forked from rpms/openssl
Add explicit FIPS indicator for PBKDF2
Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test. Resolves: rhbz#2178137 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
50cb33e688
commit
d60644ea6a
82
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
Normal file
82
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Fri, 3 Mar 2023 12:22:03 +0100
|
||||||
|
Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
|
||||||
|
|
||||||
|
NIST SP 800-132 [1] section 5.1 says "[t]he length of the
|
||||||
|
randomly-generated portion of the salt shall be at least
|
||||||
|
128 bits", which implies that the salt for PBKDF2 must be at least 16
|
||||||
|
bytes long (see also Appendix A.2.1).
|
||||||
|
|
||||||
|
The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
|
||||||
|
properties of the Password and Salt parameters, as well as the desired
|
||||||
|
length of the Master Key used in a CAST shall be among those supported
|
||||||
|
by the module in the approved mode."
|
||||||
|
|
||||||
|
As a consequence, the salt length in the self test must be at least 16
|
||||||
|
bytes long for FIPS 140-3 compliance. Switch the self test to use the
|
||||||
|
only test vector from RFC 6070 that uses salt that is long enough to
|
||||||
|
fulfil this requirement. Since RFC 6070 does not provide expected
|
||||||
|
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
|
||||||
|
generated with python cryptography, which was tested against the RFC
|
||||||
|
6070 vectors with HMAC-SHA1.
|
||||||
|
|
||||||
|
[1]: https://doi.org/10.6028/NIST.SP.800-132
|
||||||
|
[2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
|
||||||
|
[3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
|
||||||
|
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/20429)
|
||||||
|
|
||||||
|
(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
|
||||||
|
---
|
||||||
|
providers/fips/self_test_data.inc | 22 ++++++++++++++++------
|
||||||
|
1 file changed, 16 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||||
|
index 8ae8cd6f4a..03adf28f3c 100644
|
||||||
|
--- a/providers/fips/self_test_data.inc
|
||||||
|
+++ b/providers/fips/self_test_data.inc
|
||||||
|
@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
|
||||||
|
};
|
||||||
|
|
||||||
|
static const char pbkdf2_digest[] = "SHA256";
|
||||||
|
+/*
|
||||||
|
+ * Input parameters from RFC 6070, vector 5 (because it is the only one with
|
||||||
|
+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
|
||||||
|
+ * expected output is taken from
|
||||||
|
+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
|
||||||
|
+ * which ran these test vectors with SHA-256.
|
||||||
|
+ */
|
||||||
|
static const unsigned char pbkdf2_password[] = {
|
||||||
|
- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
|
||||||
|
- 0x64
|
||||||
|
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
|
||||||
|
+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
|
||||||
|
};
|
||||||
|
static const unsigned char pbkdf2_salt[] = {
|
||||||
|
- 0x73, 0x61, 0x00, 0x6c, 0x74
|
||||||
|
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
|
||||||
|
+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
|
||||||
|
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
|
||||||
|
};
|
||||||
|
static const unsigned char pbkdf2_expected[] = {
|
||||||
|
- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
|
||||||
|
- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
|
||||||
|
+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
|
||||||
|
+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
|
||||||
|
+ 0x1c
|
||||||
|
};
|
||||||
|
static int pbkdf2_iterations = 4096;
|
||||||
|
-static int pbkdf2_pkcs5 = 1;
|
||||||
|
+static int pbkdf2_pkcs5 = 0;
|
||||||
|
static const ST_KAT_PARAM pbkdf2_params[] = {
|
||||||
|
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
|
||||||
|
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -0,0 +1,80 @@
|
|||||||
|
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Mon, 6 Mar 2023 12:32:04 +0100
|
||||||
|
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
|
||||||
|
|
||||||
|
The pbkdf2 implementation in the FIPS provider supports the checks
|
||||||
|
required by NIST, but allows disabling these checks by setting the
|
||||||
|
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
|
||||||
|
that the use of this configuration is not approved in FIPS mode. Add an
|
||||||
|
explicit indicator to provide this indication.
|
||||||
|
|
||||||
|
Resolves: rhbz#2175145
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 37 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
index aa0adce5e6..6df8c6d321 100644
|
||||||
|
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
||||||
|
|
||||||
|
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
+
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||||
|
+ != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
||||||
|
+ * those checks are disabled, the PBKDF2 implementation will also
|
||||||
|
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
||||||
|
+ * NIST SP 800-132 section 5.1). */
|
||||||
|
+ if (!ctx->lower_bound_checks)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||||
|
- return -2;
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+ }
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -170,6 +170,9 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
|
|||||||
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
|
||||||
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2175145
|
||||||
|
Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
|
||||||
|
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -507,6 +510,9 @@ install -m644 %{SOURCE9} \
|
|||||||
Resolves: rhbz#2175873
|
Resolves: rhbz#2175873
|
||||||
- Add explicit FIPS indicator for IV generation in AES-GCM
|
- Add explicit FIPS indicator for IV generation in AES-GCM
|
||||||
Resolves: rhbz#2175868
|
Resolves: rhbz#2175868
|
||||||
|
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
|
||||||
|
salt in PBKDF2 FIPS self-test
|
||||||
|
Resolves: rhbz#2178137
|
||||||
|
|
||||||
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
|
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
|
||||||
- Fixes RNG slowdown in FIPS mode
|
- Fixes RNG slowdown in FIPS mode
|
||||||
|
Loading…
Reference in New Issue
Block a user