From d60644ea6a153b5e09d7f5350436a44798c635da Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Mon, 6 Mar 2023 13:06:21 +0100
Subject: [PATCH] Add explicit FIPS indicator for PBKDF2

Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test.

Resolves: rhbz#2178137
Signed-off-by: Clemens Lang
---
 ...Use-salt-16-bytes-in-PBKDF2-selftest.patch | 82 +++++++++++++++++++
 ...cator-if-pkcs5-param-disabled-checks.patch | 80 ++++++++++++++++++
 openssl.spec | 6 ++
 3 files changed, 168 insertions(+)
 create mode 100644 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
 create mode 100644 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch

diff --git a/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
new file mode 100644
index 0000000..3868089
--- /dev/null
+++ b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
@@ -0,0 +1,82 @@
+From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Fri, 3 Mar 2023 12:22:03 +0100
+Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
+
+NIST SP 800-132 [1] section 5.1 says "[t]he length of the
+randomly-generated portion of the salt shall be at least
+128 bits", which implies that the salt for PBKDF2 must be at least 16
+bytes long (see also Appendix A.2.1).
+
+The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
+properties of the Password and Salt parameters, as well as the desired
+length of the Master Key used in a CAST shall be among those supported
+by the module in the approved mode."
+
+As a consequence, the salt length in the self test must be at least 16
+bytes long for FIPS 140-3 compliance. Switch the self test to use the
+only test vector from RFC 6070 that uses salt that is long enough to
+fulfil this requirement. Since RFC 6070 does not provide expected
+results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
+generated with python cryptography, which was tested against the RFC
+6070 vectors with HMAC-SHA1.
+
+ [1]: https://doi.org/10.6028/NIST.SP.800-132
+ [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
+ [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
+
+Signed-off-by: Clemens Lang
+
+Reviewed-by: Paul Dale
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/20429)
+
+(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
+---
+ providers/fips/self_test_data.inc | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 8ae8cd6f4a..03adf28f3c 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
+ };
+ 
+ static const char pbkdf2_digest[] = "SHA256";
++/*
++ * Input parameters from RFC 6070, vector 5 (because it is the only one with
++ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
++ * expected output is taken from
++ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
++ * which ran these test vectors with SHA-256.
++ */
+ static const unsigned char pbkdf2_password[] = {
+- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
+- 0x64
++ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
++ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+ };
+ static const unsigned char pbkdf2_salt[] = {
+- 0x73, 0x61, 0x00, 0x6c, 0x74
++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
++ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
+ };
+ static const unsigned char pbkdf2_expected[] = {
+- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
+- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
++ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
++ 0x1c
+ };
+ static int pbkdf2_iterations = 4096;
+-static int pbkdf2_pkcs5 = 1;
++static int pbkdf2_pkcs5 = 0;
+ static const ST_KAT_PARAM pbkdf2_params[] = {
+ ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
+ ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
+--
+2.39.2
+

diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
new file mode 100644
index 0000000..2e869e2
--- /dev/null
+++ b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
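Review bot: The flip of `pbkdf2_pkcs5` from 1 to 0 is the line that actually changes which code path the KAT exercises, yet neither the new block comment nor the commit message says why it changed. The 0112 patch in this same commit states that OSSL_KDF_PARAM_PKCS5 = 1 disables the lower-bound checks, so 0 keeps them on and is what makes the ≥16-byte salt a hard requirement here rather than a nicety; a one-liner on that line would save the next reader the cross-reference, e.g. `static int pbkdf2_pkcs5 = 0; /* keep lower-bound checks on: KAT must run in the approved configuration */`. It would also help to state in the block comment that the expected output is the 25-byte derived key (dkLen = 25) of RFC 6070 vector 5 with HMAC-SHA-256, since the `pbkdf2_expected` array is the only place that length is visible. Where `pbkdf2_pkcs5` is consumed in `pbkdf2_params` lies past the end of the hunk, so I could not confirm that the array passes it through as OSSL_KDF_PARAM_PKCS5.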
@@ -0,0 +1,80 @@
+From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 6 Mar 2023 12:32:04 +0100
+Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
+
+The pbkdf2 implementation in the FIPS provider supports the checks
+required by NIST, but allows disabling these checks by setting the
+OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
+that the use of this configuration is not approved in FIPS mode. Add an
+explicit indicator to provide this indication.
+
+Resolves: rhbz#2175145
+Signed-off-by: Clemens Lang
+---
+ providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index aa0adce5e6..6df8c6d321 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
+ 
+ static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
++#ifdef FIPS_MODULE
++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++ != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ /* The lower_bound_checks parameter enables checks required by FIPS. If
++ * those checks are disabled, the PBKDF2 implementation will also
++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
++ * NIST SP 800-132 section 5.1). */
++ if (!ctx->lower_bound_checks)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ 
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+- return -2;
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++
++ any_valid = 1;
++ }
++#endif /* defined(FIPS_MODULE) */
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+--
+2.39.2
+

diff --git a/openssl.spec b/openssl.spec
index 47f6c92..baa961c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -170,6 +170,9 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
 Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2168289
 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2175145
+Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -507,6 +510,9 @@ install -m644 %{SOURCE9} \
 Resolves: rhbz#2175873
 - Add explicit FIPS indicator for IV generation in AES-GCM
 Resolves: rhbz#2175868
+- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
+ salt in PBKDF2 FIPS self-test
+ Resolves: rhbz#2178137
 
 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode
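Review bot: The indicator branch in `kdf_pbkdf2_get_ctx_params` reports NOT_APPROVED purely from `ctx->lower_bound_checks`, i.e. whenever the checks are switched off, even if the salt, iteration count and key length the caller actually supplied would have satisfied SP 800-132, and it reports the state at query time, so a later set_ctx_params call can invalidate the answer; neither point is stated in the comment above the `if`. I would extend that comment with `* Conservative: reported as not approved whenever the checks are off, regardless of the actual parameter values; query after all parameters are set.` (two lines in the existing comment block). The old body never dereferenced vctx, while the new FIPS_MODULE branch does so without a NULL check the moment the indicator is requested; if the provider framework can reach this function with a NULL ctx (I cannot confirm that from the hunk), `if (ctx == NULL) return 0;` before the dereference is needed. The function's tri-state return (1 success, 0 set failure, -2 when none of the requested params is gettable) is preserved via `any_valid` but undocumented; a one-line header comment spelling out the three values would make the contract explicit.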
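Review bot: The bug reference added above `Patch111` cites 2175145, while the commit message and the changelog entry in the second spec hunk both cite 2178137; the nested 0112 patch carries 2175145 and the nested 0111 patch carries no bug at all, so the spec comment and the changelog currently point at different tickets for the same change. Either the comment should become `# https://bugzilla.redhat.com/show_bug.cgi?id=2178137` or both ids should be listed, so that the tracker link and the changelog agree. Separately, the new file name `0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch` (and the inner Subject) transposes "pbkdf2"; since the file is created in this commit, renaming it now is cheap, whereas after merge it becomes a permanent oddity to grep around.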