diff --git a/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch new file mode 100644 index 0000000..3868089 --- /dev/null +++ b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch @@ -0,0 +1,82 @@ +From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 3 Mar 2023 12:22:03 +0100 +Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest + +NIST SP 800-132 [1] section 5.1 says "[t]he length of the +randomly-generated portion of the salt shall be at least +128 bits", which implies that the salt for PBKDF2 must be at least 16 +bytes long (see also Appendix A.2.1). + +The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the +properties of the Password and Salt parameters, as well as the desired +length of the Master Key used in a CAST shall be among those supported +by the module in the approved mode." + +As a consequence, the salt length in the self test must be at least 16 +bytes long for FIPS 140-3 compliance. Switch the self test to use the +only test vector from RFC 6070 that uses salt that is long enough to +fulfil this requirement. Since RFC 6070 does not provide expected +results for PBKDF2 with HMAC-SHA256, use the output from [3], which was +generated with python cryptography, which was tested against the RFC +6070 vectors with HMAC-SHA1. + + [1]: https://doi.org/10.6028/NIST.SP.800-132 + [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md + +Signed-off-by: Clemens Lang + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20429) + +(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956) +--- + providers/fips/self_test_data.inc | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 8ae8cd6f4a..03adf28f3c 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { + }; + + static const char pbkdf2_digest[] = "SHA256"; ++/* ++ * Input parameters from RFC 6070, vector 5 (because it is the only one with ++ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The ++ * expected output is taken from ++ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, ++ * which ran these test vectors with SHA-256. ++ */ + static const unsigned char pbkdf2_password[] = { +- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, +- 0x64 ++ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, ++ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + static const unsigned char pbkdf2_salt[] = { +- 0x73, 0x61, 0x00, 0x6c, 0x74 ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, ++ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 + }; + static const unsigned char pbkdf2_expected[] = { +- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, +- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, ++ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c + }; + static int pbkdf2_iterations = 4096; +-static int pbkdf2_pkcs5 = 1; ++static int pbkdf2_pkcs5 = 0; + static const ST_KAT_PARAM pbkdf2_params[] = { + ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), +-- +2.39.2 + diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..2e869e2 --- /dev/null +++ b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch @@ -0,0 +1,80 @@ +From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 6 Mar 2023 12:32:04 +0100 +Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks + +The pbkdf2 implementation in the FIPS provider supports the checks +required by NIST, but allows disabling these checks by setting the +OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate +that the use of this configuration is not approved in FIPS mode. Add an +explicit indicator to provide this indication. + +Resolves: rhbz#2175145 +Signed-off-by: Clemens Lang +--- + providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index aa0adce5e6..6df8c6d321 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + + static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { ++#ifdef FIPS_MODULE ++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* The lower_bound_checks parameter enables checks required by FIPS. If ++ * those checks are disabled, the PBKDF2 implementation will also ++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see ++ * NIST SP 800-132 section 5.1). */ ++ if (!ctx->lower_bound_checks) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ ++ any_valid = 1; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, +@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.39.2 + diff --git a/openssl.spec b/openssl.spec index 47f6c92..baa961c 100644 --- a/openssl.spec +++ b/openssl.spec @@ -170,6 +170,9 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2168289 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2175145 +Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch +Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -507,6 +510,9 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2175873 - Add explicit FIPS indicator for IV generation in AES-GCM Resolves: rhbz#2175868 +- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant + salt in PBKDF2 FIPS self-test + Resolves: rhbz#2178137 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode