FIPS: Expose explicit indicator from fips.so

FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.

Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.

EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.

As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.

To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.

Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2087147
This commit is contained in:
Clemens Lang 2022-06-08 14:05:50 +02:00
parent e859029ea0
commit 8b08b372c8
3 changed files with 473 additions and 452 deletions

View File

@ -1,449 +0,0 @@
From 6f7111801d960952b15cda98d9a95f79f6f0bf7e Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 23 May 2022 13:09:08 +0200
Subject: [PATCH] Disable EVP_PKEY_{sign,verify} in FIPS provider
The APIs to compute both digest and signature in one step,
EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be
used instead. This ensures that the digest is computed inside of the
FIPS module, and that only approved digests are used.
Update documentation for EVP_PKEY_{sign,verify} to reflect this.
Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to
set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex
and EVP_PKEY_verify_init_ex where these parameters can be passed on
creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is
set and evaluates as true.
Move tests that use the EVP_PKEY API to only run in the default
provider, since they would fail in the FIPS provider. This also affects
a number of CMS tests where error handling is insufficient and failure
to sign would only show up when verifying the CMS structure due to
a parse error.
Resolves: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
doc/man3/EVP_PKEY_sign.pod | 5 ++++
doc/man3/EVP_PKEY_verify.pod | 5 ++++
providers/fips/self_test_kats.c | 19 ++++++-------
.../implementations/signature/ecdsa_sig.c | 28 +++++++++++++++++++
providers/implementations/signature/rsa_sig.c | 28 +++++++++++++++++++
.../30-test_evp_data/evppkey_ecdsa.txt | 9 +-----
.../30-test_evp_data/evppkey_rsa_common.txt | 14 ++++++++++
test/recipes/80-test_cms.t | 22 +++++++--------
8 files changed, 101 insertions(+), 29 deletions(-)
diff --git a/doc/man3/EVP_PKEY_sign.pod b/doc/man3/EVP_PKEY_sign.pod
index 6752432bd5..f9d2b4f5d1 100644
--- a/doc/man3/EVP_PKEY_sign.pod
+++ b/doc/man3/EVP_PKEY_sign.pod
@@ -41,6 +41,11 @@ normally used to sign digests. For signing arbitrary messages, see the
L<EVP_DigestSignInit(3)> and
L<EVP_SignInit(3)> signing interfaces instead.
+B<WARNING>: Because FIPS 140-3 requires that a signed digest is computed in the
+same module as the signature, this API is disabled on CentOS 9 Stream and Red
+Hat Enterprise Linux in FIPS mode. Use L<EVP_DigestSignInit(3)> and
+L<EVP_SignInit(3)> instead.
+
After the call to EVP_PKEY_sign_init() algorithm specific control
operations can be performed to set any appropriate parameters for the
operation (see L<EVP_PKEY_CTX_ctrl(3)>).
diff --git a/doc/man3/EVP_PKEY_verify.pod b/doc/man3/EVP_PKEY_verify.pod
index 77023cab87..344c39fe07 100644
--- a/doc/man3/EVP_PKEY_verify.pod
+++ b/doc/man3/EVP_PKEY_verify.pod
@@ -33,6 +33,11 @@ signed) is specified using the I<tbs> and I<tbslen> parameters.
=head1 NOTES
+B<WARNING>: Because FIPS 140-3 requires that a signed digest is computed in the
+same module as the signature, this API is disabled on CentOS 9 Stream and Red
+Hat Enterprise Linux in FIPS mode. Use L<EVP_DigestVerifyInit(3)> and
+L<EVP_VerifyInit(3)> instead.
+
After the call to EVP_PKEY_verify_init() algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 064794d9bf..a60cb99983 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -488,24 +488,23 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto err;
- /* Create a EVP_PKEY_CTX to use for the signing operation */
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
- if (sctx == NULL
- || EVP_PKEY_sign_init(sctx) <= 0)
- goto err;
-
- /* set signature parameters */
+ /* prepare signature parameters */
if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
t->mdalgorithm,
strlen(t->mdalgorithm) + 1))
goto err;
+ if (!OSSL_PARAM_BLD_push_int(bld, OSSL_SIGNATURE_PARAM_KAT, 1))
+ goto err;
params_sig = OSSL_PARAM_BLD_to_param(bld);
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+
+ /* Create a EVP_PKEY_CTX to use for the signing operation */
+ sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+ if (sctx == NULL
+ || EVP_PKEY_sign_init_ex(sctx, params_sig) <= 0)
goto err;
if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
- || EVP_PKEY_verify_init(sctx) <= 0
- || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+ || EVP_PKEY_verify_init_ex(sctx, params_sig) <= 0)
goto err;
/*
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 44a22832ec..8f10208b59 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -73,6 +73,9 @@ typedef struct {
* by their Final function.
*/
unsigned int flag_allow_md : 1;
+ /* Flag indicating that this context is used in a combined digest/sign or
+ * digest/verify operation. */
+ unsigned int flag_is_digest_sigver : 1;
/* The Algorithm Identifier of the combined signature algorithm */
unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
@@ -134,6 +137,26 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
|| ctx == NULL)
return 0;
+#ifdef FIPS_MODULE
+ {
+ const OSSL_PARAM *katparam = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
+ if (katparam != NULL) {
+ int kattests = 0;
+ if (OSSL_PARAM_get_int(katparam, &kattests) && kattests) {
+ ctx->flag_is_digest_sigver = 1;
+ }
+ }
+ }
+
+ if (!ctx->flag_is_digest_sigver) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
+ "ECDSA signatures are not supported using the "
+ "EVP_PKEY_sign/EVP_PKEY_verify API in FIPS mode, use "
+ "EVP_DigestSign and EVP_DigestVerify.");
+ return 0;
+ }
+#endif
+
if (ec == NULL && ctx->ec == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
return 0;
@@ -287,6 +310,11 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
+ if (ctx == NULL)
+ return 0;
+
+ ctx->flag_is_digest_sigver = 1;
+
if (!ecdsa_signverify_init(vctx, ec, params, operation)
|| !ecdsa_setup_md(ctx, mdname, NULL))
return 0;
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 9a25b6a3de..a0d7b4707d 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -88,6 +88,9 @@ typedef struct {
*/
unsigned int flag_allow_md : 1;
unsigned int mgf1_md_set : 1;
+ /* Flag indicating that this context is used in a combined digest/sign or
+ * digest/verify operation. */
+ unsigned int flag_is_digest_sigver : 1;
/* main digest */
EVP_MD *md;
@@ -394,6 +397,26 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
+#ifdef FIPS_MODULE
+ {
+ const OSSL_PARAM *katparam = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
+ if (katparam != NULL) {
+ int kattests = 0;
+ if (OSSL_PARAM_get_int(katparam, &kattests) && kattests) {
+ prsactx->flag_is_digest_sigver = 1;
+ }
+ }
+ }
+
+ if (!prsactx->flag_is_digest_sigver) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
+ "RSA signatures are not supported using the "
+ "EVP_PKEY_sign/EVP_PKEY_verify API in FIPS mode, use "
+ "EVP_DigestSign and EVP_DigestVerify.");
+ return 0;
+ }
+#endif
+
if (vrsa == NULL && prsactx->rsa == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
return 0;
@@ -851,6 +874,11 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
+ if (prsactx == NULL)
+ return 0;
+
+ prsactx->flag_is_digest_sigver = 1;
+
if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
return 0;
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index a96940f026..ac934a2096 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -111,6 +111,7 @@ Input = "Hello World"
Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862
# Test that mdsize != tbssize fails
+Availablein = default
Sign = P-256
Ctrl = digest:SHA256
Input = "0123456789ABCDEF1234"
@@ -197,14 +198,6 @@ Key = B-163
Input = "Hello World"
Result = DIGESTSIGNINIT_ERROR
-# Test that SHA1 is not allowed in fips mode for signing
-Availablein = fips
-Sign = P-256
-Securitycheck = 1
-Ctrl = digest:SHA1
-Input = "0123456789ABCDEF1234"
-Result = PKEY_CTRL_ERROR
-
# Invalid non-approved digest
Availablein = fips
DigestVerify = MD5
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 37e542e1c2..e8209996ef 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -103,11 +103,13 @@ Input = "0123456789ABCDEF1234"
Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
# Truncated digest
+Availablein = default
Sign = RSA-2048
Ctrl = digest:SHA512-224
Input = "0123456789ABCDEF123456789ABC"
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+Availablein = default
Verify = RSA-2048
Ctrl = digest:SHA512-224
Input = "0123456789ABCDEF123456789ABC"
@@ -218,6 +220,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
# no padding
# Too small input
+Availablein = default
Sign = RSA-2048
Ctrl = rsa_padding_mode:none
Input = "0123456789ABCDEF123456789ABC"
@@ -225,6 +228,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
Result = KEYOP_ERROR
# Digest set before padding
+Availablein = default
Sign = RSA-2048
Ctrl = digest:sha256
Ctrl = rsa_padding_mode:none
@@ -233,6 +237,7 @@ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e37
Result = PKEY_CTRL_ERROR
# Digest set after padding
+Availablein = default
Sign = RSA-2048
Ctrl = rsa_padding_mode:none
Ctrl = digest:sha256
@@ -240,23 +245,27 @@ Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
Result = PKEY_CTRL_ERROR
+Availablein = default
Sign = RSA-2048
Ctrl = rsa_padding_mode:none
Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:none
Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
# Plaintext modified
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:none
Input = 0223456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
Result = VERIFY_ERROR
+Availablein = default
VerifyRecover = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:none
Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
@@ -370,6 +379,7 @@ rQPeR+HETwIDAQAB
PrivPubKeyPair = RSA-PSS:RSA-PSS-BAD2
# Zero salt length makes output deterministic
+Availablein = default
Sign = RSA-2048
Ctrl = digest:sha256
Ctrl = rsa_padding_mode:pss
@@ -378,6 +388,7 @@ Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
# Verify of above signature
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:0
@@ -395,6 +406,7 @@ Input="0123456789ABCDEF0123"
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
# Digest too short
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:0
@@ -404,6 +416,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
Result = VERIFY_ERROR
# Digest too long
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:0
@@ -413,6 +426,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
Result = VERIFY_ERROR
# Wrong salt length
+Availablein = default
Verify = RSA-2048
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:2
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 9e7c721eab..d32833f42c 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -72,7 +72,7 @@ my @smime_pkcs7_tests = (
[ "signed content DER format, RSA key",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -80,7 +80,7 @@ my @smime_pkcs7_tests = (
[ "signed detached content DER format, RSA key",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", $smrsa1, "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt",
"-content", $smcont ],
\&final_compare
@@ -90,7 +90,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-stream",
"-signer", $smrsa1, "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -117,7 +117,7 @@ my @smime_pkcs7_tests = (
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
"-signer", $smrsa1, "-out", "{output}2.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt",
"-content", $smcont ],
\&final_compare
@@ -140,20 +140,20 @@ my @smime_pkcs7_tests = (
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
- [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+ [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -194,7 +194,7 @@ my @smime_pkcs7_tests = (
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -504,11 +504,11 @@ my @smime_cms_param_tests = (
],
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
- [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-noattr", "-signer", $smrsa1,
"-keyopt", "rsa_padding_mode:pss",
"-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
--
2.35.3

View File

@ -0,0 +1,466 @@
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 7 Jun 2022 12:02:49 +0200
Subject: [PATCH] fips: Expose a FIPS indicator
FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.
Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.
As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.
To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.
Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
doc/build.info | 6 ++
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
providers/fips/fipsprov.c | 71 +++++++++++++
providers/fips/indicator.h | 66 ++++++++++++
util/mkdef.pl | 25 ++++-
util/providers.num | 1 +
6 files changed, 322 insertions(+), 1 deletion(-)
create mode 100644 doc/man7/fips_module_indicators.pod
create mode 100644 providers/fips/indicator.h
diff --git a/doc/build.info b/doc/build.info
index b0aa4297a4..af235113bb 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
@@ -4631,6 +4635,7 @@ html/man7/ct.html \
html/man7/des_modes.html \
html/man7/evp.html \
html/man7/fips_module.html \
+html/man7/fips_module_indicators.html \
html/man7/life_cycle-cipher.html \
html/man7/life_cycle-digest.html \
html/man7/life_cycle-kdf.html \
@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
man/man7/des_modes.7 \
man/man7/evp.7 \
man/man7/fips_module.7 \
+man/man7/fips_module_indicators.7 \
man/man7/life_cycle-cipher.7 \
man/man7/life_cycle-digest.7 \
man/man7/life_cycle-kdf.7 \
diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
new file mode 100644
index 0000000000..23db2b395c
--- /dev/null
+++ b/doc/man7/fips_module_indicators.pod
@@ -0,0 +1,154 @@
+=pod
+
+=head1 NAME
+
+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
+
+=head1 DESCRIPTION
+
+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
+implements Approved Security Service Indicators according to the FIPS 140-3
+Implementation Guidelines, section 2.4.C. See
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
+for the FIPS 140-3 Implementation Guidelines.
+
+For all approved services except signatures, the Red Hat OpenSSL FIPS provider
+uses the return code as the indicator as understood by FIPS 140-3. That means
+that every operation that succeeds denotes use of an approved security service.
+Operations that do not succeed may not have been approved security services, or
+may have been used incorrectly.
+
+For signatures, an explicit indicator API is available to determine whether
+a selected operation is an approved security service, in combination with the
+return code of the operation. For a signature operation to be approved, the
+explicit indicator must claim it as approved, and it must succeed.
+
+=head2 Querying the explicit indicator
+
+The Red Hat OpenSSL FIPS provider exports a symbol named
+I<redhat_ossl_query_fipsindicator> that provides information on which signature
+operations are approved security functions. To use this function, either link
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
+dlsym(3).
+
+ #include <openssl/core_dispatch.h>
+ #include "providers/fips/indicator.h"
+
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
+ if (provider == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ // handle error
+ }
+
+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
+ = dlsym(provider, "redhat_ossl_query_fipsindicator");
+ if (redhat_ossl_query_fipsindicator == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
+ " patches?\n");
+ // handle error
+ }
+
+Note that this uses the I<providers/fips/indicator.h> header, which is not
+public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
+repository using I<dnf debuginfo-install openssl> and include
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
+
+I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
+obtain the indicators for signature operations. On success, the return value is
+a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
+returned. The last entry in the array is indicated by I<algorithm_names> being
+NULL.
+
+ typedef struct ossl_rh_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
+ } OSSL_RH_FIPSINDICATOR_ALGORITHM;
+
+ typedef struct ossl_rh_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+ } OSSL_RH_FIPSINDICATOR_DISPATCH;
+
+The I<algorithm_names> field is a colon-separated list of algorithm names from
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
+be used to locate the appropriate entry. See the example below, where
+I<algorithm> contains the algorithm name to search for:
+
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
+ redhat_ossl_query_fipsindicator(operation_id);
+ if (indicator == NULL) {
+ fprintf(stderr, "No indicator for operation, probably using implicit"
+ " indicators.\n");
+ // handle error
+ }
+
+ for (; indicator->algorithm_names != NULL; ++indicator) {
+ char *algorithm_names = strdup(indicator->algorithm_names);
+ if (algorithm_names == NULL) {
+ perror("strdup(3)");
+ // handle error
+ }
+
+ const char *algorithm_name = strtok(algorithm_names, ":");
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
+ indicator_dispatch = indicator->indicators;
+ free(algorithm_names);
+ algorithm_names = NULL;
+ break;
+ }
+ }
+ free(algorithm_names);
+ }
+ if (indicator_dispatch == NULL) {
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
+ // handle error
+ }
+
+If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
+given algorithm name, it maps function IDs to their approval status. The last
+entry is indicated by a zero I<function_id>. I<approved> is
+I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
+service, or part of an approved security service, or
+I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
+
+Assuming I<function_id> is the function in question, the following code can be
+used to query the approval status:
+
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
+ if (indicator_dispatch->function_id == function_id) {
+ switch (indicator_dispatch->approved) {
+ case OSSL_RH_FIPSINDICATOR_APPROVED:
+ // approved security service
+ break;
+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
+ // unapproved security service
+ break;
+ default:
+ // invalid result
+ break;
+ }
+ break;
+ }
+ }
+
+=head1 SEE ALSO
+
+L<fips_module(7)>, L<provider(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index de391ce067..1cfd71c5cf 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -23,6 +23,7 @@
#include "prov/seeding.h"
#include "self_test.h"
#include "internal/core.h"
+#include "indicator.h"
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
{ NULL, NULL, NULL }
};
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
+ redhat_rsa_signature_indicators },
+#ifndef OPENSSL_NO_EC
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
+ redhat_ecdsa_signature_indicators },
+#endif
+ { NULL, NULL, NULL }
+};
+
static const OSSL_ALGORITHM fips_asym_cipher[] = {
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
{ NULL, NULL, NULL }
@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
freelocale(loc);
}
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
+ switch (operation_id) {
+ case OSSL_OP_SIGNATURE:
+ return redhat_indicator_fips_signature;
+ }
+ return NULL;
+}
+
static void fips_teardown(void *provctx)
{
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
new file mode 100644
index 0000000000..b323efe44c
--- /dev/null
+++ b/providers/fips/indicator.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_INDICATOR_H
+# define OPENSSL_FIPS_INDICATOR_H
+# pragma once
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
+# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
+
+/*
+ * FIPS indicator dispatch table element. function_id numbers and the
+ * functions are defined in core_dispatch.h, see macros with
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
+ *
+ * An array of these is always terminated by function_id == 0
+ */
+typedef struct ossl_rh_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+} OSSL_RH_FIPSINDICATOR_DISPATCH;
+
+/*
+ * Type to tie together algorithm names, property definition string and the
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
+ * indicator dispatch table.
+ *
+ * An array of these is always terminated by algorithm_names == NULL
+ */
+typedef struct ossl_rh_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
+} OSSL_RH_FIPSINDICATOR_ALGORITHM;
+
+/**
+ * Query FIPS indicator status for the given operation. Possible values for
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
+ * use implicit indicators. The return value is an array of
+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
+ * algorithm names, 'property_definition' a comma-separated list of properties,
+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
+ * list is terminated by function_id == 0. 'function_id' is one of the
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
+ *
+ * If there is no entry in the returned struct for the given operation_id,
+ * algorithm name, or function_id, the algorithm is unapproved.
+ */
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif
diff --git a/util/mkdef.pl b/util/mkdef.pl
index a1c76f7c97..eda39b71ee 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
return
$item->exists()
&& platform_filter($item)
- && feature_filter($item);
+ && feature_filter($item)
+ && fips_filter($item, $name);
};
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
@@ -205,6 +206,28 @@ sub feature_filter {
return $verdict;
}
+sub fips_filter {
+ my $item = shift;
+ my $name = uc(shift);
+ my @features = ( $item->features() );
+
+ # True if no features are defined
+ return 1 if scalar @features == 0;
+
+ my @matches = grep(/^ONLY_.*$/, @features);
+ if (@matches) {
+ # There is at least one only_* flag on this symbol, check if any of
+ # them match the name
+ for (@matches) {
+ if ($_ eq "ONLY_${name}") {
+ return 1;
+ }
+ }
+ return 0;
+ }
+ return 1;
+}
+
sub sorter_unix {
my $by_name = OpenSSL::Ordinals::by_name();
my %weight = (
diff --git a/util/providers.num b/util/providers.num
index 4e2fa81b98..77879d0e5f 100644
--- a/util/providers.num
+++ b/util/providers.num
@@ -1 +1,2 @@
OSSL_provider_init 1 * EXIST::FUNCTION:
+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
--
2.35.3

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 34%{?dist}
Release: 35%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -118,8 +118,7 @@ Patch58: 0058-FIPS-limit-rsa-encrypt.patch
Patch60: 0060-FIPS-KAT-signature-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
# Disabled for now because it breaks EVP_SignFinal
#Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://github.com/openssl/openssl/pull/18141
Patch63: 0063-CVE-2022-1473.patch
# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
@ -459,6 +458,11 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
- Add explicit indicators for signatures in FIPS mode and mark signature
primitives as unapproved.
Resolves: rhbz#2087147
* Fri Jun 03 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-34
- Some OpenSSL test certificates are expired, updating
- Resolves: rhbz#2092456