151 lines
6.3 KiB
Diff
151 lines
6.3 KiB
Diff
|
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
|
||
|
From: Clemens Lang <cllang@redhat.com>
|
||
|
Date: Fri, 17 Mar 2023 15:39:15 +0100
|
||
|
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
|
||
|
|
||
|
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||
|
confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||
|
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
|
||
|
agreement schemes, but explicit key confirmation is not implemented and
|
||
|
cannot be implemented without protocol changes, and the FIPS provider
|
||
|
does not implement trusted third party validation, since it relies on
|
||
|
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
|
||
|
as unapproved until we have received clarification from NIST on how
|
||
|
library modules such as OpenSSL should implement TTP validation.
|
||
|
|
||
|
This does not affect RSA-OAEP decryption, because it is approved as
|
||
|
a component according to the FIPS 140-3 IG, section 2.4.G.
|
||
|
|
||
|
Resolves: rhbz#2179331
|
||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||
|
---
|
||
|
include/openssl/core_names.h | 2 ++
|
||
|
include/openssl/evp.h | 4 +++
|
||
|
.../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++
|
||
|
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||
|
4 files changed, 59 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||
|
index 832502a034..e15d208421 100644
|
||
|
--- a/include/openssl/core_names.h
|
||
|
+++ b/include/openssl/core_names.h
|
||
|
@@ -477,6 +477,7 @@ extern "C" {
|
||
|
#ifdef FIPS_MODULE
|
||
|
#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
|
||
|
#endif
|
||
|
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||
|
|
||
|
/*
|
||
|
* Encoder / decoder parameters
|
||
|
@@ -503,6 +504,7 @@ extern "C" {
|
||
|
|
||
|
/* KEM parameters */
|
||
|
#define OSSL_KEM_PARAM_OPERATION "operation"
|
||
|
+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
|
||
|
|
||
|
/* OSSL_KEM_PARAM_OPERATION values */
|
||
|
#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE"
|
||
|
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||
|
index ec2ba46fbd..3803b03422 100644
|
||
|
--- a/include/openssl/evp.h
|
||
|
+++ b/include/openssl/evp.h
|
||
|
@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
|
||
|
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
|
||
|
# endif
|
||
|
|
||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||
|
+
|
||
|
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
|
||
|
const char *properties);
|
||
|
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||
|
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||
|
index 568452ec56..2e7ea632d7 100644
|
||
|
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||
|
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||
|
@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||
|
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
||
|
return 0;
|
||
|
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||
|
+ if (p != NULL) {
|
||
|
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||
|
+
|
||
|
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||
|
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||
|
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||
|
+ * explicit key confirmation is not implemented here and cannot be
|
||
|
+ * implemented without protocol changes, and the FIPS provider does not
|
||
|
+ * implement trusted third party validation, since it relies on its
|
||
|
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||
|
+ * we have received clarification from NIST on how library modules such
|
||
|
+ * as OpenSSL should implement TTP validation. */
|
||
|
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||
|
+
|
||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+#endif /* defined(FIPS_MODULE) */
|
||
|
+
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||
|
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||
|
#ifdef FIPS_MODULE
|
||
|
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||
|
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||
|
#endif /* FIPS_MODULE */
|
||
|
OSSL_PARAM_END
|
||
|
};
|
||
|
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||
|
index 882cf16125..b4cc0f9237 100644
|
||
|
--- a/providers/implementations/kem/rsa_kem.c
|
||
|
+++ b/providers/implementations/kem/rsa_kem.c
|
||
|
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||
|
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||
|
{
|
||
|
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ OSSL_PARAM *p;
|
||
|
+#endif /* defined(FIPS_MODULE) */
|
||
|
+
|
||
|
+ if (ctx == NULL)
|
||
|
+ return 0;
|
||
|
+
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
|
||
|
+ if (p != NULL) {
|
||
|
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||
|
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||
|
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
|
||
|
+ * explicit key confirmation is not implemented here and cannot be
|
||
|
+ * implemented without protocol changes, and the FIPS provider does not
|
||
|
+ * implement trusted third party validation, since it relies on its
|
||
|
+ * callers to do that. We must thus mark RSASVE unapproved until we
|
||
|
+ * have received clarification from NIST on how library modules such as
|
||
|
+ * OpenSSL should implement TTP validation. */
|
||
|
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||
|
+
|
||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+#endif /* defined(FIPS_MODULE) */
|
||
|
|
||
|
- return ctx != NULL;
|
||
|
+ return 1;
|
||
|
}
|
||
|
|
||
|
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||
|
+#endif /* defined(FIPS_MODULE) */
|
||
|
OSSL_PARAM_END
|
||
|
};
|
||
|
|
||
|
--
|
||
|
2.39.2
|
||
|
|