 +367,7 @@ int main(int argc,char **argv)
t.entlen = entlen;
r = FIPS_drbg_generate(dctx,
randout, randoutlen,
- 0, 1, adin, adinlen);
+ 1, adin, adinlen);
if (!r)
{
fprintf(stderr,
diff --git a/fips/rand/fips_rand.h b/fips/rand/fips_rand.h
index a6a8641d33..faba6f4ff9 100644
--- a/fips/rand/fips_rand.h
+++ b/fips/rand/fips_rand.h
@@ -86,7 +86,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
const unsigned char *pers, size_t perslen);
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
+ int prediction_resistance,
const unsigned char *adin, size_t adinlen);
int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);