diff options
| author | Vitezslav Cizek <vcizek@suse.com> | 2016-03-18 17:54:36 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2016-03-18 17:54:36 +0100 |
| commit | 9ecc2690181ba0bb44f66451a7dce2fc19965793 (patch) | |
| tree | f2877351c342a3ff00eecc6e9804ba5f82416a8d /tests/keygen.c | |
| parent | 1a02d741cacc3b57fe3d6ffebd794d53a60c9e97 (diff) | |
| download | libgcrypt-9ecc2690181ba0bb44f66451a7dce2fc19965793.tar.gz | |
tests: Fix testsuite after the FIPS adjustments.
* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
(check_ecc_keys): Skip Ed25519 in FIPS mode.
* tests/random.c (main): Don't switch DRBG in FIPS mode.
* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
(main): Skip math tests that use P-192 and Ed25519 in FIPS.
--
Fix the testsuite to make it pass after the FIPS adjustmens.
This consists mostly of disabling the tests that use not approved
curves and algorithms as well as increasing the keysizes.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
- Removed changes already done with commit e40939b. The original
patch had these chnages:
* tests/fips186-dsa.c (main): Merely suggest a future improvement.
* tests/pubkey.c (get_dsa_key_*new): Increase keysizes.
(check_run): Skip tests with small domain in FIPS.
(main): Skip Ed25519 sample key test in FIPS.
Noet that get_dsa_key_fips186_with_seed_new was not changed from
1024 to 3072 but to 2048 bit.
- Return with 77 (skip) from t-ed25519.c in FIPS mode.
- Some code style changes.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'tests/keygen.c')
| -rw-r--r-- | tests/keygen.c | 101 |
1 files changed, 97 insertions, 4 deletions
diff --git a/tests/keygen.c b/tests/keygen.c index 7afa76c1..dcb59e48 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -329,7 +329,7 @@ check_dsa_keys (void) if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); else if (!rc && in_fips_mode) - die ("generating 512 bit DSA key must not work!"); + die ("generating 1024 bit DSA key must not work!"); if (!i && verbose > 1) show_sexp ("1024 bit DSA key:\n", key); gcry_sexp_release (key); @@ -354,6 +354,60 @@ check_dsa_keys (void) if (verbose > 1) show_sexp ("1536 bit DSA key:\n", key); gcry_sexp_release (key); + + if (verbose) + show ("creating 3072 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:3072)\n" + " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("3072 bit DSA key:\n", key); + gcry_sexp_release (key); + + if (verbose) + show ("creating 2048/256 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:2048)\n" + " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("2048 bit DSA key:\n", key); + gcry_sexp_release (key); + + if (verbose) + show ("creating 2048/224 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:2048)\n" + " (qbits 3:224)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("2048 bit DSA key:\n", key); + gcry_sexp_release (key); } @@ -406,9 +460,14 @@ check_ecc_keys (void) if (verbose) show ("creating ECC key using curve %s\n", curves[testno]); if (!strcmp (curves[testno], "Ed25519")) - rc = gcry_sexp_build (&keyparm, NULL, - "(genkey(ecc(curve %s)(flags param eddsa)))", - curves[testno]); + { + /* Ed25519 isn't allowed in fips mode */ + if (in_fips_mode) + continue; + rc = gcry_sexp_build (&keyparm, NULL, + "(genkey(ecc(curve %s)(flags param eddsa)))", + curves[testno]); + } else rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve %s)(flags param)))", @@ -459,6 +518,40 @@ check_ecc_keys (void) " (nocomp): %s\n", gpg_strerror (rc)); + if (verbose) + show ("creating ECC key using curve NIST P-384 for ECDSA\n"); + + /* Must be specified as nistp384 (one word), because ecc_generate + * uses _gcry_sexp_nth_string which takes the first word of the name + * and thus libgcrypt can't find it later in its curves table. */ + rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve nistp384)))"); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating ECC key using curve NIST P-384 for ECDSA: %s\n", + gpg_strerror (rc)); + + if (verbose > 1) + show_sexp ("ECC key:\n", key); + + check_generated_ecc_key (key); + gcry_sexp_release (key); + + if (verbose) + show ("creating ECC key using curve NIST P-384 for ECDSA (nocomp)\n"); + rc = gcry_sexp_build (&keyparm, NULL, + "(genkey(ecc(curve nistp384)(flags nocomp)))"); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating ECC key using curve NIST P-384 for ECDSA" + " (nocomp): %s\n", + gpg_strerror (rc)); + if (verbose > 1) show_sexp ("ECC key:\n", key); |