Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
libgcrypt
libgcrypt-fips_testsuite.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libgcrypt-fips_testsuite.patch of Package libgcrypt
Currently only fips186-dsa and t-ed25519 doesn't work. The fips186-dsa is expecting old FIPS 186-2, and Ed25519 isn't support in our fips mode. Index: libgcrypt-1.6.1/tests/keygen.c =================================================================== --- libgcrypt-1.6.1.orig/tests/keygen.c 2015-05-27 16:46:54.640042100 +0200 +++ libgcrypt-1.6.1/tests/keygen.c 2015-05-27 16:50:25.931543907 +0200 @@ -329,7 +329,7 @@ check_dsa_keys (void) if (rc && !in_fips_mode) die ("error generating DSA key: %s\n", gpg_strerror (rc)); else if (!rc && in_fips_mode) - die ("generating 512 bit DSA key must not work!"); + die ("generating 1024 bit DSA key must not work!"); if (!i && verbose > 1) show_sexp ("1024 bit DSA key:\n", key); gcry_sexp_release (key); @@ -354,6 +354,77 @@ check_dsa_keys (void) if (verbose > 1) show_sexp ("1536 bit DSA key:\n", key); gcry_sexp_release (key); + + if (verbose) + show ("creating 3072 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:3072)\n" + " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("3072 bit DSA key:\n", key); + gcry_sexp_release (key); + + if (verbose) + show ("creating 2048/256 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:2048)\n" + " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("2048 bit DSA key:\n", key); + gcry_sexp_release (key); + + if (verbose) + show ("creating 2048/224 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:2048)\n" + " (qbits 3:224)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("2048 bit DSA key:\n", key); + gcry_sexp_release (key); + + if (verbose) + show ("creating 2048/? bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" + " (nbits 4:2048)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); + rc = gcry_pk_genkey (&key, keyparm); + gcry_sexp_release (keyparm); + if (rc) + die ("error generating DSA key: %s\n", gpg_strerror (rc)); + if (verbose > 1) + show_sexp ("2048 bit DSA key:\n", key); + gcry_sexp_release (key); } @@ -405,10 +476,14 @@ check_ecc_keys (void) { if (verbose) show ("creating ECC key using curve %s\n", curves[testno]); - if (!strcmp (curves[testno], "Ed25519")) + if (!strcmp (curves[testno], "Ed25519")) { + /* Ed25519 isn't allowed in fips mode */ + if (in_fips_mode) + continue; rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve %s)(flags param eddsa)))", curves[testno]); + } else rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve %s)(flags param)))", @@ -429,15 +504,21 @@ check_ecc_keys (void) gcry_sexp_release (key); } + if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA\n"); - rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve Ed25519)))"); + show ("creating ECC key using curve NIST P-384 for ECDSA\n"); + /* must be specified as nistp384 (one word), + because ecc_generate uses _gcry_sexp_nth_string which takes + the first word of the name and thus libgcrypt can't find it + later in its curves table + */ + rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve nistp384)))"); if (rc) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); if (rc) - die ("error generating ECC key using curve Ed25519 for ECDSA: %s\n", + die ("error generating ECC key using curve NIST P-384 for ECDSA: %s\n", gpg_strerror (rc)); if (verbose > 1) @@ -447,15 +528,15 @@ check_ecc_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA (nocomp)\n"); + show ("creating ECC key using curve NIST P-384 for ECDSA (nocomp)\n"); rc = gcry_sexp_build (&keyparm, NULL, - "(genkey(ecc(curve Ed25519)(flags nocomp)))"); + "(genkey(ecc(curve nistp384)(flags nocomp)))"); if (rc) die ("error creating S-expression: %s\n", gpg_strerror (rc)); rc = gcry_pk_genkey (&key, keyparm); gcry_sexp_release (keyparm); if (rc) - die ("error generating ECC key using curve Ed25519 for ECDSA" + die ("error generating ECC key using curve NIST P-384 for ECDSA" " (nocomp): %s\n", gpg_strerror (rc)); Index: libgcrypt-1.6.1/tests/pubkey.c =================================================================== --- libgcrypt-1.6.1.orig/tests/pubkey.c 2015-05-27 16:46:54.640042100 +0200 +++ libgcrypt-1.6.1/tests/pubkey.c 2015-05-28 13:49:46.497537668 +0200 @@ -483,8 +483,8 @@ get_dsa_key_new (gcry_sexp_t *pkey, gcry rc = gcry_sexp_new (&key_spec, transient_key - ? "(genkey (dsa (nbits 4:1024)(transient-key)))" - : "(genkey (dsa (nbits 4:1024)))", + ? "(genkey (dsa (nbits 4:2048)(transient-key)))" + : "(genkey (dsa (nbits 4:2048)))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gcry_strerror (rc)); @@ -517,7 +517,7 @@ get_dsa_key_fips186_new (gcry_sexp_t *pk int rc; rc = gcry_sexp_new - (&key_spec, "(genkey (dsa (nbits 4:1024)(use-fips186)))", 0, 1); + (&key_spec, "(genkey (dsa (nbits 4:2048)(use-fips186)))", 0, 1); if (rc) die ("error creating S-expression: %s\n", gcry_strerror (rc)); rc = gcry_pk_genkey (&key, key_spec); @@ -637,7 +637,7 @@ get_dsa_key_fips186_with_seed_new (gcry_ (&key_spec, "(genkey" " (dsa" - " (nbits 4:1024)" + " (nbits 4:3072)" " (use-fips186)" " (transient-key)" " (derive-parms" @@ -742,19 +742,26 @@ check_run (void) gcry_sexp_release (pkey); gcry_sexp_release (skey); - if (verbose) - fprintf (stderr, "Generating DSA key with given domain.\n"); - get_dsa_key_with_domain_new (&pkey, &skey); - /* Fixme: Add a check function for DSA keys. */ - gcry_sexp_release (pkey); - gcry_sexp_release (skey); + /* The given domain contains too short q for generate_fips186 */ + if (!gcry_fips_mode_active()) + { + if (verbose) + fprintf (stderr, "Generating DSA key with given domain.\n"); + get_dsa_key_with_domain_new (&pkey, &skey); + /* Fixme: Add a check function for DSA keys. */ + gcry_sexp_release (pkey); + gcry_sexp_release (skey); + } +/* FIXME*/ +/* The given domain contains too short q for generate_fips186 */ +/* if (verbose) fprintf (stderr, "Generating DSA key with given domain (FIPS 186).\n"); get_dsa_key_fips186_with_domain_new (&pkey, &skey); - /* Fixme: Add a check function for DSA keys. */ gcry_sexp_release (pkey); gcry_sexp_release (skey); +*/ if (verbose) fprintf (stderr, "Generating DSA key with given seed (FIPS 186).\n"); @@ -1240,7 +1247,8 @@ main (int argc, char **argv) check_x931_derived_key (i); check_ecc_sample_key (); - check_ed25519ecdsa_sample_key (); + if (!gcry_fips_mode_active ()) + check_ed25519ecdsa_sample_key (); return !!error_count; } Index: libgcrypt-1.6.1/tests/random.c =================================================================== --- libgcrypt-1.6.1.orig/tests/random.c 2013-12-16 18:44:32.000000000 +0100 +++ libgcrypt-1.6.1/tests/random.c 2015-05-27 16:46:54.674042503 +0200 @@ -559,8 +559,10 @@ main (int argc, char **argv) signal (SIGPIPE, SIG_IGN); #endif + /* don't switch rng in fips mode */ if (early_rng) - check_early_rng_type_switching (); + if (!gcry_fips_mode_active()) + check_early_rng_type_switching (); gcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) @@ -579,7 +581,9 @@ main (int argc, char **argv) check_nonce_forking (); check_close_random_device (); } - check_rng_type_switching (); + /* don't switch rng in fips mode */ + if (!gcry_fips_mode_active()) + check_rng_type_switching (); if (!in_recursion) run_all_rng_tests (program); Index: libgcrypt-1.6.1/tests/t-mpi-point.c =================================================================== --- libgcrypt-1.6.1.orig/tests/t-mpi-point.c 2014-01-29 10:48:38.000000000 +0100 +++ libgcrypt-1.6.1/tests/t-mpi-point.c 2015-05-28 13:55:03.836130203 +0200 @@ -543,6 +543,17 @@ context_param (void) show ("checking standard curves\n"); for (idx=0; test_curve[idx].desc; idx++) { + /* P-192 and Ed25519 are not supported in fips mode */ + if (!strcmp(test_curve[idx].desc, "NIST P-192") || + !strcmp(test_curve[idx].desc, "Ed25519")) + { + show("skipping %s\n", test_curve[idx].desc ); + continue; + } +else { + show("testing %s\n", test_curve[idx].desc ); + +} gcry_ctx_release (ctx); err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc); if (err) @@ -656,8 +667,15 @@ context_param (void) gcry_ctx_release (ctx); err = gcry_mpi_ec_new (&ctx, keyparam, NULL); if (err) - fail ("gcry_mpi_ec_new failed for sample public key: %s\n", - gpg_strerror (err)); + { + if (!gcry_fips_mode_active()) + fail ("gcry_mpi_ec_new failed for sample public key: %s\n", + gpg_strerror (err)); + else + { + show ("Skipping ed25519 in fips mode.\n"); + } + } else { gcry_sexp_t sexp; @@ -1102,8 +1120,12 @@ main (int argc, char **argv) context_alloc (); context_param (); basic_ec_math (); - basic_ec_math_simplified (); - twistededwards_math (); + + /* the tests are for P-192 and ed25519 which are not supported in FIPS mode */ + if (!gcry_fips_mode_active()) { + basic_ec_math_simplified (); + twistededwards_math (); + } show ("All tests completed. Errors: %d\n", error_count); return error_count ? 1 : 0; Index: libgcrypt-1.6.1/tests/t-kdf.c =================================================================== --- libgcrypt-1.6.1.orig/tests/t-kdf.c 2013-12-16 18:44:32.000000000 +0100 +++ libgcrypt-1.6.1/tests/t-kdf.c 2015-05-27 16:46:54.675042515 +0200 @@ -834,6 +834,10 @@ check_openpgp (void) { if (tv[tvidx].disabled) continue; + /* MD5 and SHA1 not supported in fips mode */ + if (gcry_fips_mode_active() && + tv[tvidx].hashalgo == GCRY_MD_MD5) + continue; if (verbose) fprintf (stderr, "checking S2K test vector %d\n", tvidx); assert (tv[tvidx].dklen <= sizeof outbuf); Index: libgcrypt-1.6.1/tests/dsa-rfc6979.c =================================================================== --- libgcrypt-1.6.1.orig/tests/dsa-rfc6979.c 2013-12-16 18:44:32.000000000 +0100 +++ libgcrypt-1.6.1/tests/dsa-rfc6979.c 2015-05-27 16:46:54.675042515 +0200 @@ -210,16 +210,6 @@ check_dsa_rfc6979 (void) " ))" }, { - "ECDSA, 192 bits (prime field)", - "(private-key" - " (ecdsa" - " (curve \"NIST P-192\")" - " (q #04AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56" - " 3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43#)" - " (d #6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4#)" - " ))" - }, - { "ECDSA, 224 bits (prime field)", "(private-key" " (ecdsa" @@ -442,86 +432,6 @@ check_dsa_rfc6979 (void) "89EC4BB1400ECCFF8E7D9AA515CD1DE7803F2DAFF09693EE7FD1353E90A68307", "C9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1" }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-1, message = \"sample\"", - "sha1", "sample", - "37D7CA00D2C7B0E5E412AC03BD44BA837FDD5B28CD3B0021", - "98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF", - "57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-224, message = \"sample\"", - "sha224", "sample", - "4381526B3FC1E7128F202E194505592F01D5FF4C5AF015D8", - "A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5", - "E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-256, message = \"sample\"", - "sha256", "sample", - "32B1B6D7D42A05CB449065727A84804FB1A3E34D8F261496", - "4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55", - "CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-384, message = \"sample\"", - "sha384", "sample", - "4730005C4FCB01834C063A7B6760096DBE284B8252EF4311", - "DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5", - "C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-512, message = \"sample\"", - "sha512", "sample", - "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1", - "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8", - "3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-1, message = \"test\"", - "sha1", "test", - "D9CF9C3D3297D3260773A1DA7418DB5537AB8DD93DE7FA25", - "0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D", - "EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-224, message = \"test\"", - "sha224", "test", - "F5DC805F76EF851800700CCE82E7B98D8911B7D510059FBE", - "6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34", - "B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-256, message = \"test\"", - "sha256", "test", - "5C4CE89CF56D9E7C77C8585339B006B97B5F0680B4306C6C", - "3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE", - "5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-384, message = \"test\"", - "sha384", "test", - "5AFEFB5D3393261B828DB6C91FBC68C230727B030C975693", - "B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367", - "7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A" - }, - { - "ECDSA, 192 bits (prime field)", - "With SHA-512, message = \"test\"", - "sha512", "test", - "0758753A5254759C7CFBAD2E2D9B0792EEE44136C9480527", - "FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739", - "74CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290" - }, Index: libgcrypt-1.6.1/tests/benchmark.c =================================================================== --- libgcrypt-1.6.1.orig/tests/benchmark.c 2015-05-27 16:46:54.640042100 +0200 +++ libgcrypt-1.6.1/tests/benchmark.c 2015-05-27 16:46:54.675042515 +0200 @@ -1120,6 +1120,11 @@ ecc_bench (int iterations, int print_hea is_ed25519 = !strcmp (p_sizes[testno], "Ed25519"); is_gost = !strncmp (p_sizes[testno], "gost", 4); + + /* Only P-{224,256,384,521} allowed in fips mode */ + if (gcry_fips_mode_active() && (is_ed25519 || is_gost || !strcmp (p_sizes[testno], "192"))) + continue; + if (is_ed25519) { p_size = 256; Index: libgcrypt-1.6.1/tests/curves.c =================================================================== --- libgcrypt-1.6.1.orig/tests/curves.c 2014-01-29 10:48:38.000000000 +0100 +++ libgcrypt-1.6.1/tests/curves.c 2015-05-27 16:46:54.675042515 +0200 @@ -169,6 +169,9 @@ check_get_params (void) gcry_sexp_release (param); + /* Brainpool curves not supported in fips mode */ + if (gcry_fips_mode_active()) + return; param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve); if (!param) Index: libgcrypt-1.6.1/tests/fips186-dsa.c =================================================================== --- libgcrypt-1.6.1.orig/tests/fips186-dsa.c 2013-12-16 18:44:32.000000000 +0100 +++ libgcrypt-1.6.1/tests/fips186-dsa.c 2015-05-27 16:46:54.675042515 +0200 @@ -458,7 +458,9 @@ main (int argc, char **argv) gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - check_dsa_gen_186_2 (); + /* This test has too short key length for FIPS 186-4 */ + if (!gcry_fips_mode_active()) + check_dsa_gen_186_2 (); return error_count ? 1 : 0; Index: libgcrypt-1.6.1/tests/t-ed25519.c =================================================================== --- libgcrypt-1.6.1.orig/tests/t-ed25519.c 2013-12-16 18:44:32.000000000 +0100 +++ libgcrypt-1.6.1/tests/t-ed25519.c 2015-05-27 16:46:54.675042515 +0200 @@ -548,6 +548,10 @@ main (int argc, char **argv) gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + /* Ed25519 isn't supported in fips mode */ + if (gcry_fips_mode_active()) + return 0; + start_timer (); check_ed25519 (fname); stop_timer ();
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor