From 004077be1bd3aa68818c51e2879c2d8ffd841f02 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Mon, 4 Aug 2025 11:20:21 +1000
Subject: [PATCH] hkdf: introduce conditionals on the FIPS only parameters
Reviewed-by: Matt Caswell
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/28163)
---
 providers/implementations/kdfs/hkdf.c.in | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/kdfs/hkdf.c.in b/providers/implementations/kdfs/hkdf.c.in
index 3750da86e5c..634577c4cf3 100644
--- a/providers/implementations/kdfs/hkdf.c.in
+++ b/providers/implementations/kdfs/hkdf.c.in
@@ -271,8 +271,10 @@ struct hkdf_all_set_ctx_params_st {
 OSSL_PARAM *digest;
 OSSL_PARAM *key;
 OSSL_PARAM *salt;
+#ifdef FIPS_MODULE
 OSSL_PARAM *ind_k;
 OSSL_PARAM *ind_d;
+#endif
 OSSL_PARAM *prefix;
 OSSL_PARAM *label;
 OSSL_PARAM *data;
@@ -360,7 +362,7 @@ static int hkdf_common_set_ctx_params
 ['KDF_PARAM_DIGEST', 'digest', 'utf8_string'],
 ['KDF_PARAM_KEY', 'key', 'octet_string'],
 ['KDF_PARAM_SALT', 'salt', 'octet_string'],
- ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int'],
+ ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int', 'fips'],
 ['KDF_PARAM_INFO', 'info', 'octet_string', HKDF_MAX_INFOS],
 )); -}
@@ -400,7 +402,7 @@ static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx,
 ['KDF_PARAM_MODE', 'mode', 'int'],
 ['KDF_PARAM_SALT', 'salt', 'octet_string'],
 ['KDF_PARAM_INFO', 'info', 'octet_string'],
- ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int'],
+ ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int', 'fips'],
 )); -}
 static const OSSL_PARAM *hkdf_gettable_ctx_params(ossl_unused void *ctx,
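Review bot: The new `#ifdef FIPS_MODULE` around `ind_k` and `ind_d` in the hunk at @@ -271 carries no comment tying it to the `'fips'` tags this patch adds to the parameter tables, and the two have to stay in step. If a table entry later loses its tag, the generated decoder would presumably reference a field that does not exist in non-FIPS builds. I would add `/* FIPS indicator overrides: keep in sync with the 'fips'-tagged table entries */` above the guard. Any hand-written read of these fields elsewhere in the file needs the same guard, or a macro that discards its argument when `FIPS_MODULE` is undefined; none of that code is visible here. The struct definition starts and ends outside the hunk.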
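Review bot: Tagging `KDF_PARAM_FIPS_KEY_CHECK` as `'fips'` in the table at @@ -360 changes which parameters a non-FIPS build advertises and decodes, yet the diffstat shows only hkdf.c.in changing, so nothing pins the new behaviour. The same applies to the tagged entries at @@ -400, @@ -527 and @@ -1014. A caller that still passes the key-check or digest-check parameter to a non-FIPS provider should get a successful set with the value ignored, not a failure. Whether the generated decoder skips unknown keys is not visible in this patch, so that is worth confirming with a test. A companion test that the FIPS build still lists all three indicator parameters would catch a tag that accidentally hides a check there.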
@@ -527,7 +529,7 @@ static void *kdf_hkdf_fixed_digest_new(void *provctx, const char *digest)
 ['KDF_PARAM_DIGEST', 'digest', 'utf8_string', 'hidden'],
 ['KDF_PARAM_KEY', 'key', 'octet_string'],
 ['KDF_PARAM_SALT', 'salt', 'octet_string'],
- ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int'],
+ ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int', 'fips'],
 ['KDF_PARAM_INFO', 'info', 'octet_string', HKDF_MAX_INFOS],
 )); -}
@@ -1014,8 +1016,8 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
 ['KDF_PARAM_DIGEST', 'digest', 'utf8_string'],
 ['KDF_PARAM_KEY', 'key', 'octet_string'],
 ['KDF_PARAM_SALT', 'salt', 'octet_string'],
- ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int'],
- ['KDF_PARAM_FIPS_DIGEST_CHECK', 'ind_d', 'int'],
+ ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int', 'fips'],
+ ['KDF_PARAM_FIPS_DIGEST_CHECK', 'ind_d', 'int', 'fips'],
 ['KDF_PARAM_PREFIX', 'prefix', 'octet_string'],
 ['KDF_PARAM_LABEL', 'label', 'octet_string'],
 ['KDF_PARAM_DATA', 'data', 'octet_string'],
-- 
2.47.2