From 76aad97dd312e83f2f9b8d086553f2b72ab6546f Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 19 Jan 2022 11:41:40 +0900 Subject: [PATCH 2/2] fips: Reject shorter key for HMAC in FIPS mode. * cipher/md.c (prepare_macpads): Reject < 112-bit key. * cipher/kdf.c (selftest_pbkdf2): Remove selftest cases with shorter key. * cipher/mac-hmac.c (selftests_sha224, selftests_sha256): Likewise. (selftests_sha384, selftests_sha512, selftests_sha3): Likewise. * tests/basic.c (check_one_hmac) Handle an error when shorter key is rejected. (check_one_mac): Likewise. * tests/t-kdf.c (check_pbkdf2, check_scrypt): Likewise. -- GnuPG-bug-id: 5512 Signed-off-by: NIIBE Yutaka --- cipher/kdf.c | 76 ++--------------------------------------------- cipher/mac-hmac.c | 67 ----------------------------------------- cipher/md.c | 3 ++ tests/basic.c | 29 +++++++++++++++--- tests/t-kdf.c | 38 ++++++++++++++++++++---- 5 files changed, 62 insertions(+), 151 deletions(-) Index: libgcrypt-1.9.4/cipher/kdf.c =================================================================== --- libgcrypt-1.9.4.orig/cipher/kdf.c +++ libgcrypt-1.9.4/cipher/kdf.c @@ -324,6 +324,10 @@ check_one (int algo, int hash_algo, unsigned char key[512]; /* hardcoded to avoid allocation */ size_t keysize = expectlen; + /* Skip test with shoter passphrase in FIPS mode. */ + if (fips_mode () && passphraselen < 14) + return NULL; + if (keysize > sizeof(key)) return "invalid tests data"; Index: libgcrypt-1.9.4/cipher/mac-hmac.c =================================================================== --- libgcrypt-1.9.4.orig/cipher/mac-hmac.c +++ libgcrypt-1.9.4/cipher/mac-hmac.c @@ -241,6 +241,11 @@ check_one (int algo, const unsigned char *digest; /* printf ("HMAC algo %d\n", algo); */ + + /* Skip test with shoter key in FIPS mode. */ + if (fips_mode () && keylen < 14) + return NULL; + if (trunc) { if (_gcry_md_get_algo_dlen (algo) < expectlen) Index: libgcrypt-1.9.4/cipher/md.c =================================================================== --- libgcrypt-1.9.4.orig/cipher/md.c +++ libgcrypt-1.9.4/cipher/md.c @@ -903,6 +903,9 @@ prepare_macpads (gcry_md_hd_t a, const u { GcryDigestEntry *r; + if (fips_mode () && keylen < 14) + return GPG_ERR_INV_VALUE; + if (!a->ctx->list) return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ Index: libgcrypt-1.9.4/tests/basic.c =================================================================== --- libgcrypt-1.9.4.orig/tests/basic.c +++ libgcrypt-1.9.4/tests/basic.c @@ -12016,7 +12016,19 @@ check_one_hmac (int algo, const char *da return; } - gcry_md_setkey( hd, key, keylen ); + err = gcry_md_setkey( hd, key, keylen ); + if (err) + { + if (in_fips_mode) + { + if (verbose) + fprintf (stderr, + " shorter key (%d) rejected correctly in fips mode\n", + keylen); + } + gcry_md_close (hd); + return; + } gcry_md_write (hd, data, datalen); @@ -12420,9 +12432,18 @@ check_one_mac (int algo, const char *dat clutter_vector_registers(); err = gcry_mac_setkey (hd, key, keylen); if (err) - fail("algo %d, mac gcry_mac_setkey failed: %s\n", algo, gpg_strerror (err)); - if (err) - goto out; + { + if (in_fips_mode) + { + if (verbose) + fprintf (stderr, + " shorter key (%d) rejected correctly in fips mode\n", + keylen); + } + else + fail("algo %d, mac gcry_mac_setkey failed: %s\n", algo, gpg_strerror (err)); + goto out; + } if (ivlen && iv) { Index: libgcrypt-1.9.4/tests/t-kdf.c =================================================================== --- libgcrypt-1.9.4.orig/tests/t-kdf.c +++ libgcrypt-1.9.4/tests/t-kdf.c @@ -31,6 +31,8 @@ #define PGM "t-kdf" #include "t-common.h" +static int in_fips_mode; + static void dummy_consumer (volatile char *buffer, size_t buflen) @@ -858,8 +860,7 @@ check_openpgp (void) if (tv[tvidx].disabled) continue; /* MD5 isn't supported in fips mode */ - if (gcry_fips_mode_active() - && tv[tvidx].hashalgo == GCRY_MD_MD5) + if (in_fips_mode && tv[tvidx].hashalgo == GCRY_MD_MD5) continue; if (verbose) fprintf (stderr, "checking S2K test vector %d\n", tvidx); @@ -1104,7 +1105,7 @@ check_pbkdf2 (void) GCRY_KDF_PBKDF2, tv[tvidx].hashalgo, tv[tvidx].salt, tv[tvidx].saltlen, tv[tvidx].c, tv[tvidx].dklen, outbuf); - if (gcry_fips_mode_active() && tvidx > 6) + if (in_fips_mode && tvidx > 6) { if (!err) fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n", @@ -1112,7 +1113,17 @@ check_pbkdf2 (void) continue; } if (err) - fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err)); + { + if (in_fips_mode && tv[tvidx].plen < 14) + { + if (verbose) + fprintf (stderr, + " shorter key (%u) rejected correctly in fips mode\n", + (unsigned int)tv[tvidx].plen); + } + else + fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err)); + } else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen)) { fail ("pbkdf2 test %d failed: mismatch\n", tvidx); @@ -1209,7 +1220,17 @@ check_scrypt (void) tv[tvidx].salt, tv[tvidx].saltlen, tv[tvidx].parm_p, tv[tvidx].dklen, outbuf); if (err) - fail ("scrypt test %d failed: %s\n", tvidx, gpg_strerror (err)); + { + if (in_fips_mode && tv[tvidx].plen < 14) + { + if (verbose) + fprintf (stderr, + " shorter key (%u) rejected correctly in fips mode\n", + (unsigned int)tv[tvidx].plen); + } + else + fail ("scrypt test %d failed: %s\n", tvidx, gpg_strerror (err)); + } else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen)) { fail ("scrypt test %d failed: mismatch\n", tvidx); @@ -1281,7 +1302,12 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + if (gcry_fips_mode_active ()) + in_fips_mode = 1; + + if (!in_fips_mode) + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));