tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode

Jakuje · NIIBE Yutaka · commit 1a270cda2ee5 · 2022-05-06T09:25:06.000+09:00
* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to fail in FIPS mode. Expect failure when wrong padding is selected * tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to fail in FIPS mode -- Applied the master commit of: f736f3c GnuPG-bug-id: 5918 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/tests/basic.c b/tests/basic.c
@@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
 	NULL,
 	0,
 	0,
-	0 },
+	0,
+	FLAG_NOFIPS },
       {	GCRY_PK_RSA,
         "(data\n (flags pkcs1)\n"
 	" (value #11223344556677889900AA#))\n",
 	"(flags pkcs1)",
 	1,
 	0,
-	0 },
+	0,
+	FLAG_NOFIPS },
       { GCRY_PK_RSA,
         "(data\n (flags oaep)\n"
 	" (value #11223344556677889900AA#))\n",
@@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
 	die ("converting data failed: %s\n", gpg_strerror (rc));
 
       rc = gcry_pk_encrypt (&ciph, data, pkey);
-      if (in_fips_mode && (flags & FLAG_NOFIPS))
+      if (in_fips_mode && ((flags & FLAG_NOFIPS) ||
+                           (datas[dataidx].flags & FLAG_NOFIPS)))
         {
           if (!rc)
             fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
@@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
 	      ciph = list;
 	    }
 	  rc = gcry_pk_decrypt (&plain, ciph, skey);
-          if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
+          if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL))
             {
               /* It may happen that OAEP formatted data which is
                  decrypted as pkcs#1 data returns a valid pkcs#1
diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
@@ -454,7 +454,19 @@ check_v15crypt (void)
           gcry_free (seed);
 
           err = gcry_pk_encrypt (&ciph, plain, pub_key);
-          if (err)
+          if (in_fips_mode)
+            {
+              if (!err)
+                {
+                  fail ("gcry_pk_encrypt should have failed in FIPS mode:\n");
+                }
+              gcry_sexp_release (plain);
+              plain = NULL;
+              gcry_sexp_release (ciph);
+              ciph = NULL;
+              continue;
+            }
+          else if (err)
             {
               show_sexp ("plain:\n", ciph);
               fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
