fipsinstall: add kbkdf key check option

author Pauli <ppzgs1@gmail.com>

Mon, 5 Aug 2024 05:45:30 +0000 (15:45 +1000)

committer Pauli <ppzgs1@gmail.com>

Wed, 7 Aug 2024 22:42:59 +0000 (08:42 +1000)
author Pauli <ppzgs1@gmail.com>
Mon, 5 Aug 2024 05:45:30 +0000 (15:45 +1000)
committer Pauli <ppzgs1@gmail.com>
Wed, 7 Aug 2024 22:42:59 +0000 (08:42 +1000)
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c

index 269b0a7e73ec8743748a754a92577a39aa74ae7e..70447e1db3436014604e4ba7313b26de8463ca4e 100644 (file)
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -50,6 +50,7 @@ typedef enum OPTION_choice {
      OPT_DISALLOW_DSA_SIGN,
      OPT_DISALLOW_TDES_ENCRYPT,
      OPT_HKDF_KEY_CHECK,
+    OPT_KBKDF_KEY_CHECK,
      OPT_TLS13_KDF_KEY_CHECK,
      OPT_TLS1_PRF_KEY_CHECK,
      OPT_SSHKDF_KEY_CHECK,
@@ -107,6 +108,8 @@ const OPTIONS fipsinstall_options[] = {
       "Disallow X931 Padding for RSA signing"},
      {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
       "Enable key check for HKDF"},
+    {"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
+     "Enable key check for KBKDF"},
      {"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
       "Enable key check for TLS13-KDF"},
      {"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
@@ -154,6 +157,7 @@ typedef struct {
      unsigned int rsa_pkcs15_padding_disabled : 1;
      unsigned int sign_x931_padding_disabled : 1;
      unsigned int hkdf_key_check : 1;
+    unsigned int kbkdf_key_check : 1;
      unsigned int tls13_kdf_key_check : 1;
      unsigned int tls1_prf_key_check : 1;
      unsigned int sshkdf_key_check : 1;
@@ -182,6 +186,7 @@ static const FIPS_OPTS pedantic_opts = {
      1,      /* rsa_pkcs15_padding_disabled */
      1,      /* sign_x931_padding_disabled */
      1,      /* hkdf_key_check */
+    1,      /* kbkdf_key_check */
      1,      /* tls13_kdf_key_check */
      1,      /* tls1_prf_key_check */
      1,      /* sshkdf_key_check */
@@ -210,6 +215,7 @@ static FIPS_OPTS fips_opts = {
      0,      /* rsa_pkcs15_padding_disabled */
      0,      /* sign_x931_padding_disabled */
      0,      /* hkdf_key_check */
+    0,      /* kbkdf_key_check */
      0,      /* tls13_kdf_key_check */
      0,      /* tls1_prf_key_check */
      0,      /* sshkdf_key_check */
@@ -371,6 +377,8 @@ static int write_config_fips_section(BIO *out, const char *section,
                        opts->sign_x931_padding_disabled ? "1" : "0") <= 0
          || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
                        opts->hkdf_key_check ? "1": "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
+                      opts->kbkdf_key_check ? "1": "0") <= 0
          || BIO_printf(out, "%s = %s\n",
                        OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
                        opts->tls13_kdf_key_check ? "1": "0") <= 0
@@ -610,6 +618,9 @@ int fipsinstall_main(int argc, char **argv)
          case OPT_HKDF_KEY_CHECK:
              fips_opts.hkdf_key_check = 1;
              break;
+        case OPT_KBKDF_KEY_CHECK:
+            fips_opts.kbkdf_key_check = 1;
+            break;
          case OPT_TLS13_KDF_KEY_CHECK:
              fips_opts.tls13_kdf_key_check = 1;
              break;
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h

index 07c30a7e4fa28f75ec989e0a33615d672194827f..c83b4b803b62e968caaa4a153cc9b652ee54c2d7 100644 (file)
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -174,6 +174,14 @@ extern "C" {
   */
  # define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check"
  
+/*
+ * A boolean that determines if the runtime FIPS key check for KBKDF is
+ * performed.
+ * This is disabled by default.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check"
+
  /*
   * A boolean that determines if the runtime FIPS key check for TLS13 KDF is
   * performed.
author	Pauli <ppzgs1@gmail.com>
	Mon, 5 Aug 2024 05:45:30 +0000 (15:45 +1000)
committer	Pauli <ppzgs1@gmail.com>
	Wed, 7 Aug 2024 22:42:59 +0000 (08:42 +1000)
apps/fipsinstall.c		patch \| blob \| blame \| history
include/openssl/fips_names.h		patch \| blob \| blame \| history