Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
libgcrypt.20076
fix-test-suite-for-RSA-in-fips-mode.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fix-test-suite-for-RSA-in-fips-mode.patch of Package libgcrypt.20076
From 5958dd99b173ef62fac0e21ff97a52a67aa6423f Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel@suse.de> Date: Wed, 24 Sep 2014 18:02:28 +0200 Subject: [PATCH] fix test suite for RSA in fips mode --- tests/basic.c | 2 +- tests/benchmark.c | 30 +++++++++++++++++++-------- tests/keygen.c | 62 ++++++++++++++++++++++++++++++++++++++++++------------- tests/pubkey.c | 49 ++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 116 insertions(+), 27 deletions(-) diff --git a/tests/basic.c b/tests/basic.c index f7e2005..6c43b45 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -5710,7 +5710,7 @@ get_keys_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) if (verbose) fprintf (stderr, " generating RSA key:"); rc = gcry_sexp_new (&key_spec, - in_fips_mode ? "(genkey (rsa (nbits 4:1024)))" + in_fips_mode ? "(genkey (rsa (nbits 4:2048)))" : "(genkey (rsa (nbits 4:1024)(transient-key)))", 0, 1); if (rc) diff --git a/tests/benchmark.c b/tests/benchmark.c index 5efc083..9a45918 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c @@ -716,6 +716,11 @@ cipher_bench ( const char *algoname ) for (modeidx=0; modes[modeidx].mode; modeidx++) { + if (in_fips_mode && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM) + { + printf(" [skipped]"); + continue; + } if ((blklen > 1 && modes[modeidx].mode == GCRY_CIPHER_MODE_STREAM) || (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) continue; @@ -862,28 +867,35 @@ rsa_bench (int iterations, int print_header, int no_blinding) { gpg_error_t err; int p_sizes[] = { 1024, 2048, 3072, 4096 }; - int testno; + int testno = 0; if (print_header) printf ("Algorithm generate %4d*sign %4d*verify\n" "------------------------------------------------\n", iterations, iterations ); - for (testno=0; testno < DIM (p_sizes); testno++) + for (; testno < DIM (p_sizes); testno++) { gcry_sexp_t key_spec, key_pair, pub_key, sec_key; gcry_mpi_t x; gcry_sexp_t data; gcry_sexp_t sig = NULL; int count; + unsigned nbits = p_sizes[testno]; - printf ("RSA %3d bit ", p_sizes[testno]); + printf ("RSA %3d bit ", nbits); fflush (stdout); + if (in_fips_mode && !(nbits == 2048 || nbits == 3072)) + { + puts ("[skipped in fips mode]"); + continue; + } + err = gcry_sexp_build (&key_spec, NULL, gcry_fips_mode_active () ? "(genkey (RSA (nbits %d)))" : "(genkey (RSA (nbits %d)(transient-key)))", - p_sizes[testno]); + nbits); if (err) die ("creating S-expression failed: %s\n", gcry_strerror (err)); @@ -891,7 +903,7 @@ rsa_bench (int iterations, int print_header, int no_blinding) err = gcry_pk_genkey (&key_pair, key_spec); if (err) die ("creating %d bit RSA key failed: %s\n", - p_sizes[testno], gcry_strerror (err)); + nbits, gcry_strerror (err)); pub_key = gcry_sexp_find_token (key_pair, "public-key", 0); if (! pub_key) @@ -906,8 +918,8 @@ rsa_bench (int iterations, int print_header, int no_blinding) printf (" %s", elapsed_time ()); fflush (stdout); - x = gcry_mpi_new (p_sizes[testno]); - gcry_mpi_randomize (x, p_sizes[testno]-8, GCRY_WEAK_RANDOM); + x = gcry_mpi_new (nbits); + gcry_mpi_randomize (x, nbits-8, GCRY_WEAK_RANDOM); err = gcry_sexp_build (&data, NULL, "(data (flags raw) (value %m))", x); gcry_mpi_release (x); @@ -945,8 +957,8 @@ rsa_bench (int iterations, int print_header, int no_blinding) if (no_blinding) { fflush (stdout); - x = gcry_mpi_new (p_sizes[testno]); - gcry_mpi_randomize (x, p_sizes[testno]-8, GCRY_WEAK_RANDOM); + x = gcry_mpi_new (nbits); + gcry_mpi_randomize (x, nbits-8, GCRY_WEAK_RANDOM); err = gcry_sexp_build (&data, NULL, "(data (flags no-blinding) (value %m))", x); gcry_mpi_release (x); diff --git a/tests/keygen.c b/tests/keygen.c index 4aff9c9..4d4034a 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -40,6 +40,7 @@ static int verbose; static int debug; static int error_count; +static int in_fips_mode; static void @@ -63,7 +64,7 @@ fail (const char *format, ...) va_list arg_ptr; fflush (stdout); - fprintf (stderr, "%s: ", PGM); + fprintf (stderr, "FAIL %s: ", PGM); /* if (wherestr) */ /* fprintf (stderr, "%s: ", wherestr); */ va_start (arg_ptr, format); @@ -196,11 +197,11 @@ check_rsa_keys (void) int rc; if (verbose) - show ("creating 1024 bit RSA key\n"); + show ("creating 2048 bit RSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" - " (nbits 4:1024)\n" + " (nbits 4:2048)\n" " ))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gpg_strerror (rc)); @@ -208,9 +209,29 @@ check_rsa_keys (void) gcry_sexp_release (keyparm); if (rc) die ("error generating RSA key: %s\n", gpg_strerror (rc)); - if (verbose > 1) - show_sexp ("1024 bit RSA key:\n", key); - check_generated_rsa_key (key, 65537); + + if (verbose) + show ("creating 1024 bit RSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" + " (nbits 4:1024)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 1024 bit RSA key must not work!"); + + if (!rc) + { + if (verbose > 1) + show_sexp ("1024 bit RSA key:\n", key); + check_generated_rsa_key (key, 65537); + } gcry_sexp_release (key); @@ -226,10 +247,13 @@ check_rsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) - die ("error generating RSA key: %s\n", gpg_strerror (rc)); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 512 bit RSA key must not work!"); - check_generated_rsa_key (key, 257); + if (!rc) + check_generated_rsa_key (key, 257); gcry_sexp_release (key); if (verbose) @@ -244,10 +268,13 @@ check_rsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) - die ("error generating RSA key: %s\n", gpg_strerror (rc)); + if (rc && !in_fips_mode) + fail ("error generating RSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + fail ("generating 512 bit RSA key must not work!"); - check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */ + if (!rc) + check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */ gcry_sexp_release (key); } @@ -299,8 +326,10 @@ check_dsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) + if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + die ("generating 512 bit DSA key must not work!"); if (!i && verbose > 1) show_sexp ("1024 bit DSA key:\n", key); gcry_sexp_release (key); @@ -318,8 +347,10 @@ check_dsa_keys (void) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); - if (rc) + if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); + else if (!rc && in_fips_mode) + die ("generating 1536 bit DSA key must not work!"); if (verbose > 1) show_sexp ("1536 bit DSA key:\n", key); gcry_sexp_release (key); @@ -550,6 +581,9 @@ main (int argc, char **argv) break; } + if ( gcry_fips_mode_active () ) + in_fips_mode = 1; + if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); gcry_control (GCRYCTL_DISABLE_SECMEM, 0); diff --git a/tests/pubkey.c b/tests/pubkey.c index f5da67b..e1bde8b 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c @@ -165,6 +165,33 @@ show_sexp (const char *prefix, gcry_sexp_t a) gcry_free (buf); } +/* from ../cipher/pubkey-util.c */ +gpg_err_code_t +_gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits) +{ + char buf[50]; + const char *s; + size_t n; + + *r_nbits = 0; + + list = gcry_sexp_find_token (list, "nbits", 0); + if (!list) + return 0; /* No NBITS found. */ + + s = gcry_sexp_nth_data (list, 1, &n); + if (!s || n >= DIM (buf) - 1 ) + { + /* NBITS given without a cdr. */ + gcry_sexp_release (list); + return GPG_ERR_INV_OBJ; + } + memcpy (buf, s, n); + buf[n] = 0; + *r_nbits = (unsigned int)strtoul (buf, NULL, 0); + gcry_sexp_release (list); + return 0; +} /* Convert STRING consisting of hex characters into its binary representation and return it as an allocated buffer. The valid @@ -903,8 +930,8 @@ check_x931_derived_key (int what) } }; gpg_error_t err; - gcry_sexp_t key_spec, key, pub_key, sec_key; - gcry_mpi_t d_expected, d_have; + gcry_sexp_t key_spec = NULL, key = NULL, pub_key = NULL, sec_key = NULL; + gcry_mpi_t d_expected = NULL, d_have = NULL; if (what < 0 && what >= sizeof testtable) die ("invalid WHAT value\n"); @@ -913,10 +940,25 @@ check_x931_derived_key (int what) if (err) die ("error creating S-expression [%d]: %s\n", what, gpg_strerror (err)); + { + unsigned nbits; + err = _gcry_pk_util_get_nbits(key_spec, &nbits); + if (err) + die ("nbits not found\n"); + if (gcry_fips_mode_active() && nbits < 2048) + { + info("RSA key test with %d bits skipped in fips mode\n", nbits); + goto leave; + } + } + err = gcry_pk_genkey (&key, key_spec); gcry_sexp_release (key_spec); if (err) - die ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err)); + { + fail ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err)); + goto leave; + } pub_key = gcry_sexp_find_token (key, "public-key", 0); if (!pub_key) @@ -942,6 +984,7 @@ check_x931_derived_key (int what) show_sexp (NULL, sec_key); die ("parameter d does match expected value [%d]\n", what); } +leave: gcry_mpi_release (d_expected); gcry_mpi_release (d_have); -- 2.1.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor