
Annotation of /rpms/openssl3/contribs10/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch



Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:47 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From 185fbbfea732588187c81d1b2cafb3e1fae9eb77 Mon Sep 17 00:00:00 2001
2     From: Clemens Lang <cllang@redhat.com>
3     Date: Thu, 17 Nov 2022 16:38:45 +0100
4     Subject: [PATCH 2/2] kbkdf: Add explicit FIPS indicator for key length
5    
6     NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from
7     a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he
8     length of the key-derivation key shall be at least 112 bits". It further
9     specifies that HMAC-based KDFs "with a key whose length is at least 112
10     bits" are acceptable.
11    
12     Add an explicit indicator for SP 800-108 KDFs that will mark shorter key
13     lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX
14     object using EVP_KDF_CTX_get_params() with the
15     OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR
16     parameter.
17    
18     Signed-off-by: Clemens Lang <cllang@redhat.com>
19     ---
20     providers/implementations/kdfs/kbkdf.c | 32 +++++++++++++++++++++-----
21     1 file changed, 26 insertions(+), 6 deletions(-)
22    
23     diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
24     index a542f84dfa..93a8a10537 100644
25     --- a/providers/implementations/kdfs/kbkdf.c
26     +++ b/providers/implementations/kdfs/kbkdf.c
27     @@ -365,18 +365,38 @@ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
28     OSSL_PARAM *p;
29    
30     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
31     - if (p == NULL)
32     - return -2;
33     + if (p != NULL)
34     + /* KBKDF can produce results as large as you like. */
35     + return OSSL_PARAM_set_size_t(p, SIZE_MAX);
36     +
37     +#ifdef FIPS_MODULE
38     + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
39     + if (p != NULL) {
40     + KBKDF *ctx = (KBKDF *)vctx;
41     + int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
42     + /* According to NIST Special Publication 800-131Ar2, Section 8:
43     + * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
44     + * the key-derivation key [i.e., the input key] shall be at least 112
45     + * bits". */
46     + if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
47     + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
48     + return OSSL_PARAM_set_int(p, fips_indicator);
49     + }
50     +#endif
51    
52     - /* KBKDF can produce results as large as you like. */
53     - return OSSL_PARAM_set_size_t(p, SIZE_MAX);
54     + return -2;
55     }
56    
57     static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
58     ossl_unused void *provctx)
59     {
60     - static const OSSL_PARAM known_gettable_ctx_params[] =
61     - { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
62     + static const OSSL_PARAM known_gettable_ctx_params[] = {
63     + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
64     +#ifdef FIPS_MODULE
65     + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
66     +#endif /* defined(FIPS_MODULE) */
67     + OSSL_PARAM_END
68     + };
69     return known_gettable_ctx_params;
70     }
71    
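Review bot: the early `return OSSL_PARAM_set_size_t(p, SIZE_MAX);` under `if (p != NULL)` means a caller that places both OSSL_KDF_PARAM_SIZE and OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR in the same params array never gets the indicator filled in, because kbkdf_get_ctx_params returns before reaching the second OSSL_PARAM_locate. Consider setting each located parameter in turn, returning 0 if a set fails and 1 at the end, and keeping the -2 return only for the case where neither parameter was requested. Separately, the comparison `ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN` sits under a comment quoting a 112-bit requirement, but neither ki_len nor EVP_KDF_FIPS_MIN_KEY_LEN (not defined in this hunk) is visibly stated in bits or bytes; if ki_len is a byte count, the threshold must be 14, not 112, so the unit should be confirmed and noted in the comment.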
72     --
73     2.38.1
74    
