From 14e46600c68ece74970462a60ad20703221747a1 Mon Sep 17 00:00:00 2001 From: pohsingwu Date: Wed, 17 Jul 2024 15:19:51 +0800 Subject: [PATCH] Restrict digest in set_ctx_params In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/23889) --- doc/man7/EVP_KDF-SS.pod | 16 -- doc/man7/EVP_KDF-SSHKDF.pod | 2 +- doc/man7/EVP_KDF-TLS13_KDF.pod | 2 +- doc/man7/EVP_KDF-TLS1_PRF.pod | 2 +- doc/man7/EVP_KDF-X963.pod | 2 +- providers/implementations/kdfs/hkdf.c | 146 +++++++------ providers/implementations/kdfs/sshkdf.c | 28 ++- providers/implementations/kdfs/sskdf.c | 202 ++++++++++++------ providers/implementations/kdfs/tls1_prf.c | 39 ++-- test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 13 +- test/recipes/30-test_evp_data/evpkdf_ss.txt | 14 +- test/recipes/30-test_evp_data/evpkdf_ssh.txt | 11 +- .../30-test_evp_data/evpkdf_tls12_prf.txt | 11 +- .../30-test_evp_data/evpkdf_tls13_kdf.txt | 10 +- test/recipes/30-test_evp_data/evpkdf_x963.txt | 9 +- .../30-test_evp_data/evppkey_kdf_hkdf.txt | 13 +- .../30-test_evp_data/evppkey_kdf_tls1_prf.txt | 9 + 17 files changed, 311 insertions(+), 218 deletions(-) diff --git a/doc/man7/EVP_KDF-SS.pod b/doc/man7/EVP_KDF-SS.pod index 6e09f9b8454e0..c8d19691a797b 100644 --- a/doc/man7/EVP_KDF-SS.pod +++ b/doc/man7/EVP_KDF-SS.pod @@ -61,22 +61,6 @@ This parameter set the shared secret that is used for key derivation. This parameter sets an optional value for fixedinfo, also known as otherinfo. -=item "fips-indicator" (B) - -A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if any "***_check" -related parameter is set to 0 and the check fails. -This option is used by the OpenSSL FIPS provider. - -=item "digest-check" (B) - -The default value of 1 causes an error during EVP_KDF_derive() if -used digest is not approved. -Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if -set to 0. - =back =head1 NOTES diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index 396afa2b5dc0b..3b5994e967401 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -83,7 +83,7 @@ A single char of value 70 (ASCII char 'F'). =item "fips-indicator" (B) A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if any "***_check" +This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" related parameter is set to 0 and the check fails. This option is used by the OpenSSL FIPS provider. diff --git a/doc/man7/EVP_KDF-TLS13_KDF.pod b/doc/man7/EVP_KDF-TLS13_KDF.pod index f0d74d6992c2d..2dd32d33d49c9 100644 --- a/doc/man7/EVP_KDF-TLS13_KDF.pod +++ b/doc/man7/EVP_KDF-TLS13_KDF.pod @@ -57,7 +57,7 @@ There are two modes that are currently defined: =item "fips-indicator" (B) A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if any "***_check" +This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" related parameter is set to 0 and the check fails. This option is used by the OpenSSL FIPS provider. diff --git a/doc/man7/EVP_KDF-TLS1_PRF.pod b/doc/man7/EVP_KDF-TLS1_PRF.pod index 708d0ea4c2e4e..224340a624f2d 100644 --- a/doc/man7/EVP_KDF-TLS1_PRF.pod +++ b/doc/man7/EVP_KDF-TLS1_PRF.pod @@ -47,7 +47,7 @@ this should be more than enough for any normal use of the TLS PRF. =item "fips-indicator" (B) A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if any "***_check" +This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" related parameter is set to 0 and the check fails. This option is used by the OpenSSL FIPS provider. diff --git a/doc/man7/EVP_KDF-X963.pod b/doc/man7/EVP_KDF-X963.pod index e275edeaa6f7a..c6d4c66ef3c9e 100644 --- a/doc/man7/EVP_KDF-X963.pod +++ b/doc/man7/EVP_KDF-X963.pod @@ -39,7 +39,7 @@ This parameter specifies an optional value for shared info. =item "fips-indicator" (B) A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if any "***_check" +This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" related parameter is set to 0 and the check fails. This option is used by the OpenSSL FIPS provider. diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 3829ce1ee3966..1efd1102bc172 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -50,6 +50,8 @@ static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_3_gettable_ctx_params; +static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_3_get_ctx_params; static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, const unsigned char *salt, size_t salt_len, @@ -66,13 +68,18 @@ static int HKDF_Expand(const EVP_MD *evp_md, unsigned char *okm, size_t okm_len); /* Settable context parameters that are common across HKDF and the TLS KDF */ -#define HKDF_COMMON_SETTABLES \ - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \ - OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \ - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0) +#define HKDF_COMMON_SETTABLES \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \ + OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0) + +/* Gettable context parameters that are common across HKDF and the TLS KDF */ +#define HKDF_COMMON_GETTABLES \ + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0) typedef struct { void *provctx; @@ -187,33 +194,6 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx) return sz; } -#ifdef FIPS_MODULE -static int fips_hkdf_digest_check_passed(KDF_HKDF *ctx) -{ - OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); - /* - * Perform digest check - * - * HKDF is a TwoStep KDF defined in SP 800-56Cr2. According to section 7, - * the valid hash functions are specified in FIPS 180 and FIPS 202. - * However, it only lists SHA-1, SHA-2 and SHA-3 in the table in section - * 5.2. ACVP also only lists the same set of hash functions. - */ - int digest_unapproved = ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0); - - if (digest_unapproved) { - if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, - libctx, "HKDF", "Digest", - FIPS_hkdf_digest_check)) { - ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); - return 0; - } - } - return 1; -} -#endif - static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { @@ -238,11 +218,6 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } -#ifdef FIPS_MODULE - if (!fips_hkdf_digest_check_passed(ctx)) - return 0; -#endif - switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: default: @@ -268,8 +243,18 @@ static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) if (params == NULL) return 1; - if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) - return 0; + if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { + const EVP_MD *md = NULL; + + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) + return 0; + + md = ossl_prov_digest_md(&ctx->digest); + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); + return 0; + } + } if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { if (p->data_type == OSSL_PARAM_UTF8_STRING) { @@ -325,10 +310,6 @@ static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (params == NULL) return 1; - if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, - OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)) - return 0; - if (!hkdf_common_set_ctx_params(ctx, params)) return 0; @@ -346,17 +327,18 @@ static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM known_settable_ctx_params[] = { HKDF_COMMON_SETTABLES, OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), - OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) OSSL_PARAM_END }; return known_settable_ctx_params; } -static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +static int hkdf_common_get_ctx_params(KDF_HKDF *ctx, OSSL_PARAM params[]) { - KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; + if (params == NULL) + return 1; + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { size_t sz = kdf_hkdf_size(ctx); @@ -365,14 +347,27 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) if (!OSSL_PARAM_set_size_t(p, sz)) return 0; } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { if (ctx->info == NULL || ctx->info_len == 0) p->return_size = 0; else if (!OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len)) return 0; } - if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) + + return 1; +} + +static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + + if (params == NULL) + return 1; + + if (!hkdf_common_get_ctx_params(ctx, params)) return 0; + return 1; } @@ -380,9 +375,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), - OSSL_FIPS_IND_GETTABLE_CTX_PARAM() + HKDF_COMMON_GETTABLES, OSSL_PARAM_END }; return known_gettable_ctx_params; @@ -714,10 +707,9 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, } #ifdef FIPS_MODULE -static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx) +static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx, const EVP_MD *md) { OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); /* * Perform digest check * @@ -755,11 +747,6 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } -#ifdef FIPS_MODULE - if (!fips_tls1_3_digest_check_passed(ctx)) - return 0; -#endif - switch (ctx->mode) { default: return 0; @@ -824,6 +811,16 @@ static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[]) && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0, &ctx->data_len)) return 0; + +#ifdef FIPS_MODULE + if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { + const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + + if (!fips_tls1_3_digest_check_passed(ctx, md)) + return 0; + } +#endif + return 1; } @@ -841,6 +838,33 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, return known_settable_ctx_params; } +static int kdf_tls1_3_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + + if (params == NULL) + return 1; + + if (!hkdf_common_get_ctx_params(ctx, params)) + return 0; + + if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) + return 0; + + return 1; +} + +static const OSSL_PARAM *kdf_tls1_3_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + HKDF_COMMON_GETTABLES, + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, @@ -851,7 +875,7 @@ const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { (void(*)(void))kdf_tls1_3_settable_ctx_params }, { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params }, { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, - (void(*)(void))kdf_hkdf_gettable_ctx_params }, - { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params }, + (void(*)(void))kdf_tls1_3_gettable_ctx_params }, + { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_get_ctx_params }, OSSL_DISPATCH_END }; diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 767066bb2c731..d26047bee8770 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -127,10 +127,9 @@ static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, } #ifdef FIPS_MODULE -static int fips_digest_check_passed(KDF_SSHKDF *ctx) +static int fips_digest_check_passed(KDF_SSHKDF *ctx, const EVP_MD *md) { OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); /* * Perform digest check * @@ -187,11 +186,6 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } -#ifdef FIPS_MODULE - if (!fips_digest_check_passed(ctx)) - return 0; -#endif - return SSHKDF(md, ctx->key, ctx->key_len, ctx->xcghash, ctx->xcghash_len, ctx->session_id, ctx->session_id_len, @@ -211,8 +205,23 @@ static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)) return 0; - if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) - return 0; + if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { + const EVP_MD *md = NULL; + + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) + return 0; + + md = ossl_prov_digest_md(&ctx->digest); + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); + return 0; + } + +#ifdef FIPS_MODULE + if (!fips_digest_check_passed(ctx, md)) + return 0; +#endif + } if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p)) @@ -376,4 +385,3 @@ static int SSHKDF(const EVP_MD *evp_md, OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE); return ret; } - diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index f1edcda7ef686..c603525e3a344 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -82,11 +82,30 @@ static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; static OSSL_FUNC_kdf_derive_fn sskdf_derive; -static OSSL_FUNC_kdf_derive_fn x963kdf_derive; static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params; static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params; static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params; +static OSSL_FUNC_kdf_derive_fn x963kdf_derive; +static OSSL_FUNC_kdf_settable_ctx_params_fn x963kdf_settable_ctx_params; +static OSSL_FUNC_kdf_set_ctx_params_fn x963kdf_set_ctx_params; +static OSSL_FUNC_kdf_gettable_ctx_params_fn x963kdf_gettable_ctx_params; +static OSSL_FUNC_kdf_get_ctx_params_fn x963kdf_get_ctx_params; + +/* Settable context parameters that are common across SSKDF and X963 KDF */ +#define SSKDF_COMMON_SETTABLES \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), \ + OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL) + +/* Gettable context parameters that are common across SSKDF and X963 KDF */ +#define SSKDF_COMMON_GETTABLES \ + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL) /* * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final @@ -375,35 +394,6 @@ static size_t sskdf_size(KDF_SSKDF *ctx) return (len <= 0) ? 0 : (size_t)len; } -#ifdef FIPS_MODULE -static int fips_sskdf_digest_check_passed(KDF_SSKDF *ctx) -{ - OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); - /* - * Perform digest check - * - * SSKDF is a OneStep KDF defined in SP 800-56Cr2. According to section 7, - * the valid hash functions are specified in FIPS 180 and FIPS 202. - * However, it only lists SHA-1, SHA-2 and SHA-3 in the table in section - * 4.2. ACVP also only lists the same set of hash functions. - */ - int digest_unapproved = (ctx->is_kmac != 1) - && (md != NULL) - && ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0); - - if (digest_unapproved) { - if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, - libctx, "SSKDF", "Digest", - FIPS_sskdf_digest_check)) { - ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); - return 0; - } - } - return 1; -} -#endif - static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { @@ -417,11 +407,6 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } -#ifdef FIPS_MODULE - if (!fips_sskdf_digest_check_passed(ctx)) - return 0; -#endif - md = ossl_prov_digest_md(&ctx->digest); if (ctx->macctx != NULL) { @@ -478,10 +463,9 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, } #ifdef FIPS_MODULE -static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx) +static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md) { OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); /* * Perform digest check * @@ -489,9 +473,7 @@ static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx) * section 7.3.1, only SHA-2 and SHA-3 can be regarded as valid hash * functions. */ - int digest_unapproved = (ctx->is_kmac != 1) - && (((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) - || EVP_MD_is_a(md, SN_sha1)); + int digest_unapproved = (ctx->is_kmac != 1) && EVP_MD_is_a(md, SN_sha1); if (digest_unapproved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, @@ -511,7 +493,7 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params)) + if (!ossl_prov_is_running() || !x963kdf_set_ctx_params(ctx, params)) return 0; if (ctx->secret == NULL) { @@ -531,30 +513,21 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } -#ifdef FIPS_MODULE - if (!fips_x963kdf_digest_check_passed(ctx)) - return 0; -#endif - return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, ctx->info, ctx->info_len, 1, key, keylen); } -static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +static int sskdf_common_set_ctx_params(KDF_SSKDF *ctx, const OSSL_PARAM params[]) { const OSSL_PARAM *p; - KDF_SSKDF *ctx = vctx; OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + const EVP_MD *md = NULL; size_t sz; int r; if (params == NULL) return 1; - if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, - OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)) - return 0; - if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params, NULL, NULL, NULL, libctx)) return 0; @@ -567,8 +540,16 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } - if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) - return 0; + if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) + return 0; + + md = ossl_prov_digest_md(&ctx->digest); + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); + return 0; + } + } r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET, &ctx->secret, &ctx->secret_len); @@ -595,35 +576,54 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } +static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + + if (params == NULL) + return 1; + + if (!sskdf_common_set_ctx_params(ctx, params)) + return 0; + + return 1; +} + static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), - OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL), - OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) + SSKDF_COMMON_SETTABLES, OSSL_PARAM_END }; return known_settable_ctx_params; } -static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +static int sskdf_common_get_ctx_params(KDF_SSKDF *ctx, OSSL_PARAM params[]) { - KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; OSSL_PARAM *p; + if (params == NULL) + return 1; + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) return 0; } - if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) + + return 1; +} + +static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + + if (params == NULL) + return 1; + + if (!sskdf_common_get_ctx_params(ctx, params)) return 0; + return 1; } @@ -631,7 +631,67 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + SSKDF_COMMON_GETTABLES, + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + +static int x963kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + + if (params == NULL) + return 1; + + if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, + OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)) + return 0; + + if (!sskdf_common_set_ctx_params(ctx, params)) + return 0; + +#ifdef FIPS_MODULE + if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { + const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + + if (!fips_x963kdf_digest_check_passed(ctx, md)) + return 0; + } +#endif + + return 1; +} + +static const OSSL_PARAM *x963kdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + static const OSSL_PARAM known_settable_ctx_params[] = { + SSKDF_COMMON_SETTABLES, + OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) + OSSL_PARAM_END + }; + return known_settable_ctx_params; +} + +static int x963kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + + if (!sskdf_common_get_ctx_params(ctx, params)) + return 0; + + if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) + return 0; + + return 1; +} + +static const OSSL_PARAM *x963kdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + SSKDF_COMMON_GETTABLES, OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; @@ -660,10 +720,10 @@ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, - (void(*)(void))sskdf_settable_ctx_params }, - { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params }, + (void(*)(void))x963kdf_settable_ctx_params }, + { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))x963kdf_set_ctx_params }, { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, - (void(*)(void))sskdf_gettable_ctx_params }, - { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params }, + (void(*)(void))x963kdf_gettable_ctx_params }, + { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))x963kdf_get_ctx_params }, OSSL_DISPATCH_END }; diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index 72af2e329bdf9..620b0c84c3fa9 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -109,10 +109,6 @@ typedef struct { unsigned char *seed; size_t seedlen; -#ifdef FIPS_MODULE - PROV_DIGEST digest; -#endif - OSSL_FIPS_IND_DECLARE } TLS1_PRF; @@ -145,9 +141,6 @@ static void kdf_tls1_prf_reset(void *vctx) TLS1_PRF *ctx = (TLS1_PRF *)vctx; void *provctx = ctx->provctx; -#ifdef FIPS_MODULE - ossl_prov_digest_reset(&ctx->digest); -#endif EVP_MAC_CTX_free(ctx->P_hash); EVP_MAC_CTX_free(ctx->P_sha1); OPENSSL_clear_free(ctx->sec, ctx->seclen); @@ -174,10 +167,6 @@ static void *kdf_tls1_prf_dup(void *vctx) if (!ossl_prov_memdup(src->seed, src->seedlen, &dest->seed, &dest->seedlen)) goto err; -#ifdef FIPS_MODULE - if (!ossl_prov_digest_copy(&dest->digest, &src->digest)) - goto err; -#endif OSSL_FIPS_IND_COPY(dest, src) } return dest; @@ -215,10 +204,9 @@ static int fips_ems_check_passed(TLS1_PRF *ctx) return 1; } -static int fips_digest_check_passed(TLS1_PRF *ctx) +static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md) { OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); /* * Perform digest check * @@ -226,8 +214,7 @@ static int fips_digest_check_passed(TLS1_PRF *ctx) * specified in FIPS 180-3. ACVP also only lists the same set of hash * functions. */ - int digest_unapproved = (md != NULL) - && !EVP_MD_is_a(md, SN_sha256) + int digest_unapproved = !EVP_MD_is_a(md, SN_sha256) && !EVP_MD_is_a(md, SN_sha384) && !EVP_MD_is_a(md, SN_sha512); @@ -271,8 +258,6 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, #ifdef FIPS_MODULE if (!fips_ems_check_passed(ctx)) return 0; - if (!fips_digest_check_passed(ctx)) - return 0; #endif return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, @@ -298,6 +283,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 0; if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { + PROV_DIGEST digest; + const EVP_MD *md = NULL; + if (OPENSSL_strcasecmp(p->data, SN_md5_sha1) == 0) { if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, OSSL_MAC_NAME_HMAC, @@ -314,10 +302,25 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 0; } + memset(&digest, 0, sizeof(digest)); + if (!ossl_prov_digest_load_from_params(&digest, params, libctx)) + return 0; + + md = ossl_prov_digest_md(&digest); + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); + ossl_prov_digest_reset(&digest); + return 0; + } + #ifdef FIPS_MODULE - if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) + if (!fips_digest_check_passed(ctx, md)) { + ossl_prov_digest_reset(&digest); return 0; + } #endif + + ossl_prov_digest_reset(&digest); } if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt index 5918840ac744b..82f10d803b291 100644 --- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt @@ -222,20 +222,11 @@ Ctrl.salt = hexsalt:000000000000000000000000000000000000000000000000000000000000 Ctrl.info = info: Output = 62f99231760bedd72319cc6cad -Title = FIPS indicator tests - -# Test that the operation with unapproved digest function is rejected -# -# There is no corresponding test for checking `fips-indicator` and derived key -# because that -# * HKDF can be used with SHA-1, SHA-2 and SHA-3 but not with the -# extendable-output functions. -# * HMAC construction is not allowed to be used with the extendable-output -# functions. +# Test that the operation with XOF digest function is rejected FIPSversion = >=3.4.0 KDF = HKDF Ctrl.digest = digest:SHAKE-256 Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Ctrl.salt = hexsalt:000102030405060708090a0b0c Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt index bfa42a296b46a..b206f860863ca 100644 --- a/test/recipes/30-test_evp_data/evpkdf_ss.txt +++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt @@ -1132,20 +1132,10 @@ Ctrl.hexinfo = hexinfo:0553552e5345a22404223020a003020110a10c040aaaaaaaaaaaaaaa Ctrl.hexinfo = hexinfo:aaaaaaa20b0409bbbbbbbbbbbbbbbbbb Output = d3c78b78d75313e9a926f75dfb012363fa17fa01db -Title = FIPS indicator tests - -# Test that the operation with unapproved digest function is rejected -# -# There is no corresponding test for checking `fips-indicator` and derived key -# because that -# * SSKDF can be used with SHA-1, SHA-2 and SHA-3 but not with the -# extendable-output functions. -# * The return value from the `EVP_MD_get_size` function for the -# extendable-output functions always is 0, so the `SSKDF_hash_kdm` function -# will return 0 directly. +# Test that the operation with XOF digest function is rejected FIPSversion = >=3.4.0 KDF = SSKDF Ctrl.digest = digest:SHAKE-256 Ctrl.hexsecret = hexsecret:d09a6b1a472f930db4f5e6b967900744 Ctrl.hexinfo = hexinfo:b117255ab5f1b6b96fc434b0 -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt index 29383a710c6df..fb33733ad10bc 100644 --- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt +++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt @@ -4866,6 +4866,15 @@ Ctrl.type = type:A Output = FF Result = KDF_MISMATCH +# Test that unsupported XOF is rejected +KDF = SSHKDF +Ctrl.digest = digest:SHAKE-256 +Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 +Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 +Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 +Ctrl.type = type:A +Result = KDF_CTRL_ERROR + Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected @@ -4876,7 +4885,7 @@ Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a6869 Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 Ctrl.type = type:A -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR # Test that the operation with unapproved digest function is is reported as # unapproved diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt index e10f24a333251..e43c442e7d397 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt @@ -70,6 +70,15 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf +# Test that unsupported XOF is rejected +KDF = TLS1-PRF +Ctrl.digest = digest:SHAKE-256 +Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc +Ctrl.label = seed:extended master secret +Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c +Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce +Result = KDF_CTRL_ERROR + Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected @@ -80,7 +89,7 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55 Ctrl.label = seed:extended master secret Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR # Test that the operation with unapproved digest function is is reported as # unapproved diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt index 9eb297517669d..453362d614588 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt @@ -4935,6 +4935,14 @@ Ctrl.mode = mode:EXTRACT_AND_EXPAND Ctrl.digest = digest:SHA256 Result = KDF_CTRL_ERROR +Title = TLS13-KDF unsupported XOF test + +KDF = TLS13-KDF +Ctrl.mode = mode:EXTRACT_ONLY +Ctrl.digest = digest:SHAKE-256 +Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 +Result = KDF_CTRL_ERROR + Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected @@ -4943,7 +4951,7 @@ KDF = TLS13-KDF Ctrl.mode = mode:EXTRACT_ONLY Ctrl.digest = digest:SHA512-256 Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR # Test that the operation with unapproved digest function is is reported as # unapproved diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt index a305aa4c024f6..445ea23d4f1b3 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x963.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt @@ -121,6 +121,13 @@ Ctrl.hexinfo = hexinfo:cf3a74ba86 Ctrl.hexinfo = hexinfo:af42f1ae85477ead645583 Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7 +# Test that unsupported XOF is rejected +KDF = X963KDF +Ctrl.digest = digest:SHAKE-256 +Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2 +Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2 +Result = KDF_CTRL_ERROR + Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected @@ -129,7 +136,7 @@ KDF = X963KDF Ctrl.digest = digest:SHA1 Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2 Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2 -Result = KDF_DERIVE_ERROR +Result = KDF_CTRL_ERROR # Test that the operation with unapproved digest function is is reported as # unapproved diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt index ef574128aa56f..805f65abc47a7 100644 --- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt @@ -194,20 +194,11 @@ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c Ctrl.salt = salt: Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -Title = FIPS indicator tests - -# Test that the operation with unapproved digest function is rejected -# -# There is no corresponding test for checking `fips-indicator` and derived key -# because that -# * HKDF can be used with SHA-1, SHA-2 and SHA-3 but not with the -# extendable-output functions. -# * HMAC construction is not allowed to be used with the extendable-output -# functions. +# Test that the operation with XOF digest function is rejected FIPSversion = >=3.4.0 PKEYKDF = HKDF Ctrl.digest = digest:SHAKE-256 Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Ctrl.salt = hexsalt:000102030405060708090a0b0c Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -Result = KDF_DERIVE_ERROR +Result = PKEY_CTRL_ERROR diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt index b5276e664e120..a1510cc036404 100644 --- a/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt +++ b/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt @@ -70,6 +70,15 @@ Ctrl.Seed = hexseed:02 Output = 03 Result = KDF_DERIVE_ERROR +# Test that unsupported XOF is rejected +KDF = TLS1-PRF +Ctrl.digest = digest:SHAKE-256 +Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc +Ctrl.label = seed:extended master secret +Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c +Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce +Result = KDF_CTRL_ERROR + Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected