Check requested security strength in DRBG. Add function to retrieve the

security strength.

diff --git a/crypto/fips_err.h b/crypto/fips_err.h
index 8bde7e8712d784468668f53244510ebec4b92739..07a13e208e441d044ad6045dfaa38ffd56bd1a38 100644 (file)
--- a/crypto/fips_err.h
+++ b/crypto/fips_err.h
@@ -128,6 +128,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
 {ERR_REASON(FIPS_R_GENERATE_ERROR)       ,"generate error"},
 {ERR_REASON(FIPS_R_INSTANTIATE_ERROR)    ,"instantiate error"},
+{ERR_REASON(FIPS_R_INSUFFICIENT_SECURITY_STRENGTH),"insufficient security strength"},
 {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
 {ERR_REASON(FIPS_R_IN_ERROR_STATE)       ,"in error state"},
 {ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},

diff --git a/fips/fips.h b/fips/fips.h
index fa4f68087d95c55b5d7eec62c7cc0ce14fb6daf0..ee144a1b2e946aa26dd5e71876607c3d1a45d0f4 100644 (file)
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -233,6 +233,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_FIPS_SELFTEST_FAILED                     106
 #define FIPS_R_GENERATE_ERROR                           124
 #define FIPS_R_INSTANTIATE_ERROR                        125
+#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH           132
 #define FIPS_R_INVALID_KEY_LENGTH                       109
 #define FIPS_R_IN_ERROR_STATE                           126
 #define FIPS_R_KEY_TOO_SHORT                            108

diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index fd154c034679f66fead5dd5ad42bfd460921f26c..1c8712e7a5255d3d36f94b4a4ad8dc0d670d4ee6 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -145,6 +145,12 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
                goto end;
                }
 
+       if (strength > dctx->strength)
+               {
+               r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
+               goto end;
+               }
+
        dctx->status = DRBG_STATUS_ERROR;
 
        entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
@@ -261,7 +267,7 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
 
 
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int prediction_resistance,
+                       int strength, int prediction_resistance,
                        const unsigned char *adin, size_t adinlen)
        {
        int r = 0;
@@ -270,6 +276,13 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
                r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
                return 0;
                }
+
+       if (strength > dctx->strength)
+               {
+               r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
+               goto end;
+               }
+
        if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
                {
                if (!FIPS_drbg_reseed(dctx, adin, adinlen))
@@ -351,3 +364,8 @@ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
        {
        return dctx->blocklength;
        }
+
+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
+       {
+       return dctx->strength;
+       }

diff --git a/fips/rand/fips_drbgvs.c b/fips/rand/fips_drbgvs.c
index 3f6a2a54e97167948a4d512fe3cc5e81a2ce61a1..c60b80bf2f1a2bcad6dc3535e35fe6e8fa6ad03a 100644 (file)
--- a/fips/rand/fips_drbgvs.c
+++ b/fips/rand/fips_drbgvs.c
@@ -269,7 +269,7 @@ int main(int argc,char **argv)
                        adin = hex2bin_m(value, &adinlen);
                        if (pr)
                                continue;
-                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
+                       r = FIPS_drbg_generate(dctx, randout, randoutlen, 0, 0,
                                                                adin, adinlen);
                        if (!r)
                                {
@@ -291,8 +291,8 @@ int main(int argc,char **argv)
                                t.ent = ent;
                                t.entlen = entlen;
                                r = FIPS_drbg_generate(dctx,
-                                                       randout, randoutlen, 1,
-                                                       adin, adinlen);
+                                                       randout, randoutlen,
+                                                       0, 1, adin, adinlen);
                                if (!r)
                                        {
                                        fprintf(stderr,

diff --git a/fips/rand/fips_rand.h b/fips/rand/fips_rand.h
index e9e2afbbaa07841fcef6b9fd4ef91963b4511cbf..6a0b6729a7b53240990d0b2ad82d9f8161ad7d20 100644 (file)
--- a/fips/rand/fips_rand.h
+++ b/fips/rand/fips_rand.h
@@ -80,7 +80,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, int strength,
                                const unsigned char *pers, size_t perslen);
 int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-                       int prediction_resistance,
+                       int strength, int prediction_resistance,
                        const unsigned char *adin, size_t adinlen);
 
 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
@@ -95,6 +95,7 @@ int FIPS_drbg_set_test_mode(DRBG_CTX *dctx,
 void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
 void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
+int FIPS_drbg_get_strength(DRBG_CTX *dctx);
 
 #ifdef  __cplusplus
 }