forked from rpms/openssl
Add explicit FIPS indicator for PBKDF2
Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test. Resolves: rhbz#2178137 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
50cb33e688
commit
d60644ea6a
82
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
Normal file
82
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
Normal file
@ -0,0 +1,82 @@
|
||||
From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 3 Mar 2023 12:22:03 +0100
|
||||
Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
|
||||
|
||||
NIST SP 800-132 [1] section 5.1 says "[t]he length of the
|
||||
randomly-generated portion of the salt shall be at least
|
||||
128 bits", which implies that the salt for PBKDF2 must be at least 16
|
||||
bytes long (see also Appendix A.2.1).
|
||||
|
||||
The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
|
||||
properties of the Password and Salt parameters, as well as the desired
|
||||
length of the Master Key used in a CAST shall be among those supported
|
||||
by the module in the approved mode."
|
||||
|
||||
As a consequence, the salt length in the self test must be at least 16
|
||||
bytes long for FIPS 140-3 compliance. Switch the self test to use the
|
||||
only test vector from RFC 6070 that uses salt that is long enough to
|
||||
fulfil this requirement. Since RFC 6070 does not provide expected
|
||||
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
|
||||
generated with python cryptography, which was tested against the RFC
|
||||
6070 vectors with HMAC-SHA1.
|
||||
|
||||
[1]: https://doi.org/10.6028/NIST.SP.800-132
|
||||
[2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
|
||||
[3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/20429)
|
||||
|
||||
(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
|
||||
---
|
||||
providers/fips/self_test_data.inc | 22 ++++++++++++++++------
|
||||
1 file changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 8ae8cd6f4a..03adf28f3c 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
|
||||
};
|
||||
|
||||
static const char pbkdf2_digest[] = "SHA256";
|
||||
+/*
|
||||
+ * Input parameters from RFC 6070, vector 5 (because it is the only one with
|
||||
+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
|
||||
+ * expected output is taken from
|
||||
+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
|
||||
+ * which ran these test vectors with SHA-256.
|
||||
+ */
|
||||
static const unsigned char pbkdf2_password[] = {
|
||||
- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
|
||||
- 0x64
|
||||
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
|
||||
+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
|
||||
};
|
||||
static const unsigned char pbkdf2_salt[] = {
|
||||
- 0x73, 0x61, 0x00, 0x6c, 0x74
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
|
||||
+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
|
||||
};
|
||||
static const unsigned char pbkdf2_expected[] = {
|
||||
- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
|
||||
- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
|
||||
+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
|
||||
+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
|
||||
+ 0x1c
|
||||
};
|
||||
static int pbkdf2_iterations = 4096;
|
||||
-static int pbkdf2_pkcs5 = 1;
|
||||
+static int pbkdf2_pkcs5 = 0;
|
||||
static const ST_KAT_PARAM pbkdf2_params[] = {
|
||||
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
|
||||
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
|
||||
--
|
||||
2.39.2
|
||||
|
@ -0,0 +1,80 @@
|
||||
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 6 Mar 2023 12:32:04 +0100
|
||||
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
|
||||
|
||||
The pbkdf2 implementation in the FIPS provider supports the checks
|
||||
required by NIST, but allows disabling these checks by setting the
|
||||
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
|
||||
that the use of this configuration is not approved in FIPS mode. Add an
|
||||
explicit indicator to provide this indication.
|
||||
|
||||
Resolves: rhbz#2175145
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
||||
1 file changed, 37 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||
index aa0adce5e6..6df8c6d321 100644
|
||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
||||
|
||||
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
+#ifdef FIPS_MODULE
|
||||
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
||||
+ * those checks are disabled, the PBKDF2 implementation will also
|
||||
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
||||
+ * NIST SP 800-132 section 5.1). */
|
||||
+ if (!ctx->lower_bound_checks)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
--
|
||||
2.39.2
|
||||
|
@ -170,6 +170,9 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
|
||||
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
|
||||
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2175145
|
||||
Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
|
||||
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -507,6 +510,9 @@ install -m644 %{SOURCE9} \
|
||||
Resolves: rhbz#2175873
|
||||
- Add explicit FIPS indicator for IV generation in AES-GCM
|
||||
Resolves: rhbz#2175868
|
||||
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
|
||||
salt in PBKDF2 FIPS self-test
|
||||
Resolves: rhbz#2178137
|
||||
|
||||
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
|
||||
- Fixes RNG slowdown in FIPS mode
|
||||
|
Loading…
Reference in New Issue
Block a user