Closed Bug 499385 Opened 12 years ago Closed 12 years ago

DRBG Reseed function needs to be tested on POST

Categories

(NSS :: Libraries, defect, P1)

3.12.4
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.4

People

(Reporter: rrelyea, Assigned: rrelyea)

Details

(Whiteboard: FIPS Thaw)

Attachments

(1 file)

In FIPS mode, the DRBG reseed function needs to be tested on Powerup along with the other functions.
Whiteboard: FIPS Thaw
Attachment #384170 - Flags: review?(nelson)
Priority: -- → P1
Comment on attachment 384170 [details] [diff] [review]
Add reseed tests.

Bob, here is a question for you about your intention for this patch.
Please answer this question with re-reading the patch first. :)

Given that the size of the array entropy[]          is 80 bytes,
           the size of the array reseed_entropy[]   is 32 bytes, 
           the size of the array additional_input[] is 32 bytes, 
what sizes did you intend for these arrays?:
           rng_known_result[]
           rng_reseed_result[]
           result[] 

Did you intend them to be 64?  32?  a power of 2?  a multiple of 8? 

Would you be surprised to learn that it is an ODD number, and 
is not merely one greater or one less than a power of 2?  

(Answer that now, and then go look at the patch.)

If you actually intended for those result arrays to have length of 
fifty five bytes, then this patch is OK, otherwise ...

Please advise.
result rng_known_result and rng_reseed_result are 440 bits (the length of the internal state of the prng).

The original inputs were taken from a standard sha256 sample test given to us by the lab. That test had an output of 3000 some bits. When I added the prng I shrunk that down to 440 since I was adding a second test, and I figured 440 is enough bits to be confident the internal state was really correct.

440 buts are 55 bytes, so thus the odd number

bob
Comment on attachment 384170 [details] [diff] [review]
Add reseed tests.

ok, thanks.  r=nelson
Attachment #384170 - Flags: review?(nelson) → review+
Checking in fipstest.c;
/cvsroot/mozilla/security/nss/lib/softoken/fipstest.c,v  <--  fipstest.c
new revision: 1.27; previous revision: 1.26
done
arg, I forgot to mark it closed...
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.