authorpohsingwu <pohsingwu@synology.com>2024-07-30 11:12:55 +0200
committerslontis <shane.lontis@oracle.com>2024-08-01 08:47:12 +0200
commit81bb88481d972ffe56c2432fdf41d7644e9d7b90 (patch)
tree007784b4fb919fb32b2695026fb8b85847f317c9 /providers/implementations/kdfs
parentAdd FIPS indicator tests for KDFs (diff)
Call key_check_passed in set_ctx_params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23900)
Diffstat (limited to 'providers/implementations/kdfs')
-rw-r--r--providers/implementations/kdfs/hkdf.c20
-rw-r--r--providers/implementations/kdfs/sshkdf.c13
-rw-r--r--providers/implementations/kdfs/sskdf.c22
-rw-r--r--providers/implementations/kdfs/tls1_prf.c7
4 files changed, 34 insertions, 28 deletions
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 35276d8101..64a3e8f05e 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -236,11 +236,6 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
-#ifdef FIPS_MODULE
- if (!fips_hkdf_key_check_passed(ctx))
- return 0;
-#endif
-
switch (ctx->mode) {
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
default:
@@ -345,6 +340,12 @@ static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
HKDF_MAXINFO) == 0)
return 0;
+#ifdef FIPS_MODULE
+ if (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL)
+ if (!fips_hkdf_key_check_passed(ctx))
+ return 0;
+#endif
+
return 1;
}
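Review bot: When the added `fips_hkdf_key_check_passed(ctx)` fails, the key that kdf_hkdf_set_ctx_params stored earlier in the function (outside this hunk) stays in the context, and because the derive-time check was removed from kdf_hkdf_derive a caller that ignores the 0 return from set_ctx_params can still derive with the rejected key. Consider clearing the stored key on that path, e.g. `OPENSSL_clear_free(ctx->key, ctx->key_len); ctx->key = NULL; ctx->key_len = 0; return 0;` (field names as used by this file's context struct — verify), or at minimum add a comment at the check stating that a failed check leaves the key in place and the caller must honour the return value. The same applies to the set_ctx_params hunks in sshkdf.c, sskdf.c (both sskdf_set_ctx_params and x963kdf_set_ctx_params) and tls1_prf.c. The check is now also evaluated at the moment the key parameter arrives; if the FIPS key-check indicator option can be supplied in a later set_ctx_params call, that ordering is presumably not honoured and deserves a comment at the call site.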
@@ -815,11 +816,6 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
-#ifdef FIPS_MODULE
- if (!fips_tls1_3_key_check_passed(ctx))
- return 0;
-#endif
-
switch (ctx->mode) {
default:
return 0;
@@ -895,6 +891,10 @@ static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (!fips_tls1_3_digest_check_passed(ctx, md))
return 0;
}
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
+ if (!fips_tls1_3_key_check_passed(ctx))
+ return 0;
#endif
return 1;
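Review bot: On the added line `if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)` the assignment to `p` is dead — nothing after it in the hunk reads `p` before `return 1;`. The hkdf variant of this change earlier in the file tests the lookup without assigning; for consistency write `if (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL)`. kdf_tls1_3_set_ctx_params starts outside the hunk.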
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index c4e4971992..fd77dabcb7 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -202,11 +202,6 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
-#ifdef FIPS_MODULE
- if (!fips_key_check_passed(ctx))
- return 0;
-#endif
-
return SSHKDF(md, ctx->key, ctx->key_len,
ctx->xcghash, ctx->xcghash_len,
ctx->session_id, ctx->session_id_len,
@@ -247,10 +242,16 @@ static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
#endif
}
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) {
if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p))
return 0;
+#ifdef FIPS_MODULE
+ if (!fips_key_check_passed(ctx))
+ return 0;
+#endif
+ }
+
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_XCGHASH))
!= NULL)
if (!sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p))
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index da72d405f5..4bdb4e039c 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -425,11 +425,6 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
-#ifdef FIPS_MODULE
- if (!fips_sskdf_key_check_passed(ctx))
- return 0;
-#endif
-
md = ossl_prov_digest_md(&ctx->digest);
if (ctx->macctx != NULL) {
@@ -545,11 +540,6 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
-#ifdef FIPS_MODULE
- if (!fips_x963kdf_key_check_passed(ctx))
- return 0;
-#endif
-
/* H(x) = hash */
md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
@@ -634,6 +624,13 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (!sskdf_common_set_ctx_params(ctx, params))
return 0;
+#ifdef FIPS_MODULE
+ if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
+ (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
+ if (!fips_sskdf_key_check_passed(ctx))
+ return 0;
+#endif
+
return 1;
}
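Review bot: The presence test `(OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) || (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL)` added here is duplicated verbatim in the x963kdf_set_ctx_params hunk below; a small file-static helper keeps the two FIPS paths in lock-step if another alias for the secret is ever added, and the double `if` collapses into one condition. sskdf_set_ctx_params starts outside the hunk, so the helper would go above it, next to the other static helpers.
```c
#ifdef FIPS_MODULE
/* The shared secret may arrive under either alias; both must trigger the FIPS key check. */
static int sskdf_key_param_present(const OSSL_PARAM params[])
{
    return OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL
           || OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL;
}
#endif

/* … unchanged: sskdf_set_ctx_params up to and including sskdf_common_set_ctx_params … */
#ifdef FIPS_MODULE
    if (sskdf_key_param_present(params) && !fips_sskdf_key_check_passed(ctx))
        return 0;
#endif
```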
@@ -714,6 +711,11 @@ static int x963kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (!fips_x963kdf_digest_check_passed(ctx, md))
return 0;
}
+
+ if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
+ (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
+ if (!fips_x963kdf_key_check_passed(ctx))
+ return 0;
#endif
return 1;
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 3d40b0b119..a82e4573d4 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -274,8 +274,6 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
#ifdef FIPS_MODULE
if (!fips_ems_check_passed(ctx))
return 0;
- if (!fips_key_check_passed(ctx))
- return 0;
#endif
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
@@ -349,6 +347,11 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ctx->sec = NULL;
if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen))
return 0;
+
+#ifdef FIPS_MODULE
+ if (!fips_key_check_passed(ctx))
+ return 0;
+#endif
}
/* The seed fields concatenate, so process them all */
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) {