File libgcrypt-FIPS-fix-regression-tests.patch of Package libgcrypt

Overview Repositories Revisions Requests Users Attributes Meta

File libgcrypt-FIPS-fix-regression-tests.patch of Package libgcrypt

Index: libgcrypt-1.9.4/cipher/pubkey.c
===================================================================
--- libgcrypt-1.9.4.orig/cipher/pubkey.c
+++ libgcrypt-1.9.4/cipher/pubkey.c
@@ -224,7 +224,7 @@ check_pubkey_algo (int algo, unsigned us
   gcry_pk_spec_t *spec;
 
   spec = spec_from_algo (algo);
-  if (spec)
+  if (spec && !spec->flags.disabled)
     {
       if (((use & GCRY_PK_USAGE_SIGN)
 	   && (! (spec->use & GCRY_PK_USAGE_SIGN)))
From 44c7c41af21c668826280abfee1257853020ba2d Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 16 Aug 2021 12:41:11 +0900
Subject: [PATCH 161/200] tests: Skip tests when FIPS for keygrip computations.

* tests/keygrip.c (check): Skip non-FIPS curves when FIPS.
(main): Check if FIPS is enabled.

GnuPG-bug-id: 5520
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 tests/keygrip.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/tests/keygrip.c b/tests/keygrip.c
index cfccc06e..49bd71bc 100644
--- a/tests/keygrip.c
+++ b/tests/keygrip.c
@@ -33,6 +33,9 @@
 
 static int repetitions;
 
+/* Whether fips mode was active at startup.  */
+static int in_fips_mode;
+
 
 
 static void
@@ -54,6 +57,7 @@ static struct
   int algo;
   const char *key;
   const unsigned char grip[20];
+  int skip_when_fips;
 } key_grips[] =
   {
     {
@@ -155,7 +159,8 @@ static struct
       /*   */"436DD11A1756AFE56CD93408410FCDA9"
       /*   */"BA95024EB613BD481A14FCFEC27A448A#)))",
       "\x52\xBA\xD4\xB4\xA3\x2D\x32\xA1\xDD\x06"
-      "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4"
+      "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4",
+      1
     },
     { /* Compressed form of above.  */
       GCRY_PK_ECC,
@@ -165,7 +170,8 @@ static struct
       " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
       /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))",
       "\x52\xBA\xD4\xB4\xA3\x2D\x32\xA1\xDD\x06"
-      "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4"
+      "\x5E\x99\x0B\xF1\xAB\xC1\x13\x3D\x84\xD4",
+      1
     },
     {
       GCRY_PK_ECC,
@@ -177,7 +183,8 @@ static struct
       /*   */"9EBBA41915313417BA54218EB0569C59"
       /*   */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
       "\x99\x38\x6A\x82\x41\x96\x29\x9C\x89\x74"
-      "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F"
+      "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
+      1
     },
     { /* Compressed form of above.  */
       GCRY_PK_ECC,
@@ -187,7 +194,8 @@ static struct
       " (q #035B784CA008EE64AB3D85017EE0D2BE87"
       /*   */"558762C7300E0C8E06B1F9AF7C031458#)))",
       "\x99\x38\x6A\x82\x41\x96\x29\x9C\x89\x74"
-      "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F"
+      "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
+      1
     },
     { /* Ed25519 standard */
       GCRY_PK_ECC,
@@ -199,7 +207,8 @@ static struct
       "     47BD24842905C049257673B3F5249524E0A41FAA17B25B818D0F97E625F1A1D0#)"
       "     ))",
       "\x0C\xCA\xB2\xFD\x48\x9A\x33\x40\x2C\xE8"
-      "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1"
+      "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1",
+      1
     },
     { /* Ed25519+EdDSA */
       GCRY_PK_ECC,
@@ -209,7 +218,8 @@ static struct
       " (q #773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)"
       " ))",
       "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
-      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+      1
     },
     { /* Ed25519+EdDSA (with compression prefix) */
       GCRY_PK_ECC,
@@ -220,7 +230,8 @@ static struct
       "     773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)"
       " ))",
       "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
-      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+      1
     },
     { /* Ed25519+EdDSA  (same but uncompressed)*/
       GCRY_PK_ECC,
@@ -232,7 +243,8 @@ static struct
       "     5bb7c29018ece0f46b01f2960e99041a5779afe7e2292b65f9d51f8c84723e77#)"
       " ))",
       "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70"
-      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47"
+      "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47",
+      1
     },
     { /* Cv25519 */
       GCRY_PK_ECC,
@@ -243,7 +255,8 @@ static struct
       "     918C1733127F6BF2646FAE3D081A18AE77111C903B906310B077505EFFF12740#)"
       " ))",
       "\x0F\x89\xA5\x65\xD3\xEA\x18\x7C\xE8\x39"
-      "\x33\x23\x98\xF5\xD4\x80\x67\x7D\xF4\x9C"
+      "\x33\x23\x98\xF5\xD4\x80\x67\x7D\xF4\x9C",
+      1
     },
     { /* Random key  */
       GCRY_PK_RSA,
@@ -280,6 +293,9 @@ check (void)
 
   for (i = 0; i < (sizeof (key_grips) / sizeof (*key_grips)); i++)
     {
+      if (in_fips_mode && key_grips[i].skip_when_fips)
+        continue;
+
       if (gcry_pk_test_algo (key_grips[i].algo))
         {
           if (verbose)
@@ -379,6 +395,9 @@ main (int argc, char **argv)
   if (debug)
     xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
 
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
+
   check ();
 
   return 0;
-- 
2.33.0

From 3026148331523ec7ca81031339b5629431cafa23 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Jul 2021 09:20:18 +0200
Subject: tests: Expect curves 25519/448 to fail in FIPS mode

* tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS
  mode.
  (test_cv_x25519, test_it): Ditto.
  (main) Detect FIPS mode.
* tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS
  mode.
  (main) Detect FIPS mode.
* tests/t-ed448.c (one_test): Expect the operation to fail in FIPS
  mode.
  (main) Detect FIPS mode.
* tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS
  mode.
  (test_cv_x448, test_cv): Ditto.
  (main) Detect FIPS mode.
--
The ed25519, ed448, cv25519 and cv448 curves are not available in FIPS
mode. Some of the tests already skipped these, but it is always better
to make sure thy are failing, rather than just skipping these.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/t-cv25519.c | 37 +++++++++++++++++++++++++++++++++++--
 tests/t-ed25519.c | 18 ++++++++++++++----
 tests/t-ed448.c   | 18 ++++++++++++++----
 tests/t-x448.c    | 41 +++++++++++++++++++++++++++++++++++++----
 4 files changed, 100 insertions(+), 14 deletions(-)

diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c
index 0de50a02..b4126f4c 100644
--- a/tests/t-cv25519.c
+++ b/tests/t-cv25519.c
@@ -33,6 +33,7 @@
 #include "t-common.h"
 #define N_TESTS 18
 
+static int in_fips_mode = 0;
 
 static void
 print_mpi (const char *text, gcry_mpi_t a)
@@ -188,7 +189,17 @@ test_cv_hl (int testno, const char *k_str, const char *u_str,
   xfree (buffer);
   buffer = NULL;
 
-  if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk)))
+  err = gcry_pk_encrypt (&s_result, s_data, s_pk);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_pk_encrypt failed for test %d: %s", testno,
           gpg_strerror (err));
 
@@ -281,7 +292,17 @@ test_cv_x25519 (int testno, const char *k_str, const char *u_str,
       goto leave;
     }
 
-  if ((err = gcry_ecc_mul_point (algo, result, scalar, point)))
+  err = gcry_ecc_mul_point (algo, result, scalar, point);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_ecc_mul_point failed for test %d: %s", testno,
           gpg_strerror (err));
 
@@ -335,6 +356,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
     info ("Running test %d: iteration=%d\n", testno, iter);
 
   gcry_mpi_ec_new (&ctx, NULL, "Curve25519");
+  if (in_fips_mode)
+    {
+      if (ctx)
+        fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      return;
+    }
   Q = gcry_mpi_point_new (0);
 
   if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32)
@@ -640,6 +670,9 @@ main (int argc, char **argv)
   xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
   xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
 
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
+
   start_timer ();
   check_cv25519 ();
   stop_timer ();
diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c
index a5271c25..567bc797 100644
--- a/tests/t-ed25519.c
+++ b/tests/t-ed25519.c
@@ -36,6 +36,7 @@
 static int sign_with_pk;
 static int no_verify;
 static int custom_data_file;
+static int in_fips_mode = 0;
 
 
 static void
@@ -271,7 +272,17 @@ one_test (int testno, const char *sk, const char *pk,
       goto leave;
     }
 
-  if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk)))
+  err = gcry_pk_sign (&s_sig, s_msg, s_sk);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err));
   if (debug)
     show_sexp ("sig=", s_sig);
@@ -481,9 +492,8 @@ main (int argc, char **argv)
   xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
   xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
 
-  /* Ed25519 isn't supported in fips mode */
-  if (gcry_fips_mode_active())
-    return 77;
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
 
   start_timer ();
   check_ed25519 (fname);
diff --git a/tests/t-ed448.c b/tests/t-ed448.c
index 1f445ffc..f38cd10c 100644
--- a/tests/t-ed448.c
+++ b/tests/t-ed448.c
@@ -36,6 +36,7 @@
 static int sign_with_pk;
 static int no_verify;
 static int custom_data_file;
+static int in_fips_mode = 0;
 
 
 static void
@@ -302,7 +303,17 @@ one_test (int testno, int ph, const char *sk, const char *pk,
         }
     }
 
-  if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk)))
+  err = gcry_pk_sign (&s_sig, s_msg, s_sk);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err));
   if (debug)
     show_sexp ("sig=", s_sig);
@@ -521,9 +532,8 @@ main (int argc, char **argv)
   xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
   xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
 
-  /* Ed448 isn't supported in fips mode */
-  if (gcry_fips_mode_active())
-    return 77;
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
 
   start_timer ();
   check_ed448 (fname);
diff --git a/tests/t-x448.c b/tests/t-x448.c
index 5c3cbeb9..cc4b10fc 100644
--- a/tests/t-x448.c
+++ b/tests/t-x448.c
@@ -34,6 +34,7 @@
 #include "t-common.h"
 #define N_TESTS 9
 
+static int in_fips_mode = 0;
 
 static void
 print_mpi (const char *text, gcry_mpi_t a)
@@ -179,8 +180,18 @@ test_cv_hl (int testno, const char *k_str, const char *u_str,
   xfree (buffer);
   buffer = NULL;
 
-  if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk)))
-    fail ("gcry_pk_encrypt failed for test %d: %s", testno,
+  err = gcry_pk_encrypt (&s_result, s_data, s_pk);
+  if (in_fips_mode)
+    {
+      if (!err)
+        fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
+    fail ("gcry_pk_encrypt goto leavefailed for test %d: %s", testno,
           gpg_strerror (err));
 
   s_tmp = gcry_sexp_find_token (s_result, "s", 0);
@@ -257,7 +268,17 @@ test_cv_x448 (int testno, const char *k_str, const char *u_str,
       goto leave;
     }
 
-  if ((err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point)))
+  err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point);
+  if (in_fips_mode)
+    {
+      if (err != GPG_ERR_NOT_SUPPORTED)
+        fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d: %s",
+              testno, gpg_strerror (err));
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      goto leave;
+    }
+  if (err)
     fail ("gcry_ecc_mul_point failed for test %d: %s", testno,
           gpg_strerror (err));
 
@@ -296,7 +317,7 @@ test_cv (int testno, const char *k_str, const char *u_str,
 static void
 test_it (int testno, const char *k_str, int iter, const char *result_str)
 {
-  gcry_ctx_t ctx;
+  gcry_ctx_t ctx = NULL;
   gpg_error_t err;
   void *buffer = NULL;
   size_t buflen;
@@ -311,6 +332,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
     info ("Running test %d: iteration=%d\n", testno, iter);
 
   gcry_mpi_ec_new (&ctx, NULL, "X448");
+  if (in_fips_mode)
+    {
+      if (ctx)
+        fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d",
+              testno);
+      if (verbose > 1)
+        info ("not executed in FIPS mode\n");
+      return;
+    }
   Q = gcry_mpi_point_new (0);
 
   if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 56)
@@ -583,6 +613,9 @@ main (int argc, char **argv)
   xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0));
   xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
 
+  if (gcry_fips_mode_active ())
+    in_fips_mode = 1;
+
   start_timer ();
   check_x448 ();
   stop_timer ();
-- 
2.33.0

Places

File libgcrypt-FIPS-fix-regression-tests.patch of Package libgcrypt

Places