From f736f3c70182d9c948f9105eb769c47c5578df35 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 1 Apr 2022 18:34:42 +0200 Subject: [PATCH] tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode * tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to fail in FIPS mode. Expect failure when wrong padding is selected * tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to fail in FIPS mode -- GnuPG-bug-id: 5918 Signed-off-by: Jakub Jelen --- tests/basic.c | 11 +++++++---- tests/pkcs1v2.c | 14 +++++++++++++- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/tests/basic.c b/tests/basic.c index 1c6cb40b..85764591 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, NULL, 0, 0, - 0 }, + 0, + FLAG_NOFIPS }, { GCRY_PK_RSA, "(data\n (flags pkcs1)\n" " (value #11223344556677889900AA#))\n", "(flags pkcs1)", 1, 0, - 0 }, + 0, + FLAG_NOFIPS }, { GCRY_PK_RSA, "(data\n (flags oaep)\n" " (value #11223344556677889900AA#))\n", @@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, die ("converting data failed: %s\n", gpg_strerror (rc)); rc = gcry_pk_encrypt (&ciph, data, pkey); - if (in_fips_mode && (flags & FLAG_NOFIPS)) + if (in_fips_mode && ((flags & FLAG_NOFIPS) || + (datas[dataidx].flags & FLAG_NOFIPS))) { if (!rc) fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n"); @@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo, ciph = list; } rc = gcry_pk_decrypt (&plain, ciph, skey); - if (!rc && (datas[dataidx].flags & FLAG_SPECIAL)) + if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL)) { /* It may happen that OAEP formatted data which is decrypted as pkcs#1 data returns a valid pkcs#1 diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c index f26e779b..6c7f3d81 100644 --- a/tests/pkcs1v2.c +++ b/tests/pkcs1v2.c @@ -454,7 +454,19 @@ check_v15crypt (void) gcry_free (seed); err = gcry_pk_encrypt (&ciph, plain, pub_key); - if (err) + if (in_fips_mode) + { + if (!err) + { + fail ("gcry_pk_encrypt should have failed in FIPS mode:\n"); + } + gcry_sexp_release (plain); + plain = NULL; + gcry_sexp_release (ciph); + ciph = NULL; + continue; + } + else if (err) { show_sexp ("plain:\n", ciph); fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));