Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP4:Update
gnutls.33311
gnutls-FIPS-pbkdf2-additional-requirements.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls-FIPS-pbkdf2-additional-requirements.patch of Package gnutls.33311
Index: gnutls-3.7.3/lib/crypto-api.c =================================================================== --- gnutls-3.7.3.orig/lib/crypto-api.c +++ gnutls-3.7.3/lib/crypto-api.c @@ -1849,8 +1849,23 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac not_approved = true; } - /* Key lengthes less than 112 bits are not approved */ - if (length < 14 || key->size < 14) { + /* FIPS requires a minimum key length of 112 bits, see FIPS 140-3 IG D.N */ + if (length < 14) { + not_approved = true; + } + + /* FIPS requires minimum salt length of 128 bits (SP 800-132 5.1) */ + if (salt->size < 16) { + not_approved = true; + } + + /* FIPS requires minimum iterations count (SP 800-132 5.2) */ + if (iter_count < 1000) { + not_approved = true; + } + + /* FIPS recommends minimum passlen of 20 characters (SP SP800-132 sec 5) */ + if (key->size < 20) { not_approved = true; } Index: gnutls-3.7.3/tests/kdf-api.c =================================================================== --- gnutls-3.7.3.orig/tests/kdf-api.c +++ gnutls-3.7.3/tests/kdf-api.c @@ -32,6 +32,9 @@ #define MAX_BUF 1024 +#define GNUTLS_PBKDF2_FIPS_NOT_APPROVED 0 +#define GNUTLS_PBKDF2_FIPS_APPROVED 1 + static gnutls_fips140_context_t fips_context; static gnutls_fips140_operation_state_t fips_state; @@ -130,7 +133,8 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, const char *salt_hex, unsigned iter_count, size_t length, - const char *okm_hex) + const char *okm_hex, + unsigned is_fips_approved) { gnutls_datum_t hex; gnutls_datum_t ikm; @@ -151,7 +155,11 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, FIPS_PUSH_CONTEXT(); assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0); - FIPS_POP_CONTEXT(APPROVED); + if (is_fips_approved) { + FIPS_POP_CONTEXT(APPROVED); + } else { + FIPS_POP_CONTEXT(NOT_APPROVED); + } gnutls_free(ikm.data); gnutls_free(salt.data); @@ -185,6 +193,26 @@ doit(void) "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" "34007208d5b887185865"); + /* Test vector from RFC 6070. More thorough testing is done + * in nettle. */ + test_pbkdf2(GNUTLS_MAC_SHA1, + "70617373776f7264", /* "password" */ + "73616c74", /* "salt" */ + 4096, + 20, + "4b007901b765489abead49d926f721d065a429c1", + /* Key sizes and output sizes less than 112-bit are not approved. */ + GNUTLS_PBKDF2_FIPS_NOT_APPROVED); + + test_pbkdf2(GNUTLS_MAC_AES_CMAC_128, + "70617373776f726470617373776f7264", /* "passwordpassword" */ + "73616c74", /* "salt" */ + 4096, + 20, + "c4c112c6e1e3b8757640603dec78825ff87605a7", + /* Use of AES-CMAC in PBKDF2 is not supported in ACVP. */ + GNUTLS_PBKDF2_FIPS_NOT_APPROVED); + /* Test vector extracted from: * https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */ test_pbkdf2(GNUTLS_MAC_SHA256, @@ -197,7 +225,9 @@ doit(void) 40, "348c89dbcbd32b2f32d814b8" "116e84cf2b17347ebc180018" - "1c4e2a1fb8dd53e1c635518c7dac47e9"); + "1c4e2a1fb8dd53e1c635518c7dac47e9", + /* FIPS approved */ + GNUTLS_PBKDF2_FIPS_APPROVED); gnutls_fips140_context_deinit(fips_context); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor