Address feedback

aws · Aug 30, 2024 · 6cc65d8 · 6cc65d8
1 parent f21fe64
commit 6cc65d8
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/crypto/fipsmodule/service_indicator/service_indicator.c b/crypto/fipsmodule/service_indicator/service_indicator.c
@@ -485,6 +485,16 @@ void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label,
   }
 }
 
+// "Whenever a hash function is employed (including as the primitive used by HMAC), an
+// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
+// functions"
+//
+// * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
+// * FIPS 202 covers the SHA3-* family of algorithms
+//
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
+
 void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
   switch (dgst->type) {
     case NID_sha1:
@@ -505,6 +515,15 @@ void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
   }
 }
 
+// "Whenever a hash function is employed (including as the primitive used by HMAC), an
+// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
+// functions"
+//
+// * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
+// * FIPS 202 covers the SHA3-* family of algorithms (Note: AWS-LC does not currently support SHA-3 with HMAC)
+//
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
 void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst) {
   switch (dgst->type) {
     case NID_sha1: