Perform key size check for HMAC, HKDF, SSHKDF and TLS KDF

[0140454]

According to SP 800-131Ar2, the length of the key-derivation key shall be at least 112 bits.

This PR introduces key size checks in HMAC, HKDF, SSHKDF and TLS KDF.

Since the key shorter than 112 bits can be used for legacy use in HMAC generation, a pedantic flag is introduced to control whether to perform the check in HMAC.

Similarly, a pedantic flag is also introduced in KDFs to turn off the check for some scenario, such as ignoring salt length check.

With this changes, we can use API return value to indicate whether the operation is approved.

This PR depends on #23833.

Checklist

• documentation is added or updated
• tests are added or updated

[paulidale]

Good effort.

I'm not convinced that pedantic should be exposed outside the FIPS provider. It's not used by the default provider at all and thus would be better omitted.

Test failures seem relevant.

[paulidale]

Unfortunately, this won't build for some platforms which consider &pedantic to not be constant.

Does this impact FIPS compliance?

[0140454]

Fixed.

Our lab think it only need to ensure that HMAC function and key are strong enough. Therefore, I think the length of salt should not impact the compliance.

[paulidale]

You misunderstood. Taking the address of pedantic is not considered a constant initialiser on some platforms. I.e. this code will not compile.

This is why we use other methods to construct OSSL_PARAM arrays at runtime.

[0140454]

The method to construct OSSL_PARAM arrays changed.

[slontis]

I would suggest that this PR is somewhat dependent on fips indicators being resolved. See #23609. We definitely want a consistent way of addressing all of the issues (not just the keysize checks).

[slontis]

For the MAC, I think there are multiple things to consider

1. There is currently no way to distinguish the difference between a MAC generate and a MAC verify operation... I would consider the MAC verify to be the 'legacy' operation that may allow a smaller key size.
2. This depends on what we decide to do with fips indicators - but if we use the a 'strict' mode- inside the FIPS provider it could have the pedantic flag on by default - at least for HMAC generation.

[paulidale]

Does this mandate changes to the build.cfg files?

[paulidale]

You misunderstood. Taking the address of pedantic is not considered a constant initialiser on some platforms. I.e. this code will not compile.

This is why we use other methods to construct OSSL_PARAM arrays at runtime.

[0140454]

Does this mandate changes to the build.cfg files?

@paulidale Sorry that I don't understand your meaning. Do you want to known whether this changes also need to modify build.info files?

[slontis]

These are going to need a line specifying which provider version this test is supported by....
(Because we test against old providers with the current source).

i.e. (Assuming OpenSSL 3.3 has been released)..
FIPSVersion = >=3.4.0

[slontis]

Until 3.3 is release you will have to use >= 3.3.0, and then change it later

[0140454]

Changed to FIPSversion = >=3.3.0 because v3.3.0 is still in alpha stage.

[slontis]

Not sure this should be done here.. It should probably break in FIPS mode.

[0140454]

The operation may fail if FIPS provider is used with old libssl.so.

I think it cannot be avoided unless

• move the ossl_quic_hkdf_extract function into FIPS provider
• or has a global pedantic flag, which is turned off in default for back-compatibility, in fipsmodule.cnf

If I am wrong, please correct me. Thank you.

[slontis]

@t8m or @paulidale Do you have an opinion on this, technically it should fall over here..

[t8m]

Yeah #$%@! FIPS rules bite again. The initial secret where this is used is not really security relevant so IMO OK to set pedantic to 0.

[slontis]

Is this needed here and in other places? It is FIPS specific..

[0140454]

Current implementation performs key size check in set_ctx_params function.

The secret to set in this test case is only 8 bits.
Therefore, it is needed to set pedantic flag to zero to make it pass through the logic for checking digest.

Update:

I will make this test case only available in default provider and remove Ctrl.Pedantic in next commit.

[0140454]

Make this test case only available in default provider.

[slontis]

Pauli is asking whether you checked the build.info files for any files that you have added #ifdef FIPS_MODULE to...

The related .o file needs to go into both libdefault and libfips.

[slontis]

For fips indicator purposes there should also be a getter

[0140454]

Pauli is asking whether you checked the build.info files for any files that you have added #ifdef FIPS_MODULE to...

The related .o file needs to go into both libdefault and libfips.

@paulidale All files that I have added #ifdef FIPS_MODULE have been included in libdefault.a and libfips.a before this PR.

For fips indicator purposes there should also be a getter

@slontis A getter has been added.

[slontis]

test failures are relevant.
Hopefully soon OTC will agree on the way forward with fips indicators. I would prefer to wait till that point before approving.

[0140454]

Rebased dev branch onto current master branch.

To make test pass, the commit from #23833 picked and it will be removed in the future.

[0140454]

Rebase dev branch onto current master branch, and change FIPSversion = >=3.3.0 to FIPSversion = >=3.4.0 because v3.3.0 released.

[openssl-machine]

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago