authorNIIBE Yutaka <gniibe@fsij.org>2022-01-19 11:41:40 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2022-01-19 11:41:40 +0900
commit76aad97dd312e83f2f9b8d086553f2b72ab6546f (patch)
tree40d41c810f9cff3ebbdae697fceaec5ee2d49928 /tests
parent6f225308d3e59f8749403ad743d8e6c591142f8f (diff)
fips: Reject shorter key for HMAC in FIPS mode.
* cipher/md.c (prepare_macpads): Reject < 112-bit key. * cipher/kdf.c (selftest_pbkdf2): Remove selftest cases with shorter key. * cipher/mac-hmac.c (selftests_sha224, selftests_sha256): Likewise. (selftests_sha384, selftests_sha512, selftests_sha3): Likewise. * tests/basic.c (check_one_hmac) Handle an error when shorter key is rejected. (check_one_mac): Likewise. * tests/t-kdf.c (check_pbkdf2, check_scrypt): Likewise. -- GnuPG-bug-id: 5512 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/basic.c29
-rw-r--r--tests/t-kdf.c38
2 files changed, 57 insertions, 10 deletions
diff --git a/tests/basic.c b/tests/basic.c
index ab9a4733..32be7c2f 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -13757,7 +13757,19 @@ check_one_hmac (int algo, const char *data, int datalen,
return;
}
- gcry_md_setkey( hd, key, keylen );
+ err = gcry_md_setkey( hd, key, keylen );
+ if (err)
+ {
+ if (in_fips_mode)
+ {
+ if (verbose)
+ fprintf (stderr,
+ " shorter key (%d) rejected correctly in fips mode\n",
+ keylen);
+ }
+ gcry_md_close (hd);
+ return;
+ }
gcry_md_write (hd, data, datalen);
@@ -14161,9 +14173,18 @@ check_one_mac (int algo, const char *data, int datalen,
clutter_vector_registers();
err = gcry_mac_setkey (hd, key, keylen);
if (err)
- fail("algo %d, mac gcry_mac_setkey failed: %s\n", algo, gpg_strerror (err));
- if (err)
- goto out;
+ {
+ if (in_fips_mode)
+ {
+ if (verbose)
+ fprintf (stderr,
+ " shorter key (%d) rejected correctly in fips mode\n",
+ keylen);
+ }
+ else
+ fail("algo %d, mac gcry_mac_setkey failed: %s\n", algo, gpg_strerror (err));
+ goto out;
+ }
if (ivlen && iv)
{
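Review bot: In the check_one_hmac hunk a gcry_md_setkey failure outside FIPS mode is swallowed silently: the new block closes the handle and returns without calling fail(), whereas the check_one_mac hunk below reports the same condition. Mirroring that hunk with `else fail ("algo %d, hmac gcry_md_setkey failed: %s\n", algo, gpg_strerror (err));` before `gcry_md_close (hd);` would keep a real setkey error visible. Both hunks also accept any setkey error in FIPS mode as the expected short-key rejection, without looking at the key length; t-kdf.c in the same commit gates on `plen < 14`, so `if (in_fips_mode && keylen < 14)` here would keep a genuine failure on a full-length key from passing as success. check_one_hmac and check_one_mac both begin outside their hunks, so keylen's type is not visible; the `%d` format assumes it is int.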
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 48309b9a..26570186 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -31,6 +31,8 @@
#define PGM "t-kdf"
#include "t-common.h"
+static int in_fips_mode;
+
static void
dummy_consumer (volatile char *buffer, size_t buflen)
@@ -858,8 +860,7 @@ check_openpgp (void)
if (tv[tvidx].disabled)
continue;
/* MD5 isn't supported in fips mode */
- if (gcry_fips_mode_active()
- && tv[tvidx].hashalgo == GCRY_MD_MD5)
+ if (in_fips_mode && tv[tvidx].hashalgo == GCRY_MD_MD5)
continue;
if (verbose)
fprintf (stderr, "checking S2K test vector %d\n", tvidx);
@@ -1104,7 +1105,7 @@ check_pbkdf2 (void)
GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
tv[tvidx].salt, tv[tvidx].saltlen,
tv[tvidx].c, tv[tvidx].dklen, outbuf);
- if (gcry_fips_mode_active() && tvidx > 6)
+ if (in_fips_mode && tvidx > 6)
{
if (!err)
fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n",
@@ -1112,7 +1113,17 @@ check_pbkdf2 (void)
continue;
}
if (err)
- fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err));
+ {
+ if (in_fips_mode && tv[tvidx].plen < 14)
+ {
+ if (verbose)
+ fprintf (stderr,
+ " shorter key (%ld) rejected correctly in fips mode\n",
+ tv[tvidx].plen);
+ }
+ else
+ fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err));
+ }
else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen))
{
fail ("pbkdf2 test %d failed: mismatch\n", tvidx);
@@ -1209,7 +1220,17 @@ check_scrypt (void)
tv[tvidx].salt, tv[tvidx].saltlen,
tv[tvidx].parm_p, tv[tvidx].dklen, outbuf);
if (err)
- fail ("scrypt test %d failed: %s\n", tvidx, gpg_strerror (err));
+ {
+ if (in_fips_mode && tv[tvidx].plen < 14)
+ {
+ if (verbose)
+ fprintf (stderr,
+ " shorter key (%ld) rejected correctly in fips mode\n",
+ tv[tvidx].plen);
+ }
+ else
+ fail ("scrypt test %d failed: %s\n", tvidx, gpg_strerror (err));
+ }
else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen))
{
fail ("scrypt test %d failed: mismatch\n", tvidx);
@@ -1281,7 +1302,12 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
- xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
+ if (gcry_fips_mode_active ())
+ in_fips_mode = 1;
+
+ if (!in_fips_mode)
+ xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
+
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
if (debug)
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
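Review bot: The check_pbkdf2 and check_scrypt hunks only tolerate the short-key rejection; they do not require it, so if a later change stopped rejecting a sub-14-byte key in FIPS mode the vector would simply derive and match and the test would still pass. The existing `tvidx > 6` branch in check_pbkdf2 shows the intended shape: test the FIPS condition before `if (err)`, fail when `!err`, and `continue`. The same applies to the check_scrypt hunk; the rewritten lines for scrypt are below and check_pbkdf2 would take the same form. The type of `tv[tvidx].plen` is not visible in these hunks; `%ld` is only correct if it is `long`, otherwise the format mismatch is undefined behaviour and a cast is needed. Both loops and main start outside their hunks.
```c
      /* … unchanged: gcry_kdf_derive call … */
      if (in_fips_mode && tv[tvidx].plen < 14)
        {
          if (!err)
            fail ("scrypt test %d unexpectedly passed in FIPS mode\n", tvidx);
          else if (verbose)
            fprintf (stderr,
                     " shorter key (%ld) rejected correctly in fips mode\n",
                     tv[tvidx].plen);
          continue;
        }
      if (err)
        fail ("scrypt test %d failed: %s\n", tvidx, gpg_strerror (err));
      /* … unchanged: memcmp against tv[tvidx].dk … */
```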