From 50cb33e688ab6bef3f73d35e3360421578db8a46 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Feb 2023 18:39:37 +0100
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen

Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."

Resolves: rhbz#2175868
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
 ...t-explicit-FIPS-indicator-for-IV-gen.patch | 101 ++++++++++++++++++
 openssl.spec                                  |   4 +
 2 files changed, 105 insertions(+)
 create mode 100644 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch

diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
new file mode 100644
index 0000000..5cb8ce4
--- /dev/null
+++ b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
@@ -0,0 +1,101 @@
+From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 17 Feb 2023 15:31:08 +0100
+Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
+
+Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+Verification Program, Section C.H requires guarantees about the
+uniqueness of key/iv pairs, and proposes a few approaches to ensure
+this. Provide an indicator for option 2 "The IV may be generated
+internally at its entirety randomly."
+
+Resolves: rhbz#2168289
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/ciphers/ciphercommon.c    |  4 +++
+ .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
+ 4 files changed, 34 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 680bfbc7cc..832502a034 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -97,6 +97,7 @@ extern "C" {
+ #define OSSL_CIPHER_PARAM_CTS_MODE             "cts_mode"     /* utf8_string */
+ /* For passing the AlgorithmIdentifier parameter in DER form */
+ #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS  "alg_id_param" /* octet_string */
++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT                    \
+     "tls1multi_maxsndfrag" /* uint */
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 49e8e1df78..ec2ba46fbd 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+ 
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                            const unsigned char *key, const unsigned char *iv);
+ /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
+index fa383165d8..716add7339 100644
+--- a/providers/implementations/ciphers/ciphercommon.c
++++ b/providers/implementations/ciphers/ciphercommon.c
+@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
++    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
++     * not work in ciphercommon.c because it is compiled only once into
++     * libcommon.a */
++    OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+     OSSL_PARAM_END
+ };
+ const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
+diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
+index ed95c97ff4..db7910eb0e 100644
+--- a/providers/implementations/ciphers/ciphercommon_gcm.c
++++ b/providers/implementations/ciphers/ciphercommon_gcm.c
+@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             || !getivgen(ctx, p->data, p->data_size))
+             return 0;
+     }
++
++    /* We would usually hide this under #ifdef FIPS_MODULE, but
++     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
++     * not work here. */
++    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section C.H requires guarantees about the
++         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
++         * this. This provides an indicator for option 2 "The IV may be
++         * generated internally at its entirety randomly." Note that one of the
++         * conditions of this option is that "The IV length shall be at least
++         * 96 bits (per SP 800-38D)." We do not specically check for this
++         * condition here, because gcm_iv_generate will fail in this case. */
++        if (ctx->enc && !ctx->iv_gen_rand)
++            fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
++            return 0;
++        }
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.39.1
+
diff --git a/openssl.spec b/openssl.spec
index 4b75c23..47f6c92 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -168,6 +168,8 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=2169314
 Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -503,6 +505,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2175860 rhbz#2175864
 - Zeroize FIPS module integrity check MAC after check
   Resolves: rhbz#2175873
+- Add explicit FIPS indicator for IV generation in AES-GCM
+  Resolves: rhbz#2175868
 
 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode