Re: [PATCH 5/6] crypto: hkdf - add known answer tests

From: Eric Biggers
Date: Mon Jan 14 2019 - 12:44:22 EST

Next message: Rob Herring: "[PATCH v2] arm64: dts: Remove inconsistent use of 'arm,armv8' compatible string"
Previous message: KHIM LEANG: "Ree..."
In reply to: Stephan Müller: "Re: [PATCH 5/6] crypto: hkdf - add known answer tests"
Next in thread: Stephan Müller: "[PATCH 4/6] crypto: hkdf - RFC5869 Key Derivation Function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 14, 2019 at 10:25:16AM +0100, Stephan Müller wrote:
> Am Samstag, 12. Januar 2019, 06:19:15 CET schrieb Eric Biggers:
>
> Hi Eric,
>
> [...]
> >
> > > + }
> > > + }
> > > + }, {
> > > + .alg = "hkdf(hmac(sha224))",
> > > + .test = alg_test_null,
> > > + .fips_allowed = 1,
> >
> > I think it is dumb to add algorithms to the testmgr with no tests just so
> > the 'fips_allowed' flag can be set.
>
> Currently it is the only way. But I agree that it could be done better.
>
> > And doesn't FIPS sometimes require
> > tests anyway? I don't think the "null test" should count as a test :-)
>
> Yes, it DOES count as a test (as strange as it may sound)! :-)
>
> The FIPS requirements are as follows:
>
> - raw ciphers must be subject to a FIPS test with one block chaining mode to
> cover that cipher with all block chaining modes (e.g. you can test ecb(aes) to
> cover AES with *all* existing block chaining modes).
>
> - for compound crypto algorithm (like RSA with respect to hashes, KDF with
> respect to the keyed message digest, HMAC with respect to hashes), the
> wrapping crypto algorithm needs to be tested with *one* wrapped cipher at
> least (but also not more. E.g. if you have a self test for, say, all SHA-1 and
> SHA-2, you only need one HMAC SHA test or one KDF HMAC SHA test.
>
> - in some circumstances, it is even permissible to test wrapping crypto
> algorithms where the underlying algo is implicitly tested. E.g. if you have a
> HMAC SHA-256 test, you do not need an individual SHA-256 test.
>
>
> >
> > Perhaps just include sha256 and sha512, and have tests for them?
>
> Do you happen to have an official SHA-512 HKDF test vector? RFC5869 only has
> SHA-1 and SHA-256 tests.
> >
>

No, I don't know of any official HKDF-SHA512 test vectors.

> [...]
> > >
> > > +/* Test vectors from RFC 5869 appendix A */
> > > +static struct kdf_testvec hkdf_hmac_sha256_tv_template[] = {
> >
> > const
> >
> > Likewise for all other kdf_testvecs.
>
> const does not work with __VECS :-(
>
> I leave it without const at the moment. I think the __VECS should be updated
> along with all test vectors.
>
> [...]

I don't see why. kdf_testvec just needs to be made const everywhere.

- Eric

Next message: Rob Herring: "[PATCH v2] arm64: dts: Remove inconsistent use of 'arm,armv8' compatible string"
Previous message: KHIM LEANG: "Ree..."
In reply to: Stephan Müller: "Re: [PATCH 5/6] crypto: hkdf - add known answer tests"
Next in thread: Stephan Müller: "[PATCH 4/6] crypto: hkdf - RFC5869 Key Derivation Function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]