crypto/internal/fips/pbkdf2: add CAST testing

Per IG 10 3.A a module implementing PBKDF2 must perform a CAST
on the derivation of a master key. This commit adds the required CAST
test.

The salt length (16 bytes), and output length (14 bytes) for the test
are selected to meet FIPS requirements. The iteration count must be
at least 2 so we use that value exactly for the fastest self-test
allowable.

We test all underlying prerequisite algorithms (HMAC, digest algorithms)
separately.

For #69536

Change-Id: Iba9e87ab89eeec1c73adc7e56016674ac8065c39
Reviewed-on: https://go-review.googlesource.com/c/go/+/623195
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

diff --git a/src/crypto/internal/fips140/pbkdf2/cast.go b/src/crypto/internal/fips140/pbkdf2/cast.go
new file mode 100644 (file)
index 0000000..748372a
--- /dev/null
+++ b/src/crypto/internal/fips140/pbkdf2/cast.go
@@ -0,0 +1,43 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pbkdf2
+
+import (
+       "bytes"
+       "crypto/internal/fips140"
+       _ "crypto/internal/fips140/check"
+       "crypto/internal/fips140/sha256"
+       "errors"
+)
+
+func init() {
+       // Per IG 10.3.A:
+       //   "if the module implements an approved PBKDF (SP 800-132), the module
+       //    shall perform a CAST, at minimum, on the derivation of the Master
+       //   Key (MK) as specified in Section 5.3 of SP 800-132"
+       //   "The Iteration Count parameter does not need to be among those
+       //   supported by the module in the approved mode but shall be at least
+       //   two."
+       fips140.CAST("PBKDF2", func() error {
+               salt := []byte{
+                       0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11,
+                       0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+               }
+               want := []byte{
+                       0xC7, 0x58, 0x76, 0xC0, 0x71, 0x1C, 0x29, 0x75,
+                       0x2D, 0x3A, 0xA6, 0xDF, 0x29, 0x96,
+               }
+
+               mk, err := Key(sha256.New, "password", salt, 2, 14)
+               if err != nil {
+                       return err
+               }
+               if !bytes.Equal(mk, want) {
+                       return errors.New("unexpected result")
+               }
+
+               return nil
+       })
+}

diff --git a/src/crypto/internal/fips140/pbkdf2/pbkdf2.go b/src/crypto/internal/fips140/pbkdf2/pbkdf2.go
index 3d4e385017b99fd49d16df8e05b45ab41a762fdb..8f6d9915041d3f1ee701c21a7653378541b6089b 100644 (file)
--- a/src/crypto/internal/fips140/pbkdf2/pbkdf2.go
+++ b/src/crypto/internal/fips140/pbkdf2/pbkdf2.go
@@ -6,7 +6,6 @@ package pbkdf2
 
 import (
        "crypto/internal/fips140"
-       _ "crypto/internal/fips140/check"
        "crypto/internal/fips140/hmac"
 )