Pedro Monreal Gonzalez
c941c8db1e
- FIPS: Disable DSA in FIPS mode [bsc#1195385] * Upstream task: https://dev.gnupg.org/T5710 * Add libgcrypt-FIPS-disable-DSA.patch - FIPS: Service level indicator [bsc#1190700] * Provide an indicator to check wether the service utilizes an approved cryptographic algorithm or not. * Add patches: - libgcrypt-FIPS-service-indicators.patch - libgcrypt-FIPS-verify-unsupported-KDF-test.patch - libgcrypt-FIPS-HMAC-short-keylen.patch - FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] * Disable jitter entropy by default in random.conf * Disable only-urandom option by default in random.conf - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] * rsa: Check RSA keylen constraints for key operations. * rsa: Fix regression in not returning an error for prime generation. * tests: Add 2k RSA key working in FIPS mode. * tests: pubkey: Replace RSA key to one of 2k. * tests: pkcs1v2: Skip tests with small keys in FIPS. * Add patches: - libgcrypt-FIPS-RSA-keylen.patch - libgcrypt-FIPS-RSA-keylen-tests.patch - FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] * Add libgcrypt-FIPS-disable-3DES.patch - FIPS: PBKDF requirements [bsc#1185137] OBS-URL: https://build.opensuse.org/request/show/950433 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=153
586 lines
21 KiB
Diff
586 lines
21 KiB
Diff
From cc3571a1f2244bdf829d7d16dd546131711eb8a9 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Mon, 8 Nov 2021 13:57:18 +0900
|
|
Subject: tests: Expect errors from algorithms not supported in
|
|
FIPS mode.
|
|
|
|
* tests/basic.c (FLAG_NOFIPS): New.
|
|
(check_pubkey_sign): Pass and handle NOFIPS flag.
|
|
(check_pubkey_sign_ecdsa): Likewise.
|
|
(check_pubkey_crypt): Likewise.
|
|
(do_check_one_pubkey): Pass flags.
|
|
(check_pubkey): Mark explicitly algorithms expected not to work in
|
|
FIPS mode and make sure they fail.
|
|
|
|
--
|
|
|
|
Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
---
|
|
tests/basic.c | 65 ++++++++++++++++++++++++++++++++++++---------------
|
|
1 file changed, 46 insertions(+), 19 deletions(-)
|
|
|
|
Index: libgcrypt-1.9.4/tests/basic.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/tests/basic.c
|
|
+++ libgcrypt-1.9.4/tests/basic.c
|
|
@@ -55,9 +55,10 @@ typedef struct test_spec_pubkey
|
|
}
|
|
test_spec_pubkey_t;
|
|
|
|
-#define FLAG_CRYPT (1 << 0)
|
|
-#define FLAG_SIGN (1 << 1)
|
|
-#define FLAG_GRIP (1 << 2)
|
|
+#define FLAG_CRYPT (1 << 0)
|
|
+#define FLAG_SIGN (1 << 1)
|
|
+#define FLAG_GRIP (1 << 2)
|
|
+#define FLAG_NOFIPS (1 << 3)
|
|
|
|
static int in_fips_mode;
|
|
|
|
@@ -13509,7 +13510,8 @@ verify_one_signature (gcry_sexp_t pkey,
|
|
/* Test the public key sign function using the private key SKEY. PKEY
|
|
is used for verification. */
|
|
static void
|
|
-check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo)
|
|
+check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
|
|
+ int flags)
|
|
{
|
|
gcry_error_t rc;
|
|
gcry_sexp_t sig, badhash, hash;
|
|
@@ -13588,6 +13590,7 @@ check_pubkey_sign (int n, gcry_sexp_t sk
|
|
if (rc)
|
|
die ("converting data failed: %s\n", gpg_strerror (rc));
|
|
|
|
+ sig = NULL;
|
|
for (dataidx = 0; datas[dataidx].data; dataidx++)
|
|
{
|
|
if (datas[dataidx].algo && datas[dataidx].algo != algo)
|
|
@@ -13603,12 +13606,19 @@ check_pubkey_sign (int n, gcry_sexp_t sk
|
|
die ("converting data failed: %s\n", gpg_strerror (rc));
|
|
|
|
rc = gcry_pk_sign (&sig, hash, skey);
|
|
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
|
|
+ {
|
|
+ if (!rc)
|
|
+ fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
|
|
+ goto next;
|
|
+ }
|
|
if (gcry_err_code (rc) != datas[dataidx].expected_rc)
|
|
fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc));
|
|
|
|
if (!rc)
|
|
verify_one_signature (pkey, hash, badhash, sig);
|
|
|
|
+ next:
|
|
gcry_sexp_release (sig);
|
|
sig = NULL;
|
|
gcry_sexp_release (hash);
|
|
@@ -13622,7 +13632,8 @@ check_pubkey_sign (int n, gcry_sexp_t sk
|
|
/* Test the public key sign function using the private key SKEY. PKEY
|
|
is used for verification. This variant is only used for ECDSA. */
|
|
static void
|
|
-check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey)
|
|
+check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey,
|
|
+ int flags)
|
|
{
|
|
gcry_error_t rc;
|
|
gcry_sexp_t sig, badhash, hash;
|
|
@@ -13704,6 +13715,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
|
|
|
|
nbits = gcry_pk_get_nbits (skey);
|
|
|
|
+ sig = NULL;
|
|
for (dataidx = 0; datas[dataidx].data; dataidx++)
|
|
{
|
|
if (datas[dataidx].nbits != nbits)
|
|
@@ -13723,6 +13735,12 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
|
|
die ("converting data failed: %s\n", gpg_strerror (rc));
|
|
|
|
rc = gcry_pk_sign (&sig, hash, skey);
|
|
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
|
|
+ {
|
|
+ if (!rc)
|
|
+ fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
|
|
+ goto next;
|
|
+ }
|
|
if (gcry_err_code (rc) != datas[dataidx].expected_rc)
|
|
fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc));
|
|
|
|
@@ -13732,6 +13750,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
|
|
if (!rc)
|
|
verify_one_signature (pkey, hash, badhash, sig);
|
|
|
|
+ next:
|
|
gcry_sexp_release (sig);
|
|
sig = NULL;
|
|
gcry_sexp_release (badhash);
|
|
@@ -13743,7 +13762,8 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
|
|
|
|
|
|
static void
|
|
-check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo)
|
|
+check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
|
|
+ int flags)
|
|
{
|
|
gcry_error_t rc;
|
|
gcry_sexp_t plain = NULL;
|
|
@@ -13876,6 +13896,12 @@ check_pubkey_crypt (int n, gcry_sexp_t s
|
|
die ("converting data failed: %s\n", gpg_strerror (rc));
|
|
|
|
rc = gcry_pk_encrypt (&ciph, data, pkey);
|
|
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
|
|
+ {
|
|
+ if (!rc)
|
|
+ fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
|
|
+ goto next;
|
|
+ }
|
|
if (gcry_err_code (rc) != datas[dataidx].encrypt_expected_rc)
|
|
fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (rc));
|
|
|
|
@@ -13974,6 +14000,7 @@ check_pubkey_crypt (int n, gcry_sexp_t s
|
|
}
|
|
}
|
|
|
|
+ next:
|
|
gcry_sexp_release (plain);
|
|
plain = NULL;
|
|
gcry_sexp_release (ciph);
|
|
@@ -14005,17 +14032,17 @@ static void
|
|
do_check_one_pubkey (int n, gcry_sexp_t skey, gcry_sexp_t pkey,
|
|
const unsigned char *grip, int algo, int flags)
|
|
{
|
|
- if (flags & FLAG_SIGN)
|
|
+ if ((flags & FLAG_SIGN))
|
|
{
|
|
if (algo == GCRY_PK_ECDSA)
|
|
- check_pubkey_sign_ecdsa (n, skey, pkey);
|
|
+ check_pubkey_sign_ecdsa (n, skey, pkey, flags);
|
|
else
|
|
- check_pubkey_sign (n, skey, pkey, algo);
|
|
+ check_pubkey_sign (n, skey, pkey, algo, flags);
|
|
}
|
|
- if (flags & FLAG_CRYPT)
|
|
- check_pubkey_crypt (n, skey, pkey, algo);
|
|
- if (grip && (flags & FLAG_GRIP))
|
|
- check_pubkey_grip (n, grip, skey, pkey, algo);
|
|
+ if ((flags & FLAG_CRYPT))
|
|
+ check_pubkey_crypt (n, skey, pkey, algo, flags);
|
|
+ if (grip && (flags & FLAG_GRIP))
|
|
+ check_pubkey_grip (n, grip, skey, pkey, algo);
|
|
}
|
|
|
|
static void
|
|
@@ -14089,7 +14116,7 @@ check_pubkey (void)
|
|
{
|
|
static const test_spec_pubkey_t pubkeys[] = {
|
|
{
|
|
- GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP,
|
|
+ GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP | FLAG_NOFIPS, /* 1k RSA */
|
|
{
|
|
"(private-key\n"
|
|
" (rsa\n"
|
|
@@ -14228,7 +14255,7 @@ check_pubkey (void)
|
|
"\x47\xdd\x69\x55\xdb\x3a\xac\x89\x6e\x40"}
|
|
},
|
|
{
|
|
- GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP,
|
|
+ GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP | FLAG_NOFIPS,
|
|
{
|
|
"(private-key\n"
|
|
" (ELG\n"
|
|
@@ -14360,7 +14387,7 @@ check_pubkey (void)
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
|
|
},
|
|
{ /* GOST R 34.10-2001/2012 test 256 bit. */
|
|
- GCRY_PK_ECDSA, FLAG_SIGN,
|
|
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
|
|
{
|
|
"(private-key\n"
|
|
" (ecc\n"
|
|
@@ -14382,7 +14409,7 @@ check_pubkey (void)
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
|
|
},
|
|
{ /* GOST R 34.10-2012 test 512 bit. */
|
|
- GCRY_PK_ECDSA, FLAG_SIGN,
|
|
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
|
|
{
|
|
"(private-key\n"
|
|
" (ecc\n"
|
|
@@ -14433,7 +14460,7 @@ check_pubkey (void)
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
|
|
},
|
|
{ /* sm2 test */
|
|
- GCRY_PK_ECDSA, FLAG_SIGN,
|
|
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
|
|
{
|
|
"(private-key\n"
|
|
" (ecc\n"
|
|
From 66119e0c1a024f7cf059393c3db827eb338339b0 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Thu, 11 Nov 2021 13:03:58 +0900
|
|
Subject: tests:pubkey: Replace RSA key to one of 2k.
|
|
|
|
* tests/pubkey.c (sample_private_key_1): Use 2k key from basic.c.
|
|
(sample_private_key_1_1): Likewise.
|
|
(sample_private_key_1_2): Likewise.
|
|
|
|
--
|
|
|
|
GnuPG-bug-id: 5512
|
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
---
|
|
tests/pubkey.c | 126 ++++++++++++++++++++++++++++++++++---------------
|
|
1 file changed, 88 insertions(+), 38 deletions(-)
|
|
|
|
diff --git a/tests/pubkey.c b/tests/pubkey.c
|
|
index 8a482dc3..51ef0f51 100644
|
|
--- a/tests/pubkey.c
|
|
+++ b/tests/pubkey.c
|
|
@@ -36,21 +36,40 @@ static int in_fips_mode;
|
|
static const char sample_private_key_1[] =
|
|
"(private-key\n"
|
|
" (openpgp-rsa\n"
|
|
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
|
|
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
|
|
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
|
|
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
|
|
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
|
|
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
|
|
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
|
|
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
|
|
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
|
|
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
|
|
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
|
|
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
|
|
+" CB#)\n"
|
|
" (e #010001#)\n"
|
|
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
|
|
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
|
|
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
|
|
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
|
|
-" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
|
|
- "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n"
|
|
-" (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9"
|
|
- "35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)\n"
|
|
-" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
|
|
- "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n"
|
|
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
|
|
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
|
|
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
|
|
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
|
|
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
|
|
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
|
|
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
|
|
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
|
|
+" #)\n"
|
|
+" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0"
|
|
+" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B"
|
|
+" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF"
|
|
+" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17"
|
|
+" 83#)\n"
|
|
+" (q #00D1984135231CB243FE959C0CBEF551EDD986AD7BEDF71EDF447BE3DA27AF46"
|
|
+" 79C974A6FA69E4D52FE796650623DE70622862713932AA2FD9F2EC856EAEAA77"
|
|
+" 88B4EA6084DC81C902F014829B18EA8B2666EC41586818E0589E18876065F97E"
|
|
+" 8D22CE2DA53A05951EC132DCEF41E70A9C35F4ACC268FFAC2ADF54FA1DA110B9"
|
|
+" 19#)\n"
|
|
+" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04"
|
|
+" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4"
|
|
+" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9"
|
|
+" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7"
|
|
+" #)\n"
|
|
" )\n"
|
|
")\n";
|
|
|
|
@@ -58,15 +77,25 @@ static const char sample_private_key_1[] =
|
|
static const char sample_private_key_1_1[] =
|
|
"(private-key\n"
|
|
" (openpgp-rsa\n"
|
|
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
|
|
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
|
|
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
|
|
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
|
|
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
|
|
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
|
|
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
|
|
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
|
|
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
|
|
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
|
|
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
|
|
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
|
|
+" CB#)\n"
|
|
" (e #010001#)\n"
|
|
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
|
|
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
|
|
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
|
|
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
|
|
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
|
|
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
|
|
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
|
|
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
|
|
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
|
|
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
|
|
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
|
|
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
|
|
+" #)\n"
|
|
" )\n"
|
|
")\n";
|
|
|
|
@@ -75,29 +104,50 @@ static const char sample_private_key_1_1[] =
|
|
static const char sample_private_key_1_2[] =
|
|
"(private-key\n"
|
|
" (openpgp-rsa\n"
|
|
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
|
|
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
|
|
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
|
|
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
|
|
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
|
|
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
|
|
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
|
|
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
|
|
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
|
|
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
|
|
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
|
|
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
|
|
+" CB#)\n"
|
|
" (e #010001#)\n"
|
|
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
|
|
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
|
|
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
|
|
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
|
|
-" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
|
|
- "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n"
|
|
-" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
|
|
- "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n"
|
|
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
|
|
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
|
|
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
|
|
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
|
|
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
|
|
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
|
|
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
|
|
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
|
|
+" #)\n"
|
|
+" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0"
|
|
+" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B"
|
|
+" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF"
|
|
+" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17"
|
|
+" 83#)\n"
|
|
+" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04"
|
|
+" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4"
|
|
+" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9"
|
|
+" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7"
|
|
+" #)\n"
|
|
" )\n"
|
|
")\n";
|
|
|
|
static const char sample_public_key_1[] =
|
|
"(public-key\n"
|
|
" (rsa\n"
|
|
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
|
|
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
|
|
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
|
|
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
|
|
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
|
|
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
|
|
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
|
|
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
|
|
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
|
|
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
|
|
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
|
|
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
|
|
+" CB#)\n"
|
|
" (e #010001#)\n"
|
|
" )\n"
|
|
")\n";
|
|
--
|
|
2.33.1
|
|
|
|
From 1481607cb9db977468a75f9f4638dc1cf3ade007 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Thu, 11 Nov 2021 13:44:40 +0900
|
|
Subject: tests:pkcs1v2: Skip tests with small keys in FIPS
|
|
mode.
|
|
|
|
* tests/pkcs1v2.c (in_fips_mode): New.
|
|
(check_oaep): Skip when key size is less than 2048 in FIPS mode.
|
|
(check_pss, check_v15crypt, check_v15sign): Likewise.
|
|
|
|
--
|
|
|
|
GnuPG-bug-id: 5512
|
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
---
|
|
tests/pkcs1v2.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++--
|
|
1 file changed, 75 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
|
|
index 968d3fea..f26e779b 100644
|
|
--- a/tests/pkcs1v2.c
|
|
+++ b/tests/pkcs1v2.c
|
|
@@ -36,6 +36,8 @@
|
|
#include "t-common.h"
|
|
|
|
|
|
+static int in_fips_mode;
|
|
+
|
|
static void
|
|
show_sexp (const char *prefix, gcry_sexp_t a)
|
|
{
|
|
@@ -147,6 +149,18 @@ check_oaep (void)
|
|
gcry_free (rsa_e);
|
|
gcry_free (rsa_d);
|
|
|
|
+ if (in_fips_mode)
|
|
+ {
|
|
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
|
|
+
|
|
+ if (nbits < 2048)
|
|
+ {
|
|
+ if (verbose > 1)
|
|
+ info ("... skipped\n");
|
|
+ goto next;
|
|
+ }
|
|
+ }
|
|
+
|
|
for (mno = 0; mno < DIM (tbl[0].m); mno++)
|
|
{
|
|
void *mesg, *seed, *encr;
|
|
@@ -225,6 +239,7 @@ check_oaep (void)
|
|
ciph = NULL;
|
|
}
|
|
|
|
+ next:
|
|
gcry_sexp_release (sec_key);
|
|
gcry_sexp_release (pub_key);
|
|
}
|
|
@@ -269,6 +284,18 @@ check_pss (void)
|
|
gcry_free (rsa_e);
|
|
gcry_free (rsa_d);
|
|
|
|
+ if (in_fips_mode)
|
|
+ {
|
|
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
|
|
+
|
|
+ if (nbits < 2048)
|
|
+ {
|
|
+ if (verbose > 1)
|
|
+ info ("... skipped\n");
|
|
+ goto next;
|
|
+ }
|
|
+ }
|
|
+
|
|
for (mno = 0; mno < DIM (tbl[0].m); mno++)
|
|
{
|
|
void *mesg, *salt, *sign;
|
|
@@ -347,6 +374,7 @@ check_pss (void)
|
|
sigtmpl = NULL;
|
|
}
|
|
|
|
+ next:
|
|
gcry_sexp_release (sec_key);
|
|
gcry_sexp_release (pub_key);
|
|
}
|
|
@@ -391,6 +419,18 @@ check_v15crypt (void)
|
|
gcry_free (rsa_e);
|
|
gcry_free (rsa_d);
|
|
|
|
+ if (in_fips_mode)
|
|
+ {
|
|
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
|
|
+
|
|
+ if (nbits < 2048)
|
|
+ {
|
|
+ if (verbose > 1)
|
|
+ info ("... skipped\n");
|
|
+ goto next;
|
|
+ }
|
|
+ }
|
|
+
|
|
for (mno = 0; mno < DIM (tbl[0].m); mno++)
|
|
{
|
|
void *mesg, *seed, *encr;
|
|
@@ -469,6 +509,7 @@ check_v15crypt (void)
|
|
ciph = NULL;
|
|
}
|
|
|
|
+ next:
|
|
gcry_sexp_release (sec_key);
|
|
gcry_sexp_release (pub_key);
|
|
}
|
|
@@ -513,6 +554,18 @@ check_v15sign (void)
|
|
gcry_free (rsa_e);
|
|
gcry_free (rsa_d);
|
|
|
|
+ if (in_fips_mode)
|
|
+ {
|
|
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
|
|
+
|
|
+ if (nbits < 2048)
|
|
+ {
|
|
+ if (verbose > 1)
|
|
+ info ("... skipped\n");
|
|
+ goto next;
|
|
+ }
|
|
+ }
|
|
+
|
|
for (mno = 0; mno < DIM (tbl[0].m); mno++)
|
|
{
|
|
void *mesg, *sign;
|
|
@@ -583,6 +636,7 @@ check_v15sign (void)
|
|
sigtmpl = NULL;
|
|
}
|
|
|
|
+ next:
|
|
gcry_sexp_release (sec_key);
|
|
gcry_sexp_release (pub_key);
|
|
}
|
|
@@ -597,6 +651,7 @@ main (int argc, char **argv)
|
|
int run_pss = 0;
|
|
int run_v15c = 0;
|
|
int run_v15s = 0;
|
|
+ int use_fips = 0;
|
|
|
|
if (argc)
|
|
{ argc--; argv++; }
|
|
@@ -625,6 +680,11 @@ main (int argc, char **argv)
|
|
die_on_error = 1;
|
|
argc--; argv++;
|
|
}
|
|
+ else if (!strcmp (*argv, "--fips"))
|
|
+ {
|
|
+ use_fips = 1;
|
|
+ argc--; argv++;
|
|
+ }
|
|
else if (!strcmp (*argv, "--oaep"))
|
|
{
|
|
run_oaep = 1;
|
|
@@ -651,9 +711,21 @@ main (int argc, char **argv)
|
|
run_oaep = run_pss = run_v15c = run_v15s = 1;
|
|
|
|
xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose));
|
|
- xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
|
|
- if (!gcry_check_version ("1.5.0"))
|
|
- die ("version mismatch\n");
|
|
+
|
|
+ if (use_fips)
|
|
+ xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0));
|
|
+
|
|
+ /* Check that we test exactly our version - including the patchlevel. */
|
|
+ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL)))
|
|
+ die ("version mismatch; pgm=%s, library=%s\n",
|
|
+ GCRYPT_VERSION,gcry_check_version (NULL));
|
|
+
|
|
+ if ( gcry_fips_mode_active () )
|
|
+ in_fips_mode = 1;
|
|
+
|
|
+ if (!in_fips_mode)
|
|
+ xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
|
|
+
|
|
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
|
|
if (debug)
|
|
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
|
|
--
|
|
2.33.1
|
|
|