author | Clemens Lang <cllang@redhat.com> | 2022-07-06 18:33:42 +0200 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-07-13 11:51:38 +0900 |
commit | 3bbcf16e0b8b63d70893f6d9cc0fe77f7d8bc17b (patch) | |
tree | e2b2b143430f2d9a54bc65e838f389bc683dc384 | |
parent | 04960f5179cd9732931b9f245a902a8a34bde964 (diff) | |
download | libgcrypt-3bbcf16e0b8b63d70893f6d9cc0fe77f7d8bc17b.tar.gz |
tests/t-kdf: Test KDF FIPS indicator
* tests/t-kdf.c (check_fips_indicators): Add test for gcry_control
(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF).
--
Backport master commit of:
37b812f5e2a3c80d4bc104512248a07268f3c98b
Add a test that checks that
gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF) works correctly, does
not return unexpected values, and returns that only PBKDF2 is approved
at the moment.
Signed-off-by: Clemens Lang <cllang@redhat.com>
-rw-r--r-- | tests/t-kdf.c | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 4c82fed8..15e77c82 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1490,6 +1490,64 @@ check_argon2 (void)
 }
+static void
+check_fips_indicators (void)
+{
+ enum gcry_kdf_algos fips_kdf_algos[] = {
+ GCRY_KDF_PBKDF2,
+ };
+ enum gcry_kdf_algos kdf_algos[] = {
+ GCRY_KDF_SIMPLE_S2K,
+ GCRY_KDF_SALTED_S2K,
+ GCRY_KDF_ITERSALTED_S2K,
+ GCRY_KDF_PBKDF1,
+ GCRY_KDF_PBKDF2,
+ GCRY_KDF_SCRYPT,
+ GCRY_KDF_ARGON2
+ };
+ size_t i, j;
+
+ for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
+ {
+ int is_fips_kdf_algo = 0;
+ gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+
+ if (verbose)
+ fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",
+ kdf_algos[i], gcry_strerror (err));
+
+ for (j = 0; j < sizeof(fips_kdf_algos) / sizeof(*fips_kdf_algos); j++)
+ {
+ if (kdf_algos[i] == fips_kdf_algos[j])
+ {
+ is_fips_kdf_algo = 1;
+ break;
+ }
+ }
+
+ switch (err & GPG_ERR_CODE_MASK)
+ {
+ case GPG_ERR_NO_ERROR:
+ if (!is_fips_kdf_algo)
+ fail ("KDF algorithm %d is marked as approved by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but only PBKDF2 should"
+ " be marked as approved.", kdf_algos[i]);
+ break;
+ case GPG_ERR_NOT_SUPPORTED:
+ if (is_fips_kdf_algo)
+ fail ("KDF algorithm %d is marked as not approved by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but it should be"
+ " approved", kdf_algos[i]);
+ break;
+ default:
+ fail ("Unexpected error '%s' (%d) returned by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF for KDF algorithm %d",
+ gcry_strerror (err), err, kdf_algos[i]);
+ }
+ }
+}
+
+
 int
 main (int argc, char **argv)
 {
@@ -1567,6 +1625,8 @@ main (int argc, char **argv)
 check_pbkdf2 ();
 check_scrypt ();
 check_argon2 ();
+ if (in_fips_mode)
+ check_fips_indicators();
 }
 return error_count ? 1 : 0; |
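Review bot: `kdf_algos[]` in check_fips_indicators is a hand-maintained list, so a `GCRY_KDF_*` identifier added to the library later is never passed to the indicator, and a regression that reports it as approved would pass unnoticed. A comment above the array would make that maintenance duty explicit, e.g. `/* Must list every enum gcry_kdf_algos value; unlisted KDFs are not checked. */`. The call passes only the algorithm identifier, so the test establishes approval per algorithm and says nothing about parameters such as iteration count or salt length; a one-line comment saying so would keep readers from over-reading a pass. As a matter of style, `switch (gcry_err_code (err))` reads better than masking with `GPG_ERR_CODE_MASK` by hand, and `err` is printed with `%d` in the default branch although `gcry_error_t` is an unsigned type.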
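Review bot: The new call in main is skipped without any output when `in_fips_mode` is false, so a test run on a non-FIPS build gives no sign that the indicator check did not execute. A message under `verbose` on the other branch would make the skip visible, e.g. `else if (verbose) fprintf (stderr, "not in FIPS mode, FIPS indicator check skipped\n");`. The call is also written `check_fips_indicators();` while the neighbouring calls use the GNU spacing `check_argon2 ();`. main starts outside this hunk, so where `in_fips_mode` is assigned cannot be confirmed from here.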