diff options
author | Pauli <ppzgs1@gmail.com> | 2024-08-05 15:45:30 +1000 |
---|---|---|
committer | Pauli <ppzgs1@gmail.com> | 2024-08-08 08:42:59 +1000 |
commit | 090247b2e29a71f49c12a753ca9204c30d14a0f8 (patch) | |
tree | 8f4bfedbf36864ff8ca2c32b1b7bdf2873dba478 /apps | |
parent | e77eb1dc0be75c98c53c932c861dd52e8896cc13 (diff) |
fipsinstall: add kbkdf key check option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/fipsinstall.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 269b0a7e73..70447e1db3 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -50,6 +50,7 @@ typedef enum OPTION_choice { OPT_DISALLOW_DSA_SIGN, OPT_DISALLOW_TDES_ENCRYPT, OPT_HKDF_KEY_CHECK, + OPT_KBKDF_KEY_CHECK, OPT_TLS13_KDF_KEY_CHECK, OPT_TLS1_PRF_KEY_CHECK, OPT_SSHKDF_KEY_CHECK, @@ -107,6 +108,8 @@ const OPTIONS fipsinstall_options[] = { "Disallow X931 Padding for RSA signing"}, {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-', "Enable key check for HKDF"}, + {"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-', + "Enable key check for KBKDF"}, {"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-', "Enable key check for TLS13-KDF"}, {"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-', @@ -154,6 +157,7 @@ typedef struct { unsigned int rsa_pkcs15_padding_disabled : 1; unsigned int sign_x931_padding_disabled : 1; unsigned int hkdf_key_check : 1; + unsigned int kbkdf_key_check : 1; unsigned int tls13_kdf_key_check : 1; unsigned int tls1_prf_key_check : 1; unsigned int sshkdf_key_check : 1; @@ -182,6 +186,7 @@ static const FIPS_OPTS pedantic_opts = { 1, /* rsa_pkcs15_padding_disabled */ 1, /* sign_x931_padding_disabled */ 1, /* hkdf_key_check */ + 1, /* kbkdf_key_check */ 1, /* tls13_kdf_key_check */ 1, /* tls1_prf_key_check */ 1, /* sshkdf_key_check */ @@ -210,6 +215,7 @@ static FIPS_OPTS fips_opts = { 0, /* rsa_pkcs15_padding_disabled */ 0, /* sign_x931_padding_disabled */ 0, /* hkdf_key_check */ + 0, /* kbkdf_key_check */ 0, /* tls13_kdf_key_check */ 0, /* tls1_prf_key_check */ 0, /* sshkdf_key_check */ @@ -371,6 +377,8 @@ static int write_config_fips_section(BIO *out, const char *section, opts->sign_x931_padding_disabled ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK, opts->hkdf_key_check ? "1": "0") <= 0 + || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK, + opts->kbkdf_key_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK, opts->tls13_kdf_key_check ? "1": "0") <= 0 @@ -610,6 +618,9 @@ int fipsinstall_main(int argc, char **argv) case OPT_HKDF_KEY_CHECK: fips_opts.hkdf_key_check = 1; break; + case OPT_KBKDF_KEY_CHECK: + fips_opts.kbkdf_key_check = 1; + break; case OPT_TLS13_KDF_KEY_CHECK: fips_opts.tls13_kdf_key_check = 1; break; |