From 6cc65d80787fedb20e1133f132a1ff0e717154c7 Mon Sep 17 00:00:00 2001
From: Sean McGrail
Date: Tue, 27 Aug 2024 18:43:06 +0000
Subject: [PATCH] Address feedback
---
 .../service_indicator/service_indicator.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/crypto/fipsmodule/service_indicator/service_indicator.c b/crypto/fipsmodule/service_indicator/service_indicator.c
index 05be833453..7e1ff73831 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator.c
+++ b/crypto/fipsmodule/service_indicator/service_indicator.c
@@ -485,6 +485,16 @@ void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label,
 }
 }
 
+// "Whenever a hash function is employed (including as the primitive used by HMAC), an
+// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
+// functions"
+//
+// * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
+// * FIPS 202 covers the SHA3-* family of algorithms
+//
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
+
 void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
 switch (dgst->type) {
 case NID_sha1:
@@ -505,6 +515,15 @@ void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
 }
 }
 
+// "Whenever a hash function is employed (including as the primitive used by HMAC), an
+// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
+// functions"
+//
+// * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
+// * FIPS 202 covers the SHA3-* family of algorithms (Note: AWS-LC does not currently support SHA-3 with HMAC)
+//
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
 void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst) {
 switch (dgst->type) {
 case NID_sha1:
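Review bot: In the first hunk the added block ends with an empty `+` line, so the comment is separated from `SSKDF_digest_verify_service_indicator` by a blank line, while the same block in the second hunk sits directly on `SSKDF_hmac_verify_service_indicator`; drop the blank line so both read as function header comments. The quoted SP 800-56Cr2 text states the requirement but not how the function applies it. Consider closing the block with something like `// Only the digest NIDs listed in the switch below are reported as approved.`, once that is confirmed against the full switch, which continues past the end of the hunk.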
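Review bot: The parenthetical on the FIPS 202 bullet in the second hunk, `(Note: AWS-LC does not currently support SHA-3 with HMAC)`, is a point-in-time statement that will go stale and does not tell a maintainer what to change when it does. If the SHA3 NIDs are absent from this switch for that reason (the switch body runs past the hunk, so this is inferred), say so directly, e.g. `// SHA3-* is not listed below because AWS-LC does not support HMAC with SHA-3; revisit this switch if that changes.` Putting it on its own line also keeps the bullet within the wrap width used by the rest of the block.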