mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-30 14:01:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Let fipsinstall know about DRBG digiest limiting

Browse Source 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)
This commit is contained in:
Pauli 2023-03-20 09:46:08 +11:00
parent 808b30f6b6
commit b345dbed28
1 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
apps/fipsinstall.c
View File

@ -39,6 +39,7 @@ typedef enum OPTION_choice {
OPT_NO_CONDITIONAL_ERRORS,
OPT_NO_SECURITY_CHECKS,
OPT_TLS_PRF_EMS_CHECK,
OPT_DISALLOW_DRGB_TRUNC_DIGEST,
OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
} OPTION_CHOICE;
@ -62,14 +63,16 @@ const OPTIONS fipsinstall_options[] = {
"Forces self tests to run once on module installation"},
{"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
"Enable the run-time FIPS check for EMS during TLS1_PRF"},
{"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
"Disallow truncated digests with Hash and HMAC DRBGs"},
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output config file, used when generating"},
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. "
"See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."},
{OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
@ -175,6 +178,7 @@ static int write_config_fips_section(BIO *out, const char *section,
int conditional_errors,
int security_checks,
int ems_check,
int drgb_no_trunc_dgst,
unsigned char *install_mac,
size_t install_mac_len)
{
@ -190,6 +194,8 @@ static int write_config_fips_section(BIO *out, const char *section,
security_checks ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
ems_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
drgb_no_trunc_dgst ? "1" : "0") <= 0
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
module_mac_len))
goto end;
@ -212,7 +218,8 @@ static CONF *generate_config_and_load(const char *prov_name,
size_t module_mac_len,
int conditional_errors,
int security_checks,
int ems_check)
int ems_check,
int drgb_no_trunc_dgst)
{
BIO *mem_bio = NULL;
CONF *conf = NULL;
@ -226,6 +233,7 @@ static CONF *generate_config_and_load(const char *prov_name,
conditional_errors,
security_checks,
ems_check,
drgb_no_trunc_dgst,
NULL, 0))
goto end;
@ -323,7 +331,8 @@ int fipsinstall_main(int argc, char **argv)
{
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1;
int enable_conditional_errors = 1, enable_security_checks = 1;
int enable_tls_prf_ems_check = 0; /* This is off by default */
int enable_tls_prf_ems_check = 0; /* This is off by default */
int enable_drgb_no_trunc_dgst = 0; /* This is off by default */
const char *section_name = "fips_sect";
const char *mac_name = "HMAC";
const char *prov_name = "fips";
@ -372,6 +381,9 @@ opthelp:
case OPT_TLS_PRF_EMS_CHECK:
enable_tls_prf_ems_check = 1;
break;
case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
enable_drgb_no_trunc_dgst = 1;
break;
case OPT_QUIET:
quiet = 1;
/* FALLTHROUGH */
@ -536,7 +548,8 @@ opthelp:
module_mac_len,
enable_conditional_errors,
enable_security_checks,
enable_tls_prf_ems_check);
enable_tls_prf_ems_check,
enable_drgb_no_trunc_dgst);
if (conf == NULL)
goto end;
if (!load_fips_prov_and_run_self_test(prov_name))
@ -554,6 +567,7 @@ opthelp:
enable_conditional_errors,
enable_security_checks,
enable_tls_prf_ems_check,
enable_drgb_no_trunc_dgst,
install_mac, install_mac_len))
goto end;
if (!quiet)