From: Pauli Date: Wed, 17 Jul 2024 00:35:37 +0000 (+1000) Subject: fipsinstall: add no_short_mac option X-Git-Tag: openssl-3.4.0-alpha1~284 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00231a6ae9dfe806bdc1107f2c5ae86015a2a9e0;p=thirdparty%2Fopenssl.git fipsinstall: add no_short_mac option Reviewed-by: Shane Lontis Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/24917) --- diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index d725839787b..3b7d0819ecc 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -38,7 +38,7 @@ typedef enum OPTION_choice { OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG, OPT_NO_CONDITIONAL_ERRORS, OPT_NO_SECURITY_CHECKS, - OPT_TLS_PRF_EMS_CHECK, + OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC, OPT_DISALLOW_DRGB_TRUNC_DIGEST, OPT_HKDF_DIGEST_CHECK, OPT_TLS13_KDF_DIGEST_CHECK, @@ -71,6 +71,7 @@ const OPTIONS fipsinstall_options[] = { "Forces self tests to run once on module installation"}, {"ems_check", OPT_TLS_PRF_EMS_CHECK, '-', "Enable the run-time FIPS check for EMS during TLS1_PRF"}, + {"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"}, {"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-', "Disallow truncated digests with Hash and HMAC DRBGs"}, {"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-', @@ -108,6 +109,7 @@ typedef struct { unsigned int conditional_errors : 1; unsigned int security_checks : 1; unsigned int tls_prf_ems_check : 1; + unsigned int no_short_mac : 1; unsigned int drgb_no_trunc_dgst : 1; unsigned int hkdf_digest_check : 1; unsigned int tls13_kdf_digest_check : 1; @@ -124,6 +126,7 @@ static const FIPS_OPTS pedantic_opts = { 1, /* conditional_errors */ 1, /* security_checks */ 1, /* tls_prf_ems_check */ + 1, /* no_short_mac */ 1, /* drgb_no_trunc_dgst */ 1, /* hkdf_digest_check */ 1, /* tls13_kdf_digest_check */ 
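Review bot: The help string added to `fipsinstall_options` in the `@@ -71,6 +71,7 @@` hunk, `"Disallow short MAC output"`, does not say what length counts as short or which MAC algorithms the setting covers. This diff touches only `apps/fipsinstall.c` and `util/mk-fipsmodule-cnf.pl`, so no manual-page entry for `-no_short_mac` is visible here; if it is not added elsewhere in the series, an operator has nothing to consult before relying on this compliance switch. I would point the help text at the documentation, for example `"Disallow short MAC output (see the fipsinstall manual page)"`, and add the option and its length limit to that page.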
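Review bot: In the `pedantic_opts` initializer (`@@ -124,6 +126,7 @@`) and again in `fips_opts` (`@@ -140,6 +143,7 @@`), the new value is tied to its field only by position and a trailing comment. Every `FIPS_OPTS` member visible in the struct hunk is a one-bit `unsigned int`, so an entry inserted one slot off would compile cleanly and silently shift the security settings that follow it. Where the project's supported compilers allow it, designated initializers such as `.no_short_mac = 1,` remove that dependency on ordering. Both initializers start and end outside their hunks, so the full field order cannot be checked from this page.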
@@ -140,6 +143,7 @@ static FIPS_OPTS fips_opts = { 1, /* conditional_errors */ 1, /* security_checks */ 0, /* tls_prf_ems_check */ + 0, /* no_short_mac */ 0, /* drgb_no_trunc_dgst */ 0, /* hkdf_digest_check */ 0, /* tls13_kdf_digest_check */ @@ -269,6 +273,8 @@ static int write_config_fips_section(BIO *out, const char *section, opts->security_checks ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, opts->tls_prf_ems_check ? "1" : "0") <= 0 + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC, + opts->no_short_mac ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, opts->drgb_no_trunc_dgst ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK, @@ -472,6 +478,9 @@ int fipsinstall_main(int argc, char **argv) case OPT_TLS_PRF_EMS_CHECK: fips_opts.tls_prf_ems_check = 1; break; + case OPT_NO_SHORT_MAC: + fips_opts.no_short_mac = 1; + break; case OPT_DISALLOW_DRGB_TRUNC_DIGEST: fips_opts.drgb_no_trunc_dgst = 1; break; diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl index 54b774e0631..6ff8fc20b7c 100644 --- a/util/mk-fipsmodule-cnf.pl +++ b/util/mk-fipsmodule-cnf.pl @@ -13,6 +13,7 @@ use Getopt::Long; my $conditional_errors = 1; my $security_checks = 1; my $ems_check = 1; +my $no_short_mac = 1; my $drgb_no_trunc_dgst = 1; my $kdf_digest_check = 1; my $dsa_sign_disabled = 1; @@ -50,6 +51,7 @@ install-version = $version conditional-errors = $conditional_errors security-checks = $security_checks tls1-prf-ems-check = $ems_check +no-short-mac = $no_short_mac drbg-no-trunc-md = $drgb_no_trunc_dgst dsa-sign-disabled = $dsa_sign_disabled module-mac = $module_mac
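Review bot: The default `fips_opts` in the `@@ -140,6 +143,7 @@` hunk sets `no_short_mac` to 0, so a configuration written by a plain `openssl fipsinstall` run records the check as off, and short MAC output stays permitted unless the operator passes `-no_short_mac` or the pedantic set is selected. `util/mk-fipsmodule-cnf.pl` (`@@ -13,6 +13,7 @@`) hard-codes `$no_short_mac = 1`, so the configuration it generates is stricter than the installer's default; if the test suite runs against that file (not visible here), the default-off path goes unexercised. I would record the intent next to the value, e.g. `0, /* no_short_mac: off unless -no_short_mac or pedantic */`, and mark the difference in the Perl script with a comment such as `# stricter than the fipsinstall default (0)`.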
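Review bot: `write_config_fips_section` (`@@ -269,6 +273,8 @@`) now emits `OSSL_PROV_PARAM_NO_SHORT_MAC`, but neither the macro's definition nor any provider code that reads the resulting key appears in this diff. If the key written here and the key the FIPS provider looks up ever diverge, `-no_short_mac` would write a setting that is never enforced while the operator believes short MACs are rejected. A test that installs with `-no_short_mac` and then checks that a short MAC request is refused would pin this end to end; none is added here. The macro also lacks the `FIPS_` infix used by the neighbouring `OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK` and `OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK`, though it matches `OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST`. The function begins and ends outside the hunk.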