diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2011-09-06 20:46:27 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2011-09-06 20:46:27 +0000 |
| commit | bbb19418e672007590c65a12aa24e1b59927b2cc (patch) | |
| tree | 2a000ddfa9e73c0db22008e25b6e16a0fc2c9edd /fips | |
| parent | ed28aef8b455be436f252dfceac49a958a92e53b (diff) | |
Add error codes for DRBG KAT failures.
Add abbreviated DRBG KAT for POST which only performs a single generate
operations instead of four.
Diffstat (limited to 'fips')
| -rw-r--r-- | fips/fips.h | 4 | ||||
| -rw-r--r-- | fips/rand/fips_drbg_selftest.c | 32 |
2 files changed, 30 insertions, 6 deletions
diff --git a/fips/fips.h b/fips/fips.h index c8a766e37a..8f94167ee0 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -425,11 +425,15 @@ void ERR_load_FIPS_strings(void); #define FIPS_R_IN_ERROR_STATE 123 #define FIPS_R_KEY_TOO_SHORT 124 #define FIPS_R_NON_FIPS_METHOD 125 +#define FIPS_R_NOPR_TEST1_FAILURE 145 +#define FIPS_R_NOPR_TEST2_FAILURE 146 #define FIPS_R_NOT_INSTANTIATED 126 #define FIPS_R_PAIRWISE_TEST_FAILED 127 #define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 #define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 #define FIPS_R_PRNG_STRENGTH_TOO_LOW 143 +#define FIPS_R_PR_TEST1_FAILURE 147 +#define FIPS_R_PR_TEST2_FAILURE 148 #define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 #define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 #define FIPS_R_RESEED_COUNTER_ERROR 132 diff --git a/fips/rand/fips_drbg_selftest.c b/fips/rand/fips_drbg_selftest.c index e38ba63c9e..3e18c98609 100644 --- a/fips/rand/fips_drbg_selftest.c +++ b/fips/rand/fips_drbg_selftest.c @@ -181,7 +181,8 @@ static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, return t->noncelen; } -static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td) +static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, + int quick) { TEST_ENT t; int rv = 0; @@ -220,7 +221,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td) goto err; if (memcmp(randout, td->kat, td->katlen)) - goto err; + { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); + goto err2; + } t.ent = td->entreseed; t.entlen = td->entreseedlen; @@ -233,7 +237,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td) goto err; if (memcmp(randout, td->kat2, td->kat2len)) - goto err; + { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); + goto err2; + } FIPS_drbg_uninstantiate(dctx); @@ -271,7 +278,16 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td) goto err; if (memcmp(randout, td->kat_pr, td->katlen_pr)) + { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); + goto err2; + } + + if (quick) + { + rv = 1; goto err; + } t.ent = td->entg_pr; t.entlen = td->entglen_pr; @@ -281,13 +297,17 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td) goto err; if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) - goto err; + { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); + goto err2; + } rv = 1; err: if (rv == 0) FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); + err2: FIPS_drbg_uninstantiate(dctx); return rv; @@ -489,7 +509,7 @@ int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) { if (td->nid == nid && td->flags == flags) { - rv = fips_drbg_single_kat(dctx, td); + rv = fips_drbg_single_kat(dctx, td, 0); if (rv <= 0) return rv; return fips_drbg_health_check(dctx, td); @@ -512,7 +532,7 @@ int FIPS_selftest_drbg(void) continue; if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) return 1; - if (!fips_drbg_single_kat(dctx, td)) + if (!fips_drbg_single_kat(dctx, td, 1)) { fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); rv = 0; |