author | Daiki Ueno <ueno@gnu.org> | 2023-04-01 23:24:59 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2023-04-01 23:24:59 +0000 |
commit | 0138bcb40b04df6b191d8e0caf80e00ff160ee10 (patch) | |
tree | aa04aab2c02d63ca6228d1c0b0c2444edc602118 | |
parent | 1fd97c0b7fe75bc46b768af8ce018425ebeab151 (diff) | |
parent | f53252fd7872b07da175f699f386d4f2493a53f8 (diff) | |
Merge branch 'pbkdf' into 'master'
fips: add additional pbkdf limit checks as defined in SP 800-132
See merge request gnutls/gnutls!1736
-rw-r--r-- | lib/crypto-api.c | 10 | ||||
-rw-r--r-- | tests/fips-test.c | 26 |
2 files changed, 33 insertions, 3 deletions
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 9f7619bd68..568edf7571 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -2218,6 +2218,16 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
 not_approved = true;
 }
+ /* Minimum salt length of 128 bits (SP 800-132 5.1) */
+ if (salt->size < 16) {
+ not_approved = true;
+ }
+
+ /* Minimum iterations bound (SP 800-132 5.2) */
+ if (iter_count < 1000) {
+ not_approved = true;
+ }
+
 ret = _gnutls_kdf_ops.pbkdf2(mac, key->data, key->size, salt->data, salt->size, iter_count, output, length);
diff --git a/tests/fips-test.c b/tests/fips-test.c
index aa76d062f8..86d1aa8811 100644
--- a/tests/fips-test.c
+++ b/tests/fips-test.c
@@ -450,7 +450,7 @@ void doit(void)
 /* PBKDF2 with key equal to or longer than 112 bits: approved */
 FIPS_PUSH_CONTEXT();
- ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000,
 &pbkdf2, sizeof(pbkdf2));
 if (ret < 0) {
 fail("gnutls_pbkdf2 failed\n");
@@ -460,7 +460,7 @@ void doit(void)
 /* PBKDF2 with key shorter than 112 bits: not approved */
 FIPS_PUSH_CONTEXT();
 key.size = 13;
- ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000,
 &pbkdf2, sizeof(pbkdf2));
 if (ret < 0) {
 fail("gnutls_pbkdf2 failed\n");
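Review bot: In the lib/crypto-api.c hunk, nothing tells a caller that a salt under 16 bytes or an iteration count under 1000 is still accepted: both new checks only set `not_approved`, and the `_gnutls_kdf_ops.pbkdf2` call below them runs unchanged. I would say that in the comments, for example `/* Salt below 128 bits (SP 800-132 5.1): still derived, but reported as not approved */`, and list the two limits in the function's doc comment, which lies outside this hunk. The comment on the iteration check should also make clear that 1000 is the SP 800-132 floor rather than a recommended work factor, so an approved result is not read as a statement about password-derived key strength. The bare literals `16` and `1000` could become named constants so that the limits and tests/fips-test.c cannot drift apart silently.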
@@ -468,9 +468,29 @@ void doit(void)
 key.size = sizeof(key16);
 FIPS_POP_CONTEXT(NOT_APPROVED);
+ /* PBKDF2 with iteration count lower than 1000: not approved */
+ FIPS_PUSH_CONTEXT();
+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 999,
+ &pbkdf2, sizeof(pbkdf2));
+ if (ret < 0) {
+ fail("gnutls_pbkdf2 failed\n");
+ }
+ FIPS_POP_CONTEXT(NOT_APPROVED);
+
+ /* PBKDF2 with salt shorter than 16 bytes: not approved */
+ FIPS_PUSH_CONTEXT();
+ iv.size = 13;
+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000,
+ &pbkdf2, sizeof(pbkdf2));
+ if (ret < 0) {
+ fail("gnutls_pbkdf2 failed\n");
+ }
+ iv.size = sizeof(iv16);
+ FIPS_POP_CONTEXT(NOT_APPROVED);
+
 /* PBKDF2 with output shorter than 112 bits: not approved */
 FIPS_PUSH_CONTEXT();
- ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, &pbkdf2, 13);
+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000, &pbkdf2, 13);
 if (ret < 0) {
 fail("gnutls_pbkdf2 failed\n");
 } |
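Review bot: The short-salt case sets `iv.size = 13`, which would still pass if the library's limit were off by a byte or two, whereas the iteration case just above it uses 999 and pins its boundary exactly. Using `iv.size = 15;` would pin the `salt->size < 16` comparison the same way. This presumes `iv16` is 16 bytes, as the restore to `sizeof(iv16)` suggests, so that the approved case earlier in doit() covers the other side of the boundary. doit() begins and ends outside this hunk.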