fips: rework the option handling code

Add option for restricting digests available to DRBGs.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

2 files changed, 11 insertions, 1 deletions

diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 0d07efcedc..2fba1e7b72 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -27,6 +27,7 @@ extern "C" {
 #define OSSL_PROV_PARAM_STATUS             "status"              /* uint */
 #define OSSL_PROV_PARAM_SECURITY_CHECKS    "security-checks"     /* uint */
 #define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"  /* uint */
+#define OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"    /* uint */
 
 /* Self test callback parameters */
 #define OSSL_PROV_PARAM_SELF_TEST_PHASE  "st-phase" /* utf8_string */
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 3f29369b3f..67aa1c7e42 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -49,6 +49,7 @@ extern "C" {
 
 /*
  * A boolean that determines if the runtime FIPS security checks are performed.
+ * This is enabled by default.
  * Type: OSSL_PARAM_UTF8_STRING
  */
 # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks"
@@ -56,11 +57,19 @@ extern "C" {
 /*
  * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
  * This is disabled by default.
- *
  * Type: OSSL_PARAM_UTF8_STRING
  */
 # define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
 
+/*
+ * A boolean that determines if truncated digests can be used with Hash and HMAC
+ * DRBGs.  FIPS 140-3 IG D.R disallows such use for efficiency rather than
+ * security reasons.
+ * This is disabled by default.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"
+
 # ifdef __cplusplus
 }
 # endif