diff options
| author | pohsingwu <pohsingwu@synology.com> | 2024-01-28 18:18:02 +0800 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-03-01 11:06:03 +0100 |
| commit | fbce6ebf706cdd273f2569edfea7ade106426e0b (patch) | |
| tree | 2d598acb71f57e2fe8af34857e00126020e8cbb6 /test | |
| parent | c18c301deb44deb27f35c199e8bf44ca8b80e579 (diff) | |
Implement PCT for EDDSA
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be
performed consistent with the intended use of the keys.
This commit implements PCT for EDDSA via performing sign and verify
operations after key generated.
Also use the same pairwise test logic in EVP_PKEY_keygen and
EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE.
Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23408)
Diffstat (limited to 'test')
| -rw-r--r-- | test/pairwise_fail_test.c | 11 | ||||
| -rw-r--r-- | test/recipes/30-test_pairwise_fail.t | 16 |
2 files changed, 26 insertions, 1 deletions
diff --git a/test/pairwise_fail_test.c b/test/pairwise_fail_test.c index d37898338e..9ce11a15fc 100644 --- a/test/pairwise_fail_test.c +++ b/test/pairwise_fail_test.c @@ -122,6 +122,17 @@ static int test_keygen_pairwise_failure(void) goto err; if (!TEST_ptr_null(pkey)) goto err; + } else if (strncmp(pairwise_name, "eddsa", 5) == 0) { + if (!TEST_true(setup_selftest_pairwise_failure(type))) + goto err; + if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "ED25519", NULL))) + goto err; + if (!TEST_int_eq(EVP_PKEY_keygen_init(ctx), 1)) + goto err; + if (!TEST_int_le(EVP_PKEY_keygen(ctx, &pkey), 0)) + goto err; + if (!TEST_ptr_null(pkey)) + goto err; } ret = 1; err: diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t index c837d48fb4..6bdf04d37c 100644 --- a/test/recipes/30-test_pairwise_fail.t +++ b/test/recipes/30-test_pairwise_fail.t @@ -22,7 +22,7 @@ use lib bldtop_dir('.'); plan skip_all => "These tests are unsupported in a non fips build" if disabled("fips"); -plan tests => 5; +plan tests => 6; my $provconf = srctop_file("test", "fips-and-base.cnf"); run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), @@ -63,3 +63,17 @@ SKIP: { "-pairwise", "dsakat", "-dsaparam", data_file("dsaparam.pem")])), "fips provider dsa keygen kat failure test"); } + +SKIP: { + skip "Skip EDDSA test because of no ecx in this build", 1 + if disabled("ecx"); + + run(test(["fips_version_test", "-config", $provconf, ">=3.3.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too old", 1 + if !$exit; + + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eddsa"])), + "fips provider eddsa keygen pairwise failure test"); +} |