Delete strength parameter from FIPS_drbg_generate. It isn't very useful

(strength can be queried using FIPS_drbg_get_strength ) and adds a substantial extra overhead to health check (need to check every combination of parameters).
2025-02-17 14:32:04 +08:00 · 2011-09-12 13:20:57 +00:00 · 2011-09-12 13:20:57 +00:00 · de2132de93
commit de2132de93
parent 9e56c99e1a
5 changed files with 14 additions and 30 deletions
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@ -353,7 +353,7 @@ static int fips_drbg_check(DRBG_CTX *dctx)
 	}

 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-			int strength, int prediction_resistance,
+			int prediction_resistance,
 			const unsigned char *adin, size_t adinlen)
 	{
 	int r = 0;
@ -377,12 +377,6 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
 		return 0;
 		}

-	if (strength > dctx->strength)
-		{
-		r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
-		goto end;
-		}
-
 	if (dctx->flags & DRBG_CUSTOM_RESEED)
 		dctx->generate(dctx, NULL, outlen, NULL, 0);
 	else if (dctx->reseed_counter >= dctx->reseed_interval)
--- a/fips/rand/fips_drbg_rand.c
+++ b/fips/rand/fips_drbg_rand.c
@ -96,7 +96,7 @@ static int fips_drbg_bytes(unsigned char *out, int count)
 				goto err;
 				}
 			}
-		rv = FIPS_drbg_generate(dctx, out, rcnt, 0, 0, adin, adinlen);
+		rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
 		if (adin)
 			{
 			if (dctx->cleanup_adin)
--- a/fips/rand/fips_drbg_selftest.c
+++ b/fips/rand/fips_drbg_selftest.c
@ -231,7 +231,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
 		adinlen = td->adinlen / 2;
 	else
 		adinlen = td->adinlen;
-	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
 				td->adin, adinlen))
 		goto err;

@ -253,7 +253,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
 	if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
 		goto err;

-	if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, 0,
+	if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
 				td->adin2, td->adin2len))
 		goto err;

@ -294,7 +294,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
 		adinlen = td->adinlen_pr / 2;
 	else
 		adinlen = td->adinlen_pr;
-	if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 0, 1,
+	if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
 				td->adin_pr, adinlen))
 		goto err;

@ -307,7 +307,7 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
 	t.ent = td->entg_pr;
 	t.entlen = td->entglen_pr;

-	if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 0, 1,
+	if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
 				td->ading_pr, td->adinglen_pr))
 		goto err;

@ -378,7 +378,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		}

 	/* Try to generate output from uninstantiated DRBG */
-	if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+	if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
 				td->adin, td->adinlen))
 		{
 		FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
@ -404,7 +404,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;

 	/* Check generation is now OK */
-	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
 				td->adin, td->adinlen))
 		goto err;

@ -412,19 +412,9 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 	 */

 	dctx->flags |= DRBG_FLAG_NOERR;
-	if (dctx->strength != 256)
-		{
-		if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
-					td->adin, td->adinlen))
-			{
-			FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
-
-			goto err;
-			}
-		}

 	/* Request too much data for one request */
-	if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
+	if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
 				td->adin, td->adinlen))
 		{
 		FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
@ -437,7 +427,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)

 	t.entlen = 0;

-	if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
+	if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
 				td->adin, td->adinlen))
 		{
 		FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
@ -472,7 +462,7 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)

 	/* Generate output and check entropy has been requested for reseed */
 	t.entcnt = 0;
-	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+	if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
 				td->adin, td->adinlen))
 		goto err;
 	if (t.entcnt != 1)
--- a/fips/rand/fips_drbgvs.c
+++ b/fips/rand/fips_drbgvs.c
@ -344,7 +344,7 @@ int main(int argc,char **argv)
 			adin = hex2bin_m(value, &adinlen);
 			if (pr)
 				continue;
-			r = FIPS_drbg_generate(dctx, randout, randoutlen, 0, 0,
+			r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
 								adin, adinlen);
 			if (!r)
 				{
@ -367,7 +367,7 @@ int main(int argc,char **argv)
 				t.entlen = entlen;
 				r = FIPS_drbg_generate(dctx,
 							randout, randoutlen,
-							0, 1, adin, adinlen);
+							1, adin, adinlen);
 				if (!r)
 					{
 					fprintf(stderr,
--- a/fips/rand/fips_rand.h
+++ b/fips/rand/fips_rand.h
@ -86,7 +86,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
 				const unsigned char *pers, size_t perslen);
 int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-			int strength, int prediction_resistance,
+			int prediction_resistance,
 			const unsigned char *adin, size_t adinlen);

 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);