[release/9.0] Use OpenSSL 3's KBKDF for SP800-108 if it is available #106893
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #106779 to release/9.0
/cc @bartonjs @jeffhandley
Customer Impact
This changes the
SP800108HmacCounterKdf
to use OpenSSL's KBKDF functionality instead of a managed implementation. If the OpenSSL version on the system does not support KBKDF, the implementation continues to fall back to the managed implementation.This is a reaction to NIST having a CAVP on SP800-108. This change helps customers meet compliance needs by using a FIPS component from OpenSSL if it is available. The managed implementation that was used on Linux previously is not FIPS validated.
Regression
Testing
Extensive unit tests existed for this functionality and were used to validate the OpenSSL implementation is compatible with the managed implementation.
Risk
Low. Tests ensure the new OpenSSL functionality works as expected.