Fix X942KDF indicator for short output key lengths

In testing, we noticed that using output keys shorter than 14 bytes with
the X9.42 KDF does not set the explicit FIPS indicator to unapproved as
it should. The relevant check was implemented, but the state in the
implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-03-16 16:39:03 +01:00
parent e5f783d552
commit 21d2b9fb47
2 changed files with 22 additions and 8 deletions

View File

@ -1,4 +1,4 @@
From 2f89e15407b7f3947768f93d11adeafd73c0b6d6 Mon Sep 17 00:00:00 2001 From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com> From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 Aug 2022 09:27:12 +0200 Date: Thu, 11 Aug 2022 09:27:12 +0200
Subject: KDF: Add FIPS indicators Subject: KDF: Add FIPS indicators
@ -49,8 +49,8 @@ Related: rhbz#2114772 rhbz#2141695
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
providers/implementations/kdfs/x942kdf.c | 57 +++++++++++- providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++-
9 files changed, 478 insertions(+), 22 deletions(-) 9 files changed, 488 insertions(+), 22 deletions(-)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e70d8e9e84..76fb990de4 100644 index e70d8e9e84..76fb990de4 100644
@ -791,7 +791,7 @@ index a4d64b9352..f6782a6ca2 100644
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index b1bc6f7e1b..f4ac8ca3f5 100644 index b1bc6f7e1b..8173fc2cc7 100644
--- a/providers/implementations/kdfs/x942kdf.c --- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c
@@ -13,10 +13,13 @@ @@ -13,10 +13,13 @@
@ -829,7 +829,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
der, der_len, ctr, key, keylen); der, der_len, ctr, key, keylen);
OPENSSL_free(der); OPENSSL_free(der);
@@ -563,10 +573,48 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) @@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
KDF_X942 *ctx = (KDF_X942 *)vctx; KDF_X942 *ctx = (KDF_X942 *)vctx;
OSSL_PARAM *p; OSSL_PARAM *p;
@ -860,6 +860,16 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ +
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 + * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone + * extendable-output functions may only be used as the standalone
+ * algorithms." */ + * algorithms." */
@ -881,7 +891,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
} }
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -574,6 +622,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, @@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
{ {
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -892,5 +902,5 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
-- --
2.39.1 2.39.2

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 8%{?dist} Release: 9%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Thu Mar 16 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-9
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
Resolves: rhbz#2175864
* Thu Mar 16 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-8 * Thu Mar 16 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-8
- Fix Wpointer-sign compiler warning - Fix Wpointer-sign compiler warning
Resolves: rhbz#2178034 Resolves: rhbz#2178034