Index: b/tests/basic.c
===================================================================
--- b/tests/basic.c
+++ b/tests/basic.c
@@ -7812,7 +7812,7 @@
 if (verbose)
 fprintf (stderr, " generating RSA key:");
 rc = gcry_sexp_new (&key_spec,
- in_fips_mode ? "(genkey (rsa (nbits 4:1024)))"
+ in_fips_mode ? "(genkey (rsa (nbits 4:2048)))"
 : "(genkey (rsa (nbits 4:1024)(transient-key)))",
 0, 1);
 if (rc)
Index: b/tests/benchmark.c
===================================================================
--- b/tests/benchmark.c
+++ b/tests/benchmark.c
@@ -1085,15 +1085,22 @@
 gcry_sexp_t data;
 gcry_sexp_t sig = NULL;
 int count;
+ unsigned nbits = p_sizes[testno];
- printf ("RSA %3d bit ", p_sizes[testno]);
+ printf ("RSA %3d bit ", nbits);
 fflush (stdout);
+ if (in_fips_mode && !(nbits == 2048 || nbits == 3072))
+ {
+ puts ("[skipped in fips mode]");
+ continue;
+ }
+
 err = gcry_sexp_build (&key_spec, NULL, gcry_fips_mode_active () ? "(genkey (RSA (nbits %d)))" : "(genkey (RSA (nbits %d)(transient-key)))",
- p_sizes[testno]);
+ nbits);
 if (err)
 die ("creating S-expression failed: %s\n", gcry_strerror (err));
@@ -1101,7 +1108,7 @@
 err = gcry_pk_genkey (&key_pair, key_spec);
 if (err)
 die ("creating %d bit RSA key failed: %s\n",
- p_sizes[testno], gcry_strerror (err));
+ nbits, gcry_strerror (err));
 pub_key = gcry_sexp_find_token (key_pair, "public-key", 0);
 if (! pub_key)
@@ -1116,8 +1123,8 @@
 printf (" %s", elapsed_time (1));
 fflush (stdout);
- x = gcry_mpi_new (p_sizes[testno]);
- gcry_mpi_randomize (x, p_sizes[testno]-8, GCRY_WEAK_RANDOM);
+ x = gcry_mpi_new (nbits);
+ gcry_mpi_randomize (x, nbits-8, GCRY_WEAK_RANDOM);
 err = gcry_sexp_build (&data, NULL, "(data (flags raw) (value %m))", x);
 gcry_mpi_release (x);
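Review bot: The FIPS branch now hard-codes 2048 bits with no comment saying why the two branches differ, so the next reader has to rediscover that FIPS mode rejects 1024-bit RSA key generation (keygen.c on this page now asserts exactly that); a one-line comment above the `gcry_sexp_new` call would carry it, e.g. `/* FIPS mode only permits 2048/3072 bit RSA keys; use the smallest allowed size there. */`. The allowed-size rule is written as `nbits == 2048 || nbits == 3072` in benchmark.c and as `nbits < 2048` in pubkey.c in this same patch, so the three places disagree on whether sizes above 3072 count as FIPS-approved; pick one criterion and name it in the comment. The enclosing function starts and ends outside the hunk.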
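Review bot: The new skip check reads the test-local `in_fips_mode` flag while the `gcry_sexp_build` call a few lines below decides the same thing with `gcry_fips_mode_active ()`, so the hunk now carries two sources of truth for one condition; use one of them in both places. `nbits` is declared `unsigned` but is printed with `%3d` here and with `%d` in the `die` call of the -1101 hunk, a format/argument mismatch — `%3u` and `%u` match the type, or keep `nbits` as `int` if `p_sizes` is an int array (its declaration is outside the hunk). The `continue` runs before anything is allocated in this iteration, so it leaks nothing, but a comment such as `/* FIPS mode only approves 2048 and 3072 bit RSA key generation. */` above the check would explain the allow-list.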
@@ -1155,8 +1162,8 @@
 if (no_blinding)
 {
 fflush (stdout);
- x = gcry_mpi_new (p_sizes[testno]);
- gcry_mpi_randomize (x, p_sizes[testno]-8, GCRY_WEAK_RANDOM);
+ x = gcry_mpi_new (nbits);
+ gcry_mpi_randomize (x, nbits-8, GCRY_WEAK_RANDOM);
 err = gcry_sexp_build (&data, NULL, "(data (flags no-blinding) (value %m))", x);
 gcry_mpi_release (x);
Index: b/tests/keygen.c
===================================================================
--- b/tests/keygen.c
+++ b/tests/keygen.c
@@ -40,6 +40,7 @@
 static int verbose;
 static int debug;
 static int error_count;
+static int in_fips_mode;
 static void
@@ -63,7 +64,7 @@
 va_list arg_ptr;
 fflush (stdout);
- fprintf (stderr, "%s: ", PGM);
+ fprintf (stderr, "FAIL %s: ", PGM);
 /* if (wherestr) */
 /* fprintf (stderr, "%s: ", wherestr); */
 va_start (arg_ptr, format);
@@ -196,11 +197,11 @@
 int rc;
 if (verbose)
- show ("creating 1024 bit RSA key\n");
+ show ("creating 2048 bit RSA key\n");
 rc = gcry_sexp_new (&keyparm,
 "(genkey\n"
 " (rsa\n"
- " (nbits 4:1024)\n"
+ " (nbits 4:2048)\n"
 " ))", 0, 1);
 if (rc)
 die ("error creating S-expression: %s\n", gpg_strerror (rc));
@@ -208,9 +209,29 @@
 gcry_sexp_release (keyparm);
 if (rc)
 die ("error generating RSA key: %s\n", gpg_strerror (rc));
- if (verbose > 1)
- show_sexp ("1024 bit RSA key:\n", key);
- check_generated_rsa_key (key, 65537);
+
+ if (verbose)
+ show ("creating 1024 bit RSA key\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (rsa\n"
+ " (nbits 4:1024)\n"
+ " ))", 0, 1);
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc && !in_fips_mode)
+ fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ fail ("generating 1024 bit RSA key must not work!");
+
+ if (!rc)
+ {
+ if (verbose > 1)
+ show_sexp ("1024 bit RSA key:\n", key);
+ check_generated_rsa_key (key, 65537);
+ }
 gcry_sexp_release (key);
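Review bot: The 2048-bit key generated just above this hunk is no longer checked or released: the removed `show_sexp`/`check_generated_rsa_key (key, 65537)` lines were the only validation of that key, and the added `rc = gcry_pk_genkey (&key, keyparm);` overwrites `key` without a `gcry_sexp_release (key)` first, so the test now leaks one key per run and never verifies the 2048-bit result at all. Keep the validation for the 2048-bit key and release it before the variable is reused (code below). Whether `key` is reset to NULL when the 1024-bit generation fails in FIPS mode depends on `gcry_pk_genkey`, which is not visible here; clearing it yourself before that call keeps the final `gcry_sexp_release (key)` safe either way. The enclosing function starts and ends outside the hunk.
```c
  if (rc)
    die ("error generating RSA key: %s\n", gpg_strerror (rc));
  if (verbose > 1)
    show_sexp ("2048 bit RSA key:\n", key);
  check_generated_rsa_key (key, 65537);
  gcry_sexp_release (key);
  key = NULL;

  /* … unchanged: 1024 bit RSA key generation and FIPS expectation checks … */
```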
@@ -226,10 +247,13 @@
 die ("error creating S-expression: %s\n", gpg_strerror (rc));
 rc = gcry_pk_genkey (&key, keyparm);
 gcry_sexp_release (keyparm);
- if (rc)
- die ("error generating RSA key: %s\n", gpg_strerror (rc));
+ if (rc && !in_fips_mode)
+ fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ fail ("generating 512 bit RSA key must not work!");
- check_generated_rsa_key (key, 257);
+ if (!rc)
+ check_generated_rsa_key (key, 257);
 gcry_sexp_release (key);
 if (verbose)
@@ -244,10 +268,13 @@
 die ("error creating S-expression: %s\n", gpg_strerror (rc));
 rc = gcry_pk_genkey (&key, keyparm);
 gcry_sexp_release (keyparm);
- if (rc)
- die ("error generating RSA key: %s\n", gpg_strerror (rc));
+ if (rc && !in_fips_mode)
+ fail ("error generating RSA key: %s\n", gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ fail ("generating 512 bit RSA key must not work!");
- check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */
+ if (!rc)
+ check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */
 gcry_sexp_release (key);
 }
@@ -299,8 +326,10 @@
 die ("error creating S-expression: %s\n", gpg_strerror (rc));
 rc = gcry_pk_genkey (&key, keyparm);
 gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
 die ("error generating DSA key: %s\n", gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ die ("generating 512 bit DSA key must not work!");
 if (!i && verbose > 1)
 show_sexp ("1024 bit DSA key:\n", key);
 gcry_sexp_release (key);
@@ -318,8 +347,10 @@
 die ("error creating S-expression: %s\n", gpg_strerror (rc));
 rc = gcry_pk_genkey (&key, keyparm);
 gcry_sexp_release (keyparm);
- if (rc)
+ if (rc && !in_fips_mode)
 die ("error generating DSA key: %s\n", gpg_strerror (rc));
+ else if (!rc && in_fips_mode)
+ die ("generating 1536 bit DSA key must not work!");
 if (verbose > 1)
 show_sexp ("1536 bit DSA key:\n", key);
 gcry_sexp_release (key);
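Review bot: The four-line `if (rc && !in_fips_mode) … else if (!rc && in_fips_mode) …` block is now repeated five times in keygen.c (this hunk, -244, -299, -318 and the 1024-bit RSA hunk), and the RSA copies report through `fail` while the DSA copies use `die`, so a FIPS regression in DSA aborts the whole run but the same regression in RSA only counts an error; pick one outcome and factor the check into a small static helper, e.g. `static void check_fips_keygen (int rc, const char *desc)` called as `check_fips_keygen (rc, "512 bit RSA key")`. The surrounding function starts and ends outside the hunk.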
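Review bot: The added message `die ("generating 512 bit DSA key must not work!");` in the -299 hunk names the wrong size: the `show_sexp ("1024 bit DSA key:\n", key)` two lines below shows this loop generates 1024-bit DSA keys, so a FIPS failure here would be reported against a size that is not under test. Change it to `die ("generating 1024 bit DSA key must not work!");`. Note also that `show_sexp` is still reached on the expected-failure path in FIPS mode, unlike the RSA hunks which guard it with `if (!rc)`; what `key` holds after a failed `gcry_pk_genkey` is not visible here, so a matching `if (!rc)` guard is the safe choice.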
@@ -586,6 +617,9 @@
 break;
 }
+ if ( gcry_fips_mode_active () )
+ in_fips_mode = 1;
+
 if (!gcry_check_version (GCRYPT_VERSION))
 die ("version mismatch\n");
 gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
Index: b/tests/pubkey.c
===================================================================
--- b/tests/pubkey.c
+++ b/tests/pubkey.c
@@ -165,6 +165,33 @@
 gcry_free (buf);
 }
+/* from ../cipher/pubkey-util.c */
+gpg_err_code_t
+_gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits)
+{
+ char buf[50];
+ const char *s;
+ size_t n;
+
+ *r_nbits = 0;
+
+ list = gcry_sexp_find_token (list, "nbits", 0);
+ if (!list)
+ return 0; /* No NBITS found. */
+
+ s = gcry_sexp_nth_data (list, 1, &n);
+ if (!s || n >= DIM (buf) - 1 )
+ {
+ /* NBITS given without a cdr. */
+ gcry_sexp_release (list);
+ return GPG_ERR_INV_OBJ;
+ }
+ memcpy (buf, s, n);
+ buf[n] = 0;
+ *r_nbits = (unsigned int)strtoul (buf, NULL, 0);
+ gcry_sexp_release (list);
+ return 0;
+}
 /* Convert STRING consisting of hex characters into its binary representation and return it as an allocated buffer. The valid
@@ -903,8 +930,8 @@
 }
 };
 gpg_error_t err;
- gcry_sexp_t key_spec, key, pub_key, sec_key;
- gcry_mpi_t d_expected, d_have;
+ gcry_sexp_t key_spec = NULL, key = NULL, pub_key = NULL, sec_key = NULL;
+ gcry_mpi_t d_expected = NULL, d_have = NULL;
 if (what < 0 && what >= sizeof testtable)
 die ("invalid WHAT value\n");
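Review bot: `gcry_fips_mode_active ()` is queried before `gcry_check_version (GCRYPT_VERSION)`, the call that initializes libgcrypt; whether the FIPS flag is already meaningful at that point is not visible here, but the library documents `gcry_check_version` as the required first call, so the safer order is to set `in_fips_mode` after the version check and after the initialization `gcry_control` calls that follow it. Moving the two added lines below `die ("version mismatch\n");` is a three-line change. The spacing in `if ( gcry_fips_mode_active () )` also differs from the rest of the file, which writes `if (expr)`. The enclosing `main` starts and ends outside the hunk.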
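Review bot: The copied helper in the -165 hunk of pubkey.c is defined with external linkage under the library's internal name `_gcry_pk_util_get_nbits`; a file-scope identifier starting with an underscore is reserved in C, and if the test binary is ever linked against a static libgcrypt the two definitions would collide. Make it `static` and give it a test-local name, e.g. `static gpg_err_code_t get_nbits (gcry_sexp_t list, unsigned int *r_nbits)`, keeping the `/* from ../cipher/pubkey-util.c */` note. A comment above the definition should also record that a spec without an `nbits` token returns 0 with `*r_nbits = 0`, so callers cannot tell "absent" from success by the return code alone, and that `strtoul (buf, NULL, 0)` does no range or syntax checking, both as in the original.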
@@ -913,10 +940,25 @@
 if (err)
 die ("error creating S-expression [%d]: %s\n", what, gpg_strerror (err));
+ {
+ unsigned nbits;
+ err = _gcry_pk_util_get_nbits(key_spec, &nbits);
+ if (err)
+ die ("nbits not found\n");
+ if (gcry_fips_mode_active() && nbits < 2048)
+ {
+ info("RSA key test with %d bits skipped in fips mode\n", nbits);
+ goto leave;
+ }
+ }
+
 err = gcry_pk_genkey (&key, key_spec);
 gcry_sexp_release (key_spec);
 if (err)
- die ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err));
+ {
+ fail ("error generating RSA key [%d]: %s\n", what, gpg_strerror (err));
+ goto leave;
+ }
 pub_key = gcry_sexp_find_token (key, "public-key", 0);
 if (!pub_key)
@@ -942,6 +984,7 @@
 show_sexp (NULL, sec_key);
 die ("parameter d does match expected value [%d]\n", what);
 }
+leave:
 gcry_mpi_release (d_expected);
 gcry_mpi_release (d_have);
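Review bot: The skip path jumps to `leave` after `key_spec` has been built but before the existing `gcry_sexp_release (key_spec);`, so in FIPS mode every sub-2048 test table entry leaks its S-expression unless the code after `leave:` (outside the hunk) releases it — and if it does, the normal path, which releases `key_spec` without clearing it, would then release it twice. Release and clear it on the skip path: `gcry_sexp_release (key_spec); key_spec = NULL; goto leave;`. Separately, `die ("nbits not found\n")` is misleading: per the copied helper a missing `nbits` token returns 0 with `nbits == 0`, which in FIPS mode silently skips the entry rather than dying, so `if (err || !nbits)` expresses the intended check provided every testtable entry carries `nbits`; and `info` prints the `unsigned` `nbits` with `%d` where `%u` matches. The enclosing function starts before and ends after the hunk.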