File libgcrypt-FIPS-RSA-keylen-tests.patch of Package libgcrypt
From cc3571a1f2244bdf829d7d16dd546131711eb8a9 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 8 Nov 2021 13:57:18 +0900
Subject: tests: Expect errors from algorithms not supported in
FIPS mode.
* tests/basic.c (FLAG_NOFIPS): New.
(check_pubkey_sign): Pass and handle NOFIPS flag.
(check_pubkey_sign_ecdsa): Likewise.
(check_pubkey_crypt): Likewise.
(do_check_one_pubkey): Pass flags.
(check_pubkey): Mark explicitly algorithms expected not to work in
FIPS mode and make sure they fail.
--
Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/basic.c | 65 ++++++++++++++++++++++++++++++++++++---------------
1 file changed, 46 insertions(+), 19 deletions(-)
Index: libgcrypt-1.9.4/tests/basic.c
===================================================================
--- libgcrypt-1.9.4.orig/tests/basic.c
+++ libgcrypt-1.9.4/tests/basic.c
@@ -55,9 +55,10 @@ typedef struct test_spec_pubkey
}
test_spec_pubkey_t;
-#define FLAG_CRYPT (1 << 0)
-#define FLAG_SIGN (1 << 1)
-#define FLAG_GRIP (1 << 2)
+#define FLAG_CRYPT (1 << 0)
+#define FLAG_SIGN (1 << 1)
+#define FLAG_GRIP (1 << 2)
+#define FLAG_NOFIPS (1 << 3)
static int in_fips_mode;
@@ -13509,7 +13510,8 @@ verify_one_signature (gcry_sexp_t pkey,
/* Test the public key sign function using the private key SKEY. PKEY
is used for verification. */
static void
-check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo)
+check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ int flags)
{
gcry_error_t rc;
gcry_sexp_t sig, badhash, hash;
@@ -13588,6 +13590,7 @@ check_pubkey_sign (int n, gcry_sexp_t sk
if (rc)
die ("converting data failed: %s\n", gpg_strerror (rc));
+ sig = NULL;
for (dataidx = 0; datas[dataidx].data; dataidx++)
{
if (datas[dataidx].algo && datas[dataidx].algo != algo)
@@ -13603,12 +13606,19 @@ check_pubkey_sign (int n, gcry_sexp_t sk
die ("converting data failed: %s\n", gpg_strerror (rc));
rc = gcry_pk_sign (&sig, hash, skey);
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
+ {
+ if (!rc)
+ fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
+ goto next;
+ }
if (gcry_err_code (rc) != datas[dataidx].expected_rc)
fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc));
if (!rc)
verify_one_signature (pkey, hash, badhash, sig);
+ next:
gcry_sexp_release (sig);
sig = NULL;
gcry_sexp_release (hash);
@@ -13622,7 +13632,8 @@ check_pubkey_sign (int n, gcry_sexp_t sk
/* Test the public key sign function using the private key SKEY. PKEY
is used for verification. This variant is only used for ECDSA. */
static void
-check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey)
+check_pubkey_sign_ecdsa (int n, gcry_sexp_t skey, gcry_sexp_t pkey,
+ int flags)
{
gcry_error_t rc;
gcry_sexp_t sig, badhash, hash;
@@ -13704,6 +13715,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
nbits = gcry_pk_get_nbits (skey);
+ sig = NULL;
for (dataidx = 0; datas[dataidx].data; dataidx++)
{
if (datas[dataidx].nbits != nbits)
@@ -13723,6 +13735,12 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
die ("converting data failed: %s\n", gpg_strerror (rc));
rc = gcry_pk_sign (&sig, hash, skey);
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
+ {
+ if (!rc)
+ fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
+ goto next;
+ }
if (gcry_err_code (rc) != datas[dataidx].expected_rc)
fail ("gcry_pk_sign failed: %s\n", gpg_strerror (rc));
@@ -13732,6 +13750,7 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
if (!rc)
verify_one_signature (pkey, hash, badhash, sig);
+ next:
gcry_sexp_release (sig);
sig = NULL;
gcry_sexp_release (badhash);
@@ -13743,7 +13762,8 @@ check_pubkey_sign_ecdsa (int n, gcry_sex
static void
-check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo)
+check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ int flags)
{
gcry_error_t rc;
gcry_sexp_t plain = NULL;
@@ -13876,6 +13896,12 @@ check_pubkey_crypt (int n, gcry_sexp_t s
die ("converting data failed: %s\n", gpg_strerror (rc));
rc = gcry_pk_encrypt (&ciph, data, pkey);
+ if (in_fips_mode && (flags & FLAG_NOFIPS))
+ {
+ if (!rc)
+ fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
+ goto next;
+ }
if (gcry_err_code (rc) != datas[dataidx].encrypt_expected_rc)
fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (rc));
@@ -13974,6 +14000,7 @@ check_pubkey_crypt (int n, gcry_sexp_t s
}
}
+ next:
gcry_sexp_release (plain);
plain = NULL;
gcry_sexp_release (ciph);
@@ -14005,17 +14032,17 @@ static void
do_check_one_pubkey (int n, gcry_sexp_t skey, gcry_sexp_t pkey,
const unsigned char *grip, int algo, int flags)
{
- if (flags & FLAG_SIGN)
+ if ((flags & FLAG_SIGN))
{
if (algo == GCRY_PK_ECDSA)
- check_pubkey_sign_ecdsa (n, skey, pkey);
+ check_pubkey_sign_ecdsa (n, skey, pkey, flags);
else
- check_pubkey_sign (n, skey, pkey, algo);
+ check_pubkey_sign (n, skey, pkey, algo, flags);
}
- if (flags & FLAG_CRYPT)
- check_pubkey_crypt (n, skey, pkey, algo);
- if (grip && (flags & FLAG_GRIP))
- check_pubkey_grip (n, grip, skey, pkey, algo);
+ if ((flags & FLAG_CRYPT))
+ check_pubkey_crypt (n, skey, pkey, algo, flags);
+ if (grip && (flags & FLAG_GRIP))
+ check_pubkey_grip (n, grip, skey, pkey, algo);
}
static void
@@ -14089,7 +14116,7 @@ check_pubkey (void)
{
static const test_spec_pubkey_t pubkeys[] = {
{
- GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP,
+ GCRY_PK_RSA, FLAG_CRYPT | FLAG_SIGN | FLAG_GRIP | FLAG_NOFIPS, /* 1k RSA */
{
"(private-key\n"
" (rsa\n"
@@ -14228,7 +14255,7 @@ check_pubkey (void)
"\x47\xdd\x69\x55\xdb\x3a\xac\x89\x6e\x40"}
},
{
- GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP,
+ GCRY_PK_ELG, FLAG_SIGN | FLAG_CRYPT | FLAG_GRIP | FLAG_NOFIPS,
{
"(private-key\n"
" (ELG\n"
@@ -14360,7 +14387,7 @@ check_pubkey (void)
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
},
{ /* GOST R 34.10-2001/2012 test 256 bit. */
- GCRY_PK_ECDSA, FLAG_SIGN,
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
{
"(private-key\n"
" (ecc\n"
@@ -14382,7 +14409,7 @@ check_pubkey (void)
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
},
{ /* GOST R 34.10-2012 test 512 bit. */
- GCRY_PK_ECDSA, FLAG_SIGN,
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
{
"(private-key\n"
" (ecc\n"
@@ -14433,7 +14460,7 @@ check_pubkey (void)
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }
},
{ /* sm2 test */
- GCRY_PK_ECDSA, FLAG_SIGN,
+ GCRY_PK_ECDSA, FLAG_SIGN | FLAG_NOFIPS,
{
"(private-key\n"
" (ecc\n"
From 66119e0c1a024f7cf059393c3db827eb338339b0 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 11 Nov 2021 13:03:58 +0900
Subject: tests:pubkey: Replace RSA key to one of 2k.
* tests/pubkey.c (sample_private_key_1): Use 2k key from basic.c.
(sample_private_key_1_1): Likewise.
(sample_private_key_1_2): Likewise.
--
GnuPG-bug-id: 5512
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
tests/pubkey.c | 126 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 88 insertions(+), 38 deletions(-)
diff --git a/tests/pubkey.c b/tests/pubkey.c
index 8a482dc3..51ef0f51 100644
--- a/tests/pubkey.c
+++ b/tests/pubkey.c
@@ -36,21 +36,40 @@ static int in_fips_mode;
static const char sample_private_key_1[] =
"(private-key\n"
" (openpgp-rsa\n"
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
+" CB#)\n"
" (e #010001#)\n"
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
-" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
- "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n"
-" (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9"
- "35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)\n"
-" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
- "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n"
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
+" #)\n"
+" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0"
+" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B"
+" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF"
+" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17"
+" 83#)\n"
+" (q #00D1984135231CB243FE959C0CBEF551EDD986AD7BEDF71EDF447BE3DA27AF46"
+" 79C974A6FA69E4D52FE796650623DE70622862713932AA2FD9F2EC856EAEAA77"
+" 88B4EA6084DC81C902F014829B18EA8B2666EC41586818E0589E18876065F97E"
+" 8D22CE2DA53A05951EC132DCEF41E70A9C35F4ACC268FFAC2ADF54FA1DA110B9"
+" 19#)\n"
+" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04"
+" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4"
+" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9"
+" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7"
+" #)\n"
" )\n"
")\n";
@@ -58,15 +77,25 @@ static const char sample_private_key_1[] =
static const char sample_private_key_1_1[] =
"(private-key\n"
" (openpgp-rsa\n"
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
+" CB#)\n"
" (e #010001#)\n"
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
+" #)\n"
" )\n"
")\n";
@@ -75,29 +104,50 @@ static const char sample_private_key_1_1[] =
static const char sample_private_key_1_2[] =
"(private-key\n"
" (openpgp-rsa\n"
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
+" CB#)\n"
" (e #010001#)\n"
-" (d #046129F2489D71579BE0A75FE029BD6CDB574EBF57EA8A5B0FDA942CAB943B11"
- "7D7BB95E5D28875E0F9FC5FCC06A72F6D502464DABDED78EF6B716177B83D5BD"
- "C543DC5D3FED932E59F5897E92E6F58A0F33424106A3B6FA2CBF877510E4AC21"
- "C3EE47851E97D12996222AC3566D4CCB0B83D164074ABF7DE655FC2446DA1781#)\n"
-" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
- "fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)\n"
-" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
- "ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)\n"
+" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
+" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
+" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
+" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
+" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
+" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
+" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
+" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401"
+" #)\n"
+" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0"
+" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B"
+" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF"
+" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F17"
+" 83#)\n"
+" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04"
+" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4"
+" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9"
+" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7"
+" #)\n"
" )\n"
")\n";
static const char sample_public_key_1[] =
"(public-key\n"
" (rsa\n"
-" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
- "2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
- "ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
- "891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)\n"
+" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
+" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
+" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
+" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
+" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
+" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
+" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
+" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6"
+" CB#)\n"
" (e #010001#)\n"
" )\n"
")\n";
--
2.33.1
From 1481607cb9db977468a75f9f4638dc1cf3ade007 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 11 Nov 2021 13:44:40 +0900
Subject: tests:pkcs1v2: Skip tests with small keys in FIPS
mode.
* tests/pkcs1v2.c (in_fips_mode): New.
(check_oaep): Skip when key size is less than 2048 in FIPS mode.
(check_pss, check_v15crypt, check_v15sign): Likewise.
--
GnuPG-bug-id: 5512
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
tests/pkcs1v2.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 75 insertions(+), 3 deletions(-)
diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
index 968d3fea..f26e779b 100644
--- a/tests/pkcs1v2.c
+++ b/tests/pkcs1v2.c
@@ -36,6 +36,8 @@
#include "t-common.h"
+static int in_fips_mode;
+
static void
show_sexp (const char *prefix, gcry_sexp_t a)
{
@@ -147,6 +149,18 @@ check_oaep (void)
gcry_free (rsa_e);
gcry_free (rsa_d);
+ if (in_fips_mode)
+ {
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
+
+ if (nbits < 2048)
+ {
+ if (verbose > 1)
+ info ("... skipped\n");
+ goto next;
+ }
+ }
+
for (mno = 0; mno < DIM (tbl[0].m); mno++)
{
void *mesg, *seed, *encr;
@@ -225,6 +239,7 @@ check_oaep (void)
ciph = NULL;
}
+ next:
gcry_sexp_release (sec_key);
gcry_sexp_release (pub_key);
}
@@ -269,6 +284,18 @@ check_pss (void)
gcry_free (rsa_e);
gcry_free (rsa_d);
+ if (in_fips_mode)
+ {
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
+
+ if (nbits < 2048)
+ {
+ if (verbose > 1)
+ info ("... skipped\n");
+ goto next;
+ }
+ }
+
for (mno = 0; mno < DIM (tbl[0].m); mno++)
{
void *mesg, *salt, *sign;
@@ -347,6 +374,7 @@ check_pss (void)
sigtmpl = NULL;
}
+ next:
gcry_sexp_release (sec_key);
gcry_sexp_release (pub_key);
}
@@ -391,6 +419,18 @@ check_v15crypt (void)
gcry_free (rsa_e);
gcry_free (rsa_d);
+ if (in_fips_mode)
+ {
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
+
+ if (nbits < 2048)
+ {
+ if (verbose > 1)
+ info ("... skipped\n");
+ goto next;
+ }
+ }
+
for (mno = 0; mno < DIM (tbl[0].m); mno++)
{
void *mesg, *seed, *encr;
@@ -469,6 +509,7 @@ check_v15crypt (void)
ciph = NULL;
}
+ next:
gcry_sexp_release (sec_key);
gcry_sexp_release (pub_key);
}
@@ -513,6 +554,18 @@ check_v15sign (void)
gcry_free (rsa_e);
gcry_free (rsa_d);
+ if (in_fips_mode)
+ {
+ unsigned int nbits = gcry_pk_get_nbits (pub_key);
+
+ if (nbits < 2048)
+ {
+ if (verbose > 1)
+ info ("... skipped\n");
+ goto next;
+ }
+ }
+
for (mno = 0; mno < DIM (tbl[0].m); mno++)
{
void *mesg, *sign;
@@ -583,6 +636,7 @@ check_v15sign (void)
sigtmpl = NULL;
}
+ next:
gcry_sexp_release (sec_key);
gcry_sexp_release (pub_key);
}
@@ -597,6 +651,7 @@ main (int argc, char **argv)
int run_pss = 0;
int run_v15c = 0;
int run_v15s = 0;
+ int use_fips = 0;
if (argc)
{ argc--; argv++; }
@@ -625,6 +680,11 @@ main (int argc, char **argv)
die_on_error = 1;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--fips"))
+ {
+ use_fips = 1;
+ argc--; argv++;
+ }
else if (!strcmp (*argv, "--oaep"))
{
run_oaep = 1;
@@ -651,9 +711,21 @@ main (int argc, char **argv)
run_oaep = run_pss = run_v15c = run_v15s = 1;
xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose));
- xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
- if (!gcry_check_version ("1.5.0"))
- die ("version mismatch\n");
+
+ if (use_fips)
+ xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0));
+
+ /* Check that we test exactly our version - including the patchlevel. */
+ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL)))
+ die ("version mismatch; pgm=%s, library=%s\n",
+ GCRYPT_VERSION,gcry_check_version (NULL));
+
+ if ( gcry_fips_mode_active () )
+ in_fips_mode = 1;
+
+ if (!in_fips_mode)
+ xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
+
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
if (debug)
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
--
2.33.1
