In addition to the build time regression test suite, Libgcrypt
implements self-tests to be performed at runtime. Which self-tests
are actually used depends on the mode Libgcrypt is used in. In
standard mode a limited set of self-tests is run at the time an
algorithm is first used. Note that not all algorithms feature a
self-test in standard mode. The GCRYCTL_SELFTEST
control
command may be used to run all implemented self-tests at any time;
this will even run more tests than those run in FIPS mode.
If any of the self-tests fails, the library immediately returns an error code to the caller. If Libgcrypt is in FIPS mode the self-tests will be performed within the “Self-Test” state and any failure puts the library into the “Error” state.
Power-up tests are only performed if Libgcrypt is in FIPS mode.
The following symmetric encryption algorithm tests are run during power-up:
cipher/des.c:selftest
)
cipher/rijndael.c:selftest_basic_128
)
cipher/rijndael.c:selftest_basic_192
)
cipher/rijndael.c:selftest_basic_256
)
The following hash algorithm tests are run during power-up:
"abc"
is run.
(cipher/sha1.c:selftests_sha1
)
"abc"
is run.
(cipher/sha256.c:selftests_sha224
)
"abc"
is run.
(cipher/sha256.c:selftests_sha256
)
"abc"
is run.
(cipher/sha512.c:selftests_sha384
)
"abc"
is run.
(cipher/sha512.c:selftests_sha512
)
The following MAC algorithm tests are run during power-up:
cipher/hmac-tests.c:selftests_sha1
)
cipher/hmac-tests.c:selftests_sha224
)
cipher/hmac-tests.c:selftests_sha256
)
cipher/hmac-tests.c:selftests_sha384
)
cipher/hmac-tests.c:selftests_sha512
)
The DRNG is tested during power-up this way:
The public key algorithms are tested during power-up:
cipher/rsa.c:selftests_rsa
)
cipher/rsa.c:selftests_rsa
)
cipher/rsa.c:selftest_sign_1024
)
cipher/rsa.c:selftest_encr_1024
)
cipher/dsa.c:selftests_dsa
)
cipher/dsa.c:selftests_dsa
)
cipher/dsa.c:selftest_sign_1024
)
The integrity of the Libgcrypt is tested during power-up but only if checking has been enabled at build time. The check works by computing a HMAC SHA-256 checksum over the file used to load Libgcrypt into memory. That checksum is compared against a checksum stored in a file of the same name but with a single dot as a prefix and a suffix of .hmac.
The 3DES weak key detection is tested during power-up by calling the
detection function with keys taken from a table listening all weak
keys. The table itself is protected using a SHA-1 hash.
(cipher/des.c:selftest
)
The conditional tests are performed if a certain contidion is met. This may occur at any time; the library does not necessary enter the “Self-Test” state to run these tests but will transit to the “Error” state if a test failed.
After an asymmetric key-pair has been generated, Libgcrypt runs a pair-wise consistency tests on the generated key. On failure the generated key is not used, an error code is returned and, if in FIPS mode, the library is put into the “Error” state.
A new random number of the same size is generated, signed and verified
to test the correctness of the signing operation. As a second signing
test, the signature is modified by incrementing its value and then
verified with the expected result that the verification fails.
(cipher/rsa.c:test_keys
)
cipher/dsa.c:test_keys
)
Loading of extra modules into libgcrypt is disabled in FIPS mode and
thus no tests are
implemented. (cipher/cipher.c:gcry_cipher_register
,
cipher/md.c:gcry_md_register
,
cipher/md.c:gcry_pk_register
)
A manual key entry feature is not implemented in Libgcrypt.
The continuous random number test is only used in FIPS mode. The RNG
generates blocks of 128 bit size; the first block generated per
context is saved in the context and another block is generated to be
returned to the caller. Each block is compared against the saved
block and then stored in the context. If a duplicated block is
detected an error is signaled and the libray is put into the
“Fatal-Error” state.
(random/random-fips.c:x931_aes_driver
)
The application may requests tests at any time by means of the
GCRYCTL_SELFTEST
control command. Note that using these tests
is not FIPS conform: Although Libgcrypt rejects all application
requests for services while running self-tests, it does not ensure
that no other operations of Libgcrypt are still being executed. Thus,
in FIPS mode an application requesting self-tests needs to power-cycle
Libgcrypt instead.
When self-tests are requested, Libgcrypt runs all the tests it does during power-up as well as a few extra checks as described below.
The following symmetric encryption algorithm tests are run in addition to the power-up tests:
The following hash algorithm tests are run in addition to the power-up tests:
cipher/sha1.c:selftests_sha1
,
cipher/sha256.c:selftests_sha224
,
cipher/sha256.c:selftests_sha256
)
cipher/sha512.c:selftests_sha384
,
cipher/sha512.c:selftests_sha512
)
The following MAC algorithm tests are run in addition to the power-up tests:
cipher/hmac-tests.c:selftests_sha1
)
cipher/hmac-tests.c:selftests_sha224
,
cipher/hmac-tests.c:selftests_sha256
,
cipher/hmac-tests.c:selftests_sha384
,
cipher/hmac-tests.c:selftests_sha512
)