pool/libgcrypt
SHA256
3
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c941c8db1e
libgcrypt/libgcrypt-FIPS-fix-regression-tests.patch

449 lines
13 KiB
Diff
Raw Normal View History

Accepting request 950433 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153
2022-02-01 14:12:14 +01:00
Index: libgcrypt-1.9.4/cipher/pubkey.c
===================================================================
--- libgcrypt-1.9.4.orig/cipher/pubkey.c
+++ libgcrypt-1.9.4/cipher/pubkey.c
@@ -224,7 +224,7 @@ check_pubkey_algo (int algo, unsigned us
gcry_pk_spec_t *spec;
spec = spec_from_algo (algo);
- if (spec)
+ if (spec && !spec->flags.disabled)
{
if (((use & GCRY_PK_USAGE_SIGN)
&& (! (spec->use & GCRY_PK_USAGE_SIGN)))
From 44c7c41af21c668826280abfee1257853020ba2d Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 16 Aug 2021 12:41:11 +0900
Subject: [PATCH 161/200] tests: Skip tests when FIPS for keygrip computations.
* tests/keygrip.c (check): Skip non-FIPS curves when FIPS.
(main): Check if FIPS is enabled.
--
GnuPG-bug-id: 5520
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
tests/keygrip.c | 37 ++++++++++++++++++++++++++++---------
1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/tests/keygrip.c b/tests/keygrip.c
index cfccc06e..49bd71bc 100644
--- a/tests/keygrip.c
+++ b/tests/keygrip.c
@@ -33,6 +33,9 @@
static int repetitions;
+/* Whether fips mode was active at startup. */
+static int in_fips_mode;
+
static void
@@ -54,6 +57,7 @@ static struct
int algo;
const char *key;
const unsigned char grip[20];
+ int skip_when_fips;
} key_grips[] =
{
{
@@ -155,7 +159,8 @@ static struct
/* */"436DD11A1756AFE56CD93408410FCDA9"
/* */"BA95024EB613BD481A14FCFEC27A448A#)))",
"\x52\xBA\xD4\xB4\xA3\x2D\x32\xA1\xDD\x06"
- "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4"
+ "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4",
+ 1
},
{ /* Compressed form of above. */
GCRY_PK_ECC,
@@ -165,7 +170,8 @@ static struct
" (q #022ECD8679930BE2DB4AD42B8600BA3F80"
/* */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))",
"\x52\xBA\xD4\xB4\xA3\x2D\x32\xA1\xDD\x06"
- "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4"
+ "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4",
+ 1
},
{
GCRY_PK_ECC,
@@ -177,7 +183,8 @@ static struct
/* */"9EBBA41915313417BA54218EB0569C59"
/* */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
"\x99\x38\x6A\x82\x41\x96\x29\x9C\x89\x74"
- "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F"
+ "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
+ 1
},
{ /* Compressed form of above. */
GCRY_PK_ECC,
@@ -187,7 +194,8 @@ static struct
" (q #035B784CA008EE64AB3D85017EE0D2BE87"
/* */"558762C7300E0C8E06B1F9AF7C031458#)))",
"\x99\x38\x6A\x82\x41\x96\x29\x9C\x89\x74"
- "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F"
+ "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
+ 1
},
{ /* Ed25519 standard */
GCRY_PK_ECC,
@@ -199,7 +207,8 @@ static struct
" 47BD24842905C049257673B3F5249524E0A41FAA17B25B818D0F97E625F1A1D0#)"
" ))",
"\x0C\xCA\xB2\xFD\x48\x9A\x33\x40\x2C\xE8"
- "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1"
+ "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1",
+ 1
},
{ /* Ed25519+EdDSA */
GCRY_PK_ECC,
@@ -209,7 +218,8 @@ static struct
" (q #773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)"
" ))",
"\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
- "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+ "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+ 1
},
{ /* Ed25519+EdDSA (with compression prefix) */
GCRY_PK_ECC,
@@ -220,7 +230,8 @@ static struct
" 773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)"
" ))",
"\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
- "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+ "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+ 1
},
{ /* Ed25519+EdDSA (same but uncompressed)*/
GCRY_PK_ECC,
@@ -232,7 +243,8 @@ static struct
" 5bb7c29018ece0f46b01f2960e99041a5779afe7e2292b65f9d51f8c84723e77#)"
" ))",
"\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
- "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+ "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+ 1
},
{ /* Cv25519 */
GCRY_PK_ECC,
@@ -243,7 +255,8 @@ static struct
" 918C1733127F6BF2646FAE3D081A18AE77111C903B906310B077505EFFF12740#)"
" ))",
"\x0F\x89\xA5\x65\xD3\xEA\x18\x7C\xE8\x39"
- "\x33\x23\x98\xF5\xD4\x80\x67\x7D\xF4\x9C"
+ "\x33\x23\x98\xF5\xD4\x80\x67\x7D\xF4\x9C",
+ 1
},
{ /* Random key */
GCRY_PK_RSA,
@@ -280,6 +293,9 @@ check (void)
for (i = 0; i < (sizeof (key_grips) / sizeof (*key_grips)); i++)
{
+ if (in_fips_mode && key_grips[i].skip_when_fips)
+ continue;
+
if (gcry_pk_test_algo (key_grips[i].algo))
{
if (verbose)
@@ -379,6 +395,9 @@ main (int argc, char **argv)
if (debug)
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
+
check ();
return 0;
--
2.33.0
From 3026148331523ec7ca81031339b5629431cafa23 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Jul 2021 09:20:18 +0200
Subject: tests: Expect curves 25519/448 to fail in FIPS mode
* tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS
mode.
(test_cv_x25519, test_it): Ditto.
(main) Detect FIPS mode.
* tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS
mode.
(main) Detect FIPS mode.
* tests/t-ed448.c (one_test): Expect the operation to fail in FIPS
mode.
(main) Detect FIPS mode.
* tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS
mode.
(test_cv_x448, test_cv): Ditto.
(main) Detect FIPS mode.
--
The ed25519, ed448, cv25519 and cv448 curves are not available in FIPS
mode. Some of the tests already skipped these, but it is always better
to make sure thy are failing, rather than just skipping these.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/t-cv25519.c | 37 +++++++++++++++++++++++++++++++++++--
tests/t-ed25519.c | 18 ++++++++++++++----
tests/t-ed448.c | 18 ++++++++++++++----
tests/t-x448.c | 41 +++++++++++++++++++++++++++++++++++++----
4 files changed, 100 insertions(+), 14 deletions(-)
diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c
index 0de50a02..b4126f4c 100644
--- a/tests/t-cv25519.c
+++ b/tests/t-cv25519.c
@@ -33,6 +33,7 @@
#include "t-common.h"
#define N_TESTS 18
+static int in_fips_mode = 0;
static void
print_mpi (const char *text, gcry_mpi_t a)
@@ -188,7 +189,17 @@ test_cv_hl (int testno, const char *k_str, const char *u_str,
xfree (buffer);
buffer = NULL;
- if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk)))
+ err = gcry_pk_encrypt (&s_result, s_data, s_pk);
+ if (in_fips_mode)
+ {
+ if (!err)
+ fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
fail ("gcry_pk_encrypt failed for test %d: %s", testno,
gpg_strerror (err));
@@ -281,7 +292,17 @@ test_cv_x25519 (int testno, const char *k_str, const char *u_str,
goto leave;
}
- if ((err = gcry_ecc_mul_point (algo, result, scalar, point)))
+ err = gcry_ecc_mul_point (algo, result, scalar, point);
+ if (in_fips_mode)
+ {
+ if (!err)
+ fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
fail ("gcry_ecc_mul_point failed for test %d: %s", testno,
gpg_strerror (err));
@@ -335,6 +356,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
info ("Running test %d: iteration=%d\n", testno, iter);
gcry_mpi_ec_new (&ctx, NULL, "Curve25519");
+ if (in_fips_mode)
+ {
+ if (ctx)
+ fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ return;
+ }
Q = gcry_mpi_point_new (0);
if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32)
@@ -640,6 +670,9 @@ main (int argc, char **argv)
xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
+
start_timer ();
check_cv25519 ();
stop_timer ();
diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c
index a5271c25..567bc797 100644
--- a/tests/t-ed25519.c
+++ b/tests/t-ed25519.c
@@ -36,6 +36,7 @@
static int sign_with_pk;
static int no_verify;
static int custom_data_file;
+static int in_fips_mode = 0;
static void
@@ -271,7 +272,17 @@ one_test (int testno, const char *sk, const char *pk,
goto leave;
}
- if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk)))
+ err = gcry_pk_sign (&s_sig, s_msg, s_sk);
+ if (in_fips_mode)
+ {
+ if (!err)
+ fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err));
if (debug)
show_sexp ("sig=", s_sig);
@@ -481,9 +492,8 @@ main (int argc, char **argv)
xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
- /* Ed25519 isn't supported in fips mode */
- if (gcry_fips_mode_active())
- return 77;
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
start_timer ();
check_ed25519 (fname);
diff --git a/tests/t-ed448.c b/tests/t-ed448.c
index 1f445ffc..f38cd10c 100644
--- a/tests/t-ed448.c
+++ b/tests/t-ed448.c
@@ -36,6 +36,7 @@
static int sign_with_pk;
static int no_verify;
static int custom_data_file;
+static int in_fips_mode = 0;
static void
@@ -302,7 +303,17 @@ one_test (int testno, int ph, const char *sk, const char *pk,
}
}
- if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk)))
+ err = gcry_pk_sign (&s_sig, s_msg, s_sk);
+ if (in_fips_mode)
+ {
+ if (!err)
+ fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err));
if (debug)
show_sexp ("sig=", s_sig);
@@ -521,9 +532,8 @@ main (int argc, char **argv)
xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
- /* Ed448 isn't supported in fips mode */
- if (gcry_fips_mode_active())
- return 77;
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
start_timer ();
check_ed448 (fname);
diff --git a/tests/t-x448.c b/tests/t-x448.c
index 5c3cbeb9..cc4b10fc 100644
--- a/tests/t-x448.c
+++ b/tests/t-x448.c
@@ -34,6 +34,7 @@
#include "t-common.h"
#define N_TESTS 9
+static int in_fips_mode = 0;
static void
print_mpi (const char *text, gcry_mpi_t a)
@@ -179,8 +180,18 @@ test_cv_hl (int testno, const char *k_str, const char *u_str,
xfree (buffer);
buffer = NULL;
- if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk)))
- fail ("gcry_pk_encrypt failed for test %d: %s", testno,
+ err = gcry_pk_encrypt (&s_result, s_data, s_pk);
+ if (in_fips_mode)
+ {
+ if (!err)
+ fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
+ fail ("gcry_pk_encrypt goto leavefailed for test %d: %s", testno,
gpg_strerror (err));
s_tmp = gcry_sexp_find_token (s_result, "s", 0);
@@ -257,7 +268,17 @@ test_cv_x448 (int testno, const char *k_str, const char *u_str,
goto leave;
}
- if ((err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point)))
+ err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point);
+ if (in_fips_mode)
+ {
+ if (err != GPG_ERR_NOT_SUPPORTED)
+ fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d: %s",
+ testno, gpg_strerror (err));
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ goto leave;
+ }
+ if (err)
fail ("gcry_ecc_mul_point failed for test %d: %s", testno,
gpg_strerror (err));
@@ -296,7 +317,7 @@ test_cv (int testno, const char *k_str, const char *u_str,
static void
test_it (int testno, const char *k_str, int iter, const char *result_str)
{
- gcry_ctx_t ctx;
+ gcry_ctx_t ctx = NULL;
gpg_error_t err;
void *buffer = NULL;
size_t buflen;
@@ -311,6 +332,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
info ("Running test %d: iteration=%d\n", testno, iter);
gcry_mpi_ec_new (&ctx, NULL, "X448");
+ if (in_fips_mode)
+ {
+ if (ctx)
+ fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d",
+ testno);
+ if (verbose > 1)
+ info ("not executed in FIPS mode\n");
+ return;
+ }
Q = gcry_mpi_point_new (0);
if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 56)
@@ -583,6 +613,9 @@ main (int argc, char **argv)
xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
+
start_timer ();
check_x448 ();
stop_timer ();
--
2.33.0
Reference in New Issue Copy Permalink