File openssl-1_1-ossl-sli-020-PBKDF2-HMAC-size-SLI.patch of Package openssl-1_1.37526
diff --git a/crypto/fips/fips_sli.c b/crypto/fips/fips_sli.c
index a31f4d2..a92579d 100644
--- a/crypto/fips/fips_sli.c
+++ b/crypto/fips/fips_sli.c
@@ -140,6 +140,7 @@ typedef enum hash_usage_e {
HASH_SIGVER,
HASH_KDF_SSHKDF,
HASH_KDF_PBKDF2,
+ HASH_KDF_HKDF,
HASH_KDF_TLS,
HASH_RNG,
HASH_MAC,
@@ -161,8 +162,25 @@ static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) {
case NID_md5_sha1:
default:
return FIPS_NONAPPROVED;
- }
+ }
case HASH_KDF_PBKDF2:
+ case HASH_KDF_HKDF:
+ switch (EVP_MD_type(md)) {
+ //case NID_sha1:
+ case NID_sha224:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ case NID_sha512_224:
+ case NID_sha512_256:
+ case NID_sha3_224:
+ case NID_sha3_256:
+ case NID_sha3_384:
+ case NID_sha3_512:
+ return FIPS_APPROVED;
+ default:
+ return FIPS_NONAPPROVED;
+ }
case HASH_MAC:
switch (EVP_MD_type(md)) {
case NID_sha224:
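Review bot: The `//case NID_sha1:` line in the new shared HASH_KDF_PBKDF2/HASH_KDF_HKDF switch is commented-out code, and nothing records why SHA-1 is left out, so the next reader cannot tell a deliberate policy from an unfinished edit. Replace it with a statement of the decision, e.g. `/* SHA-1 deliberately not approved for PBKDF2/HKDF in this SLI */`, or drop the line. Note also that `case HASH_KDF_PBKDF2:` was previously followed directly by `case HASH_MAC:`, i.e. PBKDF2 used the HMAC table; this hunk therefore changes PBKDF2's approved-digest set as well as adding HKDF, which deserves a sentence in the patch description. get_fips_hash_status continues outside the hunk.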
@@ -239,6 +257,9 @@ make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC)
FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md) {
return get_fips_hash_status(md, HASH_KDF_SSHKDF);
}
+FIPS_STATUS fips_sli_get_hash_status_hkdf(const EVP_MD * md) {
+ return get_fips_hash_status(md, HASH_KDF_HKDF);
+}
FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md) {
return get_fips_hash_status(md, HASH_KDF_PBKDF2);
}
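Review bot: The header part of this patch declares `fips_sli_check_hash_pbkdf2_HMAC_CTX(EVP_KDF_CTX * ctx, const EVP_MD * md)`, but this hunk, where the `make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC)` instances live, adds no matching instance or definition, and no other hunk in the patch defines it. The `_HMAC_CTX` suffix also disagrees with the `EVP_KDF_CTX *` parameter, so it does not look like the output of the existing macro. If the new pbkdf2.c code does not call it, drop the declaration; if it is meant to be used, add the definition next to the new `fips_sli_get_hash_status_hkdf` wrapper here with a name that matches its parameter type.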
diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c
index 12f4167..616a542 100644
--- a/crypto/kdf/hkdf.c
+++ b/crypto/kdf/hkdf.c
@@ -16,6 +16,7 @@
#include "internal/cryptlib.h"
#include "crypto/evp.h"
#include "kdf_local.h"
+#include "internal/fips_sli_local.h"
#define HKDF_MAXBUF 1024
@@ -222,8 +223,10 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
}
}
-static int kdf_hkdf_fips_sli_is_approved(EVP_KDF_IMPL *impl) {
- if (impl->key_len < 112)
+static int kdf_hkdf_fips_sli_is_approved(const EVP_KDF_IMPL *impl) {
+ if (fips_sli_get_hash_status_hkdf(impl->md) != FIPS_APPROVED)
+ return 0;
+ if (impl->key_len < 112/8)
return 0;
return 1;
}
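Review bot: The key-length floor in `kdf_hkdf_fips_sli_is_approved` is written as the bare expression `112/8`, which restates the policy inline and, when the same expression is copied into pbkdf2.c, duplicates it; the header already exposes `fips_sli_get_kdf_keylen_status(size_t keylen_bytes)`, which looks like the single place this rule should live. If `impl->key_len` is a byte count (the change from 112 to 112/8 suggests it is, but the struct is not in view), the second check can become `if (fips_sli_get_kdf_keylen_status(impl->key_len) != FIPS_APPROVED) return 0;` and the magic number goes away. Separately, if `impl->md` can still be NULL at the point this predicate is queried, the new `fips_sli_get_hash_status_hkdf(impl->md)` call hands NULL to EVP_MD_type; a leading `if (impl->md == NULL) return 0;` makes that case report non-approved instead of faulting.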
diff --git a/crypto/kdf/pbkdf2.c b/crypto/kdf/pbkdf2.c
index 2310580..25d526a 100644
--- a/crypto/kdf/pbkdf2.c
+++ b/crypto/kdf/pbkdf2.c
@@ -34,6 +34,14 @@ struct evp_kdf_impl_st {
FIPS_STATUS sli; /* Service Level Indicator */
};
+static int kdf_pbkdf_fips_sli_is_approved(const EVP_KDF_IMPL *impl) {
+ if (fips_sli_get_hash_status_pbkdf2(impl->md) != FIPS_APPROVED)
+ return 0;
+ if (impl->pass_len < 112/8)
+ return 0;
+ return 1;
+}
+
static ossl_unused int fips_sli_is_approved_struct_evp_kdf_impl_st(const struct evp_kdf_impl_st *ctx);
fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st)
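Review bot: The new function is named `kdf_pbkdf_fips_sli_is_approved` while every other function in this file's method table uses the `kdf_pbkdf2_` prefix (`kdf_pbkdf2_ctrl_str`, `kdf_pbkdf2_derive`), so rename it to `kdf_pbkdf2_fips_sli_is_approved` here and in the table entry in the second hunk. The `112/8` floor on `impl->pass_len` is the same inline magic as in hkdf.c; routing it through the existing `fips_sli_get_kdf_keylen_status()` (if `pass_len` is in bytes) keeps the policy in one place. One more thing to confirm: the struct keeps its `sli` field ("Service Level Indicator"), which the replaced `fips_sli_is_approved_struct_evp_kdf_impl_st` presumably consulted, whereas the new predicate looks only at the digest and password length, so any non-approved status recorded elsewhere in pbkdf2.c (salt length or iteration count, if they are tracked) would now be ignored by the indicator.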
@@ -207,7 +215,7 @@ const EVP_KDF_METHOD pbkdf2_kdf_meth = {
kdf_pbkdf2_ctrl_str,
NULL,
kdf_pbkdf2_derive,
- fips_sli_is_approved_struct_evp_kdf_impl_st
+ kdf_pbkdf_fips_sli_is_approved
};
/*
diff --git a/include/internal/fips_sli_local.h b/include/internal/fips_sli_local.h
index e444af8..2b8b735 100644
--- a/include/internal/fips_sli_local.h
+++ b/include/internal/fips_sli_local.h
@@ -66,8 +66,10 @@ void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_mac_HMAC_CTX(HMAC_CTX * ctx, const EVP_MD * md);
+void fips_sli_check_hash_pbkdf2_HMAC_CTX(EVP_KDF_CTX * ctx, const EVP_MD * md);
FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md);
+FIPS_STATUS fips_sli_get_hash_status_hkdf(const EVP_MD * md);
FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md);
FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md);
FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes);