diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
index a4f2e2dbbe..76701d2e2b 100644
--- a/src/crypto/rsa/pkcs1v15_test.go
+++ b/src/crypto/rsa/pkcs1v15_test.go
@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
}
func TestDecryptPKCS1v15(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
decryptionFuncs := []func([]byte) ([]byte, error){
func(ciphertext []byte) (plaintext []byte, err error) {
return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
}
func TestEncryptPKCS1v15(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
random := rand.Reader
k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
}
func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
for i, test := range decryptPKCS1v15SessionKeyTests {
key := []byte("FAIL")
err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
}
func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
for i, test := range decryptPKCS1v15SessionKeyTests {
plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
if err != nil {
@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
}
func TestShortSessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
// This tests that attempting to decrypt a session key where the
// ciphertext is too small doesn't run outside the array bounds.
ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
index b547a87c71..99e7882866 100644
--- a/src/crypto/rsa/pss_test.go
+++ b/src/crypto/rsa/pss_test.go
@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
// TestPSSGolden tests all the test vectors in pss-vect.txt from
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
func TestPSSGolden(t *testing.T) {
+ t.Skip("SHA1 not supported in boring mode")
inFile, err := os.Open("testdata/pss-vect.txt.bz2")
if err != nil {
t.Fatalf("Failed to open input file: %s", err)
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
index 9aa67655ab..2f4e666abb 100644
--- a/src/crypto/rsa/rsa_test.go
+++ b/src/crypto/rsa/rsa_test.go
@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
t.Errorf("private exponent too large")
}
- if boring.Enabled() {
- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
- msg := []byte("hi!")
- if priv.Size() >= 256 {
- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
- if err != nil {
- t.Errorf("EncryptPKCS1v15: %v", err)
- return
- }
- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
- if err != nil {
- t.Errorf("DecryptPKCS1v15: %v", err)
- return
- }
- if !bytes.Equal(dec, msg) {
- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
- }
- } else {
- t.Logf("skipping check for unsupported key less than 2048 bits")
- }
- return
- }
+ if boring.Enabled() {
+ // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
+ sha256 := sha256.New()
+ msg := []byte("hi!")
+ if priv.Size() >= 256 {
+ enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
+ if err != nil {
+ t.Errorf("EncryptOAEP: %v", err)
+ return
+ }
+ dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
+ if err != nil {
+ t.Errorf("DecryptOAEP: %v", err)
+ return
+ }
+ if !bytes.Equal(dec, msg) {
+ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+ }
+ } else {
+ t.Logf("skipping check for unsupported key less than 2048 bits")
+ }
+ return
+ }
pub := &priv.PublicKey
m := big.NewInt(42)
@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
private.PublicKey = PublicKey{N: n, E: test.e}
private.D = d
+ if boring.Enabled() && private.PublicKey.Size() < 256 {
+ t.Logf("skipping check for unsupported key less than 2048 bits")
+ continue
+ }
+ t.Logf("running check for supported key size")
for j, message := range test.msgs {
out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
if err != nil {