diff options
author | Jakub Jelen <jjelen@redhat.com> | 2021-09-10 18:38:17 +0200 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2021-09-16 09:54:14 +0900 |
commit | fd116968ef2dcecb4058be2b2b3e8ab90f1e3181 (patch) | |
tree | 18b2b462318018de4ff954deaac744707d0eb849 /tests | |
parent | f9ae351c954c01a382c8ac915298efa25fc45177 (diff) | |
download | libgcrypt-fd116968ef2dcecb4058be2b2b3e8ab90f1e3181.tar.gz |
tests: Improve FIPS detection in curves test.
* tests/curves.c (check_matching): When FIPS mode enabled, skip a test
with sample_key_2, which uses brainpoolP160r1 curve.
(check_get_params): Replace "error_expected" filed to "flags" to hold
TEST_ERROR_EXPECTED and/or TEST_NOFIPS. Put TEST_NOFIPS flags for
non-FIPS curves. When FIPS mode enabled, don't skip supported curves.
--
(ChangeLog entry and link to tracker are written by gniibe.)
GnuPG-bug-id: 5520
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/curves.c | 277 |
1 files changed, 147 insertions, 130 deletions
diff --git a/tests/curves.c b/tests/curves.c index 12f3827f..2dd067a0 100644 --- a/tests/curves.c +++ b/tests/curves.c @@ -69,6 +69,7 @@ static char const sample_key_2[] = static char const sample_key_2_curve[] = "brainpoolP160r1"; static unsigned int sample_key_2_nbits = 160; +static int in_fips_mode = 0; static void list_curves (void) @@ -112,22 +113,27 @@ check_matching (void) gcry_sexp_release (key); - err = gcry_sexp_new (&key, sample_key_2, 0, 1); - if (err) - die ("parsing s-expression string failed: %s\n", gpg_strerror (err)); - name = gcry_pk_get_curve (key, 0, &nbits); - if (!name) - fail ("curve name not found for sample_key_2\n"); - else if (strcmp (name, sample_key_2_curve)) - fail ("expected curve name %s but got %s for sample_key_2\n", - sample_key_2_curve, name); - else if (nbits != sample_key_2_nbits) - fail ("expected curve size %u but got %u for sample_key_2\n", - sample_key_2_nbits, nbits); - - gcry_sexp_release (key); + if (!in_fips_mode) + { + err = gcry_sexp_new (&key, sample_key_2, 0, 1); + if (err) + die ("parsing s-expression string failed: %s\n", gpg_strerror (err)); + name = gcry_pk_get_curve (key, 0, &nbits); + if (!name) + fail ("curve name not found for sample_key_2\n"); + else if (strcmp (name, sample_key_2_curve)) + fail ("expected curve name %s but got %s for sample_key_2\n", + sample_key_2_curve, name); + else if (nbits != sample_key_2_nbits) + fail ("expected curve size %u but got %u for sample_key_2\n", + sample_key_2_nbits, nbits); + + gcry_sexp_release (key); + } } +#define TEST_ERROR_EXPECTED (1 << 0) +#define TEST_NOFIPS (1 << 1) static void check_get_params (void) @@ -135,28 +141,28 @@ check_get_params (void) static struct { int algo; const char *name; - int error_expected; + int flags; } tv[] = { - { GCRY_PK_ECC, "Ed25519" }, - { GCRY_PK_ECC, "1.3.6.1.4.1.11591.15.1" }, - { GCRY_PK_ECC, "1.3.101.112" }, - - { GCRY_PK_ECC, "Curve25519" }, - { GCRY_PK_ECC, "1.3.6.1.4.1.3029.1.5.1" }, - { GCRY_PK_ECC, "1.3.101.110" }, - { GCRY_PK_ECC, "X25519" }, - - { GCRY_PK_ECC, "Ed448" }, - { GCRY_PK_ECC, "X448" }, - { GCRY_PK_ECC, "1.3.101.113" }, - { GCRY_PK_ECC, "1.3.101.111" }, - - { GCRY_PK_ECC, "NIST P-192" }, - { GCRY_PK_ECC, "1.2.840.10045.3.1.1" }, - { GCRY_PK_ECC, "prime192v1" }, - { GCRY_PK_ECC, "secp192r1" }, - { GCRY_PK_ECC, "nistp192" }, + { GCRY_PK_ECC, "Ed25519", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.6.1.4.1.11591.15.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.101.112", TEST_NOFIPS }, + + { GCRY_PK_ECC, "Curve25519", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.6.1.4.1.3029.1.5.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.101.110", TEST_NOFIPS }, + { GCRY_PK_ECC, "X25519", TEST_NOFIPS }, + + { GCRY_PK_ECC, "Ed448", TEST_NOFIPS }, + { GCRY_PK_ECC, "X448", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.101.113", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.101.111", TEST_NOFIPS }, + + { GCRY_PK_ECC, "NIST P-192", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.840.10045.3.1.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "prime192v1", TEST_NOFIPS }, + { GCRY_PK_ECC, "secp192r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "nistp192", TEST_NOFIPS }, { GCRY_PK_ECC, "NIST P-224" }, { GCRY_PK_ECC, "secp224r1" }, @@ -179,85 +185,85 @@ check_get_params (void) { GCRY_PK_ECC, "1.3.132.0.35" }, { GCRY_PK_ECC, "nistp521" }, - { GCRY_PK_ECC, "brainpoolP160r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1" }, - { GCRY_PK_ECC, "brainpoolP192r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3" }, - { GCRY_PK_ECC, "brainpoolP224r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5" }, - { GCRY_PK_ECC, "brainpoolP256r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7" }, - { GCRY_PK_ECC, "brainpoolP320r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9" }, - { GCRY_PK_ECC, "brainpoolP384r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11"}, - { GCRY_PK_ECC, "brainpoolP512r1" }, - { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13"}, - - { GCRY_PK_ECC, "GOST2001-test" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.0" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.1" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.2" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.3" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-XchA" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-XchB" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.2.2.36.0" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.2.2.36.1" }, + { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS }, + { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS }, + + { GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.35.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.35.2", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.35.3", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-XchA", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-XchB", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.36.0", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.36.1", TEST_NOFIPS }, /* Noet that GOST2012-256-tc26-A" is only in the curve alias * list but has no parameter entry. */ - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.2" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-B" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.3" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-C" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.4" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-D" }, - - { GCRY_PK_ECC, "GOST2012-512-test" }, - { GCRY_PK_ECC, "GOST2012-test" }, - { GCRY_PK_ECC, "GOST2012-512-test" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.0" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-A" }, - { GCRY_PK_ECC, "GOST2012-tc26-A" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-B" }, - { GCRY_PK_ECC, "GOST2012-tc26-B" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-A" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.1" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-B" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.2" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-C" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.3" }, - - { GCRY_PK_ECC, "secp256k1" }, - { GCRY_PK_ECC, "1.3.132.0.10" }, - - { GCRY_PK_ECC, "sm2p256v1" }, - { GCRY_PK_ECC, "1.2.156.10197.1.301" }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.2", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-256-tc26-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.3", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-256-tc26-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.4", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2001-CryptoPro-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-256-tc26-D", TEST_NOFIPS }, + + { GCRY_PK_ECC, "GOST2012-512-test", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-test", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-test", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.0", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-tc26-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-tc26-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-tc26-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-tc26-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-tc26-A", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.1", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-tc26-B", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.2", TEST_NOFIPS }, + { GCRY_PK_ECC, "GOST2012-512-tc26-C", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.3", TEST_NOFIPS }, + + { GCRY_PK_ECC, "secp256k1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.3.132.0.10", TEST_NOFIPS }, + + { GCRY_PK_ECC, "sm2p256v1", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.156.10197.1.301", TEST_NOFIPS }, /* Check also the ECC algo mapping. */ - { GCRY_PK_ECDSA, "Ed25519" }, - { GCRY_PK_EDDSA, "Ed25519" }, - { GCRY_PK_ECDH, "Ed25519" }, - { GCRY_PK_ECDSA, "Curve25519" }, - { GCRY_PK_EDDSA, "Curve25519" }, - { GCRY_PK_ECDH, "Curve25519" }, - { GCRY_PK_ECC, "NoSuchCurve", 1 }, - { GCRY_PK_RSA, "rsa", 1 }, - { GCRY_PK_ELG, "elg", 1 }, - { GCRY_PK_DSA, "dsa", 1 } + { GCRY_PK_ECDSA, "Ed25519", TEST_NOFIPS }, + { GCRY_PK_EDDSA, "Ed25519", TEST_NOFIPS }, + { GCRY_PK_ECDH, "Ed25519", TEST_NOFIPS }, + { GCRY_PK_ECDSA, "Curve25519", TEST_NOFIPS }, + { GCRY_PK_EDDSA, "Curve25519", TEST_NOFIPS }, + { GCRY_PK_ECDH, "Curve25519", TEST_NOFIPS }, + { GCRY_PK_ECC, "NoSuchCurve", TEST_ERROR_EXPECTED }, + { GCRY_PK_RSA, "rsa", TEST_ERROR_EXPECTED }, + { GCRY_PK_ELG, "elg", TEST_ERROR_EXPECTED }, + { GCRY_PK_DSA, "dsa", TEST_ERROR_EXPECTED } }; int idx; gcry_sexp_t param; @@ -276,38 +282,45 @@ check_get_params (void) gcry_sexp_release (param); - /* Brainpool curves are not supported in fips mode */ - if (gcry_fips_mode_active()) - return; + if (!in_fips_mode) + { + param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve); + if (!param) + fail ("error gerring parameters for `%s'\n", sample_key_2_curve); - param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve); - if (!param) - fail ("error gerring parameters for `%s'\n", sample_key_2_curve); + name = gcry_pk_get_curve (param, 0, NULL); + if (!name) + fail ("get_param: curve name not found for sample_key_2\n"); + else if (strcmp (name, sample_key_2_curve)) + fail ("get_param: expected curve name %s but got %s for sample_key_2\n", + sample_key_2_curve, name); - name = gcry_pk_get_curve (param, 0, NULL); - if (!name) - fail ("get_param: curve name not found for sample_key_2\n"); - else if (strcmp (name, sample_key_2_curve)) - fail ("get_param: expected curve name %s but got %s for sample_key_2\n", - sample_key_2_curve, name); - - gcry_sexp_release (param); + gcry_sexp_release (param); + } /* Some simple tests */ for (idx=0; idx < DIM (tv); idx++) { param = gcry_pk_get_param (tv[idx].algo, tv[idx].name); - if (!param) + if (in_fips_mode && tv[idx].flags & TEST_NOFIPS) { - if (!tv[idx].error_expected) - fail ("get_param: test %d (%s) failed\n", idx, tv[idx].name); - } - else - { - if (tv[idx].error_expected) - fail ("get_param: test %d (%s) failed (error expected)\n", + if (param) + fail ("get_param: test %d (%s) should have failed in fips mode\n", idx, tv[idx].name); } + else { + if (!param) + { + if (!(tv[idx].flags & TEST_ERROR_EXPECTED)) + fail ("get_param: test %d (%s) failed\n", idx, tv[idx].name); + } + else + { + if (tv[idx].flags & TEST_ERROR_EXPECTED) + fail ("get_param: test %d (%s) failed (error expected)\n", + idx, tv[idx].name); + } + } gcry_sexp_release (param); } } @@ -328,6 +341,10 @@ main (int argc, char **argv) xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + + if (gcry_fips_mode_active ()) + in_fips_mode = 1; + list_curves (); check_matching (); check_get_params (); |