Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages. * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch - FIPS: RSA keygen PCT requirements. * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the self-test requirements are covered by do_rsa_pct() for both RSA-OAEP and RSA signatures [bsc#1221760] * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] * Add openssl-3-FIPS-PCT_rsa_keygen.patch - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. [bsc#1220523] * Rebase openssl-Force-FIPS.patch - FIPS: Port openssl to use jitterentropy [bsc#1220523] * Set the module in error state if the jitter RNG fails either on initialization or entropy gathering because health tests failed. * Add jitterentropy as a seeding source output also in crypto/info.c * Move the jitter entropy collector and the associated lock out of the header file to avoid redefinitions. * Add the fips_local.cnf symlink to the spec file. This simlink points to the openssl_fips.config file that is provided by the crypto-policies package. * Rebase openssl-3-jitterentropy-3.4.0.patch * Rebase openssl-FIPS-enforce-EMS-support.patch - FIPS: Block non-Approved Elliptic Curves [bsc#1221786] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
878 lines
34 KiB
Diff
878 lines
34 KiB
Diff
From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Mon, 31 Jul 2023 09:41:29 +0200
|
|
Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
|
|
|
Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
|
Patch-id: 78
|
|
Patch-status: |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
|
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
---
|
|
include/crypto/evp.h | 7 ++
|
|
include/openssl/core_names.h | 1 +
|
|
include/openssl/kdf.h | 4 +
|
|
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
|
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
|
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
|
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
|
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
|
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
|
9 files changed, 487 insertions(+), 22 deletions(-)
|
|
|
|
Index: openssl-3.1.4/include/crypto/evp.h
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/include/crypto/evp.h
|
|
+++ openssl-3.1.4/include/crypto/evp.h
|
|
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
|
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
|
};
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
|
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
|
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
|
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
|
+#endif
|
|
+
|
|
struct evp_kdf_st {
|
|
OSSL_PROVIDER *prov;
|
|
int name_id;
|
|
Index: openssl-3.1.4/include/openssl/core_names.h
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/include/openssl/core_names.h
|
|
+++ openssl-3.1.4/include/openssl/core_names.h
|
|
@@ -226,6 +226,7 @@ extern "C" {
|
|
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
|
|
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
|
|
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
|
|
+#define OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
|
|
|
|
/* Known KDF names */
|
|
#define OSSL_KDF_NAME_HKDF "HKDF"
|
|
Index: openssl-3.1.4/include/openssl/kdf.h
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/include/openssl/kdf.h
|
|
+++ openssl-3.1.4/include/openssl/kdf.h
|
|
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *
|
|
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
|
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
|
|
|
+# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0
|
|
+# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED 1
|
|
+# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
|
|
+
|
|
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
|
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
|
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c
|
|
@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params
|
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
|
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
|
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
|
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
|
|
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
|
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
|
@@ -86,6 +87,10 @@ typedef struct {
|
|
size_t data_len;
|
|
unsigned char *info;
|
|
size_t info_len;
|
|
+ int is_tls13;
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} KDF_HKDF;
|
|
|
|
static void *kdf_hkdf_new(void *provctx)
|
|
@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, u
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
switch (ctx->mode) {
|
|
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
|
default:
|
|
@@ -363,13 +373,15 @@ static int kdf_hkdf_get_ctx_params(void
|
|
{
|
|
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
|
|
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
size_t sz = kdf_hkdf_size(ctx);
|
|
|
|
- if (sz == 0)
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
|
|
return 0;
|
|
- return OSSL_PARAM_set_size_t(p, sz);
|
|
}
|
|
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
|
|
if (ctx->info == NULL || ctx->info_len == 0) {
|
|
@@ -378,7 +390,68 @@ static int kdf_hkdf_get_ctx_params(void
|
|
}
|
|
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
|
|
}
|
|
- return -2;
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
|
|
+ != NULL) {
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ if (ctx->is_tls13) {
|
|
+ if (md != NULL
|
|
+ && !EVP_MD_is_a(md, "SHA2-256")
|
|
+ && !EVP_MD_is_a(md, "SHA2-384")) {
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
|
|
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
|
|
+ * key derivation function documented in Section 7.1 of RFC
|
|
+ * 8446. This is considered an approved CVL because the
|
|
+ * underlying functions performed within the TLS 1.3 KDF map to
|
|
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
|
|
+ * Option #3), SP 800-56Crev2, and SP 800-108."
|
|
+ *
|
|
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ } else {
|
|
+ if (md != NULL
|
|
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
|
|
+ EVP_MD_is_a(md, "SHAKE-256"))) {
|
|
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
|
|
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
|
|
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
|
|
+ * extendable-output functions may only be used as the
|
|
+ * standalone algorithms." */
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ }
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
@@ -387,6 +460,9 @@ static const OSSL_PARAM *kdf_hkdf_gettab
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|
|
@@ -717,6 +793,17 @@ static int prov_tls13_hkdf_generate_secr
|
|
return ret;
|
|
}
|
|
|
|
+static void *kdf_tls1_3_new(void *provctx)
|
|
+{
|
|
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
|
|
+
|
|
+ if (hkdf != NULL)
|
|
+ hkdf->is_tls13 = 1;
|
|
+
|
|
+ return hkdf;
|
|
+}
|
|
+
|
|
+
|
|
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
const OSSL_PARAM params[])
|
|
{
|
|
@@ -732,6 +819,11 @@ static int kdf_tls1_3_derive(void *vctx,
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
switch (ctx->mode) {
|
|
default:
|
|
return 0;
|
|
@@ -809,7 +901,7 @@ static const OSSL_PARAM *kdf_tls1_3_sett
|
|
}
|
|
|
|
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
|
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
|
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
|
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
|
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/kbkdf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
|
|
@@ -59,6 +59,9 @@ typedef struct {
|
|
kbkdf_mode mode;
|
|
EVP_MAC_CTX *ctx_init;
|
|
|
|
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
|
|
+ PROV_DIGEST digest;
|
|
+
|
|
/* Names are lowercased versions of those found in SP800-108. */
|
|
int r;
|
|
unsigned char *ki;
|
|
@@ -72,6 +75,9 @@ typedef struct {
|
|
int use_l;
|
|
int is_kmac;
|
|
int use_separator;
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} KBKDF;
|
|
|
|
/* Definitions needed for typechecking. */
|
|
@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
|
|
void *provctx = ctx->provctx;
|
|
|
|
EVP_MAC_CTX_free(ctx->ctx_init);
|
|
+ ossl_prov_digest_reset(&ctx->digest);
|
|
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
|
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
|
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
|
@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsi
|
|
goto done;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
|
if (h == 0)
|
|
goto done;
|
|
@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vc
|
|
}
|
|
}
|
|
|
|
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
|
+ return 0;
|
|
+
|
|
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
|
if (p != NULL
|
|
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
|
@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_
|
|
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
{
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
|
- if (p == NULL)
|
|
+ if (p != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* KBKDF can produce results as large as you like. */
|
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ KBKDF *ctx = (KBKDF *)vctx;
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
+ * extendable-output functions may only be used as the standalone
|
|
+ * algorithms." Note that the digest is only used when the MAC
|
|
+ * algorithm is HMAC. */
|
|
+ if (ctx->ctx_init != NULL
|
|
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
|
|
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
|
+ if (md != NULL
|
|
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ if (!any_valid)
|
|
return -2;
|
|
|
|
- /* KBKDF can produce results as large as you like. */
|
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
ossl_unused void *provctx)
|
|
{
|
|
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
|
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
|
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+ OSSL_PARAM_END
|
|
+ };
|
|
return known_gettable_ctx_params;
|
|
}
|
|
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/sshkdf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
|
|
@@ -49,6 +49,9 @@ typedef struct {
|
|
char type; /* X */
|
|
unsigned char *session_id;
|
|
size_t session_id_len;
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} KDF_SSHKDF;
|
|
|
|
static void *kdf_sshkdf_new(void *provctx)
|
|
@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx,
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
|
return 0;
|
|
}
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
return SSHKDF(md, ctx->key, ctx->key_len,
|
|
ctx->xcghash, ctx->xcghash_len,
|
|
ctx->session_id, ctx->session_id_len,
|
|
@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_sett
|
|
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
{
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
|
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
- return -2;
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ KDF_SSHKDF *ctx = vctx;
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
+ * extendable-output functions may only be used as the standalone
|
|
+ * algorithms."
|
|
+ *
|
|
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
|
|
+ * function used in SSHKDF "is one of the hash functions specified in
|
|
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
|
|
+ * */
|
|
+ if (ctx->digest.md != NULL
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gett
|
|
{
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/sskdf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/sskdf.c
|
|
@@ -63,6 +63,10 @@ typedef struct {
|
|
size_t salt_len;
|
|
size_t out_len; /* optional KMAC parameter */
|
|
int is_kmac;
|
|
+ int is_x963kdf;
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} KDF_SSKDF;
|
|
|
|
#define SSKDF_MAX_INLEN (1<<30)
|
|
@@ -73,6 +77,7 @@ typedef struct {
|
|
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
|
|
|
|
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
|
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
|
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
|
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
|
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
|
@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
|
|
return ctx;
|
|
}
|
|
|
|
+static void *x963kdf_new(void *provctx)
|
|
+{
|
|
+ KDF_SSKDF *ctx = sskdf_new(provctx);
|
|
+
|
|
+ if (ctx)
|
|
+ ctx->is_x963kdf = 1;
|
|
+
|
|
+ return ctx;
|
|
+}
|
|
+
|
|
static void sskdf_reset(void *vctx)
|
|
{
|
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
|
@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsi
|
|
}
|
|
md = ossl_prov_digest_md(&ctx->digest);
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
if (ctx->macctx != NULL) {
|
|
/* H(x) = KMAC or H(x) = HMAC */
|
|
int ret;
|
|
@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, un
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
|
ctx->info, ctx->info_len, 1, key, keylen);
|
|
}
|
|
@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vc
|
|
{
|
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
+
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
|
|
+ return 0;
|
|
+ }
|
|
|
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
|
|
- return -2;
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
+ * extendable-output functions may only be used as the standalone
|
|
+ * algorithms." */
|
|
+ if (ctx->macctx == NULL
|
|
+ || (ctx->macctx != NULL &&
|
|
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
|
|
+ if (ctx->digest.md != NULL
|
|
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
|
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+
|
|
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
|
|
+ * should only be used for 80-bit key agreement, but FIPS 140-3
|
|
+ * requires a security strength of 112 bits, so SHA-1 cannot be
|
|
+ * used with X9.63. See the discussion in
|
|
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
|
|
+ */
|
|
+ if (ctx->is_x963kdf
|
|
+ && ctx->digest.md != NULL
|
|
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_
|
|
{
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|
|
@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_funct
|
|
};
|
|
|
|
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
|
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
|
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
|
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
|
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
|
|
@@ -104,6 +104,13 @@ typedef struct {
|
|
/* Buffer of concatenated seed data */
|
|
unsigned char seed[TLS1_PRF_MAXBUF];
|
|
size_t seedlen;
|
|
+
|
|
+ /* MAC digest algorithm; used to compute FIPS indicator */
|
|
+ PROV_DIGEST digest;
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} TLS1_PRF;
|
|
|
|
static void *kdf_tls1_prf_new(void *provctx)
|
|
@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vct
|
|
EVP_MAC_CTX_free(ctx->P_sha1);
|
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
|
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
|
+ ossl_prov_digest_reset(&ctx->digest);
|
|
memset(ctx, 0, sizeof(*ctx));
|
|
ctx->provctx = provctx;
|
|
}
|
|
@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vct
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
return 0;
|
|
}
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
|
|
/*
|
|
* The seed buffer is prepended with a label.
|
|
@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(v
|
|
}
|
|
}
|
|
|
|
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
|
+ return 0;
|
|
+
|
|
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
|
ctx->sec = NULL;
|
|
@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_se
|
|
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
{
|
|
OSSL_PARAM *p;
|
|
+#ifdef FIPS_MODULE
|
|
+ TLS1_PRF *ctx = vctx;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
+
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
|
|
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
|
|
+ if (ctx->digest.md != NULL
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
|
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
- return -2;
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
|
@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_ge
|
|
{
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|
|
Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/kdfs/x942kdf.c
|
|
+++ openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
|
|
@@ -13,11 +13,13 @@
|
|
#include <openssl/core_dispatch.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/evp.h>
|
|
+#include <openssl/kdf.h>
|
|
#include <openssl/params.h>
|
|
#include <openssl/proverr.h>
|
|
#include "internal/packet.h"
|
|
#include "internal/der.h"
|
|
#include "internal/nelem.h"
|
|
+#include "crypto/evp.h"
|
|
#include "prov/provider_ctx.h"
|
|
#include "prov/providercommon.h"
|
|
#include "prov/implementations.h"
|
|
@@ -49,6 +51,9 @@ typedef struct {
|
|
const unsigned char *cek_oid;
|
|
size_t cek_oid_len;
|
|
int use_keybits;
|
|
+#ifdef FIPS_MODULE
|
|
+ int fips_indicator;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
} KDF_X942;
|
|
|
|
/*
|
|
@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, un
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
|
return 0;
|
|
}
|
|
+#ifdef FIPS_MODULE
|
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
|
der, der_len, ctr, key, keylen);
|
|
OPENSSL_free(der);
|
|
@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *
|
|
{
|
|
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
|
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
|
|
- return -2;
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ any_valid = 1;
|
|
+
|
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
+ * bits". */
|
|
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Verification Program, Section D.B and NIST Special Publication
|
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
+ * be longer than that. If a derived key has ever been shorter than
|
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
+ * should also set the returned FIPS indicator to unapproved. */
|
|
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+
|
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
+ * extendable-output functions may only be used as the standalone
|
|
+ * algorithms." */
|
|
+ if (ctx->digest.md != NULL
|
|
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
|
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettabl
|
|
{
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|