Add error codes for DRBG KAT failures.

Add abbreviated DRBG KAT for POST which only performs a single generate
operations instead of four.

crypto/fips_err.h

@@ -1,6 +1,6 @@
 /* crypto/fips_err.h */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -83,12 +83,12 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),	"FIPS_check_incore_fingerprint"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA),	"fips_check_rsa"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA_PRNG),	"fips_check_rsa_prng"},
-{ERR_FUNC(FIPS_F_FIPS_CIPHER),	"FIPS_CIPHER"},
+{ERR_FUNC(FIPS_F_FIPS_CIPHER),	"FIPS_cipher"},
-{ERR_FUNC(FIPS_F_FIPS_CIPHERINIT),	"FIPS_CIPHERINIT"},
+{ERR_FUNC(FIPS_F_FIPS_CIPHERINIT),	"FIPS_cipherinit"},
 {ERR_FUNC(FIPS_F_FIPS_CIPHER_CTX_CTRL),	"FIPS_CIPHER_CTX_CTRL"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTFINAL),	"FIPS_DIGESTFINAL"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTFINAL),	"FIPS_digestfinal"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTINIT),	"FIPS_DIGESTINIT"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTINIT),	"FIPS_digestinit"},
-{ERR_FUNC(FIPS_F_FIPS_DIGESTUPDATE),	"FIPS_DIGESTUPDATE"},
+{ERR_FUNC(FIPS_F_FIPS_DIGESTUPDATE),	"FIPS_digestupdate"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES),	"FIPS_DRBG_BYTES"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK),	"FIPS_DRBG_CHECK"},
 {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST),	"FIPS_DRBG_CPRNG_TEST"},
@@ -165,11 +165,15 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_IN_ERROR_STATE)       ,"in error state"},
 {ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},
 {ERR_REASON(FIPS_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE)   ,"nopr test1 failure"},
+{ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE)   ,"nopr test2 failure"},
 {ERR_REASON(FIPS_R_NOT_INSTANTIATED)     ,"not instantiated"},
 {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"},
 {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),"personalisation error undetected"},
 {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),"personalisation string too long"},
 {ERR_REASON(FIPS_R_PRNG_STRENGTH_TOO_LOW),"prng strength too low"},
+{ERR_REASON(FIPS_R_PR_TEST1_FAILURE)     ,"pr test1 failure"},
+{ERR_REASON(FIPS_R_PR_TEST2_FAILURE)     ,"pr test2 failure"},
 {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),"request length error undetected"},
 {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),"request too large for drbg"},
 {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR) ,"reseed counter error"},

fips/fips.h

@@ -425,11 +425,15 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_IN_ERROR_STATE				 123
 #define FIPS_R_KEY_TOO_SHORT				 124
 #define FIPS_R_NON_FIPS_METHOD				 125
+#define FIPS_R_NOPR_TEST1_FAILURE			 145
+#define FIPS_R_NOPR_TEST2_FAILURE			 146
 #define FIPS_R_NOT_INSTANTIATED				 126
 #define FIPS_R_PAIRWISE_TEST_FAILED			 127
 #define FIPS_R_PERSONALISATION_ERROR_UNDETECTED		 128
 #define FIPS_R_PERSONALISATION_STRING_TOO_LONG		 129
 #define FIPS_R_PRNG_STRENGTH_TOO_LOW			 143
+#define FIPS_R_PR_TEST1_FAILURE				 147
+#define FIPS_R_PR_TEST2_FAILURE				 148
 #define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED		 130
 #define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG		 131
 #define FIPS_R_RESEED_COUNTER_ERROR			 132

fips/rand/fips_drbg_selftest.c

@@ -181,7 +181,8 @@ static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
 	return t->noncelen;
 	}
 
-static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
+								int quick)
 	{
 	TEST_ENT t;
 	int rv = 0;
@@ -220,7 +221,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 
 	if (memcmp(randout, td->kat, td->katlen))
-		goto err;
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
+		goto err2;
+		}
 
 	t.ent = td->entreseed;
 	t.entlen = td->entreseedlen;
@@ -233,7 +237,10 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 
 	if (memcmp(randout, td->kat2, td->kat2len))
-		goto err;
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
+		goto err2;
+		}
 
 	FIPS_drbg_uninstantiate(dctx);
 
@@ -271,7 +278,16 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 
 	if (memcmp(randout, td->kat_pr, td->katlen_pr))
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
+		goto err2;
+		}
+
+	if (quick)
+		{
+		rv = 1;
 		goto err;
+		}
 
 	t.ent = td->entg_pr;
 	t.entlen = td->entglen_pr;
@@ -281,13 +297,17 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 
 	if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
-		goto err;
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
+		goto err2;
+		}
 
 	rv = 1;
 
 	err:
 	if (rv == 0)
 		FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
+	err2:
 	FIPS_drbg_uninstantiate(dctx);
 	
 	return rv;
@@ -489,7 +509,7 @@ int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
 		{
 		if (td->nid == nid && td->flags == flags)
 			{
-			rv = fips_drbg_single_kat(dctx, td);
+			rv = fips_drbg_single_kat(dctx, td, 0);
 			if (rv <= 0)
 				return rv;
 			return fips_drbg_health_check(dctx, td);
@@ -512,7 +532,7 @@ int FIPS_selftest_drbg(void)
 			continue;
 		if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
 			return 1;
-		if (!fips_drbg_single_kat(dctx, td))
+		if (!fips_drbg_single_kat(dctx, td, 1))
 			{
 			fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
 			rv = 0;