Commit Graph

96 Commits

Author SHA1 Message Date
Clemens Lang
08d6c35051 FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign
Use RSA-OAEP in FIPS self-tests and support a fixed OAEP seed to make
the test deterministic as required for a known-answer test.

Switch the signature FIPS self-test to use the digest_sign and
digest_verify provider functions using the EVP_DigestSign and
EVP_DigestVerify APIs, as the existing signature self-test does not
cover hash computation.

Switch the existing Diffie-Hellman FIPS self-test to use FFDHE2048,
a known safe prime from RFC 7919.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2102535
2022-08-01 17:18:12 +02:00
Clemens Lang
3e6d5a385b Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le
Backport patches that improve performance of AES-GCM on Power9 and
newer, and ChaCha20 on Power10.

Resolves: rhbz#2051312
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-14 18:19:36 +02:00
Clemens Lang
c64694b961 Fix segfault in EVP_PKEY_Q_keygen()
When OpenSSL was not previously initialized, EVP_PKEY_Q_keygen() would
cause a segmentation fault. Avoid this by backporting a fix from
upstream.

Resolves: rhbz#2103289
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-14 14:49:48 +02:00
Clemens Lang
5901637dea CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-05 14:04:20 +02:00
Dmitry Belyavskiy
f3b52e907b CVE-2022-2068: the c_rehash script allows command injection
Related: rhbz#2098277
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
fea833cb56 Strict certificates validation shouldn't allow explicit EC parameters
Related: rhbz#2058663
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
ea75c725ee Fix PPC64 Montgomery multiplication bug
Related: rhbz#2098199
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
f4e1bded66 Improve diagnostics when passing unsupported groups in TLS
Related: rhbz#2070197
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
cbe5a9ff12 FIPS provider should block RSA encryption for key transport.
Other RSA encryption options should still be available if key length is enough
Related: rhbz#2053289
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
8638196167 Ciphersuites with RSAPSK KX should be filterd in FIPS mode
Related: rhbz#2085088
2022-06-16 15:06:45 +02:00
Clemens Lang
8b08b372c8 FIPS: Expose explicit indicator from fips.so
FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.

Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.

EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.

As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.

To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.

Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2087147
2022-06-09 17:13:33 +02:00
Dmitry Belyavskiy
e859029ea0 Replace expired certificates
Resolves: rhbz#2092456
2022-06-03 15:31:56 +02:00
Dmitry Belyavskiy
a8a3a389ee Use KAT for ECDSA signature tests, s390 arch
Resolves: rhbz#2069235
2022-05-30 18:22:47 +02:00
Clemens Lang
96926ffe00 Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
Disabling EVP_PKEY_sign and EVP_PKEY_verify also breaks EVP_SignFinal,
which is used by many applications, among them OpenSSH. This change thus
broke sshd in FIPS mode. Revert it for now until we found a better
solution.

Related: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-27 12:35:18 +02:00
Dmitry Belyavskiy
794d81540e CVE-2022-1292 openssl: c_rehash script allows command injection
Resolves: rhbz#2090362
2022-05-26 12:14:19 +02:00
Dmitry Belyavskiy
a63915eb2b CVE-2022-1343 openssl: inacurate verification when using OCSP_NOCHECKS
Resolves: rhbz#2087911
2022-05-26 12:07:22 +02:00
Dmitry Belyavskiy
ac312e8ff7 CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
Resolves: rhbz#2089444
2022-05-26 11:57:12 +02:00
Dmitry Belyavskiy
b5de6bd830 In FIPS mode limit key sizes for signature verification
Resolves: rhbz#2077884
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
7bc4f9f094 Ciphersuites with RSA KX should be filterd in FIPS mode
Related: rhbz#2085088
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
b393177f7d openssl ecparam -list_curves lists only FIPS-approved curves in FIPS mode
Resolves: rhbz#2083240
2022-05-23 19:16:09 +02:00
Clemens Lang
389313b118 FIPS: Disable SHA1 signs and EVP_PKEY_{sign,verify}
1. Deny SHA-1 signature verification in FIPS provider

For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
lenient configuration in this regard. Additionally, we do not think
continuing to accept SHA-1 signatures is a good idea due to the
published chosen-prefix collision attacks.

As a consequence, disable verification of SHA-1 signatures in the FIPS
provider.

This requires adjusting a few tests that would otherwise fail:
- 30-test_acvp: Remove the test vectors that use SHA-1.
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
  which will not run them when the FIPS provider is enabled.
- 80-test_cms: Re-generate all certificates in test/smime-certificates
  using the mksmime-certs.sh script, because most of them were signed
  with SHA-1 and thus fail verification in the FIPS provider. Keep
  smec3.pem, which was used to sign static test data in
  test/recipes/80-test_cms_data/ciphertext_from_1_1_1.cms, which would
  otherwise no longer verify. Note that smec3.pem was signed with
  a smroot.pem, which was now re-generated. This does not affect the
  test.
  Fix some other tests by explicitly running them in the default
  provider, where SHA-1 is available.
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
  the FIPS provider.

2. Disable EVP_PKEY_{sign,verify} in FIPS provider

The APIs to compute both digest and signature in one step,
EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be
used instead. This ensures that the digest is computed inside of the
FIPS module, and that only approved digests are used.

Update documentation for EVP_PKEY_{sign,verify} to reflect this.

Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to
set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex
and EVP_PKEY_verify_init_ex where these parameters can be passed on
creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is
set and evaluates as true.

Move tests that use the EVP_PKEY API to only run in the default
provider, since they would fail in the FIPS provider. This also affects
a number of CMS tests where error handling is insufficient and failure
to sign would only show up when verifying the CMS structure due to
a parse error.

Resolves: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-23 17:02:25 +02:00
Dmitry Belyavskiy
87f109e9fb Use KAT for ECDSA signature tests
Resolves: rhbz#2069235
2022-05-16 18:54:17 +02:00
Dmitry Belyavskiy
69c1abb4df openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
Resolves: rhbz#2063947
2022-05-12 13:45:42 +02:00
Dmitry Belyavskiy
b4d281e4de -config argument of openssl app should work properly
Resolves: rhbz#2083274
2022-05-12 13:29:27 +02:00
Dmitry Belyavskiy
1b2d08b2c2 Adaptation of upstream patches disabling explicit EC parameters in FIPS mode
Resolves: rhbz#2058663
2022-05-06 17:41:32 +02:00
Clemens Lang
1447e64bc3 Include hash in FIPS module version
Include a hash of specfile, patches, and sources in the FIPS module
version. This should allow us to uniquely identify a build that we do,
so that we can be sure which specific binary is being submitted for
validation and was certified.

The previous solution used $(date +%Y%m%d), which had some risks related
to build server timezone and build date differences on different
architectures.

Resolves: rhbz#2070550
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-06 13:16:36 +02:00
Dmitry Belyavskiy
ad863e9fc8 OpenSSL FIPS module should not build in non-approved algorithms
Resolves: rhbz#2081378
2022-05-05 17:34:49 +02:00
Dmitry Belyavskiy
6ba0e5efa3 When FIPS provider is in use, we forbid only some padding modes - spec
Resolves: rhbz#2053289
2022-05-02 18:33:35 +02:00
Clemens Lang
9afaa3d1f4 Fix regression in evp_pkey_name2type caused by tr_TR locale fix
Resolves: rhbz#2071631
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-28 13:39:35 +02:00
Dmitry Belyavskiy
a711ac2e4f Fix openssl curl error with LANG=tr_TR.utf8
Resolves: rhbz#2071631
2022-04-21 15:16:46 +02:00
Dmitry Belyavskiy
7a1c7b28bc FIPS provider doesn't block RSA encryption for key transport
Resolves: rhbz#2053289
2022-03-29 13:32:47 +02:00
Clemens Lang
93ff3f8fe5 Fix occasional internal error in TLS when DHE is used
Resolves: rhbz#2004915
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-22 13:04:16 +01:00
Clemens Lang
153f593fa6 Fix SHA1 certs in LEGACY without openssl lib ctxt
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-18 13:36:55 +01:00
Clemens Lang
4eb630f7d5 Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-18 09:27:51 +01:00
Dmitry Belyavskiy
03697fff80 CVE-2022-0778 fix
Resolves: rhbz#2062315
2022-03-16 15:03:25 +01:00
Clemens Lang
bc7dfd9722 Fix RSA PSS padding with SHA-1 disabled
Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.

This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.

Resolves: rhbz#2062640
2022-03-10 13:29:29 +01:00
Clemens Lang
3c66c99bd5 Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.

Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-04 10:19:04 +01:00
Clemens Lang
ede38fcb54 Prevent use of SHA1 with ECDSA
providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.

Resolves: rhbz#2031742
2022-02-25 14:45:22 +01:00
Dmitry Belyavskiy
ea9f0a5726 OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
2022-02-25 12:37:01 +01:00
Peter Robinson
849a9965ee Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261
Signed-off-by: Peter Robinson <pbrobinson@redhat.com>
2022-02-24 10:14:16 +00:00
Clemens Lang
53f53fedec Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-23 17:53:55 +01:00
Dmitry Belyavskiy
b33dfd3fc3 Spec bump
Resolves: rhbz#2031742
2022-02-23 11:47:25 +01:00
Clemens Lang
5a9ab1160e Allow SHA1 usage in HMAC in TLS
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.

Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 19:40:20 +01:00
Dmitry Belyavskiy
53b85f538c OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
2022-02-22 16:32:34 +01:00
Clemens Lang
78fb78d307 Disable SHA1 signature creation and verification by default
Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 12:25:35 +01:00
Sahana Prasad
0a5c81da78 s_server: correctly handle 2^14 byte long records
Resolves: rhbz#2042011

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-02-03 15:37:48 +01:00
Dmitry Belyavskiy
922b5301ea Adjust FIPS provider version
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
2022-02-01 16:02:01 +01:00
Dmitry Belyavskiy
8c3b745547 On the s390x, zeroize all the copies of TLS premaster secret
Related: rhbz#2040448
2022-01-26 16:50:19 +01:00
Dmitry Belyavskiy
92e721fa5d Rebuild
Related: rhbz#2026445
2022-01-21 14:40:57 +01:00
Dmitry Belyavskiy
d237e7f301 Restoring fips=yes to SHA-1
Related: rhbz#2026445
2022-01-21 13:48:28 +01:00