fips140: Run ECDSA self-test in startup for FIPS

When in FIPS mode, run a known answer test in startup for at least one selected curve. The selected curve is secp256r1. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> 2019-02-08 11:07:22 +0100
committer: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> 2019-02-08 11:07:22 +0100
commit: 277dec94e525460a98f6315e58a7f94d4a86a18c (patch)
tree: 61b07743ec9a502f1d10fffa920b959578835bfa
parent: cd91840c564751924837ccdc9648d9a83a0b7601 (diff)
download: gnutls-277dec94e525460a98f6315e58a7f94d4a86a18c.tar.gz
1 files changed, 23 insertions, 21 deletions
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 31afb0be14..8f54e272da 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -731,30 +731,9 @@ int gnutls_pk_self_test(unsigned all, gnutls_pk_algorithm_t pk)
 			goto cleanup;
 		}
 
-		if (all == 0)
-			return 0;
 #endif
 
 		/* Test ECDSA */
-#ifdef ENABLE_NON_SUITEB_CURVES
-		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
-			      GNUTLS_CURVE_TO_BITS
-			      (GNUTLS_ECC_CURVE_SECP192R1),
-			      GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
-			      ecdsa_secp192r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
-			GNUTLS_DIG_SHA256);
-
-		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
-			      GNUTLS_CURVE_TO_BITS
-			      (GNUTLS_ECC_CURVE_SECP224R1),
-			      GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
-			      ecdsa_secp224r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
-			GNUTLS_DIG_SHA256);
-#endif
 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
 			      GNUTLS_CURVE_TO_BITS
 			      (GNUTLS_ECC_CURVE_SECP256R1),
@@ -764,6 +743,9 @@ int gnutls_pk_self_test(unsigned all, gnutls_pk_algorithm_t pk)
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
 			GNUTLS_DIG_SHA256);
 
+		if (all == 0)
+			return 0;
+
 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
 			      GNUTLS_CURVE_TO_BITS
 			      (GNUTLS_ECC_CURVE_SECP384R1),
@@ -782,6 +764,26 @@ int gnutls_pk_self_test(unsigned all, gnutls_pk_algorithm_t pk)
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
 			GNUTLS_DIG_SHA512);
 
+#ifdef ENABLE_NON_SUITEB_CURVES
+		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+			      GNUTLS_CURVE_TO_BITS
+			      (GNUTLS_ECC_CURVE_SECP192R1),
+			      GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
+			      ecdsa_secp192r1_sig);
+		PK_TEST(GNUTLS_PK_EC, test_sig,
+			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
+			GNUTLS_DIG_SHA256);
+
+		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+			      GNUTLS_CURVE_TO_BITS
+			      (GNUTLS_ECC_CURVE_SECP224R1),
+			      GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
+			      ecdsa_secp224r1_sig);
+		PK_TEST(GNUTLS_PK_EC, test_sig,
+			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
+			GNUTLS_DIG_SHA256);
+#endif
+
 		break;
 
 	default:
author	Anderson Toshiyuki Sasaki <ansasaki@redhat.com>	2019-02-08 11:07:22 +0100
committer	Anderson Toshiyuki Sasaki <ansasaki@redhat.com>	2019-02-08 11:07:22 +0100
commit	277dec94e525460a98f6315e58a7f94d4a86a18c (patch)
tree	61b07743ec9a502f1d10fffa920b959578835bfa
parent	cd91840c564751924837ccdc9648d9a83a0b7601 (diff)
download	gnutls-277dec94e525460a98f6315e58a7f94d4a86a18c.tar.gz