This is related to #223 but unlike KMAC, NIST is permitting legacy use with shorter keys/IV for verification only. We don't distinguish the two cases generally.

Refer to SP 800-131Ar2 section 10 which states:

Keys less than 112 bits in length are disallowed for HMAC generation.
The use of key lengths ≥ 112 bits is acceptable for HMAC generation.
HMAC Verification:
The use of key lengths < 112 bits for HMAC verification is allowed for legacy use.
The use of key lengths ≥ 112 bits for HMAC verification is acceptable.
CMAC Generation:
Effective as of the final publication of this revision of SP 800-131A, the use of three-key TDEA for CMAC generation is deprecated through December 31, 2023. Three-key TDEA may be used for CMAC generation in existing applications but shall not be used in new applications.
After December 31, 2023, three-key TDEA is disallowed for CMAC generation unless specifically allowed by other NIST guidance.
The use of AES-128, AES-192 and AES-256 for CMAC generation is acceptable.
CMAC Verification:
The use of two-key TDEA and three-key TDEA for CMAC verification is allowed for legacy use.
The use of AES for CMAC verification is acceptable.
GMAC Generation and Verification:
The use of GMAC for MAC generation and verification is acceptable when using AES-128, AES-192 or AES-256.
KMAC Generation and Verification:
Keys less than 112 bits in length are disallowed for KMAC generation.
The use of key lengths ≥ 112 bits is acceptable for KMAC generation.

Notes
CMAC shouldn't be a concern because we're not including TDES as an approved algorithm. This will likely require an indicator however.
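An added example (not code from this issue or from the project) that encodes the status rules quoted from SP 800-131Ar2 section 10 as a C function, keeping generation and verification as separate cases. All names are hypothetical, the date is passed as a YYYYMMDD integer, and combinations the quoted text does not address return `ST_NOT_COVERED`.

```c
#include <stddef.h>
#include <stdio.h>

/* All names here are hypothetical; none of this is a real library API. */
enum mac_alg { MAC_HMAC, MAC_KMAC, MAC_CMAC_AES, MAC_CMAC_TDEA2,
               MAC_CMAC_TDEA3, MAC_GMAC_AES };
enum mac_op { MAC_GENERATE, MAC_VERIFY };
enum mac_status { ST_ACCEPTABLE, ST_LEGACY_USE, ST_DEPRECATED,
                  ST_DISALLOWED, ST_NOT_COVERED };

/* Status of a MAC operation per the quoted SP 800-131Ar2 section 10 text.
 * today is YYYYMMDD, assumed to be on or after that revision's publication. */
enum mac_status mac_status_800_131a(enum mac_alg alg, enum mac_op op,
                                    size_t key_bytes, int today)
{
    size_t key_bits = key_bytes * 8;
    switch (alg) {
    case MAC_HMAC:   /* short keys: legacy use on verify, never on generate */
        if (key_bits >= 112)
            return ST_ACCEPTABLE;
        return op == MAC_VERIFY ? ST_LEGACY_USE : ST_DISALLOWED;
    case MAC_KMAC:   /* the quoted text only gives rules for generation */
        if (op != MAC_GENERATE)
            return ST_NOT_COVERED;
        return key_bits >= 112 ? ST_ACCEPTABLE : ST_DISALLOWED;
    case MAC_CMAC_AES:
    case MAC_GMAC_AES:   /* AES-128, AES-192 or AES-256, both directions */
        return (key_bytes == 16 || key_bytes == 24 || key_bytes == 32)
                   ? ST_ACCEPTABLE : ST_NOT_COVERED;
    case MAC_CMAC_TDEA3:
        if (op == MAC_VERIFY)
            return ST_LEGACY_USE;
        /* generation: deprecated through 2023-12-31, disallowed afterwards */
        return today <= 20231231 ? ST_DEPRECATED : ST_DISALLOWED;
    case MAC_CMAC_TDEA2: /* generation is not addressed in the quoted text */
        return op == MAC_VERIFY ? ST_LEGACY_USE : ST_NOT_COVERED;
    }
    return ST_NOT_COVERED;
}

int main(void)
{
    /* Constructed case: a 13-byte (104-bit) HMAC key in both directions. */
    printf("generate=%d verify=%d\n", mac_status_800_131a(MAC_HMAC, MAC_GENERATE, 13, 20240101),
           mac_status_800_131a(MAC_HMAC, MAC_VERIFY, 13, 20240101));
    return 0;
}
```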