forked from rpms/openssl
Fix X942KDF indicator for short output key lengths
In testing, we noticed that using output keys shorter than 14 bytes with the X9.42 KDF does not set the explicit FIPS indicator to unapproved as it should. The relevant check was implemented, but the state in the implementation's context was not exposed. Resolves: rhbz#2175864 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang
parent
e5f783d552
commit
21d2b9fb47
@ -1,4 +1,4 @@
|
||||
From 2f89e15407b7f3947768f93d11adeafd73c0b6d6 Mon Sep 17 00:00:00 2001
|
||||
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
||||
Subject: KDF: Add FIPS indicators
|
||||
@ -49,8 +49,8 @@ Related: rhbz#2114772 rhbz#2141695
|
||||
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||
providers/implementations/kdfs/x942kdf.c | 57 +++++++++++-
|
||||
9 files changed, 478 insertions(+), 22 deletions(-)
|
||||
providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++-
|
||||
9 files changed, 488 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index e70d8e9e84..76fb990de4 100644
|
||||
@ -791,7 +791,7 @@ index a4d64b9352..f6782a6ca2 100644
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
||||
index b1bc6f7e1b..f4ac8ca3f5 100644
|
||||
index b1bc6f7e1b..8173fc2cc7 100644
|
||||
--- a/providers/implementations/kdfs/x942kdf.c
|
||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||
@@ -13,10 +13,13 @@
|
||||
@ -829,7 +829,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
|
||||
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||
der, der_len, ctr, key, keylen);
|
||||
OPENSSL_free(der);
|
||||
@@ -563,10 +573,48 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
@ -860,6 +860,16 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." */
|
||||
@ -881,7 +891,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -574,6 +622,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
@ -892,5 +902,5 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
--
|
||||
2.39.1
|
||||
2.39.2
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.7
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu Mar 16 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-9
|
||||
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
|
||||
Resolves: rhbz#2175864
|
||||
|
||||
* Thu Mar 16 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-8
|
||||
- Fix Wpointer-sign compiler warning
|
||||
Resolves: rhbz#2178034
|
||||
|
||||
Loading…
Reference in New Issue
Block a user