fips: only mark HMAC as approved in PBKDF2
authorDaiki Ueno <ueno@gnu.org>
Thu, 29 Sep 2022 12:19:26 +0000 (21:19 +0900)
committerDaiki Ueno <ueno@gnu.org>
Mon, 17 Oct 2022 10:16:36 +0000 (19:16 +0900)
As ACVP only allows HMAC to be used as the PBKDF2 PRF[1], this change marks
PBKDF2 with any other (non-HMAC) MAC algorithm as not-approved.

1. https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html

Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/crypto-api.c
lib/fips.h
tests/kdf-api.c

index d3e601ab3ac71371ad43d3ea78dfdd74c1b46363..9f7e18db11c9933568af038e3a5d1f556b0c5a8b 100644 (file)
@@ -2229,7 +2229,10 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
        if (!is_mac_algo_allowed(mac)) {
                _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
                return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-       } else if (!is_mac_algo_approved_in_fips(mac)) {
+       } else if (!is_mac_algo_hmac_approved_in_fips(mac)) {
+               /* ACVP only allows HMAC used with PBKDF2:
+                * https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html
+                */
                not_approved = true;
        }
 
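Review bot: The comment added above `not_approved = true;` justifies the HMAC-only rule by what ACVP happens to test, which a later reader may take for a harness limitation that can be relaxed; as I read NIST SP 800-132 §5.2, the normative rule is that the PBKDF2 PRF shall be HMAC with an approved hash, and the ACVP scope merely mirrors that. I would reword it to `/* SP 800-132 defines the PBKDF2 PRF as HMAC with an approved hash, and ACVP tests only that; any other MAC (CMAC/GMAC) is therefore not approved here: https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html */`. The body of gnutls_pbkdf2 starts before and continues past this hunk, so where `not_approved` is finally acted on is not visible here.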
index 3a74f254e7310f8c89ac051c7b39e23adc40b77f..bf61b36741145b41615d44a057c12f8cd0ee653a 100644 (file)
@@ -76,7 +76,7 @@ void _gnutls_lib_simulate_error(void);
 void _gnutls_lib_force_operational(void);
 
 inline static bool
-is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
 {
        switch (algo) {
        case GNUTLS_MAC_SHA1:
@@ -88,6 +88,20 @@ is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
        case GNUTLS_MAC_SHA3_256:
        case GNUTLS_MAC_SHA3_384:
        case GNUTLS_MAC_SHA3_512:
+               return true;
+       default:
+               return false;
+       }
+}
+
+inline static bool
+is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
+{
+       if (is_mac_algo_hmac_approved_in_fips(algo)) {
+               return true;
+       }
+
+       switch (algo) {
        case GNUTLS_MAC_AES_CMAC_128:
        case GNUTLS_MAC_AES_CMAC_256:
        case GNUTLS_MAC_AES_GMAC_128:
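Review bot: The new `is_mac_algo_hmac_approved_in_fips` in the first hunk carries no comment saying what "HMAC approved" means, and the name alone does not convey that SHA-1 is deliberately in the list (readers who expect SHA-1 to be rejected will need the reason) or that the CMAC/GMAC cases now live only in the wrapper below. I would put `/* HMAC over an approved hash (SHA-1, SHA-2, SHA-3): the only MAC family SP 800-132/ACVP permit as a PBKDF2 PRF; CMAC/GMAC are handled by is_mac_algo_approved_in_fips(). */` above its definition. The body of `is_mac_algo_approved_in_fips` continues past the end of the second hunk, so its remaining cases and default are not visible here.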
index 9774ce60007f41e8a265bcd4038a08b605037904..2e70d09ca1457e9561425adbb52337ae645fc76c 100644 (file)
@@ -26,6 +26,7 @@
 #include <gnutls/crypto.h>
 
 #include <assert.h>
+#include <stdbool.h>
 #include <stdint.h>
 
 #include "utils.h"
@@ -109,6 +110,25 @@ test_hkdf(gnutls_mac_algorithm_t mac,
        gnutls_free(hex.data);
 }
 
+inline static bool
+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
+{
+       switch (algo) {
+       case GNUTLS_MAC_SHA1:
+       case GNUTLS_MAC_SHA256:
+       case GNUTLS_MAC_SHA384:
+       case GNUTLS_MAC_SHA512:
+       case GNUTLS_MAC_SHA224:
+       case GNUTLS_MAC_SHA3_224:
+       case GNUTLS_MAC_SHA3_256:
+       case GNUTLS_MAC_SHA3_384:
+       case GNUTLS_MAC_SHA3_512:
+               return true;
+       default:
+               return false;
+       }
+}
+
 static void
 test_pbkdf2(gnutls_mac_algorithm_t mac,
            const char *ikm_hex,
@@ -181,5 +201,14 @@ doit(void)
                    /* Key sizes and output sizes less than 112-bit are not approved.  */
                    GNUTLS_FIPS140_OP_NOT_APPROVED);
 
+       test_pbkdf2(GNUTLS_MAC_AES_CMAC_128,
+                   "70617373776f726470617373776f7264", /* "passwordpassword" */
+                   "73616c74",         /* "salt" */
+                   4096,
+                   20,
+                   "c4c112c6e1e3b8757640603dec78825ff87605a7",
+                   /* Use of AES-CMAC in PBKDF2 is not supported in ACVP.  */
+                   GNUTLS_FIPS140_OP_NOT_APPROVED);
+
        gnutls_fips140_context_deinit(fips_context);
 }
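Review bot: The `is_mac_algo_hmac_approved_in_fips` added at the top of the second hunk is a verbatim copy of the table in lib/fips.h, and no call to it appears in any of these hunks; if nothing else in the file uses it, it is dead code that draws -Wunused-function and will silently drift from the library's list the next time that list changes, so either drop it or have the test derive its expected FIPS state from it so the duplication is actually exercised. In the new AES-CMAC case I would also document the two non-obvious inputs: on the password line `/* 16 bytes: presumably chosen because AES-CMAC-128 takes a 128-bit key */`, and on the expected output `/* produced by this implementation, not a published vector (ACVP has none for CMAC); this pins behaviour, it does not prove correctness */`. doit() starts before this hunk, so `fips_context` is set up outside the visible lines.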