From 55e328f58064d7e66e0840bdcb35492824208686 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sat, 9 Apr 2011 17:46:31 +0000
Subject: [PATCH] Add error for health check failure. Rebuild all FIPS error codes to clean out old obsolete codes.
---
 crypto/fips_err.h | 14 +--
 fips/fips.h | 176 ++++++++++++++++++--------------------
 fips/rand/fips_drbg_lib.c | 6 +-
 3 files changed, 88 insertions(+), 108 deletions(-)
diff --git a/crypto/fips_err.h b/crypto/fips_err.h
index d63e869d2..9c235080a 100644
--- a/crypto/fips_err.h
+++ b/crypto/fips_err.h
@@ -71,13 +71,10 @@
 static ERR_STRING_DATA FIPS_str_functs[]=
 {
 {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"},
-{ERR_FUNC(FIPS_F_DRBG_CPRNG_TEST), "DRBG_CPRNG_TEST"},
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"},
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"},
 {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
 {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
-{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
-{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "FIPS_CHECK_EC"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT), "FIPS_check_incore_fingerprint"},
@@ -85,15 +82,14 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_FIPS_CIPHERINIT), "FIPS_CIPHERINIT"},
 {ERR_FUNC(FIPS_F_FIPS_DIGESTINIT), "FIPS_DIGESTINIT"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "FIPS_DRBG_BYTES"},
+{ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "FIPS_DRBG_CPRNG_TEST"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
-{ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE_INTERNAL), "FIPS_DRBG_GENERATE_INTERNAL"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_HEALTH_CHECK), "FIPS_DRBG_HEALTH_CHECK"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
-{ERR_FUNC(FIPS_F_FIPS_DSA_CHECK), "FIPS_DSA_CHECK"},
 {ERR_FUNC(FIPS_F_FIPS_MODE_SET), "FIPS_mode_set"},
 {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
 {ERR_FUNC(FIPS_F_FIPS_RAND_ADD), "FIPS_rand_add"},
@@ -109,7 +105,6 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
 {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
 {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
-{ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG), "FIPS_selftest_rng"},
 {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
 {ERR_FUNC(FIPS_F_FIPS_SELFTEST_X931), "FIPS_selftest_x931"},
 {ERR_FUNC(FIPS_F_HASH_FINAL), "HASH_FINAL"},
@@ -119,7 +114,6 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
 {ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
 {ERR_FUNC(FIPS_F_RSA_X931_GENERATE_KEY_EX), "RSA_X931_generate_key_ex"},
-{ERR_FUNC(FIPS_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"},
 {0,NULL}
 };
@@ -127,8 +121,6 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {
 {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),"additional input too long"},
 {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED) ,"already instantiated"},
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE) ,"cannot read exe"},
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
 {ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
 {ERR_REASON(FIPS_R_DRBG_STUCK) ,"drbg stuck"},
 {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED),"entropy error undetected"},
@@ -138,7 +130,6 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),"error retrieving additional input"},
 {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY),"error retrieving entropy"},
 {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE),"error retrieving nonce"},
-{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"},
 {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"},
 {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"},
 {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
@@ -162,9 +153,8 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),"request too large for drbg"},
 {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR) ,"reseed counter error"},
 {ERR_REASON(FIPS_R_RESEED_ERROR) ,"reseed error"},
-{ERR_REASON(FIPS_R_RSA_DECRYPT_ERROR) ,"rsa decrypt error"},
-{ERR_REASON(FIPS_R_RSA_ENCRYPT_ERROR) ,"rsa encrypt error"},
 {ERR_REASON(FIPS_R_SELFTEST_FAILED) ,"selftest failed"},
+{ERR_REASON(FIPS_R_SELFTEST_FAILURE) ,"selftest failure"},
 {ERR_REASON(FIPS_R_STRENGTH_ERROR_UNDETECTED),"strength error undetected"},
 {ERR_REASON(FIPS_R_TEST_FAILURE) ,"test failure"},
 {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),"uninstantiate zeroise error"},
diff --git a/fips/fips.h b/fips/fips.h
index 29fd81435..92f61a89a 100644
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -197,102 +197,92 @@ void ERR_load_FIPS_strings(void); /* Function codes. */ #define FIPS_F_DH_BUILTIN_GENPARAMS 100 -#define FIPS_F_DRBG_CPRNG_TEST 141 #define FIPS_F_DSA_BUILTIN_PARAMGEN 101 -#define FIPS_F_DSA_BUILTIN_PARAMGEN2 126 -#define FIPS_F_DSA_DO_SIGN 102 -#define FIPS_F_DSA_DO_VERIFY 103 -#define FIPS_F_EVP_CIPHERINIT_EX 124 -#define FIPS_F_EVP_DIGESTINIT_EX 125 -#define FIPS_F_FIPS_CHECK_DSA 104 -#define FIPS_F_FIPS_CHECK_EC 129 -#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105 -#define FIPS_F_FIPS_CHECK_RSA 106 -#define FIPS_F_FIPS_CIPHERINIT 128 -#define FIPS_F_FIPS_DIGESTINIT 127 -#define FIPS_F_FIPS_DRBG_BYTES 142 -#define FIPS_F_FIPS_DRBG_GENERATE 132 -#define FIPS_F_FIPS_DRBG_GENERATE_INTERNAL 138 -#define FIPS_F_FIPS_DRBG_HEALTH_CHECK 137 -#define FIPS_F_FIPS_DRBG_INIT 136 -#define FIPS_F_FIPS_DRBG_INSTANTIATE 133 -#define FIPS_F_FIPS_DRBG_NEW 134 -#define FIPS_F_FIPS_DRBG_RESEED 135 -#define FIPS_F_FIPS_DRBG_SINGLE_KAT 140 -#define FIPS_F_FIPS_DSA_CHECK 107 -#define FIPS_F_FIPS_MODE_SET 108 -#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 -#define FIPS_F_FIPS_RAND_ADD 143 -#define FIPS_F_FIPS_RAND_BYTES 144 -#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 145 -#define FIPS_F_FIPS_RAND_SEED 148 -#define FIPS_F_FIPS_RAND_SET_METHOD 146 -#define FIPS_F_FIPS_RAND_STATUS 147 -#define FIPS_F_FIPS_SELFTEST_AES 110 -#define FIPS_F_FIPS_SELFTEST_AES_GCM 130 -#define FIPS_F_FIPS_SELFTEST_CMAC 139 -#define FIPS_F_FIPS_SELFTEST_DES 111 -#define FIPS_F_FIPS_SELFTEST_DSA 112 -#define FIPS_F_FIPS_SELFTEST_ECDSA 131 -#define FIPS_F_FIPS_SELFTEST_HMAC 113 -#define FIPS_F_FIPS_SELFTEST_RNG 114 -#define FIPS_F_FIPS_SELFTEST_SHA1 115 -#define FIPS_F_FIPS_SELFTEST_X931 149 -#define FIPS_F_HASH_FINAL 123 -#define FIPS_F_RSA_BUILTIN_KEYGEN 116 -#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117 -#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118 -#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119 -#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120 -#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121 -#define 
FIPS_F_SSLEAY_RAND_BYTES 122 +#define FIPS_F_DSA_BUILTIN_PARAMGEN2 102 +#define FIPS_F_DSA_DO_SIGN 103 +#define FIPS_F_DSA_DO_VERIFY 104 +#define FIPS_F_FIPS_CHECK_DSA 105 +#define FIPS_F_FIPS_CHECK_EC 106 +#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 107 +#define FIPS_F_FIPS_CHECK_RSA 108 +#define FIPS_F_FIPS_CIPHERINIT 109 +#define FIPS_F_FIPS_DIGESTINIT 110 +#define FIPS_F_FIPS_DRBG_BYTES 111 +#define FIPS_F_FIPS_DRBG_CPRNG_TEST 112 +#define FIPS_F_FIPS_DRBG_GENERATE 113 +#define FIPS_F_FIPS_DRBG_HEALTH_CHECK 114 +#define FIPS_F_FIPS_DRBG_INIT 115 +#define FIPS_F_FIPS_DRBG_INSTANTIATE 116 +#define FIPS_F_FIPS_DRBG_NEW 117 +#define FIPS_F_FIPS_DRBG_RESEED 118 +#define FIPS_F_FIPS_DRBG_SINGLE_KAT 119 +#define FIPS_F_FIPS_MODE_SET 120 +#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 121 +#define FIPS_F_FIPS_RAND_ADD 122 +#define FIPS_F_FIPS_RAND_BYTES 123 +#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 124 +#define FIPS_F_FIPS_RAND_SEED 125 +#define FIPS_F_FIPS_RAND_SET_METHOD 126 +#define FIPS_F_FIPS_RAND_STATUS 127 +#define FIPS_F_FIPS_SELFTEST_AES 128 +#define FIPS_F_FIPS_SELFTEST_AES_GCM 129 +#define FIPS_F_FIPS_SELFTEST_CMAC 130 +#define FIPS_F_FIPS_SELFTEST_DES 131 +#define FIPS_F_FIPS_SELFTEST_DSA 132 +#define FIPS_F_FIPS_SELFTEST_ECDSA 133 +#define FIPS_F_FIPS_SELFTEST_HMAC 134 +#define FIPS_F_FIPS_SELFTEST_SHA1 135 +#define FIPS_F_FIPS_SELFTEST_X931 136 +#define FIPS_F_HASH_FINAL 137 +#define FIPS_F_RSA_BUILTIN_KEYGEN 138 +#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 139 +#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 140 +#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 141 +#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 142 +#define FIPS_F_RSA_X931_GENERATE_KEY_EX 143 /* Reason codes. 
*/ -#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 118 -#define FIPS_R_ALREADY_INSTANTIATED 119 -#define FIPS_R_CANNOT_READ_EXE 103 -#define FIPS_R_CANNOT_READ_EXE_DIGEST 104 -#define FIPS_R_CONTRADICTING_EVIDENCE 114 -#define FIPS_R_DRBG_STUCK 142 -#define FIPS_R_ENTROPY_ERROR_UNDETECTED 133 -#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 134 -#define FIPS_R_ERROR_INITIALISING_DRBG 120 -#define FIPS_R_ERROR_INSTANTIATING_DRBG 121 -#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 144 -#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 -#define FIPS_R_ERROR_RETRIEVING_NONCE 123 -#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112 -#define FIPS_R_FIPS_MODE_ALREADY_SET 102 -#define FIPS_R_FIPS_SELFTEST_FAILED 106 -#define FIPS_R_FUNCTION_ERROR 135 -#define FIPS_R_GENERATE_ERROR 124 -#define FIPS_R_GENERATE_ERROR_UNDETECTED 136 -#define FIPS_R_INSTANTIATE_ERROR 125 -#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 132 -#define FIPS_R_INTERNAL_ERROR 143 -#define FIPS_R_INVALID_KEY_LENGTH 109 -#define FIPS_R_IN_ERROR_STATE 126 -#define FIPS_R_KEY_TOO_SHORT 108 -#define FIPS_R_NON_FIPS_METHOD 100 -#define FIPS_R_NOT_INSTANTIATED 127 -#define FIPS_R_PAIRWISE_TEST_FAILED 107 -#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 137 -#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 128 -#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 138 -#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 129 -#define FIPS_R_RESEED_COUNTER_ERROR 139 -#define FIPS_R_RESEED_ERROR 130 -#define FIPS_R_RSA_DECRYPT_ERROR 115 -#define FIPS_R_RSA_ENCRYPT_ERROR 116 -#define FIPS_R_SELFTEST_FAILED 101 -#define FIPS_R_STRENGTH_ERROR_UNDETECTED 140 -#define FIPS_R_TEST_FAILURE 117 -#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 141 -#define FIPS_R_UNSUPPORTED_DRBG_TYPE 131 -#define FIPS_R_UNSUPPORTED_PLATFORM 113 +#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 100 +#define 
FIPS_R_ALREADY_INSTANTIATED 101 +#define FIPS_R_CONTRADICTING_EVIDENCE 102 +#define FIPS_R_DRBG_STUCK 103 +#define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 +#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 +#define FIPS_R_ERROR_INITIALISING_DRBG 106 +#define FIPS_R_ERROR_INSTANTIATING_DRBG 107 +#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 108 +#define FIPS_R_ERROR_RETRIEVING_ENTROPY 109 +#define FIPS_R_ERROR_RETRIEVING_NONCE 110 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 111 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 112 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 113 +#define FIPS_R_FIPS_MODE_ALREADY_SET 114 +#define FIPS_R_FIPS_SELFTEST_FAILED 115 +#define FIPS_R_FUNCTION_ERROR 116 +#define FIPS_R_GENERATE_ERROR 117 +#define FIPS_R_GENERATE_ERROR_UNDETECTED 118 +#define FIPS_R_INSTANTIATE_ERROR 119 +#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120 +#define FIPS_R_INTERNAL_ERROR 121 +#define FIPS_R_INVALID_KEY_LENGTH 122 +#define FIPS_R_IN_ERROR_STATE 123 +#define FIPS_R_KEY_TOO_SHORT 124 +#define FIPS_R_NON_FIPS_METHOD 125 +#define FIPS_R_NOT_INSTANTIATED 126 +#define FIPS_R_PAIRWISE_TEST_FAILED 127 +#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 +#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 +#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 +#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 +#define FIPS_R_RESEED_COUNTER_ERROR 132 +#define FIPS_R_RESEED_ERROR 133 +#define FIPS_R_SELFTEST_FAILED 134 +#define FIPS_R_SELFTEST_FAILURE 135 +#define FIPS_R_STRENGTH_ERROR_UNDETECTED 136 +#define FIPS_R_TEST_FAILURE 137 +#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 +#define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 +#define FIPS_R_UNSUPPORTED_PLATFORM 140 #ifdef __cplusplus } diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c index 92488767e..60c83240c 100644 --- a/fips/rand/fips_drbg_lib.c +++ b/fips/rand/fips_drbg_lib.c 
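Review bot: Renumbering every FIPS_F_/FIPS_R_ macro in fips/fips.h reuses numeric values for different meanings: 110 was `FIPS_R_FINGERPRINT_DOES_NOT_MATCH` and is now `FIPS_R_ERROR_RETRIEVING_NONCE`, and `FIPS_R_SELFTEST_FAILED` moves from 101 to 134. Anything that keys on the number rather than the name, such as an application built against the old header or log triage that matches numeric reason codes, would silently report the wrong failure, including for integrity-check and self-test errors. If the full rebuild is intended, I would say so above the list, e.g. `/* Codes were renumbered by a full rebuild; values are not stable across releases, match on the symbolic name. */`. The new `FIPS_R_SELFTEST_FAILURE` also sits beside `FIPS_R_SELFTEST_FAILED`, `FIPS_R_FIPS_SELFTEST_FAILED` and `FIPS_R_TEST_FAILURE`; a one-line comment on which call sites raise each would keep them apart in incident logs.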
@@ -91,7 +91,7 @@ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
 DRBG_CTX tctx;
 if (!fips_drbg_kat(&tctx, type, flags | DRBG_FLAG_TEST))
 {
- /*FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);*/
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
 return 0;
 }
 }
@@ -426,7 +426,7 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
 /* Check block is valid: should never happen */
 if (dctx->lb_valid == 0)
 {
- FIPSerr(FIPS_F_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
 fips_set_selftest_fail();
 return 0;
 }
@@ -435,7 +435,7 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
 /* Check against last block: fail if match */
 if (!memcmp(dctx->lb, out, dctx->blocklength))
 {
- FIPSerr(FIPS_F_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
 fips_set_selftest_fail();
 return 0;
 }
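Review bot: The KAT-failure branch in FIPS_drbg_init (first hunk of fips/rand/fips_drbg_lib.c) now queues an error and returns 0, but unlike both failure paths in fips_drbg_cprng_test further down it does not call `fips_set_selftest_fail()`. Unless fips_drbg_kat latches the failed state itself, which is not visible in this hunk, a caller that ignores the return value could keep using the module after a failed health check. I would either add `fips_set_selftest_fail();` after the `FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);` line or add a comment naming where the error state is set. The body of FIPS_drbg_init starts and ends outside the hunk, so the surrounding condition could not be checked.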