tests: Expect curves 25519/448 to fail in FIPS mode

* tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS
  mode.
  (test_cv_x25519, test_it): Ditto.
  (main) Detect FIPS mode.
* tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS
  mode.
  (main) Detect FIPS mode.
* tests/t-ed448.c (one_test): Expect the operation to fail in FIPS
  mode.
  (main) Detect FIPS mode.
* tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS
  mode.
  (test_cv_x448, test_cv): Ditto.
  (main) Detect FIPS mode.
--
The ed25519, ed448, cv25519 and cv448 curves are not available in FIPS
mode. Some of the tests already skipped these, but it is always better
to make sure thy are failing, rather than just skipping these.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

1 files changed, 14 insertions, 4 deletions

diff --git a/tests/t-ed448.c b/tests/t-ed448.c
index 1f445ffc..f38cd10c 100644
--- a/tests/t-ed448.c
+++ b/tests/t-ed448.c
@@ -36,6 +36,7 @@
 static int sign_with_pk;
 static int no_verify;
 static int custom_data_file;
+static int in_fips_mode = 0;
 
 
 static void
@@ -302,7 +303,17 @@ one_test (int testno, int ph, const char *sk, const char *pk,
         }
     }
 
-  if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk)))
+  err = gcry_pk_sign (&s_sig, s_msg, s_sk);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err));
   if (debug)
     show_sexp ("sig=", s_sig);
@@ -521,9 +532,8 @@ main (int argc, char **argv)
   xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
   xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
 
-  /* Ed448 isn't supported in fips mode */
-  if (gcry_fips_mode_active())
-    return 77;
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
 
   start_timer ();
   check_ed448 (fname);