diff options
| -rw-r--r-- | cipher/dsa.c | 31 | ||||
| -rw-r--r-- | tests/benchmark.c | 7 | ||||
| -rw-r--r-- | tests/dsa-rfc6979.c | 2 | ||||
| -rw-r--r-- | tests/fips186-dsa.c | 4 |
4 files changed, 38 insertions, 6 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c index f1d30ad8..d5b00912 100644 --- a/cipher/dsa.c +++ b/cipher/dsa.c @@ -145,6 +145,17 @@ static void (*progress_cb) (void *,const char *, int, int, int ); static void *progress_cb_data; +/* Check the DSA key length is acceptable for key generation or usage */ +static gpg_err_code_t +dsa_check_keysize (unsigned int nbits) +{ + if (fips_mode () && nbits < 2048) + return GPG_ERR_INV_VALUE; + + return 0; +} + + void _gcry_register_pk_dsa_progress (void (*cb) (void *, const char *, int, int, int), @@ -419,6 +430,10 @@ generate_fips186 (DSA_secret_key *sk, unsigned int nbits, unsigned int qbits, else return GPG_ERR_INV_VALUE; + ec = dsa_check_keysize (nbits); + if (ec) + return ec; + if (domain->p && domain->q && domain->g) { /* Domain parameters are given; use them. */ @@ -1066,9 +1081,13 @@ dsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) DSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL}; gcry_mpi_t sig_r = NULL; gcry_mpi_t sig_s = NULL; + unsigned int nbits = dsa_get_nbits (keyparms); + + rc = dsa_check_keysize (nbits); + if (rc) + return rc; - _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, - dsa_get_nbits (keyparms)); + _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, nbits); /* Extract the data. */ rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx); @@ -1136,9 +1155,13 @@ dsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) gcry_mpi_t sig_s = NULL; gcry_mpi_t data = NULL; DSA_public_key pk = { NULL, NULL, NULL, NULL }; + unsigned int nbits = dsa_get_nbits (s_keyparms); + + rc = dsa_check_keysize (nbits); + if (rc) + return rc; - _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY, - dsa_get_nbits (s_keyparms)); + _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY, nbits); /* Extract the data. */ rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx); diff --git a/tests/benchmark.c b/tests/benchmark.c index 24141371..5208366a 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c @@ -1427,6 +1427,12 @@ dsa_bench (int iterations, int print_header) printf ("DSA %d/%d -", p_sizes[i], q_sizes[i]); fflush (stdout); + if (in_fips_mode && !(p_sizes[i] == 2048 || p_sizes[i] == 3072)) + { + puts ("[skipped in fips mode]"); + goto next; + } + start_timer (); for (j=0; j < iterations; j++) { @@ -1460,6 +1466,7 @@ dsa_bench (int iterations, int print_header) printf (" %s\n", elapsed_time (1)); fflush (stdout); + next: gcry_sexp_release (sig); gcry_sexp_release (data); sig = NULL; diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c index 0f124575..7fa4b7bd 100644 --- a/tests/dsa-rfc6979.c +++ b/tests/dsa-rfc6979.c @@ -132,7 +132,7 @@ check_dsa_rfc6979 (void) " 92195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D" " 4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E6" " 82F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B#)" - " ))", 1 + " ))", 0 }, { "DSA, 2048 bits", diff --git a/tests/fips186-dsa.c b/tests/fips186-dsa.c index eb74cc2b..3d59dfd3 100644 --- a/tests/fips186-dsa.c +++ b/tests/fips186-dsa.c @@ -564,7 +564,9 @@ main (int argc, char **argv) xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - check_dsa_gen_186_2 (); + if ( !gcry_fips_mode_active () ) + check_dsa_gen_186_2 (); + check_dsa_gen_186_3 (); |