diff options
author | Pauli <pauli@openssl.org> | 2023-03-17 12:42:21 +1100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-03-29 09:25:19 +1100 |
commit | 83ccf81b1dd8886d54c570354ef8c532af4c514f (patch) | |
tree | 3f21e412a3c6f76d87bfd67204ed45de8b5e1b7e /include/openssl | |
parent | 3c95ef22df55cb2d9dc64ce1f3be6e5a8ee63206 (diff) | |
download | openssl-new-83ccf81b1dd8886d54c570354ef8c532af4c514f.tar.gz |
fips: rework the option handling code
Add option for restricting digests available to DRBGs.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)
Diffstat (limited to 'include/openssl')
-rw-r--r-- | include/openssl/core_names.h | 1 | ||||
-rw-r--r-- | include/openssl/fips_names.h | 11 |
2 files changed, 11 insertions, 1 deletions
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 0d07efcedc..2fba1e7b72 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -27,6 +27,7 @@ extern "C" { #define OSSL_PROV_PARAM_STATUS "status" /* uint */ #define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ #define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ +#define OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" /* uint */ /* Self test callback parameters */ #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h index 3f29369b3f..67aa1c7e42 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h @@ -49,6 +49,7 @@ extern "C" { /* * A boolean that determines if the runtime FIPS security checks are performed. + * This is enabled by default. * Type: OSSL_PARAM_UTF8_STRING */ # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" @@ -56,11 +57,19 @@ extern "C" { /* * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. * This is disabled by default. - * * Type: OSSL_PARAM_UTF8_STRING */ # define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" +/* + * A boolean that determines if truncated digests can be used with Hash and HMAC + * DRBGs. FIPS 140-3 IG D.R disallows such use for efficiency rather than + * security reasons. + * This is disabled by default. + * Type: OSSL_PARAM_UTF8_STRING + */ +# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" + # ifdef __cplusplus } # endif |