Disallow SHAKE in OAEP decryption in FIPS mode

This was already blocked for encryption and for both signature creation
and verification in RSASSA-PSS, but RSA-OAEP decryption was missing.

Resolves: rhbz#2142121
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-01-11 14:10:26 +01:00
parent b19d91aec3
commit 770dcce08b
2 changed files with 70 additions and 12 deletions

View File

@ -1,7 +1,32 @@
diff -up openssl-3.0.1/crypto/rsa/rsa_oaep.c.oaep openssl-3.0.1/crypto/rsa/rsa_oaep.c From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
--- openssl-3.0.1/crypto/rsa/rsa_oaep.c.oaep 2022-11-14 13:45:05.970402064 +0100 From: Clemens Lang <cllang@redhat.com>
+++ openssl-3.0.1/crypto/rsa/rsa_oaep.c 2022-11-14 13:51:20.725741198 +0100 Date: Wed, 11 Jan 2023 12:52:59 +0100
@@ -78,8 +78,22 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1 Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
RSASSA-PSS):
"To be used in an approved mode of operation, the SHA-3 hash functions
may be implemented either as part of an approved higher-level algorithm,
for example, a digital signature algorithm, or as the standalone
functions. The SHAKE128 and SHAKE256 extendable-output functions may
only be used as the standalone algorithms."
Add a check to prevent their use as message digest in PSS signatures and
as MGF1 hash function in both OAEP and PSS.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d9be1a4f98..dfe9c9f0e8 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
return 0; return 0;
#endif #endif
} }
@ -14,20 +39,46 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_oaep.c.oaep openssl-3.0.1/crypto/rsa/rsa_o
+#endif +#endif
if (mgf1md == NULL) if (mgf1md == NULL)
mgf1md = md; mgf1md = md;
+
+#ifdef FIPS_MODULE +#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { + if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return 0; + return 0;
+ } + }
+#endif +#endif
+
mdlen = EVP_MD_get_size(md); mdlen = EVP_MD_get_size(md);
if (mdlen <= 0) { if (mdlen <= 0) {
diff -up openssl-3.0.1/crypto/rsa/rsa_pss.c.oaep openssl-3.0.1/crypto/rsa/rsa_pss.c ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
--- openssl-3.0.1/crypto/rsa/rsa_pss.c.oaep 2022-11-15 14:53:11.103467808 +0100 @@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+++ openssl-3.0.1/crypto/rsa/rsa_pss.c 2022-11-15 15:00:07.233966865 +0100 #endif
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, }
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
if (mgf1md == NULL)
mgf1md = md;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
mdlen = EVP_MD_get_size(md);
if (tlen <= 0 || flen <= 0)
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 33874bfef8..e8681b0351 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
if (mgf1Hash == NULL) if (mgf1Hash == NULL)
mgf1Hash = Hash; mgf1Hash = Hash;
@ -42,7 +93,7 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_pss.c.oaep openssl-3.0.1/crypto/rsa/rsa_ps
hLen = EVP_MD_get_size(Hash); hLen = EVP_MD_get_size(Hash);
if (hLen < 0) if (hLen < 0)
goto err; goto err;
@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA * @@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
if (mgf1Hash == NULL) if (mgf1Hash == NULL)
mgf1Hash = Hash; mgf1Hash = Hash;
@ -57,3 +108,6 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_pss.c.oaep openssl-3.0.1/crypto/rsa/rsa_ps
hLen = EVP_MD_get_size(Hash); hLen = EVP_MD_get_size(Hash);
if (hLen < 0) if (hLen < 0)
goto err; goto err;
--
2.39.0

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -484,6 +484,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
Resolves: rhbz#2142121
* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3 * Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3
- Refactor OpenSSL fips module MAC verification - Refactor OpenSSL fips module MAC verification
Resolves: rhbz#2157965 Resolves: rhbz#2157965