Add the self test type OSSL_SELF_TEST_TYPE_PCT_SIGNATURE

Fixes #16457

The ECDSA and DSA signature tests use Pairwise tests instead of KATS.
Note there is a seperate type used by the keygen for conditional Pairwise Tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16461)

diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 62e495aef1948d8d246e49fef2cda3dab97770ef..0eac85b324bb4b1b9b267d2bc7d683cb75f77e59 100644 (file)
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -214,6 +214,10 @@ Known answer test for a digest.
 
 Known answer test for a signature.
 
+=item "PCT_Signature" (B<OSSL_SELF_TEST_TYPE_PCT_SIGNATURE>)      
+
+Pairwise Consistency check for a signature.
+
 =item "KAT_KDF" (B<OSSL_SELF_TEST_TYPE_KAT_KDF>)
 
 Known answer test for a key derivation function.
@@ -226,7 +230,7 @@ Known answer test for key agreement.
 
 Known answer test for a Deterministic Random Bit Generator.
 
-=item "Pairwise_Consistency_Test" (B<OSSL_SELF_TEST_TYPE_PCT>)
+=item "Conditional_PCT" (B<OSSL_SELF_TEST_TYPE_PCT>)
 
 Conditional test that is run during the generation of key pairs.
 

diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
index 564fc9508889f805ce027e620d1e87fdb4cd1603..77c600a0d13b7c3a20a41eeac3924dec64850383 100644 (file)
--- a/include/openssl/self_test.h
+++ b/include/openssl/self_test.h
@@ -29,11 +29,12 @@ extern "C" {
 # define OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY   "Module_Integrity"
 # define OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY  "Install_Integrity"
 # define OSSL_SELF_TEST_TYPE_CRNG               "Continuous_RNG_Test"
-# define OSSL_SELF_TEST_TYPE_PCT                "Pairwise_Consistency_Test"
+# define OSSL_SELF_TEST_TYPE_PCT                "Conditional_PCT"
 # define OSSL_SELF_TEST_TYPE_KAT_CIPHER         "KAT_Cipher"
 # define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER    "KAT_AsymmetricCipher"
 # define OSSL_SELF_TEST_TYPE_KAT_DIGEST         "KAT_Digest"
 # define OSSL_SELF_TEST_TYPE_KAT_SIGNATURE      "KAT_Signature"
+# define OSSL_SELF_TEST_TYPE_PCT_SIGNATURE      "PCT_Signature"
 # define OSSL_SELF_TEST_TYPE_KAT_KDF            "KAT_KDF"
 # define OSSL_SELF_TEST_TYPE_KAT_KA             "KAT_KA"
 # define OSSL_SELF_TEST_TYPE_DRBG               "DRBG"

diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index d411767205541999b701b86d58c16872538246b7..81f7226ba194f81ba081774127e751d2792cdddb 100644 (file)
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -452,8 +452,12 @@ static int self_test_sign(const ST_KAT_SIGN *t,
         0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
         0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
     };
+    const char *typ = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE;
 
-    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_SIGNATURE, t->desc);
+    if (t->sig_expected == NULL)
+        typ = OSSL_SELF_TEST_TYPE_PCT_SIGNATURE;
+
+    OSSL_SELF_TEST_onbegin(st, typ, t->desc);
 
     bnctx = BN_CTX_new_ex(libctx);
     if (bnctx == NULL)

diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index db64362538109f4e30a4a3ca8a6145ef80d5188d..d99974e46748271873f7a2d595b0981a6546044c 100644 (file)
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -235,7 +235,7 @@ SKIP: {
                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                 '-section_name', 'fips_sect',
                 '-corrupt_desc', 'DSA',
-                '-corrupt_type', 'KAT_Signature'])),
+                '-corrupt_type', 'PCT_Signature'])),
        "fipsinstall fails when the signature result is corrupted");
 }