Mark RSA-OAEP as approved in FIPS mode

Switch explicit FIPS indicator for RSA-OAEP to approved following clarification with CMVP. Additionally, backport a check required by SP800-56Br2 6.4.1.2.1 (3.c). Resolves: RHEL-14083
2023-10-19 12:47:52 +02:00 · 2023-10-19 12:47:52 +02:00 · 9a075c13c3
commit 9a075c13c3
parent 66dddb942c
3 changed files with 75 additions and 21 deletions
--- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@ -9,21 +9,23 @@ party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
 agreement schemes, but explicit key confirmation is not implemented and
 cannot be implemented without protocol changes, and the FIPS provider
 does not implement trusted third party validation, since it relies on
-its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
+its callers to do that. A request for guidance sent to NIST did clarify
-as unapproved until we have received clarification from NIST on how
+that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
-library modules such as OpenSSL should implement TTP validation.
+an indicator to mark them as unapproved previously and should thus keep
 the indicator available.
 This does not affect RSA-OAEP decryption, because it is approved as
 a component according to the FIPS 140-3 IG, section 2.4.G.
 Resolves: rhbz#2179331
 Resolves: RHEL-14083
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 include/openssl/core_names.h                  |  2 ++
 include/openssl/evp.h                         |  4 +++
- .../implementations/asymciphers/rsa_enc.c     | 24 +++++++++++++++
+ .../implementations/asymciphers/rsa_enc.c     | 19 ++++++++++++
- providers/implementations/kem/rsa_kem.c       | 30 ++++++++++++++++++-
+ providers/implementations/kem/rsa_kem.c       | 29 ++++++++++++++++++-
- 4 files changed, 59 insertions(+), 1 deletion(-)
+ 4 files changed, 53 insertions(+), 1 deletion(-)
 diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
 index 832502a034..e15d208421 100644
@ -37,7 +39,7 @@ index 832502a034..e15d208421 100644
 /*
  * Encoder / decoder parameters
-@@ -503,6 +504,7 @@ extern "C" {
+@@ -511,6 +512,7 @@ extern "C" {
 /* KEM parameters */
 #define OSSL_KEM_PARAM_OPERATION            "operation"
@ -49,7 +51,7 @@ diff --git a/include/openssl/evp.h b/include/openssl/evp.h
 index ec2ba46fbd..3803b03422 100644
 --- a/include/openssl/evp.h
 +++ b/include/openssl/evp.h
-@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
 OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
 # endif
@ -64,25 +66,22 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme
 index 568452ec56..2e7ea632d7 100644
 --- a/providers/implementations/asymciphers/rsa_enc.c
 +++ b/providers/implementations/asymciphers/rsa_enc.c
-@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
         return 0;
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
 +
 +        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
 +         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
 +         * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
 +         * explicit key confirmation is not implemented here and cannot be
 +         * implemented without protocol changes, and the FIPS provider does not
 +         * implement trusted third party validation, since it relies on its
-+         * callers to do that. We must thus mark RSA-OAEP as unapproved until
+         * callers to do that. A request for guidance sent to NIST resulted in
-+         * we have received clarification from NIST on how library modules such
+         * further clarification which allows OpenSSL to claim RSA-OAEP. */
-+         * as OpenSSL should implement TTP validation. */
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
 +        fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
@ -92,7 +91,7 @@ index 568452ec56..2e7ea632d7 100644
     return 1;
 }
-@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
 #ifdef FIPS_MODULE
     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
@ -104,7 +103,7 @@ diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations
 index 882cf16125..b4cc0f9237 100644
 --- a/providers/implementations/kem/rsa_kem.c
 +++ b/providers/implementations/kem/rsa_kem.c
-@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
+@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 {
     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
@ -124,10 +123,9 @@ index 882cf16125..b4cc0f9237 100644
 +         * explicit key confirmation is not implemented here and cannot be
 +         * implemented without protocol changes, and the FIPS provider does not
 +         * implement trusted third party validation, since it relies on its
-+         * callers to do that. We must thus mark RSASVE unapproved until we
+         * callers to do that. A request for guidance sent to NIST resulted in
-+         * have received clarification from NIST on how library modules such as
+         * further clarification which allows OpenSSL to claim RSASVE. */
-+         * OpenSSL should implement TTP validation. */
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
 +        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
--- a/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
+++ b/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
@ -0,0 +1,49 @@
 From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 16 Oct 2023 15:30:26 +0200
 Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
 The code did not yet check that the length of the RSA key is positive
 and even.
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
 ---
 crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
 test/rsa_sp800_56b_test.c        | 4 ++++
 2 files changed, 9 insertions(+)
 diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
 index fc8f19b487..e6b79e953d 100644
 --- a/crypto/rsa/rsa_sp800_56b_check.c
 +++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
         return 0;
     }
 +    /* (Step 3.c): check that the modulus length is a positive even integer */
 +    if (nbits <= 0 || (nbits & 0x1)) {
 +        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
 +        return 0;
 +    }
     ctx = BN_CTX_new_ex(rsa->libctx);
     if (ctx == NULL)
 diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
 index 7660019f47..aa58bbbe6c 100644
 --- a/test/rsa_sp800_56b_test.c
 +++ b/test/rsa_sp800_56b_test.c
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
           && TEST_true(BN_add_word(n, 1))
           && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
           && TEST_true(BN_sub_word(n, 1))
 +          /* check that validation fails if len(n) is not even */
 +          && TEST_true(BN_lshift1(n, n))
 +          && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
 +          && TEST_true(BN_rshift1(n, n))
           /* check p  */
           && TEST_true(BN_sub_word(p, 2))
           && TEST_true(BN_mul(n, p, q, ctx))
 -- 
 2.41.0
--- a/openssl.spec
+++ b/openssl.spec
@ -201,6 +201,8 @@ Patch125: 0125-CVE-2023-2975.patch
 Patch126: 0126-CVE-2023-3446.patch
 Patch127: 0127-CVE-2023-3817.patch
 Patch128: 0128-CVE-2023-5363.patch
 # https://github.com/openssl/openssl/pull/22403
 Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@ -546,6 +548,11 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
  Resolves: RHEL-5308
 - Fix incorrect cipher key and IV length processing (CVE-2023-5363)
  Resolves: RHEL-13251
 - Switch explicit FIPS indicator for RSA-OAEP to approved following
  clarification with CMVP
  Resolves: RHEL-14083
 - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
  Resolves: RHEL-14083
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly