35eb386c3a
Resolves: rhbz#2109180 Deprecates keys smaller than 2048 bits in TestDecryptOAEP in boring mode
125 lines
4.8 KiB
Diff
125 lines
4.8 KiB
Diff
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
|
|
index a4f2e2dbbe..76701d2e2b 100644
|
|
--- a/src/crypto/rsa/pkcs1v15_test.go
|
|
+++ b/src/crypto/rsa/pkcs1v15_test.go
|
|
@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
|
|
}
|
|
|
|
func TestDecryptPKCS1v15(t *testing.T) {
|
|
+ t.Skip("not supported in FIPS mode")
|
|
decryptionFuncs := []func([]byte) ([]byte, error){
|
|
func(ciphertext []byte) (plaintext []byte, err error) {
|
|
return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
|
|
@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
|
|
}
|
|
|
|
func TestEncryptPKCS1v15(t *testing.T) {
|
|
+ t.Skip("not supported in FIPS mode")
|
|
random := rand.Reader
|
|
k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
|
|
|
|
@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
|
|
}
|
|
|
|
func TestEncryptPKCS1v15SessionKey(t *testing.T) {
|
|
+ t.Skip("not supported in FIPS mode")
|
|
for i, test := range decryptPKCS1v15SessionKeyTests {
|
|
key := []byte("FAIL")
|
|
err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
|
|
@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
|
|
}
|
|
|
|
func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
|
|
+ t.Skip("not supported in FIPS mode")
|
|
for i, test := range decryptPKCS1v15SessionKeyTests {
|
|
plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
|
|
if err != nil {
|
|
@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
|
|
}
|
|
|
|
func TestShortSessionKey(t *testing.T) {
|
|
+ t.Skip("not supported in FIPS mode")
|
|
// This tests that attempting to decrypt a session key where the
|
|
// ciphertext is too small doesn't run outside the array bounds.
|
|
ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
|
|
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
|
|
index b547a87c71..99e7882866 100644
|
|
--- a/src/crypto/rsa/pss_test.go
|
|
+++ b/src/crypto/rsa/pss_test.go
|
|
@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
|
|
// TestPSSGolden tests all the test vectors in pss-vect.txt from
|
|
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
|
|
func TestPSSGolden(t *testing.T) {
|
|
+ t.Skip("SHA1 not supported in boring mode")
|
|
inFile, err := os.Open("testdata/pss-vect.txt.bz2")
|
|
if err != nil {
|
|
t.Fatalf("Failed to open input file: %s", err)
|
|
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
|
|
index 9aa67655ab..2f4e666abb 100644
|
|
--- a/src/crypto/rsa/rsa_test.go
|
|
+++ b/src/crypto/rsa/rsa_test.go
|
|
@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
|
|
t.Errorf("private exponent too large")
|
|
}
|
|
|
|
- if boring.Enabled() {
|
|
- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
|
|
- msg := []byte("hi!")
|
|
- if priv.Size() >= 256 {
|
|
- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
|
|
- if err != nil {
|
|
- t.Errorf("EncryptPKCS1v15: %v", err)
|
|
- return
|
|
- }
|
|
- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
|
|
- if err != nil {
|
|
- t.Errorf("DecryptPKCS1v15: %v", err)
|
|
- return
|
|
- }
|
|
- if !bytes.Equal(dec, msg) {
|
|
- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
|
|
- }
|
|
- } else {
|
|
- t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
- }
|
|
- return
|
|
- }
|
|
+ if boring.Enabled() {
|
|
+ // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
|
|
+ sha256 := sha256.New()
|
|
+ msg := []byte("hi!")
|
|
+ if priv.Size() >= 256 {
|
|
+ enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
|
|
+ if err != nil {
|
|
+ t.Errorf("EncryptOAEP: %v", err)
|
|
+ return
|
|
+ }
|
|
+ dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
|
|
+ if err != nil {
|
|
+ t.Errorf("DecryptOAEP: %v", err)
|
|
+ return
|
|
+ }
|
|
+ if !bytes.Equal(dec, msg) {
|
|
+ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
|
|
+ }
|
|
+ } else {
|
|
+ t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
+ }
|
|
+ return
|
|
+ }
|
|
|
|
pub := &priv.PublicKey
|
|
m := big.NewInt(42)
|
|
@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
|
|
private.PublicKey = PublicKey{N: n, E: test.e}
|
|
private.D = d
|
|
|
|
+ if boring.Enabled() && private.PublicKey.Size() < 256 {
|
|
+ t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
+ continue
|
|
+ }
|
|
+ t.Logf("running check for supported key size")
|
|
for j, message := range test.msgs {
|
|
out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
|
|
if err != nil {
|