[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-356-gd328095
by Werner Koch
cvs at cvs.gnupg.org
Tue Mar 22 17:56:08 CET 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via d328095dd4de83b839d9d8c4bdbeec0956971016 (commit)
from 5f9b3c2e220ca6d0eaff32324a973ef67933a844 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d328095dd4de83b839d9d8c4bdbeec0956971016
Author: Werner Koch <wk at gnupg.org>
Date: Tue Mar 22 17:49:50 2016 +0100
tests: Add options --fips to keygen for manual tests.
(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539
because that is valid in FIPS mode. Check that key generation fails
for too short keys in FIPS mode.
(check_ecc_keys): Check that key generation fails for Ed25519 keys in
FIPS mode.
--
This option allows to test the FIPS mode manually for key generation.
We should eventually expand all tests to allow testing in FIPS mode in
non FIPS enabled boxes.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/tests/keygen.c b/tests/keygen.c
index 4bcea20..ebb708b 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -234,23 +234,20 @@ check_rsa_keys (void)
}
gcry_sexp_release (key);
-
if (verbose)
- show ("creating 1024 bit RSA key with e=65539\n");
+ show ("creating 2048 bit RSA key with e=65539\n");
rc = gcry_sexp_new (&keyparm,
"(genkey\n"
" (rsa\n"
- " (nbits 4:1024)\n"
+ " (nbits 4:2048)\n"
" (rsa-use-e 5:65539)\n"
" ))", 0, 1);
if (rc)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);
gcry_sexp_release (keyparm);
- if (rc && !in_fips_mode)
+ if (rc)
fail ("error generating RSA key: %s\n", gpg_strerror (rc));
- else if (!rc && in_fips_mode)
- fail ("generating RSA key must not work!");
if (!rc)
check_generated_rsa_key (key, 65539);
@@ -274,6 +271,10 @@ check_rsa_keys (void)
else if (!rc && in_fips_mode)
fail ("generating 512 bit RSA key must not work!");
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
+
if (!rc)
check_generated_rsa_key (key, 257);
gcry_sexp_release (key);
@@ -295,6 +296,11 @@ check_rsa_keys (void)
else if (!rc && in_fips_mode)
fail ("generating 512 bit RSA key must not work!");
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
+
+
if (!rc)
check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */
gcry_sexp_release (key);
@@ -517,14 +523,23 @@ check_ecc_keys (void)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);
gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
die ("error generating ECC key using curve Ed25519 for ECDSA: %s\n",
gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ fail ("generating Ed25519 key must not work!");
- if (verbose > 1)
- show_sexp ("ECC key:\n", key);
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
- check_generated_ecc_key (key);
+ if (!rc)
+ {
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+
+ check_generated_ecc_key (key);
+ }
gcry_sexp_release (key);
if (verbose)
@@ -535,10 +550,16 @@ check_ecc_keys (void)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);
gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
die ("error generating ECC key using curve Ed25519 for ECDSA"
" (nocomp): %s\n",
gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ fail ("generating Ed25519 key must not work in FIPS mode!");
+
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
if (verbose)
show ("creating ECC key using curve NIST P-384 for ECDSA\n");
@@ -589,13 +610,23 @@ check_ecc_keys (void)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);
gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
die ("error generating ECC key using curve Ed25519 for ECDSA"
" (transient-key): %s\n",
gpg_strerror (rc));
- if (verbose > 1)
- show_sexp ("ECC key:\n", key);
- check_generated_ecc_key (key);
+ else if (!rc && in_fips_mode)
+ fail ("generating Ed25519 key must not work in FIPS mode!");
+
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
+
+ if (!rc)
+ {
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+ check_generated_ecc_key (key);
+ }
gcry_sexp_release (key);
if (verbose)
@@ -608,13 +639,23 @@ check_ecc_keys (void)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);
gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
die ("error generating ECC key using curve Ed25519 for ECDSA"
" (transient-key no-keytest): %s\n",
gpg_strerror (rc));
- if (verbose > 1)
- show_sexp ("ECC key:\n", key);
- check_generated_ecc_key (key);
+ else if (!rc && in_fips_mode)
+ fail ("generating Ed25519 key must not work in FIPS mode!");
+
+ if (verbose && rc && in_fips_mode)
+ show ("... correctly rejected key creation in FIPS mode (%s)\n",
+ gpg_strerror (rc));
+
+ if (!rc)
+ {
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+ check_generated_ecc_key (key);
+ }
gcry_sexp_release (key);
}
@@ -682,6 +723,7 @@ usage (int mode)
"Options:\n"
" --verbose be verbose\n"
" --debug flyswatter\n"
+ " --fips run in FIPS mode\n"
" --progress print progress indicators\n",
mode? stderr : stdout);
if (mode)
@@ -692,6 +734,7 @@ int
main (int argc, char **argv)
{
int last_argc = -1;
+ int opt_fips = 0;
int with_progress = 0;
if (argc)
@@ -721,6 +764,11 @@ main (int argc, char **argv)
debug++;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--fips"))
+ {
+ argc--; argv++;
+ opt_fips = 1;
+ }
else if (!strcmp (*argv, "--progress"))
{
argc--; argv++;
@@ -732,9 +780,16 @@ main (int argc, char **argv)
break;
}
+ gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose);
+ if (opt_fips)
+ gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0);
+
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
- gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+
+ if (!opt_fips)
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
if (debug)
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
@@ -746,6 +801,9 @@ main (int argc, char **argv)
if ( gcry_fips_mode_active () )
in_fips_mode = 1;
+ if (opt_fips && !in_fips_mode)
+ die ("failed to switch into FIPS mode\n");
+
if (!argc)
{
check_rsa_keys ();
-----------------------------------------------------------------------
Summary of changes:
tests/keygen.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 78 insertions(+), 20 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits
More information about the Gcrypt-devel
mailing list