Commit Graph

197 Commits

Author SHA1 Message Date
Clemens Lang
96926ffe00 Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
Disabling EVP_PKEY_sign and EVP_PKEY_verify also breaks EVP_SignFinal,
which is used by many applications, among them OpenSSH. This change thus
broke sshd in FIPS mode. Revert it for now until we found a better
solution.

Related: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-27 12:35:18 +02:00
Dmitry Belyavskiy
794d81540e CVE-2022-1292 openssl: c_rehash script allows command injection
Resolves: rhbz#2090362
2022-05-26 12:14:19 +02:00
Dmitry Belyavskiy
a63915eb2b CVE-2022-1343 openssl: inacurate verification when using OCSP_NOCHECKS
Resolves: rhbz#2087911
2022-05-26 12:07:22 +02:00
Dmitry Belyavskiy
ac312e8ff7 CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
Resolves: rhbz#2089444
2022-05-26 11:57:12 +02:00
Dmitry Belyavskiy
b5de6bd830 In FIPS mode limit key sizes for signature verification
Resolves: rhbz#2077884
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
7bc4f9f094 Ciphersuites with RSA KX should be filterd in FIPS mode
Related: rhbz#2085088
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
b393177f7d openssl ecparam -list_curves lists only FIPS-approved curves in FIPS mode
Resolves: rhbz#2083240
2022-05-23 19:16:09 +02:00
Clemens Lang
389313b118 FIPS: Disable SHA1 signs and EVP_PKEY_{sign,verify}
1. Deny SHA-1 signature verification in FIPS provider

For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
lenient configuration in this regard. Additionally, we do not think
continuing to accept SHA-1 signatures is a good idea due to the
published chosen-prefix collision attacks.

As a consequence, disable verification of SHA-1 signatures in the FIPS
provider.

This requires adjusting a few tests that would otherwise fail:
- 30-test_acvp: Remove the test vectors that use SHA-1.
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
  which will not run them when the FIPS provider is enabled.
- 80-test_cms: Re-generate all certificates in test/smime-certificates
  using the mksmime-certs.sh script, because most of them were signed
  with SHA-1 and thus fail verification in the FIPS provider. Keep
  smec3.pem, which was used to sign static test data in
  test/recipes/80-test_cms_data/ciphertext_from_1_1_1.cms, which would
  otherwise no longer verify. Note that smec3.pem was signed with
  a smroot.pem, which was now re-generated. This does not affect the
  test.
  Fix some other tests by explicitly running them in the default
  provider, where SHA-1 is available.
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
  the FIPS provider.

2. Disable EVP_PKEY_{sign,verify} in FIPS provider

The APIs to compute both digest and signature in one step,
EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be
used instead. This ensures that the digest is computed inside of the
FIPS module, and that only approved digests are used.

Update documentation for EVP_PKEY_{sign,verify} to reflect this.

Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to
set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex
and EVP_PKEY_verify_init_ex where these parameters can be passed on
creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is
set and evaluates as true.

Move tests that use the EVP_PKEY API to only run in the default
provider, since they would fail in the FIPS provider. This also affects
a number of CMS tests where error handling is insufficient and failure
to sign would only show up when verifying the CMS structure due to
a parse error.

Resolves: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-23 17:02:25 +02:00
Dmitry Belyavskiy
87f109e9fb Use KAT for ECDSA signature tests
Resolves: rhbz#2069235
2022-05-16 18:54:17 +02:00
Dmitry Belyavskiy
69c1abb4df openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
Resolves: rhbz#2063947
2022-05-12 13:45:42 +02:00
Dmitry Belyavskiy
b4d281e4de -config argument of openssl app should work properly
Resolves: rhbz#2083274
2022-05-12 13:29:27 +02:00
Dmitry Belyavskiy
1b2d08b2c2 Adaptation of upstream patches disabling explicit EC parameters in FIPS mode
Resolves: rhbz#2058663
2022-05-06 17:41:32 +02:00
Dmitry Belyavskiy
4dc19fe033 Reworked patch forbidding explicit EC parameters
Resolves: rhbz#2066412
2022-05-06 16:51:28 +02:00
Clemens Lang
1447e64bc3 Include hash in FIPS module version
Include a hash of specfile, patches, and sources in the FIPS module
version. This should allow us to uniquely identify a build that we do,
so that we can be sure which specific binary is being submitted for
validation and was certified.

The previous solution used $(date +%Y%m%d), which had some risks related
to build server timezone and build date differences on different
architectures.

Resolves: rhbz#2070550
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-06 13:16:36 +02:00
Dmitry Belyavskiy
ad863e9fc8 OpenSSL FIPS module should not build in non-approved algorithms
Resolves: rhbz#2081378
2022-05-05 17:34:49 +02:00
Dmitry Belyavskiy
6ba0e5efa3 When FIPS provider is in use, we forbid only some padding modes - spec
Resolves: rhbz#2053289
2022-05-02 18:33:35 +02:00
Dmitry Belyavskiy
067b6b249b When FIPS provider is in use, we forbid only some padding modes
Resolves: rhbz#2053289
2022-05-02 17:42:54 +02:00
Dmitry Belyavskiy
02c75e5a65 We dont'want totally forbid RSA encryption.
Related: rhbz#2053289
2022-05-02 15:54:28 +02:00
Clemens Lang
9afaa3d1f4 Fix regression in evp_pkey_name2type caused by tr_TR locale fix
Resolves: rhbz#2071631
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-28 13:39:35 +02:00
Dmitry Belyavskiy
a711ac2e4f Fix openssl curl error with LANG=tr_TR.utf8
Resolves: rhbz#2071631
2022-04-21 15:16:46 +02:00
Dmitry Belyavskiy
c0744a0cbf Temporary manual test 2022-04-21 13:20:27 +02:00
Dmitry Belyavskiy
7a1c7b28bc FIPS provider doesn't block RSA encryption for key transport
Resolves: rhbz#2053289
2022-03-29 13:32:47 +02:00
Clemens Lang
93ff3f8fe5 Fix occasional internal error in TLS when DHE is used
Resolves: rhbz#2004915
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-22 13:04:16 +01:00
Clemens Lang
153f593fa6 Fix SHA1 certs in LEGACY without openssl lib ctxt
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-18 13:36:55 +01:00
Clemens Lang
4eb630f7d5 Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-18 09:27:51 +01:00
Dmitry Belyavskiy
03697fff80 CVE-2022-0778 fix
Resolves: rhbz#2062315
2022-03-16 15:03:25 +01:00
Clemens Lang
bc7dfd9722 Fix RSA PSS padding with SHA-1 disabled
Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.

This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.

Resolves: rhbz#2062640
2022-03-10 13:29:29 +01:00
Clemens Lang
3c66c99bd5 Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.

Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-04 10:19:04 +01:00
Clemens Lang
ede38fcb54 Prevent use of SHA1 with ECDSA
providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.

Resolves: rhbz#2031742
2022-02-25 14:45:22 +01:00
Dmitry Belyavskiy
ea9f0a5726 OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
2022-02-25 12:37:01 +01:00
Peter Robinson
849a9965ee Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261
Signed-off-by: Peter Robinson <pbrobinson@redhat.com>
2022-02-24 10:14:16 +00:00
Clemens Lang
53f53fedec Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-23 17:53:55 +01:00
Dmitry Belyavskiy
b33dfd3fc3 Spec bump
Resolves: rhbz#2031742
2022-02-23 11:47:25 +01:00
Clemens Lang
5a9ab1160e Allow SHA1 usage in HMAC in TLS
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.

Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 19:40:20 +01:00
Dmitry Belyavskiy
53b85f538c OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
2022-02-22 16:32:34 +01:00
Dmitry Belyavskiy
d79f404164 Allows non-fips KDF for PKCS#12
Related: rhbz#2049265
2022-02-22 16:30:16 +01:00
Clemens Lang
78fb78d307 Disable SHA1 signature creation and verification by default
Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 12:25:35 +01:00
Sahana Prasad
0a5c81da78 s_server: correctly handle 2^14 byte long records
Resolves: rhbz#2042011

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-02-03 15:37:48 +01:00
Dmitry Belyavskiy
922b5301ea Adjust FIPS provider version
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
2022-02-01 16:02:01 +01:00
Dmitry Belyavskiy
8c3b745547 On the s390x, zeroize all the copies of TLS premaster secret
Related: rhbz#2040448
2022-01-26 16:50:19 +01:00
Dmitry Belyavskiy
92e721fa5d Rebuild
Related: rhbz#2026445
2022-01-21 14:40:57 +01:00
Dmitry Belyavskiy
691c22b61c Remove volatile attribute from HMAC to make annocheck happy
Related: rhbz#1985362
2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
d237e7f301 Restoring fips=yes to SHA-1
Related: rhbz#2026445
2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
9df33eabbe KATS self-tests should run before HMAC verifcation
Related: rhbz#2041994
2022-01-21 13:48:28 +01:00
Sahana Prasad
f5421022ee Adds enable-buildtest-c++ to the configure options.
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-01-20 16:37:50 +01:00
Sahana Prasad
78a467efcc Rebase to upstream version 3.0.1
Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-01-18 18:30:10 +01:00
Dmitry Belyavskiy
e63c4b68b2 Update spec file, remove fipsmodule.cnf
Related: rhbz#2026445
2022-01-17 14:18:22 +01:00
Dmitry Belyavskiy
6cdaa527d8 Explicitly permit SHA1 HMAC
Related: rhbz#2026445
2022-01-17 13:19:40 +01:00
Dmitry Belyavskiy
cc37486d86 Minimize the list of services allowed for FIPS
Related: rhbz#2026445
2022-01-17 13:19:29 +01:00
Dmitry Belyavskiy
225b6d37b9 openssl speed should run in FIPS mode
Related: rhbz#1977318
2021-12-21 16:16:07 +01:00