
Commit 2ff2bc5

committed
fix openssl3 in fips mode
1 parent c8ac68f commit 2ff2bc5


1 file changed

+34
-18
lines changed


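--- a/dsa_test.go
+++ b/dsa_test.go
@@ -3,6 +3,7 @@ package openssl_test
 import (
 "crypto/dsa"
 "encoding/asn1"
+"fmt"
 "math/big"
 "testing"
 
@@ -15,16 +16,28 @@ type dsaSignature struct {
 }
 
 func TestDSAGenerateParameters(t *testing.T) {
-testGenerateDSAParameters(t, 1024, 160)
-testGenerateDSAParameters(t, 2048, 224)
-testGenerateDSAParameters(t, 2048, 256)
-testGenerateDSAParameters(t, 3072, 256)
+var tests = []struct {
+L, N int
+}{
+{1024, 160},
+{2048, 224},
+{2048, 256},
+{3072, 256},
+}
+for _, test := range tests {
+t.Run(fmt.Sprintf("%d-%d", test.L, test.N), func(t *testing.T) {
+if openssl.FIPS() {
+t.Skip("generating DSA parameters with L = 2048 is not supported in FIPS mode")
+}
+testGenerateDSAParameters(t, test.L, test.N)
+})
+}
 }
 
 func testGenerateDSAParameters(t *testing.T, L, N int) {
 params, err := openssl.GenerateDSAParameters(L, N)
 if err != nil {
-t.Errorf("%d-%d: error generating parameters: %s", L, N, err)
+t.Errorf("error generating parameters: %s", err)
 return
 }
 
@@ -33,23 +46,23 @@ func testGenerateDSAParameters(t *testing.T, L, N int) {
 G := bbig.Dec(params.G)
 
 if P.BitLen() != L {
-t.Errorf("%d-%d: params.BitLen got:%d want:%d", L, N, P.BitLen(), L)
+t.Errorf("params.BitLen got:%d want:%d", P.BitLen(), L)
 }
 
 if Q.BitLen() != N {
-t.Errorf("%d-%d: q.BitLen got:%d want:%d", L, N, Q.BitLen(), L)
+t.Errorf("q.BitLen got:%d want:%d", Q.BitLen(), L)
 }
 
 one := new(big.Int)
 one.SetInt64(1)
 pm1 := new(big.Int).Sub(P, one)
 quo, rem := new(big.Int).DivMod(pm1, Q, new(big.Int))
 if rem.Sign() != 0 {
-t.Errorf("%d-%d: p-1 mod q != 0", L, N)
+t.Error("p-1 mod q != 0")
 }
 x := new(big.Int).Exp(G, quo, P)
 if x.Cmp(one) == 0 {
-t.Errorf("%d-%d: invalid generator", L, N)
+t.Error("invalid generator")
 }
 
 priv, err := openssl.GenerateKeyDSA(params)
@@ -58,23 +71,23 @@ func testGenerateDSAParameters(t *testing.T, L, N int) {
 return
 }
 
-testDSASignAndVerify(t, L, priv)
+testDSASignAndVerify(t, priv)
 }
 
-func testDSASignAndVerify(t *testing.T, i int, priv *openssl.PrivateKeyDSA) {
+func testDSASignAndVerify(t *testing.T, priv *openssl.PrivateKeyDSA) {
 hashed := []byte("testing")
 sig, err := openssl.SignDSA(priv, hashed[:])
 if err != nil {
-t.Errorf("%d: error signing: %s", i, err)
+t.Errorf("error signing: %s", err)
 return
 }
 pub, err := openssl.NewPublicKeyDSA(priv.DSAParameters, priv.Y)
 if err != nil {
-t.Errorf("%d: error getting public key: %s", i, err)
+t.Errorf("error getting public key: %s", err)
 return
 }
 if !openssl.VerifyDSA(pub, hashed[:], sig) {
-t.Errorf("%d: error verifying", i)
+t.Error("error verifying")
 return
 }
 
@@ -96,11 +109,11 @@ func testDSASignAndVerify(t *testing.T, i int, priv *openssl.PrivateKeyDSA) {
 return
 }
 if !dsa.Verify(&priv1.PublicKey, hashed[:], esig.R, esig.S) {
-t.Errorf("%d: compat: crypto/dsa can't verify OpenSSL signature", i)
+t.Error("compat: crypto/dsa can't verify OpenSSL signature")
 }
 r1, s1, err := dsa.Sign(openssl.RandReader, &priv1, hashed[:])
 if err != nil {
-t.Errorf("%d: error signing: %s", i, err)
+t.Errorf("error signing: %s", err)
 return
 }
 sig, err = asn1.Marshal(dsaSignature{r1, s1})
@@ -109,12 +122,15 @@ func testDSASignAndVerify(t *testing.T, i int, priv *openssl.PrivateKeyDSA) {
 return
 }
 if !openssl.VerifyDSA(pub, hashed[:], sig) {
-t.Errorf("%d: compat: OpenSSL can't verify crypto/dsa signature", i)
+t.Error("compat: OpenSSL can't verify crypto/dsa signature")
 return
 }
 }
 
 func TestDSASignAndVerify(t *testing.T) {
+if openssl.FIPS() {
+t.Skip("DSA signing with L = 2048 is not supported in FIPS mode")
+}
 params := openssl.DSAParameters{
 P: bbig.Enc(fromHex("A9B5B793FB4785793D246BAE77E8FF63CA52F442DA763C440259919FE1BC1D6065A9350637A04F75A2F039401D49F08E066C4D275A5A65DA5684BC563C14289D7AB8A67163BFBF79D85972619AD2CFF55AB0EE77A9002B0EF96293BDD0F42685EBB2C66C327079F6C98000FBCB79AACDE1BC6F9D5C7B1A97E3D9D54ED7951FEF")),
 Q: bbig.Enc(fromHex("E1D3391245933D68A0714ED34BBCB7A1F422B9C1")),
@@ -127,7 +143,7 @@ func TestDSASignAndVerify(t *testing.T) {
 t.Fatalf("error generating key: %s", err)
 }
 
-testDSASignAndVerify(t, 0, priv)
+testDSASignAndVerify(t, priv)
 }
 
 func TestDSANewPrivateKeyWithDegenerateKeys(t *testing.T) {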
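Review bot: The `openssl.FIPS()` skip inside the `t.Run` closure of TestDSAGenerateParameters is unconditional, so in FIPS mode all four parameter sets are skipped, 1024-160 and 3072-256 included, while the skip message names only L = 2048. The new skip in TestDSASignAndVerify has the same mismatch: its hard-coded P appears to be 1024 bits with a 160-bit Q, yet the message again says L = 2048. Either word the message for what is really skipped, e.g. `t.Skip("DSA parameter generation is not exercised in FIPS mode")`, or gate the skip on the sizes the FIPS provider rejects so the others keep their coverage; which sizes those are is not visible from this diff. If the provider is expected to refuse these sizes, asserting that `openssl.GenerateDSAParameters` returns an error under FIPS would catch a regression that a skip hides. Separately, the rewritten q.BitLen message still prints `L` as the wanted value although the check compares against `N`; it should read `t.Errorf("q.BitLen got:%d want:%d", Q.BitLen(), N)`.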
