[PATCH] tests/t-kdf: Test KDF FIPS indicator

Clemens Lang cllang at redhat.com
Wed Jul 6 18:33:42 CEST 2022


 * tests/t-kdf.c (check_fips_indicators): Add test for gcry_control
   (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF).

--

Add a test that checks that gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF)
works correctly, does not return unexpected values, and reports that
only PBKDF2 is approved at the moment.

Signed-off-by: Clemens Lang <cllang at redhat.com>
---
 tests/t-kdf.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 454b7c48..d9d57778 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1895,6 +1895,67 @@ check_hkdf (void)
     goto again;
 }
 
+static void
+check_fips_indicators (void)
+{
+  enum gcry_kdf_algos fips_kdf_algos[] = {
+    GCRY_KDF_PBKDF2,
+  };
+  enum gcry_kdf_algos kdf_algos[] = {
+    GCRY_KDF_SIMPLE_S2K,
+    GCRY_KDF_SALTED_S2K,
+    GCRY_KDF_ITERSALTED_S2K,
+    GCRY_KDF_PBKDF1,
+    GCRY_KDF_PBKDF2,
+    GCRY_KDF_SCRYPT,
+    GCRY_KDF_ARGON2  ,
+    GCRY_KDF_BALLOON ,
+    GCRY_KDF_ONESTEP_KDF,
+    GCRY_KDF_ONESTEP_KDF_MAC,
+    GCRY_KDF_HKDF,
+  };
+  size_t i, j;
+
+  for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
+    {
+      int is_fips_kdf_algo = 0;
+      gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+
+      if (verbose)
+        fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",
+                 kdf_algos[i], gcry_strerror (err));
+
+      for (j = 0; j < sizeof(fips_kdf_algos) / sizeof(*fips_kdf_algos); j++)
+        {
+          if (kdf_algos[i] == fips_kdf_algos[j])
+            {
+              is_fips_kdf_algo = 1;
+              break;
+            }
+        }
+
+      switch (err & GPG_ERR_CODE_MASK)
+        {
+          case GPG_ERR_NO_ERROR:
+            if (!is_fips_kdf_algo)
+              fail ("KDF algorithm %d is marked as approved by"
+                    " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but only PBKDF2 should"
+                    " be marked as approved.", kdf_algos[i]);
+            break;
+          case GPG_ERR_NOT_SUPPORTED:
+            if (is_fips_kdf_algo)
+              fail ("KDF algorithm %d is marked as not approved by"
+                    " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but it should be"
+                    " approved", kdf_algos[i]);
+            break;
+          default:
+            fail ("Unexpected error '%s' (%d) returned by"
+                  " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF for KDF algorithm %d",
+                  gcry_strerror (err), err, kdf_algos[i]);
+        }
+    }
+}
+
 
 int
 main (int argc, char **argv)
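Review bot: The loop only feeds ids from the hand-maintained `kdf_algos` list to GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, so an algorithm added to the enum later, or an id the library does not know at all, is never exercised; a service indicator should fail closed on unknown ids, and that is worth pinning with one extra entry outside the enum's range (0 or a large unused value) for which anything other than GPG_ERR_NO_ERROR is acceptable, so the `default:` arm would need a matching exception for that entry. In that `default:` arm `err` is printed with `%d` although gcry_error_t is (as far as I can tell) an unsigned typedef; `%u` keeps -Wformat quiet. The indicator is queried with the algorithm id alone, so parameter-level approval conditions (such as minimum salt length and iteration count for PBKDF2) are outside what a pass here demonstrates; a comment above `fips_kdf_algos` such as `/* Algorithm-level indicator only; parameter constraints are not checked here. */` would stop a reader from reading this as full FIPS coverage of the KDF.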
@@ -1976,6 +2037,8 @@ main (int argc, char **argv)
       check_balloon ();
       check_onestep_kdf ();
       check_hkdf ();
+      if (in_fips_mode)
+        check_fips_indicators();
     }
 
   return error_count ? 1 : 0;
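Review bot: `check_fips_indicators();` drops the space before the parenthesis that every neighbouring call in this block uses (`check_hkdf ();`), so it should read `check_fips_indicators ();` to match the file's GNU style. Gating the call on `in_fips_mode` also leaves the control's behaviour outside FIPS mode untested; if it is expected to give a defined answer (or a defined error) in non-FIPS builds, a second expectation for that case would complete the test, though what that answer should be is not visible here. main() begins in the previous hunk and its closing brace lies outside this one.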
-- 
2.35.3



