diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index 0bd1c41d1..cadbd18fc 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -131,6 +131,11 @@ int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) if (ret != 0) return ret; +#ifdef HAVE_FIPS + if (length < HMAC_FIPS_MIN_KEY) + return -1; /* TODO: next, fix wolfCrypt error range */ +#endif + switch (hmac->macType) { #ifndef NO_MD5 case MD5: diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index c2c5d7f4e..e6684d011 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -1149,9 +1149,11 @@ int hmac_md5_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20009; #endif @@ -1224,9 +1226,11 @@ int hmac_sha_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20010; #endif @@ -1303,9 +1307,11 @@ int hmac_sha256_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20011; #endif @@ -1382,9 +1388,11 @@ int hmac_blake2b_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20011; #endif @@ -1465,6 +1473,10 @@ int hmac_sha384_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA384, (byte*)keys[i],(word32)strlen(keys[i])); if (ret != 0) return -4027; @@ -1541,6 +1553,10 @@ int hmac_sha512_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA512, (byte*)keys[i],(word32)strlen(keys[i])); if (ret != 0) return -4030; diff --git a/cyassl/ctaocrypt/hmac.h b/cyassl/ctaocrypt/hmac.h index 68627efcd..78cc9556c 100644 --- a/cyassl/ctaocrypt/hmac.h +++ b/cyassl/ctaocrypt/hmac.h @@ -60,6 +60,8 @@ #define CYASSL_HMAC_CAVIUM_MAGIC 0xBEEF0005 enum { + HMAC_FIPS_MIN_KEY = 14, /* 112 bit key length minimum */ + IPAD = 0x36, OPAD = 0x5C, diff --git a/tests/hash.c b/tests/hash.c index 03bf4bcb0..e8a7e6df5 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -608,6 +608,10 @@ int hmac_md5_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, MD5, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4014; @@ -674,6 +678,10 @@ int hmac_sha_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4017; @@ -743,6 +751,10 @@ int hmac_sha256_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac,SHA256, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4020; @@ -816,6 +828,10 @@ int hmac_sha384_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac,SHA384, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4023;