diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/rng/hmac_drbg/hmac_drbg.cpp | 15 | ||||
-rw-r--r-- | src/tests/test_rng.cpp | 26 |
2 files changed, 38 insertions, 3 deletions
diff --git a/src/lib/rng/hmac_drbg/hmac_drbg.cpp b/src/lib/rng/hmac_drbg/hmac_drbg.cpp index 03ea2013a..4f19b5256 100644 --- a/src/lib/rng/hmac_drbg/hmac_drbg.cpp +++ b/src/lib/rng/hmac_drbg/hmac_drbg.cpp @@ -168,8 +168,17 @@ void HMAC_DRBG::add_entropy(const uint8_t input[], size_t input_len) size_t HMAC_DRBG::security_level() const { // security strength of the hash function - // for pre-image resistance (see NIST SP800-57), - // but NIST SP800-90A only supports up to 256 bits - return std::min(m_mac->output_length(), size_t(32)) * 8; + // for pre-image resistance (see NIST SP 800-57) + // SHA-160: 128 bits, SHA-224, SHA-512/224: 192 bits, + // SHA-256, SHA-512/256, SHA-384, SHA-512: >= 256 bits + // NIST SP 800-90A only supports up to 256 bits though + if(m_mac->output_length() < 32) + { + return (m_mac->output_length() - 4) * 8; + } + else + { + return 32 * 8; + } } } diff --git a/src/tests/test_rng.cpp b/src/tests/test_rng.cpp index 3fb5bd461..f65c122fa 100644 --- a/src/tests/test_rng.cpp +++ b/src/tests/test_rng.cpp @@ -489,6 +489,31 @@ class HMAC_DRBG_Unit_Tests : public Test return result; } + Test::Result test_security_level() + { + Test::Result result("HMAC_DRBG Security Level"); + + std::vector<std::string> approved_hash_fns { "SHA-160", "SHA-224", "SHA-256", "SHA-512/256", "SHA-384", "SHA-512" }; + std::vector<uint32_t> security_strengths { 128, 192, 256, 256, 256, 256 }; + + for( size_t i = 0; i < approved_hash_fns.size(); ++i ) + { + std::string hash_fn = approved_hash_fns[i]; + std::string mac_name = "HMAC(" + hash_fn + ")"; + auto mac = Botan::MessageAuthenticationCode::create(mac_name); + if(!mac) + { + result.note_missing(mac_name); + continue; + } + + Botan::HMAC_DRBG rng(std::move(mac)); + result.test_eq(hash_fn + " security level", rng.security_level(), security_strengths[i]); + } + + return result; + } + Test::Result test_randomize_with_ts_input() { Test::Result result("HMAC_DRBG Randomize With Timestamp Input"); @@ -538,6 +563,7 @@ class HMAC_DRBG_Unit_Tests : public Test results.push_back(test_prediction_resistance()); results.push_back(test_fork_safety()); results.push_back(test_randomize_with_ts_input()); + results.push_back(test_security_level()); return results; } }; |