Add ECDSA verify KAT to FIPS self-tests.

Change-Id: Ib67cd8c10df837687da7864a3f65456b2611d0f9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43687 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
4 years ago · 7c4a3f7d3e
parent 83a3f462cf
commit 7c4a3f7d3e
1 changed files with 8 additions and 2 deletions
--- a/crypto/fipsmodule/self_check/self_check.c
+++ b/crypto/fipsmodule/self_check/self_check.c
@ -611,7 +611,7 @@ int boringssl_fips_self_test(
    goto err;
  }

-  // ECDSA Sign/Verify PWCT
+  // ECDSA Sign/Verify KAT

  // The 'k' value for ECDSA is fixed to avoid an entropy draw.
  ec_key->fixed_k = BN_new();
@ -632,7 +632,13 @@ int boringssl_fips_self_test(
      !BN_bn2bin(sig->s, ecdsa_s_bytes) ||
      !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") ||
      !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) {
-    fprintf(stderr, "ECDSA KAT failed.\n");
+    fprintf(stderr, "ECDSA signature KAT failed.\n");
+    goto err;
+  }
+
+  if (!ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig,
+                       ec_key)) {
+    fprintf(stderr, "ECDSA verification KAT failed.\n");
    goto err;
  }