fipsinstall: add kbkdf key check option

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25095)
2024-11-27 03:54:14 +08:00 · 2024-08-05 15:45:30 +10:00 · 2024-08-05 15:45:30 +10:00 · 090247b2e2
commit 090247b2e2
parent e77eb1dc0b
2 changed files with 19 additions and 0 deletions
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@ -50,6 +50,7 @@ typedef enum OPTION_choice {
    OPT_DISALLOW_DSA_SIGN,
    OPT_DISALLOW_TDES_ENCRYPT,
    OPT_HKDF_KEY_CHECK,
+    OPT_KBKDF_KEY_CHECK,
    OPT_TLS13_KDF_KEY_CHECK,
    OPT_TLS1_PRF_KEY_CHECK,
    OPT_SSHKDF_KEY_CHECK,
@ -107,6 +108,8 @@ const OPTIONS fipsinstall_options[] = {
     "Disallow X931 Padding for RSA signing"},
    {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
     "Enable key check for HKDF"},
+    {"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
+     "Enable key check for KBKDF"},
    {"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
     "Enable key check for TLS13-KDF"},
    {"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
@ -154,6 +157,7 @@ typedef struct {
    unsigned int rsa_pkcs15_padding_disabled : 1;
    unsigned int sign_x931_padding_disabled : 1;
    unsigned int hkdf_key_check : 1;
+    unsigned int kbkdf_key_check : 1;
    unsigned int tls13_kdf_key_check : 1;
    unsigned int tls1_prf_key_check : 1;
    unsigned int sshkdf_key_check : 1;
@ -182,6 +186,7 @@ static const FIPS_OPTS pedantic_opts = {
    1,      /* rsa_pkcs15_padding_disabled */
    1,      /* sign_x931_padding_disabled */
    1,      /* hkdf_key_check */
+    1,      /* kbkdf_key_check */
    1,      /* tls13_kdf_key_check */
    1,      /* tls1_prf_key_check */
    1,      /* sshkdf_key_check */
@ -210,6 +215,7 @@ static FIPS_OPTS fips_opts = {
    0,      /* rsa_pkcs15_padding_disabled */
    0,      /* sign_x931_padding_disabled */
    0,      /* hkdf_key_check */
+    0,      /* kbkdf_key_check */
    0,      /* tls13_kdf_key_check */
    0,      /* tls1_prf_key_check */
    0,      /* sshkdf_key_check */
@ -371,6 +377,8 @@ static int write_config_fips_section(BIO *out, const char *section,
                      opts->sign_x931_padding_disabled ? "1" : "0") <= 0
        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
                      opts->hkdf_key_check ? "1": "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
+                      opts->kbkdf_key_check ? "1": "0") <= 0
        || BIO_printf(out, "%s = %s\n",
                      OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
                      opts->tls13_kdf_key_check ? "1": "0") <= 0
@ -610,6 +618,9 @@ int fipsinstall_main(int argc, char **argv)
        case OPT_HKDF_KEY_CHECK:
            fips_opts.hkdf_key_check = 1;
            break;
+        case OPT_KBKDF_KEY_CHECK:
+            fips_opts.kbkdf_key_check = 1;
+            break;
        case OPT_TLS13_KDF_KEY_CHECK:
            fips_opts.tls13_kdf_key_check = 1;
            break;
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@ -174,6 +174,14 @@ extern "C" {
 */
 # define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check"

+/*
+ * A boolean that determines if the runtime FIPS key check for KBKDF is
+ * performed.
+ * This is disabled by default.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check"
+
 /*
 * A boolean that determines if the runtime FIPS key check for TLS13 KDF is
 * performed.