From: Dimitri John Ledkov Date: Sun, 10 Aug 2025 23:20:25 +0000 (+0100) Subject: fips: make PROV_NAMES_HMAC_DRBG_KDF internal only X-Git-Tag: openssl-3.6.0-alpha1~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71d3703e5d3715b23554a4818a2d480f9d306bdb;p=thirdparty%2Fopenssl.git fips: make PROV_NAMES_HMAC_DRBG_KDF internal only Reviewed-by: Shane Lontis Reviewed-by: Neil Horman Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28213)
---
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 08ec84c3454..55aa27cb669 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -409,23 +409,32 @@ static const OSSL_ALGORITHM fips_macs_internal[] = {
 { NULL, NULL, NULL }
 };

+#define FIPS_KDFS_COMMON() \
+ { PROV_NAMES_HKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_functions }, \
+ { PROV_NAMES_HKDF_SHA256, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha256_functions }, \
+ { PROV_NAMES_HKDF_SHA384, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha384_functions }, \
+ { PROV_NAMES_HKDF_SHA512, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha512_functions }, \
+ { PROV_NAMES_TLS1_3_KDF, FIPS_DEFAULT_PROPERTIES, \
+ ossl_kdf_tls1_3_kdf_functions }, \
+ { PROV_NAMES_SSKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions }, \
+ { PROV_NAMES_PBKDF2, FIPS_DEFAULT_PROPERTIES, ossl_kdf_pbkdf2_functions }, \
+ { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions }, \
+ { PROV_NAMES_X963KDF, FIPS_DEFAULT_PROPERTIES, \
+ ossl_kdf_x963_kdf_functions }, \
+ { PROV_NAMES_X942KDF_ASN1, FIPS_DEFAULT_PROPERTIES, \
+ ossl_kdf_x942_kdf_functions }, \
+ { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, \
+ ossl_kdf_tls1_prf_functions }, \
+ { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions }
+
 static const OSSL_ALGORITHM fips_kdfs[] = {
- { PROV_NAMES_HKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_functions },
- { PROV_NAMES_HKDF_SHA256, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha256_functions },
- { PROV_NAMES_HKDF_SHA384, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha384_functions },
- { PROV_NAMES_HKDF_SHA512, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha512_functions },
- { PROV_NAMES_TLS1_3_KDF, FIPS_DEFAULT_PROPERTIES,
- ossl_kdf_tls1_3_kdf_functions },
- { PROV_NAMES_SSKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions },
- { PROV_NAMES_PBKDF2, FIPS_DEFAULT_PROPERTIES, ossl_kdf_pbkdf2_functions },
- { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
- { PROV_NAMES_X963KDF, FIPS_DEFAULT_PROPERTIES,
- ossl_kdf_x963_kdf_functions },
- { PROV_NAMES_X942KDF_ASN1, FIPS_DEFAULT_PROPERTIES,
- ossl_kdf_x942_kdf_functions },
- { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
- ossl_kdf_tls1_prf_functions },
- { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+ FIPS_KDFS_COMMON(),
+ { NULL, NULL, NULL }
+};
+
+static const OSSL_ALGORITHM fips_kdfs_internal[] = {
+ FIPS_KDFS_COMMON(),
+ /* For deterministic ECDSA */
 { PROV_NAMES_HMAC_DRBG_KDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hmac_drbg_functions },
 { NULL, NULL, NULL }
 };
@@ -721,15 +730,20 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
 static const OSSL_ALGORITHM *fips_query_internal(void *provctx, int operation_id,
 int *no_cache)
 {
- int is_digest_op = (operation_id == OSSL_OP_DIGEST);
-
- if (is_digest_op
- || operation_id == OSSL_OP_MAC) {
- *no_cache = 0;
- if (!ossl_prov_is_running())
- return NULL;
- return is_digest_op ? fips_digests_internal : fips_macs_internal;
+ *no_cache = 0;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ switch (operation_id) {
+ case OSSL_OP_DIGEST:
+ return fips_digests_internal;
+ case OSSL_OP_MAC:
+ return fips_macs_internal;
+ case OSSL_OP_KDF:
+ return fips_kdfs_internal;
 }
+
 return fips_query(provctx, operation_id, no_cache);
 }
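Review bot: In the first hunk, `FIPS_KDFS_COMMON()` now feeds both `fips_kdfs` and `fips_kdfs_internal`, but nothing at the macro says that every entry added to it also lands in the non-internal table. A comment above the `#define`, for example `/* KDFs listed in both fips_kdfs and fips_kdfs_internal; internal-only KDFs go in fips_kdfs_internal alone */`, would keep a later addition from undoing the split this commit introduces. The `/* For deterministic ECDSA */` comment could also say that the `PROV_NAMES_HMAC_DRBG_KDF` entry is deliberately absent from `fips_kdfs`. The patch as shown touches only fipsprov.c, so it cannot be told from here whether a test asserts that this KDF is no longer returned by the non-internal query; if none exists, one would pin the new boundary.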
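Review bot: The new `switch (operation_id)` in `fips_query_internal` has no `default:` label, so the hand-off to `fips_query()` for every other operation is implicit; adding `default: break;` makes it explicit and keeps switch-default warnings quiet. Since `OSSL_OP_KDF` now resolves to `fips_kdfs_internal` here, keeping the `PROV_NAMES_HMAC_DRBG_KDF` entry internal appears to depend on this function being reachable only through the provider's internal dispatch, and that wiring is outside the hunk. A comment on the function such as `/* Internal queries only: may return algorithms that are not in the tables fips_query() serves */` would record that constraint. `*no_cache = 0` and the `ossl_prov_is_running()` check now also run before delegating to `fips_query()`; this looks harmless, but `fips_query()`'s body is not visible here to confirm it.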