[PATCH] tests/t-kdf: Test KDF FIPS indicator
Clemens Lang
cllang at redhat.com
Wed Jul 6 18:33:42 CEST 2022
* tests/t-kdf.c (check_fips_indicators): Add test for gcry_control
(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF).
--
Add a test that checks that gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF)
works correctly, does not return unexpected values, and reports that
only PBKDF2 is approved at the moment.
Signed-off-by: Clemens Lang <cllang at redhat.com>
---
tests/t-kdf.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 454b7c48..d9d57778 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1895,6 +1895,67 @@ check_hkdf (void)
goto again;
}
+static void
+check_fips_indicators (void)
+{
+ enum gcry_kdf_algos fips_kdf_algos[] = {
+ GCRY_KDF_PBKDF2,
+ };
+ enum gcry_kdf_algos kdf_algos[] = {
+ GCRY_KDF_SIMPLE_S2K,
+ GCRY_KDF_SALTED_S2K,
+ GCRY_KDF_ITERSALTED_S2K,
+ GCRY_KDF_PBKDF1,
+ GCRY_KDF_PBKDF2,
+ GCRY_KDF_SCRYPT,
+ GCRY_KDF_ARGON2 ,
+ GCRY_KDF_BALLOON ,
+ GCRY_KDF_ONESTEP_KDF,
+ GCRY_KDF_ONESTEP_KDF_MAC,
+ GCRY_KDF_HKDF,
+ };
+ size_t i, j;
+
+ for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
+ {
+ int is_fips_kdf_algo = 0;
+ gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+
+ if (verbose)
+ fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",
+ kdf_algos[i], gcry_strerror (err));
+
+ for (j = 0; j < sizeof(fips_kdf_algos) / sizeof(*fips_kdf_algos); j++)
+ {
+ if (kdf_algos[i] == fips_kdf_algos[j])
+ {
+ is_fips_kdf_algo = 1;
+ break;
+ }
+ }
+
+ switch (err & GPG_ERR_CODE_MASK)
+ {
+ case GPG_ERR_NO_ERROR:
+ if (!is_fips_kdf_algo)
+ fail ("KDF algorithm %d is marked as approved by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but only PBKDF2 should"
+ " be marked as approved.", kdf_algos[i]);
+ break;
+ case GPG_ERR_NOT_SUPPORTED:
+ if (is_fips_kdf_algo)
+ fail ("KDF algorithm %d is marked as not approved by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, but it should be"
+ " approved", kdf_algos[i]);
+ break;
+ default:
+ fail ("Unexpected error '%s' (%d) returned by"
+ " GCRYCTL_FIPS_SERVICE_INDICATOR_KDF for KDF algorithm %d",
+ gcry_strerror (err), err, kdf_algos[i]);
+ }
+ }
+}
+
int
main (int argc, char **argv)
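Review bot: In the `default:` arm of the switch, `err` is passed for a `%d` conversion, but `gcry_error_t` is an unsigned type, so the format does not match the argument and `-Wformat` will flag it; print it as `gcry_strerror (err), (unsigned int) err, kdf_algos[i]);` or use `%u`. The switch masks the code by hand with `err & GPG_ERR_CODE_MASK`, while libgcrypt provides the `gcry_err_code (err)` accessor for exactly this; using it in both the switch and the failure message would also make the value that is reported the same code the switch compared against. The function has no header comment although it is only ever run under FIPS mode (see the call site added to `main`); a one-liner such as `/* Query the KDF service indicator for every KDF and check that only the algorithms listed in fips_kdf_algos are reported as approved.  */` would spare a reader the inference. Minor: the two `fail` messages are inconsistent about the trailing period.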
@@ -1976,6 +2037,8 @@ main (int argc, char **argv)
check_balloon ();
check_onestep_kdf ();
check_hkdf ();
+ if (in_fips_mode)
+ check_fips_indicators();
}
return error_count ? 1 : 0;
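Review bot: The added call `check_fips_indicators();` drops the space before the parenthesis that every neighbouring call in this block uses (`check_hkdf ();`); write it `check_fips_indicators ();` to keep the GNU style of the file. Because the call is gated on `in_fips_mode`, the indicator's behaviour outside FIPS mode is left untested by this patch; whether that is intentional cannot be told from the hunk and could be stated in a short comment above the `if`. The body of `main` starts and ends outside the hunk.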
--
2.35.3