|
 |
9fd32d |
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
|
|
|
9fd32d |
index a4f2e2dbbe..76701d2e2b 100644
|
|
|
9fd32d |
--- a/src/crypto/rsa/pkcs1v15_test.go
|
|
|
9fd32d |
+++ b/src/crypto/rsa/pkcs1v15_test.go
|
|
|
9fd32d |
@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
func TestDecryptPKCS1v15(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("not supported in FIPS mode")
|
|
|
9fd32d |
decryptionFuncs := []func([]byte) ([]byte, error){
|
|
|
9fd32d |
func(ciphertext []byte) (plaintext []byte, err error) {
|
|
|
9fd32d |
return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
|
|
|
9fd32d |
@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
func TestEncryptPKCS1v15(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("not supported in FIPS mode")
|
|
|
9fd32d |
random := rand.Reader
|
|
|
9fd32d |
k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
|
|
|
9fd32d |
|
|
|
9fd32d |
@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
func TestEncryptPKCS1v15SessionKey(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("not supported in FIPS mode")
|
|
|
9fd32d |
for i, test := range decryptPKCS1v15SessionKeyTests {
|
|
|
9fd32d |
key := []byte("FAIL")
|
|
|
9fd32d |
err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
|
|
|
9fd32d |
@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("not supported in FIPS mode")
|
|
|
9fd32d |
for i, test := range decryptPKCS1v15SessionKeyTests {
|
|
|
9fd32d |
plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
|
|
|
9fd32d |
if err != nil {
|
|
|
9fd32d |
@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
func TestShortSessionKey(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("not supported in FIPS mode")
|
|
|
9fd32d |
// This tests that attempting to decrypt a session key where the
|
|
|
9fd32d |
// ciphertext is too small doesn't run outside the array bounds.
|
|
|
9fd32d |
ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
|
|
|
9fd32d |
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
|
|
|
9fd32d |
index b547a87c71..99e7882866 100644
|
|
|
9fd32d |
--- a/src/crypto/rsa/pss_test.go
|
|
|
9fd32d |
+++ b/src/crypto/rsa/pss_test.go
|
|
|
9fd32d |
@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
|
|
|
9fd32d |
// TestPSSGolden tests all the test vectors in pss-vect.txt from
|
|
|
9fd32d |
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
|
|
|
9fd32d |
func TestPSSGolden(t *testing.T) {
|
|
|
9fd32d |
+ t.Skip("SHA1 not supported in boring mode")
|
|
|
9fd32d |
inFile, err := os.Open("testdata/pss-vect.txt.bz2")
|
|
|
9fd32d |
if err != nil {
|
|
|
9fd32d |
t.Fatalf("Failed to open input file: %s", err)
|
|
|
9fd32d |
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
|
|
|
9fd32d |
index 9aa67655ab..2f4e666abb 100644
|
|
|
9fd32d |
--- a/src/crypto/rsa/rsa_test.go
|
|
|
9fd32d |
+++ b/src/crypto/rsa/rsa_test.go
|
|
|
9fd32d |
@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
|
|
|
9fd32d |
t.Errorf("private exponent too large")
|
|
|
9fd32d |
}
|
|
|
9fd32d |
|
|
|
9fd32d |
- if boring.Enabled() {
|
|
|
9fd32d |
- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
|
|
|
9fd32d |
- msg := []byte("hi!")
|
|
|
9fd32d |
- if priv.Size() >= 256 {
|
|
|
9fd32d |
- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
|
|
|
9fd32d |
- if err != nil {
|
|
|
9fd32d |
- t.Errorf("EncryptPKCS1v15: %v", err)
|
|
|
9fd32d |
- return
|
|
|
9fd32d |
- }
|
|
|
9fd32d |
- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
|
|
|
9fd32d |
- if err != nil {
|
|
|
9fd32d |
- t.Errorf("DecryptPKCS1v15: %v", err)
|
|
|
9fd32d |
- return
|
|
|
9fd32d |
- }
|
|
|
9fd32d |
- if !bytes.Equal(dec, msg) {
|
|
|
9fd32d |
- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
|
|
|
9fd32d |
- }
|
|
|
9fd32d |
- } else {
|
|
|
9fd32d |
- t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
|
9fd32d |
- }
|
|
|
9fd32d |
- return
|
|
|
9fd32d |
- }
|
|
|
9fd32d |
+ if boring.Enabled() {
|
|
|
9fd32d |
+ // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
|
|
|
9fd32d |
+ sha256 := sha256.New()
|
|
|
9fd32d |
+ msg := []byte("hi!")
|
|
|
9fd32d |
+ if priv.Size() >= 256 {
|
|
|
9fd32d |
+ enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
|
|
|
9fd32d |
+ if err != nil {
|
|
|
9fd32d |
+ t.Errorf("EncryptOAEP: %v", err)
|
|
|
9fd32d |
+ return
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
+ dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
|
|
|
9fd32d |
+ if err != nil {
|
|
|
9fd32d |
+ t.Errorf("DecryptOAEP: %v", err)
|
|
|
9fd32d |
+ return
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
+ if !bytes.Equal(dec, msg) {
|
|
|
9fd32d |
+ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
+ } else {
|
|
|
9fd32d |
+ t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
+ return
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
|
|
|
9fd32d |
pub := &priv.PublicKey
|
|
|
9fd32d |
m := big.NewInt(42)
|
|
|
9fd32d |
@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
|
|
|
9fd32d |
private.PublicKey = PublicKey{N: n, E: test.e}
|
|
|
9fd32d |
private.D = d
|
|
|
9fd32d |
|
|
|
9fd32d |
+ if boring.Enabled() && private.PublicKey.Size() < 256 {
|
|
|
9fd32d |
+ t.Logf("skipping check for unsupported key less than 2048 bits")
|
|
|
9fd32d |
+ continue
|
|
|
9fd32d |
+ }
|
|
|
9fd32d |
+ t.Logf("running check for supported key size")
|
|
|
9fd32d |
for j, message := range test.msgs {
|
|
|
9fd32d |
out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
|
|
|
9fd32d |
if err != nil {
|