diff options
author | Pauli <pauli@openssl.org> | 2023-03-20 09:46:08 +1100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-03-29 09:25:58 +1100 |
commit | b345dbed28701f8aab06b0271603186127499928 (patch) | |
tree | 60a1141900c7be57c0980cdfb610b3435b488e88 /apps | |
parent | 808b30f6b60da3e92283e315f2e6f0e574a62080 (diff) | |
download | openssl-new-b345dbed28701f8aab06b0271603186127499928.tar.gz |
Let fipsinstall know about DRBG digiest limiting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/fipsinstall.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 2e6edc007a..3b0c52f1f5 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -39,6 +39,7 @@ typedef enum OPTION_choice { OPT_NO_CONDITIONAL_ERRORS, OPT_NO_SECURITY_CHECKS, OPT_TLS_PRF_EMS_CHECK, + OPT_DISALLOW_DRGB_TRUNC_DIGEST, OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL } OPTION_CHOICE; @@ -62,14 +63,16 @@ const OPTIONS fipsinstall_options[] = { "Forces self tests to run once on module installation"}, {"ems_check", OPT_TLS_PRF_EMS_CHECK, '-', "Enable the run-time FIPS check for EMS during TLS1_PRF"}, + {"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-', + "Disallow truncated digests with Hash and HMAC DRBGs"}, OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input config file, used when verifying"}, OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output config file, used when generating"}, {"mac_name", OPT_MAC_NAME, 's', "MAC name"}, - {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. " - "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, + {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."}, + {OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"}, {"noout", OPT_NO_LOG, '-', "Disable logging of self test events"}, {"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"}, {"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"}, @@ -175,6 +178,7 @@ static int write_config_fips_section(BIO *out, const char *section, int conditional_errors, int security_checks, int ems_check, + int drgb_no_trunc_dgst, unsigned char *install_mac, size_t install_mac_len) { @@ -190,6 +194,8 @@ static int write_config_fips_section(BIO *out, const char *section, security_checks ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, ems_check ? "1" : "0") <= 0 + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, + drgb_no_trunc_dgst ? "1" : "0") <= 0 || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, module_mac_len)) goto end; @@ -212,7 +218,8 @@ static CONF *generate_config_and_load(const char *prov_name, size_t module_mac_len, int conditional_errors, int security_checks, - int ems_check) + int ems_check, + int drgb_no_trunc_dgst) { BIO *mem_bio = NULL; CONF *conf = NULL; @@ -226,6 +233,7 @@ static CONF *generate_config_and_load(const char *prov_name, conditional_errors, security_checks, ems_check, + drgb_no_trunc_dgst, NULL, 0)) goto end; @@ -323,7 +331,8 @@ int fipsinstall_main(int argc, char **argv) { int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1; int enable_conditional_errors = 1, enable_security_checks = 1; - int enable_tls_prf_ems_check = 0; /* This is off by default */ + int enable_tls_prf_ems_check = 0; /* This is off by default */ + int enable_drgb_no_trunc_dgst = 0; /* This is off by default */ const char *section_name = "fips_sect"; const char *mac_name = "HMAC"; const char *prov_name = "fips"; @@ -372,6 +381,9 @@ opthelp: case OPT_TLS_PRF_EMS_CHECK: enable_tls_prf_ems_check = 1; break; + case OPT_DISALLOW_DRGB_TRUNC_DIGEST: + enable_drgb_no_trunc_dgst = 1; + break; case OPT_QUIET: quiet = 1; /* FALLTHROUGH */ @@ -536,7 +548,8 @@ opthelp: module_mac_len, enable_conditional_errors, enable_security_checks, - enable_tls_prf_ems_check); + enable_tls_prf_ems_check, + enable_drgb_no_trunc_dgst); if (conf == NULL) goto end; if (!load_fips_prov_and_run_self_test(prov_name)) @@ -554,6 +567,7 @@ opthelp: enable_conditional_errors, enable_security_checks, enable_tls_prf_ems_check, + enable_drgb_no_trunc_dgst, install_mac, install_mac_len)) goto end; if (!quiet) |