Add error codes for DRBG KAT failures.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 6 Sep 2011 20:46:27 +0000 (20:46 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 6 Sep 2011 20:46:27 +0000 (20:46 +0000)
Add abbreviated DRBG KAT for POST which only performs a single generate
operations instead of four.

crypto/fips_err.h
fips/fips.h
fips/rand/fips_drbg_selftest.c

index 21b820c..a70a52f 100644 (file)
@@ -1,6 +1,6 @@
 /* crypto/fips_err.h */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -83,12 +83,12 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),       "FIPS_check_incore_fingerprint"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA),      "fips_check_rsa"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA_PRNG), "fips_check_rsa_prng"},
-{ERR_FUNC(FIPS_F_FIPS_CIPHER), "FIPS_CIPHER"},
-{ERR_FUNC(FIPS_F_FIPS_CIPHERINIT),     "FIPS_CIPHERINIT"},
+{ERR_FUNC(FIPS_F_FIPS_CIPHER), "FIPS_cipher"},
+{ERR_FUNC(FIPS_F_FIPS_CIPHERINIT),     "FIPS_cipherinit"},
 {ERR_FUNC(FIPS_F_FIPS_CIPHER_CTX_CTRL),        "FIPS_CIPHER_CTX_CTRL"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTFINAL),    "FIPS_DIGESTFINAL"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTINIT),     "FIPS_DIGESTINIT"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTUPDATE),   "FIPS_DIGESTUPDATE"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTFINAL),    "FIPS_digestfinal"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTINIT),     "FIPS_digestinit"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTUPDATE),   "FIPS_digestupdate"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES),     "FIPS_DRBG_BYTES"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK),     "FIPS_DRBG_CHECK"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST),        "FIPS_DRBG_CPRNG_TEST"},
@@ -165,11 +165,15 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_IN_ERROR_STATE)       ,"in error state"},
 {ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},
 {ERR_REASON(FIPS_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE)   ,"nopr test1 failure"},
+{ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE)   ,"nopr test2 failure"},
 {ERR_REASON(FIPS_R_NOT_INSTANTIATED)     ,"not instantiated"},
 {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"},
 {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),"personalisation error undetected"},
 {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),"personalisation string too long"},
 {ERR_REASON(FIPS_R_PRNG_STRENGTH_TOO_LOW),"prng strength too low"},
+{ERR_REASON(FIPS_R_PR_TEST1_FAILURE)     ,"pr test1 failure"},
+{ERR_REASON(FIPS_R_PR_TEST2_FAILURE)     ,"pr test2 failure"},
 {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),"request length error undetected"},
 {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),"request too large for drbg"},
 {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR) ,"reseed counter error"},
index c8a766e..8f94167 100644 (file)
@@ -425,11 +425,15 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_IN_ERROR_STATE                           123
 #define FIPS_R_KEY_TOO_SHORT                            124
 #define FIPS_R_NON_FIPS_METHOD                          125
+#define FIPS_R_NOPR_TEST1_FAILURE                       145
+#define FIPS_R_NOPR_TEST2_FAILURE                       146
 #define FIPS_R_NOT_INSTANTIATED                                 126
 #define FIPS_R_PAIRWISE_TEST_FAILED                     127
 #define FIPS_R_PERSONALISATION_ERROR_UNDETECTED                 128
 #define FIPS_R_PERSONALISATION_STRING_TOO_LONG          129
 #define FIPS_R_PRNG_STRENGTH_TOO_LOW                    143
+#define FIPS_R_PR_TEST1_FAILURE                                 147
+#define FIPS_R_PR_TEST2_FAILURE                                 148
 #define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED          130
 #define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG               131
 #define FIPS_R_RESEED_COUNTER_ERROR                     132
index e38ba63..3e18c98 100644 (file)
@@ -181,7 +181,8 @@ static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
        return t->noncelen;
        }
 
-static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
+                                                               int quick)
        {
        TEST_ENT t;
        int rv = 0;
@@ -220,7 +221,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                goto err;
 
        if (memcmp(randout, td->kat, td->katlen))
-               goto err;
+               {
+               FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
+               goto err2;
+               }
 
        t.ent = td->entreseed;
        t.entlen = td->entreseedlen;
@@ -233,7 +237,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                goto err;
 
        if (memcmp(randout, td->kat2, td->kat2len))
-               goto err;
+               {
+               FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
+               goto err2;
+               }
 
        FIPS_drbg_uninstantiate(dctx);
 
@@ -271,7 +278,16 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                goto err;
 
        if (memcmp(randout, td->kat_pr, td->katlen_pr))
+               {
+               FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
+               goto err2;
+               }
+
+       if (quick)
+               {
+               rv = 1;
                goto err;
+               }
 
        t.ent = td->entg_pr;
        t.entlen = td->entglen_pr;
@@ -281,13 +297,17 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
                goto err;
 
        if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
-               goto err;
+               {
+               FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
+               goto err2;
+               }
 
        rv = 1;
 
        err:
        if (rv == 0)
                FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
+       err2:
        FIPS_drbg_uninstantiate(dctx);
        
        return rv;
@@ -489,7 +509,7 @@ int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
                {
                if (td->nid == nid && td->flags == flags)
                        {
-                       rv = fips_drbg_single_kat(dctx, td);
+                       rv = fips_drbg_single_kat(dctx, td, 0);
                        if (rv <= 0)
                                return rv;
                        return fips_drbg_health_check(dctx, td);
@@ -512,7 +532,7 @@ int FIPS_selftest_drbg(void)
                        continue;
                if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
                        return 1;
-               if (!fips_drbg_single_kat(dctx, td))
+               if (!fips_drbg_single_kat(dctx, td, 1))
                        {
                        fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
                        rv = 0;