Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP4:Update
gnutls.33311
gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-S...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch of Package gnutls.33311
Index: gnutls-3.7.3/lib/crypto-api.c =================================================================== --- gnutls-3.7.3.orig/lib/crypto-api.c +++ gnutls-3.7.3/lib/crypto-api.c @@ -1845,7 +1845,12 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac if (!is_mac_algo_allowed(mac)) { _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); - } else if (!is_mac_algo_approved_in_fips(mac)) { + } else if (!is_mac_algo_approved_for_pbkdf2_in_fips(mac)) { + not_approved = true; + } + + /* Key lengthes less than 112 bits are not approved */ + if (length < 14 || key->size < 14) { not_approved = true; } Index: gnutls-3.7.3/lib/fips.h =================================================================== --- gnutls-3.7.3.orig/lib/fips.h +++ gnutls-3.7.3/lib/fips.h @@ -104,6 +104,25 @@ is_mac_algo_approved_in_fips(gnutls_mac_ } inline static bool +is_mac_algo_approved_for_pbkdf2_in_fips(gnutls_mac_algorithm_t algo) +{ + switch (algo) { + case GNUTLS_MAC_SHA1: + case GNUTLS_MAC_SHA256: + case GNUTLS_MAC_SHA384: + case GNUTLS_MAC_SHA512: + case GNUTLS_MAC_SHA224: + case GNUTLS_MAC_SHA3_224: + case GNUTLS_MAC_SHA3_256: + case GNUTLS_MAC_SHA3_384: + case GNUTLS_MAC_SHA3_512: + return true; + default: + return false; + } +} + +inline static bool is_mac_algo_allowed_in_fips(gnutls_mac_algorithm_t algo) { return is_mac_algo_approved_in_fips(algo); Index: gnutls-3.7.3/lib/crypto-selftests.c =================================================================== --- gnutls-3.7.3.orig/lib/crypto-selftests.c +++ gnutls-3.7.3/lib/crypto-selftests.c @@ -3088,30 +3088,6 @@ struct pbkdf2_vectors_st { }; const struct pbkdf2_vectors_st pbkdf2_sha256_vectors[] = { - /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */ - { - STR(key, key_size, "passwd"), - STR(salt, salt_size, "salt"), - .iter_count = 1, - STR(output, output_size, - "\x55\xac\x04\x6e\x56\xe3\x08\x9f\xec\x16\x91\xc2\x25\x44" - "\xb6\x05\xf9\x41\x85\x21\x6d\xde\x04\x65\xe6\x8b\x9d\x57" - "\xc2\x0d\xac\xbc\x49\xca\x9c\xcc\xf1\x79\xb6\x45\x99\x16" - "\x64\xb3\x9d\x77\xef\x31\x7c\x71\xb8\x45\xb1\xe3\x0b\xd5" - "\x09\x11\x20\x41\xd3\xa1\x97\x83"), - }, - /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */ - { - STR(key, key_size, "Password"), - STR(salt, salt_size, "NaCl"), - .iter_count = 80000, - STR(output, output_size, - "\x4d\xdc\xd8\xf6\x0b\x98\xbe\x21\x83\x0c\xee\x5e\xf2\x27" - "\x01\xf9\x64\x1a\x44\x18\xd0\x4c\x04\x14\xae\xff\x08\x87" - "\x6b\x34\xab\x56\xa1\xd4\x25\xa1\x22\x58\x33\x54\x9a\xdb" - "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78" - "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"), - }, /* Test vector extracted from: * https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */ { Index: gnutls-3.7.3/tests/kdf-api.c =================================================================== --- gnutls-3.7.3.orig/tests/kdf-api.c +++ gnutls-3.7.3/tests/kdf-api.c @@ -185,14 +185,19 @@ doit(void) "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" "34007208d5b887185865"); - /* Test vector from RFC 6070. More thorough testing is done - * in nettle. */ - test_pbkdf2(GNUTLS_MAC_SHA1, - "70617373776f7264", /* "password" */ - "73616c74", /* "salt" */ + /* Test vector extracted from: + * https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */ + test_pbkdf2(GNUTLS_MAC_SHA256, + "70617373776f726450415353" + "574f524470617373776f7264", /* "passwordPASSWORDpassword" */ + "73616c7453414c5473616c74" + "53414c5473616c7453414c54" + "73616c7453414c5473616c74", /* "saltSALTsaltSALTsaltSALTsaltSALTsalt" */ 4096, - 20, - "4b007901b765489abead49d926f721d065a429c1"); + 40, + "348c89dbcbd32b2f32d814b8" + "116e84cf2b17347ebc180018" + "1c4e2a1fb8dd53e1c635518c7dac47e9"); gnutls_fips140_context_deinit(fips_context); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor