tests: Fixes for RSA testsuite in FIPS mode

* tests/basic.c (get_keys_new): Generate 2048 bit key. * tests/benchmark.c (rsa_bench): Skip keys of lengths different than 2048 and 3072 in FIPS mode. * tests/keygen.c (check_rsa_keys): Failure if short keys can be generated in FIPS mode. (check_dsa_keys): Ditto for DSA keys. * tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS. -- Thanks to Ludwig Nussel. Signed-off-by: Vitezslav Cizek <vcizek@suse.com> Additional changes by wk: - Remove printing of "FAIL" in fail() because this is reserved for use by the test driver of the Makefile. - Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c Signed-off-by: Werner Koch <wk@gnupg.org>
author: Vitezslav Cizek <vcizek@suse.com> 2015-10-30 15:38:13 +0100
committer: Werner Koch <wk@gnupg.org> 2016-03-18 16:19:06 +0100
commit: c690230af5a66b809f8f6fbab1a6262a5ba078cb (patch)
tree: 54f0767ef1ec226cb7fa55755c81d88cbab11fc3 /tests/keygen.c
parent: 78cec8b4754fdf774edb2d575000cb3e972e244c (diff)
download: libgcrypt-c690230af5a66b809f8f6fbab1a6262a5ba078cb.tar.gz
1 files changed, 47 insertions, 13 deletions
diff --git a/tests/keygen.c b/tests/keygen.c
index 8b9a1d58..7afa76c1 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -40,6 +40,7 @@
 static int verbose;
 static int debug;
 static int error_count;
+static int in_fips_mode;
 
 
 static void
@@ -196,11 +197,11 @@ check_rsa_keys (void)
   int rc;
 
   if (verbose)
-    show ("creating 1024 bit RSA key\n");
+    show ("creating 2048 bit RSA key\n");
   rc = gcry_sexp_new (&keyparm,
                       "(genkey\n"
                       " (rsa\n"
-                      "  (nbits 4:1024)\n"
+                      "  (nbits 4:2048)\n"
                       " ))", 0, 1);
   if (rc)
     die ("error creating S-expression: %s\n", gpg_strerror (rc));
@@ -208,9 +209,29 @@ check_rsa_keys (void)
   gcry_sexp_release (keyparm);
   if (rc)
     die ("error generating RSA key: %s\n", gpg_strerror (rc));
-  if (verbose > 1)
-    show_sexp ("1024 bit RSA key:\n", key);
-  check_generated_rsa_key (key, 65537);
+
+  if (verbose)
+    show ("creating 1024 bit RSA key\n");
+  rc = gcry_sexp_new (&keyparm,
+                      "(genkey\n"
+                      " (rsa\n"
+                      "  (nbits 4:1024)\n"
+                      " ))", 0, 1);
+  if (rc)
+    die ("error creating S-expression: %s\n", gpg_strerror (rc));
+  rc = gcry_pk_genkey (&key, keyparm);
+  gcry_sexp_release (keyparm);
+  if (rc && !in_fips_mode)
+    fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+  else if (!rc && in_fips_mode)
+    fail ("generating 1024 bit RSA key must not work!");
+
+  if (!rc)
+    {
+      if (verbose > 1)
+        show_sexp ("1024 bit RSA key:\n", key);
+      check_generated_rsa_key (key, 65537);
+    }
   gcry_sexp_release (key);
 
 
@@ -226,10 +247,13 @@ check_rsa_keys (void)
     die ("error creating S-expression: %s\n", gpg_strerror (rc));
   rc = gcry_pk_genkey (&key, keyparm);
   gcry_sexp_release (keyparm);
-  if (rc)
-    die ("error generating RSA key: %s\n", gpg_strerror (rc));
+  if (rc && !in_fips_mode)
+    fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+  else if (!rc && in_fips_mode)
+    fail ("generating 512 bit RSA key must not work!");
 
-  check_generated_rsa_key (key, 257);
+  if (!rc)
+    check_generated_rsa_key (key, 257);
   gcry_sexp_release (key);
 
   if (verbose)
@@ -244,10 +268,13 @@ check_rsa_keys (void)
     die ("error creating S-expression: %s\n", gpg_strerror (rc));
   rc = gcry_pk_genkey (&key, keyparm);
   gcry_sexp_release (keyparm);
-  if (rc)
-    die ("error generating RSA key: %s\n", gpg_strerror (rc));
+  if (rc && !in_fips_mode)
+    fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+  else if (!rc && in_fips_mode)
+    fail ("generating 512 bit RSA key must not work!");
 
-  check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */
+  if (!rc)
+    check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */
   gcry_sexp_release (key);
 }
 
@@ -299,8 +326,10 @@ check_dsa_keys (void)
         die ("error creating S-expression: %s\n", gpg_strerror (rc));
       rc = gcry_pk_genkey (&key, keyparm);
       gcry_sexp_release (keyparm);
-      if (rc)
+      if (rc && !in_fips_mode)
         die ("error generating DSA key: %s\n", gpg_strerror (rc));
+      else if (!rc && in_fips_mode)
+        die ("generating 512 bit DSA key must not work!");
       if (!i && verbose > 1)
         show_sexp ("1024 bit DSA key:\n", key);
       gcry_sexp_release (key);
@@ -318,8 +347,10 @@ check_dsa_keys (void)
     die ("error creating S-expression: %s\n", gpg_strerror (rc));
   rc = gcry_pk_genkey (&key, keyparm);
   gcry_sexp_release (keyparm);
-  if (rc)
+  if (rc && !in_fips_mode)
     die ("error generating DSA key: %s\n", gpg_strerror (rc));
+  else if (!rc && in_fips_mode)
+    die ("generating 1536 bit DSA key must not work!");
   if (verbose > 1)
     show_sexp ("1536 bit DSA key:\n", key);
   gcry_sexp_release (key);
@@ -597,6 +628,9 @@ main (int argc, char **argv)
   if (with_progress)
     gcry_set_progress_handler (progress_cb, NULL);
 
+  if ( gcry_fips_mode_active () )
+    in_fips_mode = 1;
+
   if (!argc)
     {
       check_rsa_keys ();
author	Vitezslav Cizek <vcizek@suse.com>	2015-10-30 15:38:13 +0100
committer	Werner Koch <wk@gnupg.org>	2016-03-18 16:19:06 +0100
commit	c690230af5a66b809f8f6fbab1a6262a5ba078cb (patch)
tree	54f0767ef1ec226cb7fa55755c81d88cbab11fc3 /tests/keygen.c
parent	78cec8b4754fdf774edb2d575000cb3e972e244c (diff)
download	libgcrypt-c690230af5a66b809f8f6fbab1a6262a5ba078cb.tar.gz