tests: added unit test of gnutls_fips140_set_mode

Also ensure that 512-bit keys cannot be generated
in FIPS140-2 mode

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

1 files changed, 21 insertions, 6 deletions

diff --git a/tests/fips-test.c b/tests/fips-test.c
index 2d37c0f2f8..23d2318122 100644
--- a/tests/fips-test.c
+++ b/tests/fips-test.c
@@ -61,12 +61,23 @@ void doit(void)
 	}
 	gnutls_cipher_deinit(ch);
 
+	ret =
+	    gnutls_cipher_init(&ch, GNUTLS_CIPHER_ARCFOUR_128, &key, &iv);
+	if (ret != GNUTLS_E_UNWANTED_ALGORITHM) {
+		fail("gnutls_cipher_init succeeded for arcfour\n");
+	}
+
 	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
 	if (ret < 0) {
 		fail("gnutls_hmac_init failed\n");
 	}
 	gnutls_hmac_deinit(mh, NULL);
 
+	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_MD5, key.data, key.size);
+	if (ret != GNUTLS_E_UNWANTED_ALGORITHM) {
+		fail("gnutls_hmac_init succeeded for md5\n");
+	}
+
 	ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
 	if (ret < 0) {
 		fail("gnutls_rnd failed\n");
@@ -84,18 +95,22 @@ void doit(void)
 	}
 	gnutls_privkey_deinit(privkey);
 
-	ret = gnutls_x509_privkey_init(&xprivkey);
-	if (ret < 0) {
-		fail("gnutls_privkey_init failed\n");
-	}
-	gnutls_x509_privkey_deinit(xprivkey);
-
 	ret = gnutls_init(&session, 0);
 	if (ret < 0) {
 		fail("gnutls_init failed\n");
 	}
 	gnutls_deinit(session);
 
+	ret = gnutls_x509_privkey_init(&xprivkey);
+	if (ret < 0) {
+		fail("gnutls_privkey_init failed\n");
+	}
+	ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, 512, 0);
+	if (ret != GNUTLS_E_PK_GENERATION_ERROR) {
+		fail("gnutls_x509_privkey_generate succeeded (%d) for 512-bit key\n", ret);
+	}
+	gnutls_x509_privkey_deinit(xprivkey);
+
 	/* Test when FIPS140 is set to error state */
 	_gnutls_lib_simulate_error();