Commit Graph

188 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
b19d91aec3 Refactor OpenSSL fips module MAC verification
Resolves: rhbz#2157965
2023-01-05 11:42:50 +01:00
Clemens Lang
c0667361a5 Fix explicit indicator for PSS salt length
The previous state of the patch did not work correctly when used with
negative salt lengths, which OpenSSL uses a magic values. Setting the
saltlength to max would yield an approved state in the indicator, while
it is not approved.

Additionally, update the patch to change the default PSS salt length
with the current state of discussion upstream (see
https://github.com/openssl/openssl/pull/19724).

Resolves: rhbz#2142087
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-11-29 13:23:25 +01:00
Dmitry Belyavskiy
657265459d Backport of ppc64le Montgomery multiply enhancement
Resolves: rhbz#2130708
2022-11-29 12:00:38 +01:00
Dmitry Belyavskiy
c29e183891 Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083879
2022-11-28 17:37:27 +01:00
Dmitry Belyavskiy
d60bf2b343 Removed recommended package for openssl-libs
Resolves: rhbz#2093804
2022-11-28 13:00:03 +01:00
Dmitry Belyavskiy
f2a49ef424 We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
Resolves: rhbz#2133809
2022-11-25 19:23:22 +01:00
Dmitry Belyavskiy
0f139ead1a Various provider-related imrovements necessary for PKCS#11 provider correct operations
Resolves: rhbz#2142517
2022-11-25 11:42:25 +01:00
Dmitry Belyavskiy
07892fe646 Rebasing to OpenSSL 3.0.7 - removing redundant patches
Resolves: rhbz#2129063
2022-11-24 10:31:36 +01:00
Dmitry Belyavskiy
477d91adec Rebasing to OpenSSL 3.0.7
Resolves: rhbz#2129063
2022-11-24 10:31:36 +01:00
Dmitry Belyavskiy
5d738bdd7f Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
Resolves: rhbz#2145170
2022-11-23 14:00:05 +01:00
Clemens Lang
80de7ffd9c Add explicit indicator & clamp default PSS salt len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
the hash function output block (in bytes)."

It is not exactly clear from this text whether hLen refers to the
message digest or the hash function used for the mask generation
function MGF1. PKCS#1 v2.1 suggests it is the former:

| Typical salt lengths in octets are hLen (the length of the output of
| the hash function Hash) and 0. In both cases the security of
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
| Bellare and Rogaway [4] give a tight lower bound for the security of
| the original RSA-PSS scheme, which corresponds roughly to the former
| case, while Coron [12] gives a lower bound for the related Full Domain
| Hashing scheme, which corresponds roughly to the latter case. In [13]
| Coron provides a general treatment with various salt lengths ranging
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
| the security proofs in [4][13] to address the differences between the
| original and the present version of RSA-PSS as listed in Note 1 above.

Since OpenSSL defaults to creating signatures with the maximum salt
length, blocking the use of longer salts would probably lead to
significant problems in practice. Instead, introduce an explicit
indicator that can be obtained from the EVP_PKEY_CTX object using
EVP_PKEY_CTX_get_params() with the
  OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
parameter.

Change the default automatic behavior when signing to use at most the
digest size as salt length.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144012
2022-11-21 10:42:43 +01:00
Clemens Lang
fe09690308 pbkdf2: Set minimum password length of 8 bytes
The Implementation Guidance for FIPS 140-3 says in section D.N
"Password-Based Key Derivation for Storage Applications" that "the
vendor shall document in the module’s Security Policy the length of
a password/passphrase used in key derivation and establish an upper
bound for the probability of having this parameter guessed at random.
This probability shall take into account not only the length of the
password/passphrase, but also the difficulty of guessing it. The
decision on the minimum length of a password used for key derivation is
the vendor’s, but the vendor shall at a minimum informally justify the
decision."

We are choosing a minimum password length of 8 bytes, because NIST's
ACVP testing uses passwords as short as 8 bytes, and requiring longer
passwords combined with an implicit indicator (i.e., returning an error)
would cause the module to fail ACVP testing.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144003
2022-11-21 10:42:43 +01:00
Clemens Lang
438a2c64b7 Add indicator for HMAC with short key lengths
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
specifies key lengths < 112 bytes are disallowed for HMAC generation and
are legacy use for HMAC verification.

Add an explicit indicator that will mark shorter key lengths as
unsupported. The indicator can be queries from the EVP_MAC_CTX object
using EVP_MAC_CTX_get_params() with the
  OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
parameter.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144000
2022-11-21 10:42:43 +01:00
Clemens Lang
105cc32a20 Add indicator for SP 800-108 KDFs w/short keys
NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from
a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he
length of the key-derivation key shall be at least 112 bits". It further
specifies that HMAC-based KDFs "with a key whose length is at least 112
bits" are acceptable.

Add an explicit indicator for SP 800-108 KDFs that will mark shorter key
lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX
object using EVP_KDF_CTX_get_params() with the
  OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR
parameter.

This also modifies the previously applied HKDF indicator patch to use
the same interface to query its FIPS indicator. This provides better
consistency across the various KDFs with explicit indicators.
Additionally, the new constants are clearly marked as being specific to
Red Hat.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144019
2022-11-21 10:42:43 +01:00
Clemens Lang
066be87ccd Remove support for X9.31 signature padding in FIPS mode
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
information in Appendix E:

> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
> this standard.

Since this situation is unlikely to change in future revisions of the
draft, and future FIPS 140-3 validations of the provider will require
X9.31 to be disabled or marked as not approved with an explicit
indicator, disallow this padding mode now.

Remove the X9.31 tests from the acvp test, since they will always fail
now.

 [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144015
2022-11-21 10:42:34 +01:00
Dmitry Belyavskiy
2bd2c7ac27 FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
Resolves: rhbz#2144017
2022-11-21 10:39:28 +01:00
Dmitry Belyavskiy
fb8fee4b43 FIPS RSA CRT tests must use correct parameters
Resolves: rhbz#2144006
2022-11-21 10:38:27 +01:00
Dmitry Belyavskiy
474a112b98 Avoid memory leaks in TLS
Resolves: rhbz#2144008
2022-11-21 10:35:15 +01:00
Dmitry Belyavskiy
6c57fc8dcc SHAKE-128/256 are not allowed with RSA in FIPS mode
Resolves: rhbz#2144010
2022-11-21 10:23:09 +01:00
Dmitry Belyavskiy
39f800af50 CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
2022-11-01 18:23:58 +01:00
Clemens Lang
ff78525169 .gitignore: Stop ignoring 000*.patch
We have tracked patches named 000*.patch, and we want to keep those, so
this .gitignore line is incorrect. Additionally, this line makes packit
source-git update-dist-git fail.

Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-09-12 15:55:19 +02:00
Clemens Lang
7c8235f8cd Zeroize public keys, add HKDF FIPS indicator
Resolves: rhbz#2102542
Resolves: rhbz#2114772
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-08-11 15:36:09 +02:00
Dmitry Belyavskiy
730ccadf04 Extra zeroization related to FIPS-140-3 requirements
Related: rhbz#2102542
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
fc45520150 Reseed all the parent DRBGs in chain on reseeding a DRBG
Related: rhbz#2102541
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
a0907c129c Use signature for RSA pairwise test according FIPS-140-3 requirements
Related: rhbz#2102540
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
f1dba9d301 Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2102537
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
3f7cd79d02 Deal with DH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2102536
2022-08-05 14:31:48 +02:00
Clemens Lang
61f739868e FIPS: Fix memory leak in digest_sign self-test
Contrary to what the documentation for EVP_DigestSignInit(3) and
EVP_DigestVerifyInit(3) says, the EVP_PKEY_CTX created by these
functions is not automatically released inside of the FIPS provider due
to an #ifndef FIPS_MODULE in evp_md_ctx_reset_ex.

Resolves: rhbz#2102535
2022-08-03 18:04:36 +02:00
Clemens Lang
08d6c35051 FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign
Use RSA-OAEP in FIPS self-tests and support a fixed OAEP seed to make
the test deterministic as required for a known-answer test.

Switch the signature FIPS self-test to use the digest_sign and
digest_verify provider functions using the EVP_DigestSign and
EVP_DigestVerify APIs, as the existing signature self-test does not
cover hash computation.

Switch the existing Diffie-Hellman FIPS self-test to use FFDHE2048,
a known safe prime from RFC 7919.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2102535
2022-08-01 17:18:12 +02:00
Clemens Lang
3e6d5a385b Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le
Backport patches that improve performance of AES-GCM on Power9 and
newer, and ChaCha20 on Power10.

Resolves: rhbz#2051312
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-14 18:19:36 +02:00
Clemens Lang
c64694b961 Fix segfault in EVP_PKEY_Q_keygen()
When OpenSSL was not previously initialized, EVP_PKEY_Q_keygen() would
cause a segmentation fault. Avoid this by backporting a fix from
upstream.

Resolves: rhbz#2103289
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-14 14:49:48 +02:00
Clemens Lang
5901637dea CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-05 14:04:20 +02:00
Dmitry Belyavskiy
f3b52e907b CVE-2022-2068: the c_rehash script allows command injection
Related: rhbz#2098277
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
fea833cb56 Strict certificates validation shouldn't allow explicit EC parameters
Related: rhbz#2058663
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
ea75c725ee Fix PPC64 Montgomery multiplication bug
Related: rhbz#2098199
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
f4e1bded66 Improve diagnostics when passing unsupported groups in TLS
Related: rhbz#2070197
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
cbe5a9ff12 FIPS provider should block RSA encryption for key transport.
Other RSA encryption options should still be available if key length is enough
Related: rhbz#2053289
2022-06-24 17:17:35 +02:00
Dmitry Belyavskiy
8638196167 Ciphersuites with RSAPSK KX should be filterd in FIPS mode
Related: rhbz#2085088
2022-06-16 15:06:45 +02:00
Clemens Lang
8b08b372c8 FIPS: Expose explicit indicator from fips.so
FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.

Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.

EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.

As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.

To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.

Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2087147
2022-06-09 17:13:33 +02:00
Dmitry Belyavskiy
e859029ea0 Replace expired certificates
Resolves: rhbz#2092456
2022-06-03 15:31:56 +02:00
Dmitry Belyavskiy
a8a3a389ee Use KAT for ECDSA signature tests, s390 arch
Resolves: rhbz#2069235
2022-05-30 18:22:47 +02:00
Clemens Lang
96926ffe00 Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
Disabling EVP_PKEY_sign and EVP_PKEY_verify also breaks EVP_SignFinal,
which is used by many applications, among them OpenSSH. This change thus
broke sshd in FIPS mode. Revert it for now until we found a better
solution.

Related: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-27 12:35:18 +02:00
Dmitry Belyavskiy
794d81540e CVE-2022-1292 openssl: c_rehash script allows command injection
Resolves: rhbz#2090362
2022-05-26 12:14:19 +02:00
Dmitry Belyavskiy
a63915eb2b CVE-2022-1343 openssl: inacurate verification when using OCSP_NOCHECKS
Resolves: rhbz#2087911
2022-05-26 12:07:22 +02:00
Dmitry Belyavskiy
ac312e8ff7 CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
Resolves: rhbz#2089444
2022-05-26 11:57:12 +02:00
Dmitry Belyavskiy
b5de6bd830 In FIPS mode limit key sizes for signature verification
Resolves: rhbz#2077884
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
7bc4f9f094 Ciphersuites with RSA KX should be filterd in FIPS mode
Related: rhbz#2085088
2022-05-23 19:16:11 +02:00
Dmitry Belyavskiy
b393177f7d openssl ecparam -list_curves lists only FIPS-approved curves in FIPS mode
Resolves: rhbz#2083240
2022-05-23 19:16:09 +02:00
Clemens Lang
389313b118 FIPS: Disable SHA1 signs and EVP_PKEY_{sign,verify}
1. Deny SHA-1 signature verification in FIPS provider

For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
lenient configuration in this regard. Additionally, we do not think
continuing to accept SHA-1 signatures is a good idea due to the
published chosen-prefix collision attacks.

As a consequence, disable verification of SHA-1 signatures in the FIPS
provider.

This requires adjusting a few tests that would otherwise fail:
- 30-test_acvp: Remove the test vectors that use SHA-1.
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
  which will not run them when the FIPS provider is enabled.
- 80-test_cms: Re-generate all certificates in test/smime-certificates
  using the mksmime-certs.sh script, because most of them were signed
  with SHA-1 and thus fail verification in the FIPS provider. Keep
  smec3.pem, which was used to sign static test data in
  test/recipes/80-test_cms_data/ciphertext_from_1_1_1.cms, which would
  otherwise no longer verify. Note that smec3.pem was signed with
  a smroot.pem, which was now re-generated. This does not affect the
  test.
  Fix some other tests by explicitly running them in the default
  provider, where SHA-1 is available.
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
  the FIPS provider.

2. Disable EVP_PKEY_{sign,verify} in FIPS provider

The APIs to compute both digest and signature in one step,
EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be
used instead. This ensures that the digest is computed inside of the
FIPS module, and that only approved digests are used.

Update documentation for EVP_PKEY_{sign,verify} to reflect this.

Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to
set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex
and EVP_PKEY_verify_init_ex where these parameters can be passed on
creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is
set and evaluates as true.

Move tests that use the EVP_PKEY API to only run in the default
provider, since they would fail in the FIPS provider. This also affects
a number of CMS tests where error handling is insufficient and failure
to sign would only show up when verifying the CMS structure due to
a parse error.

Resolves: rhbz#2087147
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-23 17:02:25 +02:00
Dmitry Belyavskiy
87f109e9fb Use KAT for ECDSA signature tests
Resolves: rhbz#2069235
2022-05-16 18:54:17 +02:00