diff --git a/tests/api.c b/tests/api.c
index a9e63508f..500998b92 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -9163,6 +9163,31 @@ static int test_wc_RsaPublicKeyDecodeRaw (void)
 
 } /* END test_wc_RsaPublicKeyDecodeRaw */
 
+
+#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
+    /* In FIPS builds, wc_MakeRsaKey() will return an error if it cannot find
+     * a probable prime in 5*(modLen/2) attempts. In non-FIPS builds, it keeps
+     * trying until it gets a probable prime. */
+    #ifdef WOLFSSL_FIPS
+    static int MakeRsaKeyRetry(RsaKey* key, int size, long e, WC_RNG* rng)
+    {
+        int ret;
+
+        for (;;) {
+            ret = wc_MakeRsaKey(key, size, e, rng);
+            if (ret != PRIME_GEN_E) break;
+            printf("MakeRsaKey couldn't find prime; trying again.\n");
+        }
+
+        return ret;
+    }
+    #define MAKE_RSA_KEY(a, b, c, d) MakeRsaKeyRetry(a, b, c, d)
+    #else
+    #define MAKE_RSA_KEY(a, b, c, d) wc_MakeRsaKey(a, b, c, d)
+    #endif
+#endif
+
+
 /*
  * Testing wc_MakeRsaKey()
  */
@@ -9180,7 +9205,7 @@ static int test_wc_MakeRsaKey (void)
     if (ret == 0) {
         ret = wc_InitRng(&rng);
         if (ret == 0) {
-            ret = wc_MakeRsaKey(&genKey, 1024, WC_RSA_EXPONENT, &rng);
+            ret = MAKE_RSA_KEY(&genKey, 1024, WC_RSA_EXPONENT, &rng);
             if (ret == 0 && wc_FreeRsaKey(&genKey) != 0) {
                 ret = WOLFSSL_FATAL_ERROR;
             }
@@ -9189,17 +9214,17 @@ static int test_wc_MakeRsaKey (void)
 #ifndef HAVE_USER_RSA
     /* Test bad args. */
     if (ret == 0) {
-        ret = wc_MakeRsaKey(NULL, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(NULL, 1024, WC_RSA_EXPONENT, &rng);
         if (ret == BAD_FUNC_ARG) {
-            ret = wc_MakeRsaKey(&genKey, 1024, WC_RSA_EXPONENT, NULL);
+            ret = MAKE_RSA_KEY(&genKey, 1024, WC_RSA_EXPONENT, NULL);
         }
         if (ret == BAD_FUNC_ARG) {
             /* e < 3 */
-            ret = wc_MakeRsaKey(&genKey, 1024, 2, &rng);
+            ret = MAKE_RSA_KEY(&genKey, 1024, 2, &rng);
         }
         if (ret == BAD_FUNC_ARG) {
             /* e & 1 == 0 */
-            ret = wc_MakeRsaKey(&genKey, 1024, 6, &rng);
+            ret = MAKE_RSA_KEY(&genKey, 1024, 6, &rng);
         }
         if (ret == BAD_FUNC_ARG) {
             ret = 0;
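Review bot: MakeRsaKeyRetry has no upper bound on its `for (;;)` loop, so in a FIPS build a key-generation path that keeps returning PRIME_GEN_E (a misbehaving or degenerate RNG, for example) turns a failing test into a hang instead of a reported failure. Capping the retries at a small number and returning the last PRIME_GEN_E once the cap is reached keeps the intent of the helper while still letting the test fail; the constant below is a new one introduced for this purpose. The printf diagnostic could also carry the attempt number so a log shows how close to the cap a run came.

```c
    #define MAKE_RSA_KEY_MAX_TRIES 5   /* new: retry cap for the FIPS helper */
    static int MakeRsaKeyRetry(RsaKey* key, int size, long e, WC_RNG* rng)
    {
        int ret;
        int attempt = 0;

        do {
            ret = wc_MakeRsaKey(key, size, e, rng);
            if (ret != PRIME_GEN_E) break;
            printf("MakeRsaKey couldn't find prime; trying again.\n");
        } while (++attempt < MAKE_RSA_KEY_MAX_TRIES);

        return ret;
    }
```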
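Review bot: The four negative-argument checks in this hunk (and their HAVE_USER_RSA twins in the following hunk at @@ -9210) expect BAD_FUNC_ARG, or USER_CRYPTO_ERROR, immediately, so routing them through MAKE_RSA_KEY gains nothing: the wrapper only reacts to PRIME_GEN_E, which argument validation never produces. Keeping the direct calls here, e.g. `ret = wc_MakeRsaKey(NULL, 1024, WC_RSA_EXPONENT, &rng);`, makes it clear that the library's own argument checks are what is under test and keeps these cases independent of the test-only retry helper. test_wc_MakeRsaKey continues outside this hunk.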
@@ -9210,17 +9235,17 @@ static int test_wc_MakeRsaKey (void)
 #else
     /* Test bad args. */
     if (ret == 0) {
-        ret = wc_MakeRsaKey(NULL, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(NULL, 1024, WC_RSA_EXPONENT, &rng);
         if (ret == USER_CRYPTO_ERROR) {
-            ret = wc_MakeRsaKey(&genKey, 1024, WC_RSA_EXPONENT, NULL);
+            ret = MAKE_RSA_KEY(&genKey, 1024, WC_RSA_EXPONENT, NULL);
         }
         if (ret == USER_CRYPTO_ERROR) {
             /* e < 3 */
-            ret = wc_MakeRsaKey(&genKey, 1024, 2, &rng);
+            ret = MAKE_RSA_KEY(&genKey, 1024, 2, &rng);
         }
         if (ret == USER_CRYPTO_ERROR) {
             /* e & 1 == 0 */
-            ret = wc_MakeRsaKey(&genKey, 1024, 6, &rng);
+            ret = MAKE_RSA_KEY(&genKey, 1024, 6, &rng);
         }
         if (ret == USER_CRYPTO_ERROR) {
             ret = 0;
@@ -9324,7 +9349,7 @@ static int test_wc_RsaKeyToDer (void)
     }
     /* Make key. */
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&genKey, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&genKey, 1024, WC_RSA_EXPONENT, &rng);
         if (ret != 0) {
             ret = WOLFSSL_FATAL_ERROR;
         }
@@ -9417,7 +9442,7 @@ static int test_wc_RsaKeyToPublicDer (void)
         ret = wc_InitRng(&rng);
     }
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
     }
 
     printf(testingFmt, "wc_RsaKeyToPublicDer()");
@@ -9505,7 +9530,7 @@ static int test_wc_RsaPublicEncryptDecrypt (void)
         ret = wc_InitRng(&rng);
     }
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
     }
     /* Encrypt. */
     printf(testingFmt, "wc_RsaPublicEncrypt()");
@@ -9593,7 +9618,7 @@ static int test_wc_RsaPublicEncryptDecrypt_ex (void)
         ret = wc_InitRng(&rng);
     }
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
     }
     /* Encrypt */
     printf(testingFmt, "wc_RsaPublicEncrypt_ex()");
@@ -9700,7 +9725,7 @@ static int test_wc_RsaSSL_SignVerify (void)
     }
 
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
     }
     /* Sign. */
     printf(testingFmt, "wc_RsaSSL_Sign()");
@@ -9846,7 +9871,7 @@ static int test_wc_RsaEncryptSize (void)
     printf(testingFmt, "wc_RsaEncryptSize()");
 
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
         if (ret == 0) {
             ret = wc_RsaEncryptSize(&key);
         }
@@ -9863,7 +9888,7 @@ static int test_wc_RsaEncryptSize (void)
     }
 
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, FOURK_BUF, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, FOURK_BUF, WC_RSA_EXPONENT, &rng);
         if (ret == 0) {
             ret = wc_RsaEncryptSize(&key);
         }
@@ -9920,7 +9945,7 @@ static int test_wc_RsaFlattenPublicKey (void)
     }
 
     if (ret == 0) {
-        ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng);
+        ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
         if (ret >= 0) {
             ret = 0;
         } else {
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 931f60fdf..5df26dc89 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -2456,7 +2456,12 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
             if (err == MP_OKAY)
                 err = wc_CheckProbablePrime_ex(&p, NULL, &tmp3, size, &isPrime);
 
+#ifdef WOLFSSL_FIPS
             i++;
+#else
+            /* Keep the old retry behavior in non-FIPS build. */
+            (void)i;
+#endif
         } while (err == MP_OKAY && !isPrime && i < failCount);
     }
 
@@ -2487,7 +2492,12 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
             if (err == MP_OKAY)
                 err = wc_CheckProbablePrime_ex(&p, &q, &tmp3, size, &isPrime);
 
+#ifdef WOLFSSL_FIPS
             i++;
+#else
+            /* Keep the old retry behavior in non-FIPS build. */
+            (void)i;
+#endif
         } while (err == MP_OKAY && !isPrime && i < failCount);
     }
 
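Review bot: The `#else` branch in the first rsa.c hunk (@@ -2456) is redundant as far as the hunk shows: `i` is still read in the `while (err == MP_OKAY && !isPrime && i < failCount)` condition, so `(void)i;` silences no unused-variable warning, and `#ifdef WOLFSSL_FIPS` / `i++;` / `#endif` plus the comment says the same thing in fewer lines. More importantly, once `i` stops advancing the non-FIPS loop has no attempt limit (assuming `i` starts below `failCount`, which the hunk does not show), so an RNG that keeps yielding composite candidates, or a degenerate one returning the same bytes, makes wc_MakeRsaKey spin instead of fail; the comment should state that termination now depends entirely on the RNG, e.g. `/* Non-FIPS: no attempt limit; the loop only ends when a probable prime is found. */`. The same applies to the q-generation hunk at @@ -2487. The do/while loop and wc_MakeRsaKey itself begin before these hunks.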