From: Simo Sorce <simo@redhat.com>
Date: Thu, 2 Oct 2025 21:57:42 +0000 (-0400)
Subject: Run on-demand self-tests when requested
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43305ad7ae888bef3cf8617daccd75c11617a9a1;p=thirdparty%2Fopenssl.git

Run on-demand self-tests when requested

The `on_demand_test` flag passed to `SELF_TEST_post` was not being honored by
the Known Answer Test (KAT) runner. Tests marked as 'deferred' were always
skipped.

This change passes the `on_demand_test` flag through to the KAT functions,
ensuring that when an on-demand test is requested, the full suite of self-
tests is executed as intended.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28725)
---

diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 9fb23e44c35..7043fc777a3 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -381,7 +381,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
         goto end;
     }
 
-    if (!SELF_TEST_kats(ev, st->libctx)) {
+    if (!SELF_TEST_kats(ev, st->libctx, on_demand_test)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
         goto end;
     }
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index 99b1a28a92e..f521258ad8b 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -31,7 +31,7 @@ typedef struct self_test_post_params_st {
 } SELF_TEST_POST_PARAMS;
 
 int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test);
-int SELF_TEST_kats(OSSL_SELF_TEST *event, OSSL_LIB_CTX *libctx);
+int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred);
 int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
                           int type, const char *alg_name);
 
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 2e94219bc5c..539c5f88ca9 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -951,12 +951,13 @@ err:
  * All tests are run regardless of if they fail or not.
  * Return 0 if any test fails.
  */
-static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                             int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_digest_tests); ++i) {
-        if (st_kat_digest_tests[i].deferred)
+        if (st_kat_digest_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
             ret = 0;
@@ -964,12 +965,13 @@ static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                             int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_cipher_tests); ++i) {
-        if (st_kat_cipher_tests[i].base.deferred)
+        if (st_kat_cipher_tests[i].base.deferred && !do_deferred)
             continue;
         if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
             ret = 0;
@@ -977,14 +979,15 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                          int do_deferred)
 {
     int ret = 1;
 #ifndef OPENSSL_NO_ML_KEM
     int i;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_kem_tests); ++i) {
-        if (st_kat_kem_tests[i].deferred)
+        if (st_kat_kem_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_kem(&st_kat_kem_tests[i], st, libctx))
             ret = 0;
@@ -993,12 +996,13 @@ static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                                  int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
-        if (st_kat_asym_cipher_tests[i].deferred)
+        if (st_kat_asym_cipher_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
             ret = 0;
@@ -1006,12 +1010,13 @@ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                          int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_kdf_tests); ++i) {
-        if (st_kat_kdf_tests[i].deferred)
+        if (st_kat_kdf_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
             ret = 0;
@@ -1019,12 +1024,13 @@ static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                           int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_drbg_tests); ++i) {
-        if (st_kat_drbg_tests[i].deferred)
+        if (st_kat_drbg_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
             ret = 0;
@@ -1032,14 +1038,15 @@ static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                         int do_deferred)
 {
     int ret = 1;
 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
     int i;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
-        if (st_kat_kas_tests[i].deferred)
+        if (st_kat_kas_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
             ret = 0;
@@ -1049,12 +1056,13 @@ static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     return ret;
 }
 
-static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                                int do_deferred)
 {
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
-        if (st_kat_sign_tests[i].deferred)
+        if (st_kat_sign_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_digest_sign(&st_kat_sign_tests[i], st, libctx))
             ret = 0;
@@ -1202,13 +1210,14 @@ static int setup_main_random(OSSL_LIB_CTX *libctx)
     return 0;
 }
 
-static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
+                                  int do_deferred)
 {
 #if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
     int i, ret = 1;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_keygen_tests); ++i) {
-        if (st_kat_asym_keygen_tests[i].deferred)
+        if (st_kat_asym_keygen_tests[i].deferred && !do_deferred)
             continue;
         if (!self_test_asym_keygen(&st_kat_asym_keygen_tests[i], st, libctx))
             ret = 0;
@@ -1223,8 +1232,9 @@ static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
  * Run the algorithm KAT's.
  * Return 1 is successful, otherwise return 0.
  * This runs all the tests regardless of if any fail.
+ * when do_deferred is 1 also run deferred tests, they are normally skipped
  */
-int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred)
 {
     EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx);
     int ret = 1;
@@ -1239,9 +1249,9 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
         return 0;
     }
 
-    if (!self_test_digests(st, libctx))
+    if (!self_test_digests(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_ciphers(st, libctx))
+    if (!self_test_ciphers(st, libctx, do_deferred))
         ret = 0;
 #ifndef OPENSSL_NO_LMS
     /*
@@ -1256,19 +1266,19 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
     if (!self_test_LMS(st, libctx))
         ret = 0;
 #endif  /* OPENSSL_NO_LMS */
-    if (!self_test_signatures(st, libctx))
+    if (!self_test_signatures(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_kdfs(st, libctx))
+    if (!self_test_kdfs(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_drbgs(st, libctx))
+    if (!self_test_drbgs(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_kas(st, libctx))
+    if (!self_test_kas(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_asym_keygens(st, libctx))
+    if (!self_test_asym_keygens(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_kems(st, libctx))
+    if (!self_test_kems(st, libctx, do_deferred))
         ret = 0;
-    if (!self_test_asym_ciphers(st, libctx))
+    if (!self_test_asym_ciphers(st, libctx, do_deferred))
         ret = 0;
 
     RAND_set0_private(libctx, saved_rand);