diff options
author | Vitezslav Cizek <vcizek@suse.com> | 2015-10-30 15:38:13 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2016-03-18 16:19:06 +0100 |
commit | c690230af5a66b809f8f6fbab1a6262a5ba078cb (patch) | |
tree | 54f0767ef1ec226cb7fa55755c81d88cbab11fc3 /tests/keygen.c | |
parent | 78cec8b4754fdf774edb2d575000cb3e972e244c (diff) | |
download | libgcrypt-c690230af5a66b809f8f6fbab1a6262a5ba078cb.tar.gz |
tests: Fixes for RSA testsuite in FIPS mode
* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/keygen.c (check_rsa_keys): Failure if short keys can be
generated in FIPS mode.
(check_dsa_keys): Ditto for DSA keys.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
--
Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
- Remove printing of "FAIL" in fail() because this is reserved for
use by the test driver of the Makefile.
- Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'tests/keygen.c')
-rw-r--r-- | tests/keygen.c | 60 |
1 files changed, 47 insertions, 13 deletions
diff --git a/tests/keygen.c b/tests/keygen.c index 8b9a1d58..7afa76c1 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -40,6 +40,7 @@ static int verbose; static int debug; static int error_count; +static int in_fips_mode; static void @@ -196,11 +197,11 @@ check_rsa_keys (void) int rc; if (verbose) - show ("creating 1024 bit RSA key\n"); + show ("creating 2048 bit RSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" - " (nbits 4:1024)\n" + " (nbits 4:2048)\n" " ))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gpg_strerror (rc)); @@ -208,9 +209,29 @@ check_rsa_keys (void) gcry_sexp_release (keyparm); if (rc) die ("error generating RSA key: %s\n", gpg_strerror (rc)); - if (verbose > 1) - show_sexp ("1024 bit RSA key:\n", key); - check_generated_rsa_key (key, 65537); + + if (verbose) + show ("creating 1024 bit RSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" + " (nbits 4:1024)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 1024 bit RSA key must not work!"); + + if (!rc) + { + if (verbose > 1) + show_sexp ("1024 bit RSA key:\n", key); + check_generated_rsa_key (key, 65537); + } gcry_sexp_release (key); @@ -226,10 +247,13 @@ check_rsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) - die ("error generating RSA key: %s\n", gpg_strerror (rc)); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 512 bit RSA key must not work!"); - check_generated_rsa_key (key, 257); + if (!rc) + check_generated_rsa_key (key, 257); gcry_sexp_release (key); if (verbose) @@ -244,10 +268,13 @@ check_rsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) - die ("error generating RSA key: %s\n", gpg_strerror (rc)); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 512 bit RSA key must not work!"); - check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */ + if (!rc) + check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */ gcry_sexp_release (key); } @@ -299,8 +326,10 @@ check_dsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) + if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + die ("generating 512 bit DSA key must not work!"); if (!i && verbose > 1) show_sexp ("1024 bit DSA key:\n", key); gcry_sexp_release (key); @@ -318,8 +347,10 @@ check_dsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) + if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + die ("generating 1536 bit DSA key must not work!"); if (verbose > 1) show_sexp ("1536 bit DSA key:\n", key); gcry_sexp_release (key); @@ -597,6 +628,9 @@ main (int argc, char **argv) if (with_progress) gcry_set_progress_handler (progress_cb, NULL); + if ( gcry_fips_mode_active () ) + in_fips_mode = 1; + if (!argc) { check_rsa_keys (); |