Blob Blame History Raw
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
index a4f2e2dbbe..76701d2e2b 100644
--- a/src/crypto/rsa/pkcs1v15_test.go
+++ b/src/crypto/rsa/pkcs1v15_test.go
@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
 }
 
 func TestDecryptPKCS1v15(t *testing.T) {
+	t.Skip("not supported in FIPS mode")
 	decryptionFuncs := []func([]byte) ([]byte, error){
 		func(ciphertext []byte) (plaintext []byte, err error) {
 			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
 }
 
 func TestEncryptPKCS1v15(t *testing.T) {
+	t.Skip("not supported in FIPS mode")
 	random := rand.Reader
 	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
 
@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
 }
 
 func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+	t.Skip("not supported in FIPS mode")
 	for i, test := range decryptPKCS1v15SessionKeyTests {
 		key := []byte("FAIL")
 		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
 }
 
 func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
+	t.Skip("not supported in FIPS mode")
 	for i, test := range decryptPKCS1v15SessionKeyTests {
 		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
 		if err != nil {
@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
 }
 
 func TestShortSessionKey(t *testing.T) {
+	t.Skip("not supported in FIPS mode")
 	// This tests that attempting to decrypt a session key where the
 	// ciphertext is too small doesn't run outside the array bounds.
 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
index b547a87c71..99e7882866 100644
--- a/src/crypto/rsa/pss_test.go
+++ b/src/crypto/rsa/pss_test.go
@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
 // TestPSSGolden tests all the test vectors in pss-vect.txt from
 // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
 func TestPSSGolden(t *testing.T) {
+	t.Skip("SHA1 not supported in boring mode")
 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
 	if err != nil {
 		t.Fatalf("Failed to open input file: %s", err)
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
index 9aa67655ab..2f4e666abb 100644
--- a/src/crypto/rsa/rsa_test.go
+++ b/src/crypto/rsa/rsa_test.go
@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
 		t.Errorf("private exponent too large")
 	}
 
-	if boring.Enabled() {
-		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
-		msg := []byte("hi!")
-		if priv.Size() >= 256 {
-			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
-			if err != nil {
-				t.Errorf("EncryptPKCS1v15: %v", err)
-				return
-			}
-			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
-			if err != nil {
-				t.Errorf("DecryptPKCS1v15: %v", err)
-				return
-			}
-			if !bytes.Equal(dec, msg) {
-				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
-			}
-		} else {
-			t.Logf("skipping check for unsupported key less than 2048 bits")
-		}
-		return
-	}
+        if boring.Enabled() {
+                // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
+		sha256 := sha256.New()
+                msg := []byte("hi!")
+                if priv.Size() >= 256 {
+                        enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
+                        if err != nil {
+                                t.Errorf("EncryptOAEP: %v", err)
+                                return
+                        }
+                        dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
+                        if err != nil {
+                                t.Errorf("DecryptOAEP: %v", err)
+                                return
+                        }
+                        if !bytes.Equal(dec, msg) {
+                                t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+                        }
+                } else {
+                        t.Logf("skipping check for unsupported key less than 2048 bits")
+                }
+                return
+        }
 
 	pub := &priv.PublicKey
 	m := big.NewInt(42)
@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
 		private.PublicKey = PublicKey{N: n, E: test.e}
 		private.D = d
 
+		if boring.Enabled() && private.PublicKey.Size() < 256 {
+			t.Logf("skipping check for unsupported key less than 2048 bits")
+			continue
+		}
+		t.Logf("running check for supported key size")
 		for j, message := range test.msgs {
 			out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
 			if err != nil {