diff options
author | Jakub Jelen <jjelen@redhat.com> | 2022-12-06 10:03:47 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-12-06 10:03:47 +0900 |
commit | 06ea5b5332ffdb44a0a394d766be8989bcb6a95c (patch) | |
tree | b975681b25180dd5e15f2b5d722af31ddf349e02 /tests | |
parent | bf1e62e59200b2046680d1d3d1599facc88cfe63 (diff) | |
download | libgcrypt-06ea5b5332ffdb44a0a394d766be8989bcb6a95c.tar.gz |
fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.
* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
in FIPS mode.
* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
(check_run): Skip checking X9.31 keys in FIPS mode.
* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
the X9.31 keygen.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/pubkey.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/tests/pubkey.c b/tests/pubkey.c index bc44f3a5..2669b41a 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c @@ -430,7 +430,17 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) rc = gcry_pk_genkey (&key, key_spec); gcry_sexp_release (key_spec); if (rc) - die ("error generating RSA key: %s\n", gcry_strerror (rc)); + { + if (in_fips_mode) + { + if (verbose) + fprintf (stderr, "The X9.31 RSA keygen is not available in FIPS modee.\n"); + return; + } + die ("error generating RSA key: %s\n", gcry_strerror (rc)); + } + else if (in_fips_mode) + die ("generating X9.31 RSA key unexpected worked in FIPS mode\n"); if (verbose > 1) show_sexp ("generated RSA (X9.31) key:\n", key); @@ -777,7 +787,8 @@ check_run (void) if (verbose) fprintf (stderr, "Checking generated RSA key (X9.31).\n"); get_keys_x931_new (&pkey, &skey); - check_keys (pkey, skey, 800, 0); + if (!in_fips_mode) + check_keys (pkey, skey, 800, 0); gcry_sexp_release (pkey); gcry_sexp_release (skey); pkey = skey = NULL; |