[openssl/openssl] 83ccf8: fips: rework the option handling code

Pauli noreply at github.com
Tue Mar 28 22:28:40 UTC 2023


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 83ccf81b1dd8886d54c570354ef8c532af4c514f
      https://github.com/openssl/openssl/commit/83ccf81b1dd8886d54c570354ef8c532af4c514f
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M include/openssl/core_names.h
    M include/openssl/fips_names.h
    M providers/fips/fipsprov.c

  Log Message:
  -----------
  fips: rework the option handling code

Add option for restricting digests available to DRBGs.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: f553c0f0dd24f037f31d971a99a1ffe7a11f64e6
      https://github.com/openssl/openssl/commit/f553c0f0dd24f037f31d971a99a1ffe7a11f64e6
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M providers/implementations/rands/drbg.c
    M providers/implementations/rands/drbg_hash.c
    M providers/implementations/rands/drbg_hmac.c
    M providers/implementations/rands/drbg_local.h

  Log Message:
  -----------
  DRBG: restrict the digests that can be used with HMAC and Hash DRBGs.

According to FIPS 140-3 IG D.R: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

Outside of FIPS, there remains no restriction other than not allowing
XOF digests.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: e14fc22c90ce5a9e6d66d8658fc6bb37f95019da
      https://github.com/openssl/openssl/commit/e14fc22c90ce5a9e6d66d8658fc6bb37f95019da
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M doc/man1/openssl-fipsinstall.pod.in
    M doc/man7/EVP_RAND-HASH-DRBG.pod
    M doc/man7/EVP_RAND-HMAC-DRBG.pod

  Log Message:
  -----------
  doc: note the restriction on digests used by DRBGs in FIPS mode.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: 808b30f6b60da3e92283e315f2e6f0e574a62080
      https://github.com/openssl/openssl/commit/808b30f6b60da3e92283e315f2e6f0e574a62080
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M CHANGES.md

  Log Message:
  -----------
  changes: note the banning of truncated hashes with DRBGs

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: b345dbed28701f8aab06b0271603186127499928
      https://github.com/openssl/openssl/commit/b345dbed28701f8aab06b0271603186127499928
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M apps/fipsinstall.c

  Log Message:
  -----------
  Let fipsinstall know about DRBG digest limiting

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: 78bcbc1ea440feac3e9a3292dba4b055b81ca29e
      https://github.com/openssl/openssl/commit/78bcbc1ea440feac3e9a3292dba4b055b81ca29e
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M test/recipes/03-test_fipsinstall.t

  Log Message:
  -----------
  test: test -drbg_allow_truncated_digests option

Verify that the option produces the correct output in the FIPS configuration
file and that the default is as expected.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


  Commit: 30ab774770a7e8547b0d6363b63a73cc80f33a7b
      https://github.com/openssl/openssl/commit/30ab774770a7e8547b0d6363b63a73cc80f33a7b
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    A providers/common/include/prov/fipscommon.h
    M providers/common/securitycheck_fips.c
    M providers/fips/fipsprov.c
    M providers/implementations/rands/drbg.c

  Log Message:
  -----------
  Declare FIPS option functions in their own header

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)


Compare: https://github.com/openssl/openssl/compare/3c95ef22df55...30ab774770a7

