diff options
author | Vitezslav Cizek <vcizek@suse.com> | 2015-10-30 15:38:13 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2016-03-18 16:19:06 +0100 |
commit | c690230af5a66b809f8f6fbab1a6262a5ba078cb (patch) | |
tree | 54f0767ef1ec226cb7fa55755c81d88cbab11fc3 /tests/pubkey.c | |
parent | 78cec8b4754fdf774edb2d575000cb3e972e244c (diff) | |
download | libgcrypt-c690230af5a66b809f8f6fbab1a6262a5ba078cb.tar.gz |
tests: Fixes for RSA testsuite in FIPS mode
* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/keygen.c (check_rsa_keys): Failure if short keys can be
generated in FIPS mode.
(check_dsa_keys): Ditto for DSA keys.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
--
Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
- Remove printing of "FAIL" in fail() because this is reserved for
use by the test driver of the Makefile.
- Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'tests/pubkey.c')
-rw-r--r-- | tests/pubkey.c | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/tests/pubkey.c b/tests/pubkey.c index 62dc0d6b..5ed6ca1e 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c @@ -165,6 +165,33 @@ show_sexp (const char *prefix, gcry_sexp_t a) gcry_free (buf); } +/* from ../cipher/pubkey-util.c */ +gpg_err_code_t +_gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits) +{ + char buf[50]; + const char *s; + size_t n; + + *r_nbits = 0; + + list = gcry_sexp_find_token (list, "nbits", 0); + if (!list) + return 0; /* No NBITS found. */ + + s = gcry_sexp_nth_data (list, 1, &n); + if (!s || n >= DIM (buf) - 1 ) + { + /* NBITS given without a cdr. */ + gcry_sexp_release (list); + return GPG_ERR_INV_OBJ; + } + memcpy (buf, s, n); + buf[n] = 0; + *r_nbits = (unsigned int)strtoul (buf, NULL, 0); + gcry_sexp_release (list); + return 0; +} /* Convert STRING consisting of hex characters into its binary representation and return it as an allocated buffer. The valid @@ -906,8 +933,8 @@ check_x931_derived_key (int what) } }; gpg_error_t err; - gcry_sexp_t key_spec, key, pub_key, sec_key; - gcry_mpi_t d_expected, d_have; + gcry_sexp_t key_spec = NULL, key = NULL, pub_key = NULL, sec_key = NULL; + gcry_mpi_t d_expected = NULL, d_have = NULL; if (what < 0 && what >= sizeof testtable) die ("invalid WHAT value\n"); @@ -916,10 +943,25 @@ check_x931_derived_key (int what) if (err) die ("error creating S-expression [%d]: %s\n", what, gpg_strerror (err)); + { + unsigned nbits; + err = _gcry_pk_util_get_nbits(key_spec, &nbits); + if (err) + die ("nbits not found\n"); + if (gcry_fips_mode_active() && nbits < 2048) + { + info("RSA key test with %d bits skipped in fips mode\n", nbits); + goto leave; + } + } + err = gcry_pk_genkey (&key, key_spec); gcry_sexp_release (key_spec); if (err) - die ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err)); + { + fail ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err)); + goto leave; + } pub_key = gcry_sexp_find_token (key, "public-key", 0); if (!pub_key) @@ -945,6 +987,7 @@ check_x931_derived_key (int what) show_sexp (NULL, sec_key); die ("parameter d does match expected value [%d]\n", what); } +leave: gcry_mpi_release (d_expected); gcry_mpi_release (d_have); |