From: Pauli <ppzgs1@gmail.com>
Date: Mon, 5 Aug 2024 05:45:30 +0000 (+1000)
Subject: fipsinstall: add kbkdf key check option
X-Git-Tag: openssl-3.4.0-alpha1~189
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=090247b2e29a71f49c12a753ca9204c30d14a0f8;p=thirdparty%2Fopenssl.git

fipsinstall: add kbkdf key check option

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
---

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 269b0a7e73e..70447e1db34 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -50,6 +50,7 @@ typedef enum OPTION_choice {
     OPT_DISALLOW_DSA_SIGN,
     OPT_DISALLOW_TDES_ENCRYPT,
     OPT_HKDF_KEY_CHECK,
+    OPT_KBKDF_KEY_CHECK,
     OPT_TLS13_KDF_KEY_CHECK,
     OPT_TLS1_PRF_KEY_CHECK,
     OPT_SSHKDF_KEY_CHECK,
@@ -107,6 +108,8 @@ const OPTIONS fipsinstall_options[] = {
      "Disallow X931 Padding for RSA signing"},
     {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
      "Enable key check for HKDF"},
+    {"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
+     "Enable key check for KBKDF"},
     {"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
      "Enable key check for TLS13-KDF"},
     {"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
@@ -154,6 +157,7 @@ typedef struct {
     unsigned int rsa_pkcs15_padding_disabled : 1;
     unsigned int sign_x931_padding_disabled : 1;
     unsigned int hkdf_key_check : 1;
+    unsigned int kbkdf_key_check : 1;
     unsigned int tls13_kdf_key_check : 1;
     unsigned int tls1_prf_key_check : 1;
     unsigned int sshkdf_key_check : 1;
@@ -182,6 +186,7 @@ static const FIPS_OPTS pedantic_opts = {
     1,      /* rsa_pkcs15_padding_disabled */
     1,      /* sign_x931_padding_disabled */
     1,      /* hkdf_key_check */
+    1,      /* kbkdf_key_check */
     1,      /* tls13_kdf_key_check */
     1,      /* tls1_prf_key_check */
     1,      /* sshkdf_key_check */
@@ -210,6 +215,7 @@ static FIPS_OPTS fips_opts = {
     0,      /* rsa_pkcs15_padding_disabled */
     0,      /* sign_x931_padding_disabled */
     0,      /* hkdf_key_check */
+    0,      /* kbkdf_key_check */
     0,      /* tls13_kdf_key_check */
     0,      /* tls1_prf_key_check */
     0,      /* sshkdf_key_check */
@@ -371,6 +377,8 @@ static int write_config_fips_section(BIO *out, const char *section,
                       opts->sign_x931_padding_disabled ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
                       opts->hkdf_key_check ? "1": "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
+                      opts->kbkdf_key_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
                       OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
                       opts->tls13_kdf_key_check ? "1": "0") <= 0
@@ -610,6 +618,9 @@ int fipsinstall_main(int argc, char **argv)
         case OPT_HKDF_KEY_CHECK:
             fips_opts.hkdf_key_check = 1;
             break;
+        case OPT_KBKDF_KEY_CHECK:
+            fips_opts.kbkdf_key_check = 1;
+            break;
         case OPT_TLS13_KDF_KEY_CHECK:
             fips_opts.tls13_kdf_key_check = 1;
             break;
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 07c30a7e4fa..c83b4b803b6 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -174,6 +174,14 @@ extern "C" {
  */
 # define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check"
 
+/*
+ * A boolean that determines if the runtime FIPS key check for KBKDF is
+ * performed.
+ * This is disabled by default.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check"
+
 /*
  * A boolean that determines if the runtime FIPS key check for TLS13 KDF is
  * performed.