From cc3571a1f2244bdf829d7d16dd546131711eb8a9 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Mon, 8 Nov 2021 13:57:18 +0900 Subject: tests: Expect errors from algorithms not supported in FIPS mode. * tests/basic.c (FLAG_NOFIPS): New. (check_pubkey_sign): Pass and handle NOFIPS flag. (check_pubkey_sign_ecdsa): Likewise. (check_pubkey_crypt): Likewise. (do_check_one_pubkey): Pass flags. (check_pubkey): Mark explicitly algorithms expected not to work in FIPS mode and make sure they fail. -- Co-authored-by: NIIBE Yutaka Signed-off-by: Jakub Jelen --- tests/basic.c | 65 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 19 deletions(-) Index: libgcrypt-1.9.4/tests/basic.c =================================================================== --- libgcrypt-1.9.4.orig/tests/basic.c +++ libgcrypt-1.9.4/tests/basic.c @@ -55,9 +55,10 @@ typedef struct test_spec_pubkey } test_spec_pubkey_t; -#define FLAG_CRYPT (1 << 0) -#define FLAG_SIGN (1 << 1) -#define FLAG_GRIP (1 << 2) +#define FLAG_CRYPT (1 << 0) +#define FLAG_SIGN (1 << 1) +#define FLAG_GRIP (1 << 2) +#define FLAG_NOFIPS (1 << 3) static int in_fips_mode; @@ -13509,7 +13510,8 @@ verify_one_signature (gcry_sexp_t pkey, /* Test the public key sign function using the private key SKEY. PKEY is used for verification. */ static void -check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo) +check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, + int flags) { gcry_error_t rc; gcry_sexp_t sig, badhash, hash; @@ -13588,6 +13590,7 @@ check_pubkey_sign (int n, gcry_sexp_t sk if (rc) die ("converting data failed: %s\n", gpg_strerror (rc)); + sig = NULL; for (dataidx = 0; datas[dataidx].data; dataidx++) { if (datas[dataidx].algo && datas[dataidx].algo != algo) 
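Review bot: `FLAG_NOFIPS` is added to the flag list without a comment, and the name reads as a property of the algorithm although check_pubkey sets it on individual key entries (the 1k RSA key, ELG, and the GOST and sm2 keys listed under `GCRY_PK_ECDSA`). A one-line comment on the define would make that clear: `/* Key entry is expected to be rejected when the library runs in FIPS mode. */`. The comment above check_pubkey_sign, visible in the next hunk, could also mention the new FLAGS parameter.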
@@ -13603,12 +13606,19 @@ check_pubkey_sign (int n, gcry_sexp_t sk die ("converting data failed: %s\n", gpg_strerror (rc)); rc = gcry_pk_sign (&sig, hash, skey); + if (in_fips_mode && (flags & FLAG_NOFIPS)) + { + if (!rc) + fail ("gcry_pk_sign did not fail as expected in FIPS mode\n"); + goto next; + } if (gcry_err_code (rc) != datas[dataidx].expected_rc) fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc)); if (!rc) verify_one_signature (pkey, hash, badhash, sig); + next: gcry_sexp_release (sig); sig = NULL; gcry_sexp_release (hash); @@ -13622,7 +13632,8 @@ check_pubkey_sign (int n, gcry_sexp_t sk /* Test the public key sign function using the private key SKEY. PKEY is used for verification. This variant is only used for ECDSA. */ static void -check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey) +check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey, + int flags) { gcry_error_t rc; gcry_sexp_t sig, badhash, hash; @@ -13704,6 +13715,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex nbits = gcry_pk_get_nbits (skey); + sig = NULL; for (dataidx = 0; datas[dataidx].data; dataidx++) { if (datas[dataidx].nbits != nbits) @@ -13723,6 +13735,12 @@ check_pubkey_sign_ecdsa (int n, gcry_sex die ("converting data failed: %s\n", gpg_strerror (rc)); rc = gcry_pk_sign (&sig, hash, skey); + if (in_fips_mode && (flags & FLAG_NOFIPS)) + { + if (!rc) + fail ("gcry_pk_sign did not fail as expected in FIPS mode\n"); + goto next; + } if (gcry_err_code (rc) != datas[dataidx].expected_rc) fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc)); @@ -13732,6 +13750,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex if (!rc) verify_one_signature (pkey, hash, badhash, sig); + next: gcry_sexp_release (sig); sig = NULL; gcry_sexp_release (badhash); 
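Review bot: The FIPS branch added after `gcry_pk_sign` in check_pubkey_sign accepts any non-zero `rc` as the expected rejection, so a failure unrelated to FIPS policy (an allocation error, or a `datas[]` entry whose `expected_rc` is already non-zero) would be counted as proof that the key is blocked. Comparing against the one error code the library is meant to return for a FIPS rejection would pin the behaviour, for example `else if (gcry_err_code (rc) != FIPS_REJECT_RC) fail ("gcry_pk_sign: unexpected error in FIPS mode: %s\n", gpg_strerror (rc));`, where `FIPS_REJECT_RC` is a placeholder for that code. The same branch appears in check_pubkey_sign_ecdsa in this patch and after `gcry_pk_encrypt` in check_pubkey_crypt. The bodies of these functions extend beyond the hunks shown.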
@@ -13743,7 +13762,8 @@ check_pubkey_sign_ecdsa (int n, gcry_sex static void -check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo) +check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, + int flags) { gcry_error_t rc; gcry_sexp_t plain = NULL; @@ -13876,6 +13896,12 @@ check_pubkey_crypt (int n, gcry_sexp_t s die ("converting data failed: %s\n", gpg_strerror (rc)); rc = gcry_pk_encrypt (&ciph, data, pkey); + if (in_fips_mode && (flags & FLAG_NOFIPS)) + { + if (!rc) + fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n"); + goto next; + } if (gcry_err_code (rc) != datas[dataidx].encrypt_expected_rc) fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (rc)); @@ -13974,6 +14000,7 @@ check_pubkey_crypt (int n, gcry_sexp_t s } } + next: gcry_sexp_release (plain); plain = NULL; gcry_sexp_release (ciph); @@ -14005,17 +14032,17 @@ static void do_check_one_pubkey (int n, gcry_sexp_t skey, gcry_sexp_t pkey, const unsigned char *grip, int algo, int flags) { - if (flags & FLAG_SIGN) + if ((flags & FLAG_SIGN)) { if (algo == GCRY_PK_ECDSA) - check_pubkey_sign_ecdsa (n, skey, pkey); + check_pubkey_sign_ecdsa (n, skey, pkey, flags); else - check_pubkey_sign (n, skey, pkey, algo); + check_pubkey_sign (n, skey, pkey, algo, flags); } - if (flags & FLAG_CRYPT) - check_pubkey_crypt (n, skey, pkey, algo); - if (grip && (flags & FLAG_GRIP)) - check_pubkey_grip (n, grip, skey, pkey, algo); + if ((flags & FLAG_CRYPT)) + check_pubkey_crypt (n, skey, pkey, algo, flags); + if (grip && (flags & FLAG_GRIP)) + check_pubkey_grip (n, grip, skey, pkey, algo); } static void @@ -14089,7 +14116,7 @@ check_pubkey (void) { static const test_spec_pubkey_t pubkeys[] = { { - GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP, + GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP | FLAG_NOFIPS, /* 1k RSA */ { "(private-key\n" " (rsa\n" 
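Review bot: In check_pubkey_crypt the FIPS branch jumps to `next` right after `gcry_pk_encrypt`, so for `FLAG_NOFIPS` keys only the encrypt call is checked. Everything between the branch and the `next:` label is never run in FIPS mode; that code is not visible in these hunks and is presumably the decrypt step. If rejection on the private-key side matters for the FIPS claim, the gap deserves a comment at the branch, such as `/* Only the encrypt side is checked in FIPS mode; decrypt is not exercised for these keys. */`.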
@@ -14228,7 +14255,7 @@ check_pubkey (void) "\x47\xdd\x69\x55\xdb\x3a\xac\x89\x6e\x40"} }, { - GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP, + GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP | FLAG_NOFIPS, { "(private-key\n" " (ELG\n" @@ -14360,7 +14387,7 @@ check_pubkey (void) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" } }, { /* GOST R 34.10-2001/2012 test 256 bit. */ - GCRY_PK_ECDSA, FLAG_SIGN, + GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS, { "(private-key\n" " (ecc\n" @@ -14382,7 +14409,7 @@ check_pubkey (void) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" } }, { /* GOST R 34.10-2012 test 512 bit. */ - GCRY_PK_ECDSA, FLAG_SIGN, + GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS, { "(private-key\n" " (ecc\n" @@ -14433,7 +14460,7 @@ check_pubkey (void) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" } }, { /* sm2 test */ - GCRY_PK_ECDSA, FLAG_SIGN, + GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS, { "(private-key\n" " (ecc\n" From 66119e0c1a024f7cf059393c3db827eb338339b0 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 11 Nov 2021 13:03:58 +0900 Subject: tests:pubkey: Replace RSA key to one of 2k. * tests/pubkey.c (sample_private_key_1): Use 2k key from basic.c. (sample_private_key_1_1): Likewise. (sample_private_key_1_2): Likewise. -- GnuPG-bug-id: 5512 Signed-off-by: NIIBE Yutaka --- tests/pubkey.c | 126 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 88 insertions(+), 38 deletions(-) diff --git a/tests/pubkey.c b/tests/pubkey.c index 8a482dc3..51ef0f51 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c 
@@ -36,21 +36,40 @@ static int in_fips_mode; static const char sample_private_key_1[] = "(private-key\n" " (openpgp-rsa\n" -" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" - "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" - "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" - "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n" +" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC" +" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8" +" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C" +" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917" +" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613" +" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C" +" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918" +" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6" +" CB#)\n" " (e #010001#)\n" -" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11" - "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD" - "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21" - "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n" -" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213" - "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n" -" (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9" - "35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)\n" -" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e" - "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n" +" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19" +" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93" +" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12" +" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F" 
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48" +" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD" +" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84" +" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401" +" #)\n" +" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0" +" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B" +" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF" +" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17" +" 83#)\n" +" (q #00D1984135231CB243FE959C0CBEF551EDD986AD7BEDF71EDF447BE3DA27AF46" +" 79C974A6FA69E4D52FE796650623DE70622862713932AA2FD9F2EC856EAEAA77" +" 88B4EA6084DC81C902F014829B18EA8B2666EC41586818E0589E18876065F97E" +" 8D22CE2DA53A05951EC132DCEF41E70A9C35F4ACC268FFAC2ADF54FA1DA110B9" +" 19#)\n" +" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04" +" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4" +" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9" +" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7" +" #)\n" " )\n" ")\n"; 
@@ -58,15 +77,25 @@ static const char sample_private_key_1[] = static const char sample_private_key_1_1[] = "(private-key\n" " (openpgp-rsa\n" -" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" - "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" - "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" - "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n" +" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC" +" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8" +" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C" +" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917" +" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613" +" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C" +" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918" +" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6" +" CB#)\n" " (e #010001#)\n" -" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11" - "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD" - "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21" - "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n" +" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19" +" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93" +" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12" +" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F" +" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48" +" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD" +" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84" +" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401" +" #)\n" " )\n" ")\n"; 
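Review bot: The 2048-bit RSA private key pasted into `sample_private_key_1_1` carries no comment saying that it is published test material and a copy of the key in tests/basic.c, which is how the commit message describes it. The same applies to the hunks for `sample_private_key_1` and `sample_private_key_1_2`. A short comment above the first definition would discourage reuse of the key and explain secret-scanner hits: `/* 2048-bit RSA test key, identical to the one in tests/basic.c; public, never use outside the test suite. */`. Any existing comment above these definitions is outside the hunks.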
@@ -75,29 +104,50 @@ static const char sample_private_key_1_1[] = static const char sample_private_key_1_2[] = "(private-key\n" " (openpgp-rsa\n" -" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" - "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" - "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" - "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n" +" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC" +" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8" +" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C" +" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917" +" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613" +" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C" +" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918" +" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6" +" CB#)\n" " (e #010001#)\n" -" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11" - "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD" - "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21" - "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n" -" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213" - "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n" -" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e" - "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n" +" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19" +" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93" +" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12" +" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F" +" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48" +" 
EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD" +" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84" +" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401" +" #)\n" +" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0" +" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B" +" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF" +" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17" +" 83#)\n" +" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04" +" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4" +" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9" +" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7" +" #)\n" " )\n" ")\n"; static const char sample_public_key_1[] = "(public-key\n" " (rsa\n" -" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" - "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" - "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" - "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n" +" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC" +" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8" +" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C" +" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917" +" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613" +" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C" +" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918" +" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6" +" CB#)\n" " (e #010001#)\n" " )\n" ")\n"; -- 2.33.1 From 1481607cb9db977468a75f9f4638dc1cf3ade007 Mon Sep 17 00:00:00 2001 
From: NIIBE Yutaka Date: Thu, 11 Nov 2021 13:44:40 +0900 Subject: tests:pkcs1v2: Skip tests with small keys in FIPS mode. * tests/pkcs1v2.c (in_fips_mode): New. (check_oaep): Skip when key size is less than 2048 in FIPS mode. (check_pss, check_v15crypt, check_v15sign): Likewise. -- GnuPG-bug-id: 5512 Signed-off-by: NIIBE Yutaka --- tests/pkcs1v2.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 3 deletions(-) diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c index 968d3fea..f26e779b 100644 --- a/tests/pkcs1v2.c +++ b/tests/pkcs1v2.c @@ -36,6 +36,8 @@ #include "t-common.h" +static int in_fips_mode; + static void show_sexp (const char *prefix, gcry_sexp_t a) { @@ -147,6 +149,18 @@ check_oaep (void) gcry_free (rsa_e); gcry_free (rsa_d); + if (in_fips_mode) + { + unsigned int nbits = gcry_pk_get_nbits (pub_key); + + if (nbits < 2048) + { + if (verbose > 1) + info ("... skipped\n"); + goto next; + } + } + for (mno = 0; mno < DIM (tbl[0].m); mno++) { void *mesg, *seed, *encr; @@ -225,6 +239,7 @@ check_oaep (void) ciph = NULL; } + next: gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } @@ -269,6 +284,18 @@ check_pss (void) gcry_free (rsa_e); gcry_free (rsa_d); + if (in_fips_mode) + { + unsigned int nbits = gcry_pk_get_nbits (pub_key); + + if (nbits < 2048) + { + if (verbose > 1) + info ("... skipped\n"); + goto next; + } + } + for (mno = 0; mno < DIM (tbl[0].m); mno++) { void *mesg, *salt, *sign; @@ -347,6 +374,7 @@ check_pss (void) sigtmpl = NULL; } + next: gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } @@ -391,6 +419,18 @@ check_v15crypt (void) gcry_free (rsa_e); gcry_free (rsa_d); + if (in_fips_mode) + { + unsigned int nbits = gcry_pk_get_nbits (pub_key); + + if (nbits < 2048) + { + if (verbose > 1) + info ("... skipped\n"); + goto next; + } + } + for (mno = 0; mno < DIM (tbl[0].m); mno++) { void *mesg, *seed, *encr; 
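Review bot: The FIPS branch added to check_oaep skips every key below 2048 bits without checking that the library would refuse it, and it reports the skip only when `verbose > 1`, so a default run cannot tell how many vectors were actually exercised. The identical block is repeated in check_pss, check_v15crypt and check_v15sign. A single helper would keep the size limit and the reporting in one place, with each call site reduced to the two lines at the end of the excerpt below. The helper keeps the current behaviour; raising the message to plain `verbose` or counting skips is a separate decision. The loops these hunks sit in start and end outside the visible lines.

```c
/* Return 1 when PUB_KEY must be skipped: in FIPS mode RSA keys
   shorter than 2048 bits are not tested.  */
static int
skip_key_in_fips_mode (gcry_sexp_t pub_key)
{
  if (!in_fips_mode || gcry_pk_get_nbits (pub_key) >= 2048)
    return 0;
  if (verbose > 1)
    info ("... skipped\n");
  return 1;
}

/* … unchanged: key construction in check_oaep … */
      if (skip_key_in_fips_mode (pub_key))
        goto next;
```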
@@ -469,6 +509,7 @@ check_v15crypt (void) ciph = NULL; } + next: gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } @@ -513,6 +554,18 @@ check_v15sign (void) gcry_free (rsa_e); gcry_free (rsa_d); + if (in_fips_mode) + { + unsigned int nbits = gcry_pk_get_nbits (pub_key); + + if (nbits < 2048) + { + if (verbose > 1) + info ("... skipped\n"); + goto next; + } + } + for (mno = 0; mno < DIM (tbl[0].m); mno++) { void *mesg, *sign; @@ -583,6 +636,7 @@ check_v15sign (void) sigtmpl = NULL; } + next: gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } @@ -597,6 +651,7 @@ main (int argc, char **argv) int run_pss = 0; int run_v15c = 0; int run_v15s = 0; + int use_fips = 0; if (argc) { argc--; argv++; } @@ -625,6 +680,11 @@ main (int argc, char **argv) die_on_error = 1; argc--; argv++; } + else if (!strcmp (*argv, "--fips")) + { + use_fips = 1; + argc--; argv++; + } else if (!strcmp (*argv, "--oaep")) { run_oaep = 1; @@ -651,9 +711,21 @@ main (int argc, char **argv) run_oaep = run_pss = run_v15c = run_v15s = 1; xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); - xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); - if (!gcry_check_version ("1.5.0")) - die ("version mismatch\n"); + + if (use_fips) + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); + + /* Check that we test exactly our version - including the patchlevel. */ + if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) + die ("version mismatch; pgm=%s, library=%s\n", + GCRYPT_VERSION,gcry_check_version (NULL)); + + if ( gcry_fips_mode_active () ) + in_fips_mode = 1; + + if (!in_fips_mode) + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); -- 2.33.1
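Review bot: In main, `GCRYCTL_DISABLE_SECMEM` is now issued only when `in_fips_mode` is clear, but nothing in the hunk says why the two cases differ. A why-comment at the condition would help the next reader, e.g. `/* Keep secure memory enabled when running in FIPS mode. */`. The new `--fips` option is parsed in an earlier hunk without a visible change to the help output; if the program prints one, it is outside these hunks and should list the option.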