[openssl/openssl] 965a46: fips: rework the option handling code

Pauli noreply at github.com
Tue Mar 28 22:31:42 UTC 2023


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: 965a469529ab521d6cc4c09b0596e102691d8971
      https://github.com/openssl/openssl/commit/965a469529ab521d6cc4c09b0596e102691d8971
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M include/openssl/core_names.h
    M include/openssl/fips_names.h
    M providers/fips/fipsprov.c

  Log Message:
  -----------
  fips: rework the option handling code

Add option for restricting digests available to DRBGs.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 83ccf81b1dd8886d54c570354ef8c532af4c514f)


  Commit: 2d574892fee144f2307b5fb9c5b19d3cbe9ad99e
      https://github.com/openssl/openssl/commit/2d574892fee144f2307b5fb9c5b19d3cbe9ad99e
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M providers/implementations/rands/drbg.c
    M providers/implementations/rands/drbg_hash.c
    M providers/implementations/rands/drbg_hmac.c
    M providers/implementations/rands/drbg_local.h

  Log Message:
  -----------
  DRBG: restrict the digests that can be used with HMAC and Hash DRBGs.

According to FIPS 140-3 IG D.R: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

Outside of FIPS, there remains no restriction other than not allowing
XOF digests.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit f553c0f0dd24f037f31d971a99a1ffe7a11f64e6)


  Commit: 2fa58ca78266a0c9e01030520fe743cb7eeed72f
      https://github.com/openssl/openssl/commit/2fa58ca78266a0c9e01030520fe743cb7eeed72f
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M doc/man1/openssl-fipsinstall.pod.in
    M doc/man7/EVP_RAND-HASH-DRBG.pod
    M doc/man7/EVP_RAND-HMAC-DRBG.pod

  Log Message:
  -----------
  doc: note the restriction on digests used by DRBGs in FIPS mode.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit e14fc22c90ce5a9e6d66d8658fc6bb37f95019da)


  Commit: d5c1aa0eec288a2aac4ff400496c9411be9dad9f
      https://github.com/openssl/openssl/commit/d5c1aa0eec288a2aac4ff400496c9411be9dad9f
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M CHANGES.md

  Log Message:
  -----------
  changes: note the banning of truncated hashes with DRBGs

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 808b30f6b60da3e92283e315f2e6f0e574a62080)


  Commit: 4f822fba69b5c0c646b03000ed4794f1c9dcb8f5
      https://github.com/openssl/openssl/commit/4f822fba69b5c0c646b03000ed4794f1c9dcb8f5
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M apps/fipsinstall.c

  Log Message:
  -----------
  Let fipsinstall know about DRBG digest limiting

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit b345dbed28701f8aab06b0271603186127499928)


  Commit: 0c587f9bb2b28b91dc51647f50c291dce6fc1dd1
      https://github.com/openssl/openssl/commit/0c587f9bb2b28b91dc51647f50c291dce6fc1dd1
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    M test/recipes/03-test_fipsinstall.t

  Log Message:
  -----------
  test: test -drbg_allow_truncated_digests option

Verify that the option produces the correct output in the FIPS configuration
file and that the default is as expected.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 78bcbc1ea440feac3e9a3292dba4b055b81ca29e)


  Commit: ae87b41e9eb0ca3cd982a8d72048c4f79eb50e6d
      https://github.com/openssl/openssl/commit/ae87b41e9eb0ca3cd982a8d72048c4f79eb50e6d
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-29 (Wed, 29 Mar 2023)

  Changed paths:
    A providers/common/include/prov/fipscommon.h
    M providers/common/securitycheck_fips.c
    M providers/fips/fipsprov.c
    M providers/implementations/rands/drbg.c

  Log Message:
  -----------
  Declare FIPS option functions in their own header

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 30ab774770a7e8547b0d6363b63a73cc80f33a7b)


Compare: https://github.com/openssl/openssl/compare/fc814a30fc4f...ae87b41e9eb0

