diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2021-04-12 02:38:16 +0200 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2021-04-13 05:06:37 +0200 |
| commit | 3fed27181a9b5e26216b3cad679b0f601c90ac2a (patch) | |
| tree | 1cc60dadeae990c97162117d857442f2332d971a /test | |
| parent | Remove the function EVP_PKEY_set_alias_type (diff) | |
| download | openssl-3fed27181a9b5e26216b3cad679b0f601c90ac2a.tar.xz openssl-3fed27181a9b5e26216b3cad679b0f601c90ac2a.zip | |
Add FIPS Self test for AES_ECB decrypt
Fixes #14807
Compliance with IG 9.4 requires that an inverse cipher function be
tested if one is implemented. Just running AES_GCM encrypt/decrypt does not meet this
requirement (Since only ECB, CBC, XTS, KW, KWP support the inverse
function during decryption mode).
Added a mode to the cipher test so that the AES_GCM only does an encrypt
and AES_ECB only does a decrypt. TDES still does both.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14825)
Diffstat (limited to 'test')
| -rw-r--r-- | test/recipes/03-test_fipsinstall.t | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index 9ba6d2eb85..bc0c94cc97 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t @@ -24,7 +24,7 @@ use platform; plan skip_all => "Test only supported in a fips build" if disabled("fips"); -plan tests => 24; +plan tests => 26; my $infile = bldtop_file('providers', platform->dso('fips')); my $fipskey = $ENV{FIPSKEY} // '00'; @@ -191,6 +191,20 @@ ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infi '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])), "fipsinstall fails when the digest result is corrupted"); +# corrupt cipher encrypt test +ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", + '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM_Encrypt'])), + "fipsinstall fails when the AES_GCM result is corrupted"); + +# corrupt cipher decrypt test +ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", + '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])), + "fipsinstall fails when the AES_ECB result is corrupted"); + # corrupt DRBG ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', |