fipsinstall: add no_short_mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index d725839787bcfea667c6675741ca3d70af03210c..3b7d0819ecc7dcf689c09b6f5405962248a01662 100644 (file)
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
     OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
     OPT_NO_CONDITIONAL_ERRORS,
     OPT_NO_SECURITY_CHECKS,
-    OPT_TLS_PRF_EMS_CHECK,
+    OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC,
     OPT_DISALLOW_DRGB_TRUNC_DIGEST,
     OPT_HKDF_DIGEST_CHECK,
     OPT_TLS13_KDF_DIGEST_CHECK,
@@ -71,6 +71,7 @@ const OPTIONS fipsinstall_options[] = {
      "Forces self tests to run once on module installation"},
     {"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
      "Enable the run-time FIPS check for EMS during TLS1_PRF"},
+    {"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"},
     {"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
      "Disallow truncated digests with Hash and HMAC DRBGs"},
     {"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
@@ -108,6 +109,7 @@ typedef struct {
     unsigned int conditional_errors : 1;
     unsigned int security_checks : 1;
     unsigned int tls_prf_ems_check : 1;
+    unsigned int no_short_mac : 1;
     unsigned int drgb_no_trunc_dgst : 1;
     unsigned int hkdf_digest_check : 1;
     unsigned int tls13_kdf_digest_check : 1;
@@ -124,6 +126,7 @@ static const FIPS_OPTS pedantic_opts = {
     1,      /* conditional_errors */
     1,      /* security_checks */
     1,      /* tls_prf_ems_check */
+    1,      /* no_short_mac */
     1,      /* drgb_no_trunc_dgst */
     1,      /* hkdf_digest_check */
     1,      /* tls13_kdf_digest_check */
@@ -140,6 +143,7 @@ static FIPS_OPTS fips_opts = {
     1,      /* conditional_errors */
     1,      /* security_checks */
     0,      /* tls_prf_ems_check */
+    0,      /* no_short_mac */
     0,      /* drgb_no_trunc_dgst */
     0,      /* hkdf_digest_check */
     0,      /* tls13_kdf_digest_check */
@@ -269,6 +273,8 @@ static int write_config_fips_section(BIO *out, const char *section,
                       opts->security_checks ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
                       opts->tls_prf_ems_check ? "1" : "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
+                      opts->no_short_mac ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
                       opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK,
@@ -472,6 +478,9 @@ int fipsinstall_main(int argc, char **argv)
         case OPT_TLS_PRF_EMS_CHECK:
             fips_opts.tls_prf_ems_check = 1;
             break;
+        case OPT_NO_SHORT_MAC:
+            fips_opts.no_short_mac = 1;
+            break;
         case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
             fips_opts.drgb_no_trunc_dgst = 1;
             break;

diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
index 54b774e0631a97060843e5c06101ce342b250be4..6ff8fc20b7c72ed794a78f15ddcb9a22de763b40 100644 (file)
--- a/util/mk-fipsmodule-cnf.pl
+++ b/util/mk-fipsmodule-cnf.pl
@@ -13,6 +13,7 @@ use Getopt::Long;
 my $conditional_errors = 1;
 my $security_checks = 1;
 my $ems_check = 1;
+my $no_short_mac = 1;
 my $drgb_no_trunc_dgst = 1;
 my $kdf_digest_check = 1;
 my $dsa_sign_disabled = 1;
@@ -50,6 +51,7 @@ install-version = $version
 conditional-errors = $conditional_errors
 security-checks = $security_checks
 tls1-prf-ems-check = $ems_check
+no-short-mac = $no_short_mac
 drbg-no-trunc-md = $drgb_no_trunc_dgst
 dsa-sign-disabled = $dsa_sign_disabled
 module-mac = $module_mac