Skip to content

Commit

Permalink
tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode
Browse files Browse the repository at this point in the history
* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to
  fail in FIPS mode. Expect failure when wrong padding is selected
* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to
  fail in FIPS mode
--

GnuPG-bug-id: 5918
Signed-off-by: Jakub Jelen <[email protected]>
  • Loading branch information
Jakuje authored and NIIBE Yutaka committed Apr 21, 2022
1 parent 299e2f9 commit f736f3c
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 5 deletions.
11 changes: 7 additions & 4 deletions tests/basic.c
Original file line number Diff line number Diff line change
Expand Up @@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
NULL,
0,
0,
0 },
0,
FLAG_NOFIPS },
{ GCRY_PK_RSA,
"(data\n (flags pkcs1)\n"
" (value #11223344556677889900AA#))\n",
"(flags pkcs1)",
1,
0,
0 },
0,
FLAG_NOFIPS },
{ GCRY_PK_RSA,
"(data\n (flags oaep)\n"
" (value #11223344556677889900AA#))\n",
Expand Down Expand Up @@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
die ("converting data failed: %s\n", gpg_strerror (rc));

rc = gcry_pk_encrypt (&ciph, data, pkey);
if (in_fips_mode && (flags & FLAG_NOFIPS))
if (in_fips_mode && ((flags & FLAG_NOFIPS) ||
(datas[dataidx].flags & FLAG_NOFIPS)))
{
if (!rc)
fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
Expand Down Expand Up @@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
ciph = list;
}
rc = gcry_pk_decrypt (&plain, ciph, skey);
if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL))
{
/* It may happen that OAEP formatted data which is
decrypted as pkcs#1 data returns a valid pkcs#1
Expand Down
14 changes: 13 additions & 1 deletion tests/pkcs1v2.c
Original file line number Diff line number Diff line change
Expand Up @@ -454,7 +454,19 @@ check_v15crypt (void)
gcry_free (seed);

err = gcry_pk_encrypt (&ciph, plain, pub_key);
if (err)
if (in_fips_mode)
{
if (!err)
{
fail ("gcry_pk_encrypt should have failed in FIPS mode:\n");
}
gcry_sexp_release (plain);
plain = NULL;
gcry_sexp_release (ciph);
ciph = NULL;
continue;
}
else if (err)
{
show_sexp ("plain:\n", ciph);
fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
Expand Down

0 comments on commit f736f3c

Please sign in to comment.