diff options
author | Tobias Heider <tobias.heider@canonical.com> | 2023-03-30 16:38:05 +0200 |
---|---|---|
committer | Tobias Heider <tobias.heider@canonical.com> | 2023-03-30 16:38:05 +0200 |
commit | f53252fd7872b07da175f699f386d4f2493a53f8 (patch) | |
tree | d492fd2562e71bfb6545111e6d355d0b2a501500 | |
parent | d8d0a00b4206e1d9b627ae7509a1eb5743b59d23 (diff) | |
download | gnutls-f53252fd7872b07da175f699f386d4f2493a53f8.tar.gz |
fips: adjust pbkdf2 tests for SP 800-132 limits
- Make sure to always use approved iteration count
- Check that salt < 16 return non-approved
- Check that iteration count < 1000 returns non-approved
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
-rw-r--r-- | tests/fips-test.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/tests/fips-test.c b/tests/fips-test.c index aa76d062f8..86d1aa8811 100644 --- a/tests/fips-test.c +++ b/tests/fips-test.c @@ -450,7 +450,7 @@ void doit(void) /* PBKDF2 with key equal to or longer than 112 bits: approved */ FIPS_PUSH_CONTEXT(); - ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, + ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000, &pbkdf2, sizeof(pbkdf2)); if (ret < 0) { fail("gnutls_pbkdf2 failed\n"); @@ -460,7 +460,7 @@ void doit(void) /* PBKDF2 with key shorter than 112 bits: not approved */ FIPS_PUSH_CONTEXT(); key.size = 13; - ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, + ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000, &pbkdf2, sizeof(pbkdf2)); if (ret < 0) { fail("gnutls_pbkdf2 failed\n"); @@ -468,9 +468,29 @@ void doit(void) key.size = sizeof(key16); FIPS_POP_CONTEXT(NOT_APPROVED); + /* PBKDF2 with iteration count lower than 1000: not approved */ + FIPS_PUSH_CONTEXT(); + ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 999, + &pbkdf2, sizeof(pbkdf2)); + if (ret < 0) { + fail("gnutls_pbkdf2 failed\n"); + } + FIPS_POP_CONTEXT(NOT_APPROVED); + + /* PBKDF2 with salt shorter than 16 bytes: not approved */ + FIPS_PUSH_CONTEXT(); + iv.size = 13; + ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000, + &pbkdf2, sizeof(pbkdf2)); + if (ret < 0) { + fail("gnutls_pbkdf2 failed\n"); + } + iv.size = sizeof(iv16); + FIPS_POP_CONTEXT(NOT_APPROVED); + /* PBKDF2 with output shorter than 112 bits: not approved */ FIPS_PUSH_CONTEXT(); - ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, &pbkdf2, 13); + ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 1000, &pbkdf2, 13); if (ret < 0) { fail("gnutls_pbkdf2 failed\n"); } |