ANDROID: fips140: test all implementations

Browse Source

Test all implementations of each algorithm rather than just the highest
priority implementation.  This aligns with the revised guidance we have
received from the lab.

We can still skip some tests in some cases, as per the FIPS 140-2
Implementation Guidance document.  See the comments for details.

To align with the new scope of the tests, the fips140.broken_alg module
parameter now must specify an implementation (e.g. "sha256-ce") rather
than an algorithm (e.g. "sha256").

No change to the DRBG tests is required, as it turns out the module only
includes HMAC_DRBG.  However, clarify the comment about the DRBG tests.

On a Pixel device, this increases the running time of the fips140 tests
from 0.5ms to 3.1 ms (very roughly; there's a lot of variation).  This
is still very fast, so it isn't expected to be a problem.

Bug: 153614920
Bug: 173104584
Bug: 188620248
Change-Id: I555b535dd45f0164b7744a2c9338c501bb88de86
Signed-off-by: Eric Biggers <ebiggers@google.com>
(cherry picked from commit abe07806964be48e8d0005e26f33632ace5e4152)

...

This commit is contained in:

Eric Biggers

2021-08-03 23:06:26 -07:00

parent 82c940e0e1

commit b397a0387c

1 changed files with 359 additions and 238 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

597

crypto/fips140-selftests.c

File diff suppressed because it is too large Load Diff