summaryrefslogtreecommitdiffstats
path: root/Configurations
diff options
context:
space:
mode:
authorslontis <shane.lontis@oracle.com>2024-07-29 09:47:46 +0200
committerPauli <ppzgs1@gmail.com>2024-07-31 01:04:17 +0200
commit4f5febe2c684a803553171940634c1b6f4b7ba40 (patch)
treefba01b55d454194e10c52e1e1d358dfc4f69a9e4 /Configurations
parentAdd negative tests for SHAKE with PBKDF2 and X9.42 KDF (diff)
downloadopenssl-4f5febe2c684a803553171940634c1b6f4b7ba40.tar.xz
openssl-4f5febe2c684a803553171940634c1b6f4b7ba40.zip
Add FIPS indicator to CMAC.
There is a issue currently related to CMAC TDES, when the new provider is tested against older branches. The new strict check caused backwards compatibility issues when using old branch with the new FIPS provider. To get around this CMAC now allows TDES by default, but it can be either enabled via config or a settable. (i.e it uses an indicator) Where the TDES cipher check can be done turned out to be problematic. Shifting the check in the TDES cipherout of the init doesnt work because ciphers can run thru either final or cipher (and checking on every cipher call seemed bad). This means it needs to stay in the cipher init. So the check needs to be done in CMAC BEFORE the underlying TDES cipher does it check. When using an indicator the TDES cipher needs its "encrypt-check" set so that needs to be propagated from the CMAC object. This requires the ability to set the param at the time the cipher ctx is inited. An internal function was required in order to pass params to CMAC_Init. Note also that the check was done where it is, because EVP_Q_mac() calls EVP_MAC_CTX_set_params(ctx, cipher_param) EVP_MAC_CTX_set_params(ctx, params) EVP_MAC_init(ctx, key, keylen, params) Where the second call to set_params would set up "encrypt-check" after "cipher". Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25022)
Diffstat (limited to 'Configurations')
0 files changed, 0 insertions, 0 deletions