Diffstat (limited to 'tests')
-rw-r--r-- | tests/benchmark.c | 6 | ||||
-rw-r--r-- | tests/curves.c | 3 | ||||
-rw-r--r-- | tests/keygen.c | 101 | ||||
-rw-r--r-- | tests/pubkey.c | 7 | ||||
-rw-r--r-- | tests/random.c | 11 | ||||
-rw-r--r-- | tests/t-ed25519.c | 4 | ||||
-rw-r--r-- | tests/t-kdf.c | 4 | ||||
-rw-r--r-- | tests/t-mpi-point.c | 26 |
8 files changed, 151 insertions, 11 deletions
diff --git a/tests/benchmark.c b/tests/benchmark.c
index c748dacf..1258b81c 100644
--- a/tests/benchmark.c
+++ b/tests/benchmark.c
@@ -1434,6 +1434,12 @@ ecc_bench (int iterations, int print_header)
 is_ed25519 = !strcmp (p_sizes[testno], "Ed25519");
 is_gost = !strncmp (p_sizes[testno], "gost", 4);
+
+ /* Only P-{224,256,384,521} are allowed in fips mode */
+ if (gcry_fips_mode_active()
+ && (is_ed25519 || is_gost || !strcmp (p_sizes[testno], "192")))
+ continue;
+
 if (is_ed25519)
 {
 p_size = 256;
diff --git a/tests/curves.c b/tests/curves.c
index bec48e99..2732bbdc 100644
--- a/tests/curves.c
+++ b/tests/curves.c
@@ -171,6 +171,9 @@ check_get_params (void)
 gcry_sexp_release (param);
+ /* Brainpool curves are not supported in fips mode */
+ if (gcry_fips_mode_active())
+ return;
 param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);
 if (!param)
diff --git a/tests/keygen.c b/tests/keygen.c
index 7afa76c1..dcb59e48 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -329,7 +329,7 @@ check_dsa_keys (void)
 if (rc && !in_fips_mode)
 die ("error generating DSA key: %s\n", gpg_strerror (rc));
 else if (!rc && in_fips_mode)
- die ("generating 512 bit DSA key must not work!");
+ die ("generating 1024 bit DSA key must not work!");
 if (!i && verbose > 1)
 show_sexp ("1024 bit DSA key:\n", key);
 gcry_sexp_release (key);
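Review bot: The early `return` in check_get_params (tests/curves.c) means a FIPS run never asks the library about the Brainpool curve, so the test cannot catch a regression in which a non-approved curve becomes usable in FIPS mode. tests/keygen.c already checks the negative case for DSA with `else if (!rc && in_fips_mode) die (...)`; the equivalent here would keep the `gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve)` call and report a failure when it returns non-NULL while `gcry_fips_mode_active ()` is true. Whether the library returns NULL for this curve in FIPS mode is not visible in the diff, so that should be confirmed first. The skips added in pubkey.c (main), random.c (check_rng_type_switching) and t-kdf.c (MD5 vectors) leave the same gap, and check_get_params continues outside the hunk.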
@@ -354,6 +354,60 @@ check_dsa_keys (void)
 if (verbose > 1)
 show_sexp ("1536 bit DSA key:\n", key);
 gcry_sexp_release (key);
+
+ if (verbose)
+ show ("creating 3072 bit DSA key\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (dsa\n"
+ " (nbits 4:3072)\n"
+ " (qbits 3:256)\n"
+ " ))", 0, 1);
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating DSA key: %s\n", gpg_strerror (rc));
+ if (verbose > 1)
+ show_sexp ("3072 bit DSA key:\n", key);
+ gcry_sexp_release (key);
+
+ if (verbose)
+ show ("creating 2048/256 bit DSA key\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (dsa\n"
+ " (nbits 4:2048)\n"
+ " (qbits 3:256)\n"
+ " ))", 0, 1);
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating DSA key: %s\n", gpg_strerror (rc));
+ if (verbose > 1)
+ show_sexp ("2048 bit DSA key:\n", key);
+ gcry_sexp_release (key);
+
+ if (verbose)
+ show ("creating 2048/224 bit DSA key\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (dsa\n"
+ " (nbits 4:2048)\n"
+ " (qbits 3:224)\n"
+ " ))", 0, 1);
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating DSA key: %s\n", gpg_strerror (rc));
+ if (verbose > 1)
+ show_sexp ("2048 bit DSA key:\n", key);
+ gcry_sexp_release (key);
 }
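Review bot: The three blocks added to check_dsa_keys (tests/keygen.c) repeat the same 18 lines with only the nbits/qbits values changed, and the 2048/256 and 2048/224 cases both label their dump `"2048 bit DSA key:\n"`, so a verbose log cannot tell the two apart. A small static helper taking both sizes removes the duplication and keeps the sizes in the progress message; the two P-384 blocks added to check_ecc_keys later in this file repeat in the same way. These keys are generated without any transient-key flag on every run, so it is worth confirming the added run time and entropy use are acceptable for the regression suite. check_dsa_keys begins outside the hunk.

```c
/* Generate one DSA key with NBITS/QBITS and die on any error.  */
static void
check_dsa_gen (int nbits, int qbits)
{
  gcry_sexp_t keyparm, key;
  int rc;

  if (verbose)
    show ("creating %d/%d bit DSA key\n", nbits, qbits);
  rc = gcry_sexp_build (&keyparm, NULL,
                        "(genkey (dsa (nbits %d)(qbits %d)))", nbits, qbits);
  if (rc)
    die ("error creating S-expression: %s\n", gpg_strerror (rc));
  rc = gcry_pk_genkey (&key, keyparm);
  gcry_sexp_release (keyparm);
  if (rc)
    die ("error generating DSA key: %s\n", gpg_strerror (rc));
  if (verbose > 1)
    show_sexp ("DSA key:\n", key);
  gcry_sexp_release (key);
}

  /* ... unchanged: check_dsa_keys up to the 1536 bit case ... */
  check_dsa_gen (3072, 256);
  check_dsa_gen (2048, 256);
  check_dsa_gen (2048, 224);
```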
@@ -406,9 +460,14 @@ check_ecc_keys (void)
 if (verbose)
 show ("creating ECC key using curve %s\n", curves[testno]);
 if (!strcmp (curves[testno], "Ed25519"))
- rc = gcry_sexp_build (&keyparm, NULL,
- "(genkey(ecc(curve %s)(flags param eddsa)))",
- curves[testno]);
+ {
+ /* Ed25519 isn't allowed in fips mode */
+ if (in_fips_mode)
+ continue;
+ rc = gcry_sexp_build (&keyparm, NULL,
+ "(genkey(ecc(curve %s)(flags param eddsa)))",
+ curves[testno]);
+ }
 else
 rc = gcry_sexp_build (&keyparm, NULL,
 "(genkey(ecc(curve %s)(flags param)))",
@@ -459,6 +518,40 @@ check_ecc_keys (void)
 " (nocomp): %s\n",
 gpg_strerror (rc));
+ if (verbose)
+ show ("creating ECC key using curve NIST P-384 for ECDSA\n");
+
+ /* Must be specified as nistp384 (one word), because ecc_generate
+ * uses _gcry_sexp_nth_string which takes the first word of the name
+ * and thus libgcrypt can't find it later in its curves table. */
+ rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve nistp384)))");
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating ECC key using curve NIST P-384 for ECDSA: %s\n",
+ gpg_strerror (rc));
+
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+
+ check_generated_ecc_key (key);
+ gcry_sexp_release (key);
+
+ if (verbose)
+ show ("creating ECC key using curve NIST P-384 for ECDSA (nocomp)\n");
+ rc = gcry_sexp_build (&keyparm, NULL,
+ "(genkey(ecc(curve nistp384)(flags nocomp)))");
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating ECC key using curve NIST P-384 for ECDSA"
+ " (nocomp): %s\n",
+ gpg_strerror (rc));
+
 if (verbose > 1)
 show_sexp ("ECC key:\n", key);
diff --git a/tests/pubkey.c b/tests/pubkey.c
index 5ed6ca1e..b691913b 100644
--- a/tests/pubkey.c
+++ b/tests/pubkey.c
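Review bot: In the first check_ecc_keys hunk (tests/keygen.c) the FIPS skip sits after the `show ("creating ECC key using curve %s\n", curves[testno]);` line, so a verbose FIPS run logs that an Ed25519 key is being created and then moves on without creating one. Placing `if (in_fips_mode && !strcmp (curves[testno], "Ed25519")) continue;` ahead of the `if (verbose)` message, or printing a skip line the way context_param in t-mpi-point.c does, keeps the log accurate about what was exercised. The loop header and the rest of the loop body are outside the hunk.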
@@ -483,8 +483,8 @@ get_dsa_key_new (gcry_sexp_t *pkey, gcry_sexp_t *skey, int transient_key)
 rc = gcry_sexp_new (&key_spec,
 transient_key
- ? "(genkey (dsa (nbits 4:1024)(transient-key)))"
- : "(genkey (dsa (nbits 4:1024)))",
+ ? "(genkey (dsa (nbits 4:2048)(transient-key)))"
+ : "(genkey (dsa (nbits 4:2048)))",
 0, 1);
 if (rc)
 die ("error creating S-expression: %s\n", gcry_strerror (rc));
@@ -1243,7 +1243,8 @@ main (int argc, char **argv)
 check_x931_derived_key (i);
 check_ecc_sample_key ();
- check_ed25519ecdsa_sample_key ();
+ if (!gcry_fips_mode_active ())
+ check_ed25519ecdsa_sample_key ();
 return !!error_count;
 }
diff --git a/tests/random.c b/tests/random.c
index 2a4b698b..3c087265 100644
--- a/tests/random.c
+++ b/tests/random.c
@@ -647,7 +647,11 @@ main (int argc, char **argv)
 #endif
 if (early_rng)
- check_early_rng_type_switching ();
+ {
+ /* Don't switch RNG in fips mode. */
+ if (!gcry_fips_mode_active())
+ check_early_rng_type_switching ();
+ }
 gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
 if (!gcry_check_version (GCRYPT_VERSION))
@@ -670,7 +674,10 @@ main (int argc, char **argv)
 to its high requirement for entropy. */
 if (!getenv ("GCRYPT_IN_REGRESSION_TEST"))
 check_drbg_reinit ();
- check_rng_type_switching ();
+
+ /* Don't switch RNG in fips mode. */
+ if (!gcry_fips_mode_active())
+ check_rng_type_switching ();
 if (!in_recursion)
 run_all_rng_tests (program);
diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c
index 38e154de..d63c145d 100644
--- a/tests/t-ed25519.c
+++ b/tests/t-ed25519.c
@@ -548,6 +548,10 @@ main (int argc, char **argv)
 gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ /* Ed25519 isn't supported in fips mode */
+ if (gcry_fips_mode_active())
+ return 77;
+
 start_timer ();
 check_ed25519 (fname);
 stop_timer ();
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 18c83575..bf31c830 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
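Review bot: In the first main hunk of tests/random.c the new guard calls gcry_fips_mode_active() before the `gcry_check_version (GCRYPT_VERSION)` call that follows in the same hunk. The early_rng path appears intended to run ahead of library initialisation, so it should be confirmed that the FIPS query already returns the final state at that point and does not itself trigger initialisation, which would change what the early test exercises. The nested block can also be written as `if (early_rng && !gcry_fips_mode_active ())`. main starts and ends outside the hunk.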
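Review bot: `return 77;` in main (tests/t-ed25519.c) is a bare magic number; a comment such as `/* 77 is the exit status the automake test harness reports as SKIP.  */` would explain it to the next reader. It is also the only FIPS skip in this commit that the harness will record as skipped: the guards added in pubkey.c, random.c and t-kdf.c drop checks without any output, so a FIPS run leaves no record of which checks did not execute. Printing a line on each skipped check would make the coverage of a FIPS run auditable from its log.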
@@ -888,6 +888,10 @@ check_openpgp (void)
 {
 if (tv[tvidx].disabled)
 continue;
+ /* MD5 isn't supported in fips mode */
+ if (gcry_fips_mode_active()
+ && tv[tvidx].hashalgo == GCRY_MD_MD5)
+ continue;
 if (verbose)
 fprintf (stderr, "checking S2K test vector %d\n", tvidx);
 assert (tv[tvidx].dklen <= sizeof outbuf);
diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c
index d72cd27f..55c6b666 100644
--- a/tests/t-mpi-point.c
+++ b/tests/t-mpi-point.c
@@ -540,6 +540,17 @@ context_param (void)
 show ("checking standard curves\n");
 for (idx=0; test_curve[idx].desc; idx++)
 {
+ /* P-192 and Ed25519 are not supported in fips mode */
+ if (gcry_fips_mode_active())
+ {
+ if (!strcmp(test_curve[idx].desc, "NIST P-192")
+ || !strcmp(test_curve[idx].desc, "Ed25519"))
+ {
+ show("skipping %s in fips mode\n", test_curve[idx].desc );
+ continue;
+ }
+ }
+
 gcry_ctx_release (ctx);
 err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc);
 if (err)
@@ -635,6 +646,10 @@ context_param (void)
 gcry_sexp_release (sexp);
 }
+ /* Skipping Ed25519 if in FIPS mode (it isn't supported) */
+ if (gcry_fips_mode_active())
+ goto cleanup;
+
 show ("checking sample public key (Ed25519)\n");
 q = hex2mpi (sample_ed25519_q);
 gcry_sexp_release (keyparam);
@@ -722,6 +737,7 @@ context_param (void)
 }
+ cleanup:
 gcry_ctx_release (ctx);
 gcry_sexp_release (keyparam);
 }
@@ -1101,8 +1117,14 @@ main (int argc, char **argv)
 context_alloc ();
 context_param ();
 basic_ec_math ();
- basic_ec_math_simplified ();
- twistededwards_math ();
+
+ /* The tests are for P-192 and ed25519 which are not supported in
+ FIPS mode. */
+ if (!gcry_fips_mode_active())
+ {
+ basic_ec_math_simplified ();
+ twistededwards_math ();
+ }
 show ("All tests completed. Errors: %d\n", error_count);
 return error_count ? 1 : 0;
|
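Review bot: The lines added to the curve loop in context_param (tests/t-mpi-point.c) are written `strcmp(`, `show(` and `test_curve[idx].desc );`, while the surrounding context uses GNU spacing such as `show ("checking standard curves\n");`. Matching it would read `show ("skipping %s in fips mode\n", test_curve[idx].desc);` and `!strcmp (test_curve[idx].desc, "NIST P-192")`. The same missing space appears in `gcry_fips_mode_active()` in most other hunks of this commit, whereas pubkey.c writes `gcry_fips_mode_active ()`.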