Add the self test type OSSL_SELF_TEST_TYPE_PCT_SIGNATURE
Fixes #16457
The ECDSA and DSA signature tests use Pairwise tests instead of KATS.
Note there is a seperate type used by the keygen for conditional Pairwise Tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16461)
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 62e495a..0eac85b 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -214,6 +214,10 @@
Known answer test for a signature.
+=item "PCT_Signature" (B<OSSL_SELF_TEST_TYPE_PCT_SIGNATURE>)
+
+Pairwise Consistency check for a signature.
+
=item "KAT_KDF" (B<OSSL_SELF_TEST_TYPE_KAT_KDF>)
Known answer test for a key derivation function.
@@ -226,7 +230,7 @@
Known answer test for a Deterministic Random Bit Generator.
-=item "Pairwise_Consistency_Test" (B<OSSL_SELF_TEST_TYPE_PCT>)
+=item "Conditional_PCT" (B<OSSL_SELF_TEST_TYPE_PCT>)
Conditional test that is run during the generation of key pairs.
diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
index 564fc95..77c600a 100644
--- a/include/openssl/self_test.h
+++ b/include/openssl/self_test.h
@@ -29,11 +29,12 @@
# define OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY "Module_Integrity"
# define OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY "Install_Integrity"
# define OSSL_SELF_TEST_TYPE_CRNG "Continuous_RNG_Test"
-# define OSSL_SELF_TEST_TYPE_PCT "Pairwise_Consistency_Test"
+# define OSSL_SELF_TEST_TYPE_PCT "Conditional_PCT"
# define OSSL_SELF_TEST_TYPE_KAT_CIPHER "KAT_Cipher"
# define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER "KAT_AsymmetricCipher"
# define OSSL_SELF_TEST_TYPE_KAT_DIGEST "KAT_Digest"
# define OSSL_SELF_TEST_TYPE_KAT_SIGNATURE "KAT_Signature"
+# define OSSL_SELF_TEST_TYPE_PCT_SIGNATURE "PCT_Signature"
# define OSSL_SELF_TEST_TYPE_KAT_KDF "KAT_KDF"
# define OSSL_SELF_TEST_TYPE_KAT_KA "KAT_KA"
# define OSSL_SELF_TEST_TYPE_DRBG "DRBG"
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index d411767..81f7226 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -452,8 +452,12 @@
0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
};
+ const char *typ = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE;
- OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
+ if (t->sig_expected == NULL)
+ typ = OSSL_SELF_TEST_TYPE_PCT_SIGNATURE;
+
+ OSSL_SELF_TEST_onbegin(st, typ, t->desc);
bnctx = BN_CTX_new_ex(libctx);
if (bnctx == NULL)
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index db64362..d99974e 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -235,7 +235,7 @@
'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_sect',
'-corrupt_desc', 'DSA',
- '-corrupt_type', 'KAT_Signature'])),
+ '-corrupt_type', 'PCT_Signature'])),
"fipsinstall fails when the signature result is corrupted");
}
