Commit Graph

212 Commits

Author SHA1 Message Date
Clemens Lang
1bd49c394a Add explicit FIPS indicator to RSA encryption and RSASVE
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
as unapproved until we have received clarification from NIST on how
library modules such as OpenSSL should implement TTP validation.

This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.

Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-17 16:54:55 +01:00
Clemens Lang
21d2b9fb47 Fix X942KDF indicator for short output key lengths
In testing, we noticed that using output keys shorter than 14 bytes with
the X9.42 KDF does not set the explicit FIPS indicator to unapproved as
it should. The relevant check was implemented, but the state in the
implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 16:40:54 +01:00
Clemens Lang
e5f783d552 Fix Wpointer-sign compiler warning
```
providers/implementations/signature/ecdsa_sig.c: scope_hint: In function 'do_ec_pct'
providers/implementations/signature/ecdsa_sig.c:594:46: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'ecdsa_digest_signverify_update' differ in signedness
providers/implementations/signature/ecdsa_sig.c:325:69: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

```
providers/implementations/signature/rsa_sig.c: scope_hint: In function 'do_rsa_pct'
providers/implementations/signature/rsa_sig.c:1518:44: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'rsa_digest_signverify_update' differ in signedness
providers/implementations/signature/rsa_sig.c:910:62: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

Resolves: rhbz#2178034
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 14:08:55 +01:00
Dmitry Belyavskiy
6eb72dd621 Increase RNG seeding buffer size to 32
Related: rhbz#2168224
2023-03-14 17:30:33 +01:00
Dmitry Belyavskiy
fb4b72ff2f DH PCT should abort on failure
Resolves: rhbz#2178039
2023-03-14 17:29:33 +01:00
Dmitry Belyavskiy
bfdbb139b4 Disable DHX keys completely in FIPS mode
Resolves: rhbz#2178030
2023-03-14 17:28:24 +01:00
Dmitry Belyavskiy
960e6deebf Abort on PCT failure
Related: rhbz#2168324
2023-03-14 17:27:20 +01:00
Dmitry Belyavskiy
dd6f0d33c8 Remove previous low-level PCT
Related: rhbz#2168324
2023-03-14 17:27:20 +01:00
Dmitry Belyavskiy
fa195e46a2 Pairwise consistency tests should use Digest+Sign/Verify
Resolves: rhbz#2178034
2023-03-14 17:27:15 +01:00
Dmitry Belyavskiy
d2996a9b03 Limit RSA_NO_PADDING for encryption and signature in FIPS mode
Resolves: rhbz#2178029
2023-03-14 17:25:30 +01:00
Clemens Lang
d60644ea6a Add explicit FIPS indicator for PBKDF2
Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test.

Resolves: rhbz#2178137
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
50cb33e688 GCM: Implement explicit FIPS indicator for IV gen
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."

Resolves: rhbz#2175868
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
58955140b6 Zeroize FIPS module integrity check MAC after check
Resolves: rhbz#2175873
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
6a9e17a8c1 KDF: Add FIPS indicators
FIPS requires a number of restrictions on the parameters of the various
key derivation functions implemented in OpenSSL. The KDFs that use
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
C.C). Additionally, some application-specific KDFs have further
restrictions defined in SP 800-135r1.

Generally, all KDFs shall use a key-derivation key length of at least
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
to generate and output length of less than 112 bits will also set the
indicator to unapproved.

Add explicit indicators to all KDFs usable in FIPS mode except for
PBKDF2 (which has its specific FIPS limits already implemented). The
indicator can be queried using EVP_KDF_CTX_get_params() after setting
the required parameters and keys for the KDF.

Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
truncated versions -224 and -384), as well as SHAKE-128 and -256.

The SHAKE functions are generally not allowed in KDFs. For the rest, the
support matrix is:

 KDF         | SHA-1 | SHA-2 | SHA-2 truncated  | SHA-3 | SHA-3 truncated
==========================================================================
KBKDF        |   x   |   x   |         x        |   x   |     x
HKDF         |   x   |   x   |         x        |   x   |     x
TLS1PRF      |       | SHA-{256,384,512} only   |       |
SSHKDF       |   x   |   x   |         x        |       |
SSKDF        |   x   |   x   |         x        |   x   |     x
X9.63KDF     |       |   x   |         x        |   x   |     x
X9.42-ASN1   |   x   |   x   |         x        |   x   |     x
TLS1.3PRF    |       | SHA-{256,384} only       |       |

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2175860 rhbz#2175864
2023-03-14 17:23:20 +01:00
Dmitry Belyavskiy
9ebabfa10a Stop everlasting RNG reseeding
Resolves: rhbz#2168224
2023-03-08 12:27:50 +01:00
Dmitry Belyavskiy
9d8f618208 Fixed NULL dereference during PKCS7 data verification
Resolves: CVE-2023-0401
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
8673fb7c22 Fixed X.400 address type confusion in X.509 GeneralName
Resolves: 0107-CVE-2023-0286-X400.patch
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
0f4062ead5 Fixed NULL dereference validating DSA public key
Resolves: CVE-2023-0217
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
5e4feef220 Fixed Invalid pointer dereference in d2i_PKCS7 functions
Resolves: CVE-2023-0216
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
b889341096 Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
529db6cf12 Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
c5b0dc92d3 Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304
2023-02-08 17:54:13 +01:00
Dmitry Belyavskiy
593a315f09 Fixed X.509 Name Constraints Read Buffer Overflow
Resolves: CVE-2022-4203
2023-02-08 17:54:11 +01:00
Clemens Lang
770dcce08b Disallow SHAKE in OAEP decryption in FIPS mode
This was already blocked for encryption and for both signature creation
and verification in RSASSA-PSS, but RSA-OAEP decryption was missing.

Resolves: rhbz#2142121
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-01-11 14:12:12 +01:00
Dmitry Belyavskiy
b19d91aec3 Refactor OpenSSL fips module MAC verification
Resolves: rhbz#2157965
2023-01-05 11:42:50 +01:00
Clemens Lang
c0667361a5 Fix explicit indicator for PSS salt length
The previous state of the patch did not work correctly when used with
negative salt lengths, which OpenSSL uses a magic values. Setting the
saltlength to max would yield an approved state in the indicator, while
it is not approved.

Additionally, update the patch to change the default PSS salt length
with the current state of discussion upstream (see
https://github.com/openssl/openssl/pull/19724).

Resolves: rhbz#2142087
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-11-29 13:23:25 +01:00
Dmitry Belyavskiy
657265459d Backport of ppc64le Montgomery multiply enhancement
Resolves: rhbz#2130708
2022-11-29 12:00:38 +01:00
Dmitry Belyavskiy
c29e183891 Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083879
2022-11-28 17:37:27 +01:00
Dmitry Belyavskiy
d60bf2b343 Removed recommended package for openssl-libs
Resolves: rhbz#2093804
2022-11-28 13:00:03 +01:00
Dmitry Belyavskiy
f2a49ef424 We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
Resolves: rhbz#2133809
2022-11-25 19:23:22 +01:00
Dmitry Belyavskiy
0f139ead1a Various provider-related imrovements necessary for PKCS#11 provider correct operations
Resolves: rhbz#2142517
2022-11-25 11:42:25 +01:00
Dmitry Belyavskiy
07892fe646 Rebasing to OpenSSL 3.0.7 - removing redundant patches
Resolves: rhbz#2129063
2022-11-24 10:31:36 +01:00
Dmitry Belyavskiy
477d91adec Rebasing to OpenSSL 3.0.7
Resolves: rhbz#2129063
2022-11-24 10:31:36 +01:00
Dmitry Belyavskiy
5d738bdd7f Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
Resolves: rhbz#2145170
2022-11-23 14:00:05 +01:00
Clemens Lang
80de7ffd9c Add explicit indicator & clamp default PSS salt len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
the hash function output block (in bytes)."

It is not exactly clear from this text whether hLen refers to the
message digest or the hash function used for the mask generation
function MGF1. PKCS#1 v2.1 suggests it is the former:

| Typical salt lengths in octets are hLen (the length of the output of
| the hash function Hash) and 0. In both cases the security of
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
| Bellare and Rogaway [4] give a tight lower bound for the security of
| the original RSA-PSS scheme, which corresponds roughly to the former
| case, while Coron [12] gives a lower bound for the related Full Domain
| Hashing scheme, which corresponds roughly to the latter case. In [13]
| Coron provides a general treatment with various salt lengths ranging
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
| the security proofs in [4][13] to address the differences between the
| original and the present version of RSA-PSS as listed in Note 1 above.

Since OpenSSL defaults to creating signatures with the maximum salt
length, blocking the use of longer salts would probably lead to
significant problems in practice. Instead, introduce an explicit
indicator that can be obtained from the EVP_PKEY_CTX object using
EVP_PKEY_CTX_get_params() with the
  OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
parameter.

Change the default automatic behavior when signing to use at most the
digest size as salt length.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144012
2022-11-21 10:42:43 +01:00
Clemens Lang
fe09690308 pbkdf2: Set minimum password length of 8 bytes
The Implementation Guidance for FIPS 140-3 says in section D.N
"Password-Based Key Derivation for Storage Applications" that "the
vendor shall document in the module’s Security Policy the length of
a password/passphrase used in key derivation and establish an upper
bound for the probability of having this parameter guessed at random.
This probability shall take into account not only the length of the
password/passphrase, but also the difficulty of guessing it. The
decision on the minimum length of a password used for key derivation is
the vendor’s, but the vendor shall at a minimum informally justify the
decision."

We are choosing a minimum password length of 8 bytes, because NIST's
ACVP testing uses passwords as short as 8 bytes, and requiring longer
passwords combined with an implicit indicator (i.e., returning an error)
would cause the module to fail ACVP testing.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144003
2022-11-21 10:42:43 +01:00
Clemens Lang
438a2c64b7 Add indicator for HMAC with short key lengths
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
specifies key lengths < 112 bytes are disallowed for HMAC generation and
are legacy use for HMAC verification.

Add an explicit indicator that will mark shorter key lengths as
unsupported. The indicator can be queries from the EVP_MAC_CTX object
using EVP_MAC_CTX_get_params() with the
  OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
parameter.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144000
2022-11-21 10:42:43 +01:00
Clemens Lang
105cc32a20 Add indicator for SP 800-108 KDFs w/short keys
NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from
a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he
length of the key-derivation key shall be at least 112 bits". It further
specifies that HMAC-based KDFs "with a key whose length is at least 112
bits" are acceptable.

Add an explicit indicator for SP 800-108 KDFs that will mark shorter key
lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX
object using EVP_KDF_CTX_get_params() with the
  OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR
parameter.

This also modifies the previously applied HKDF indicator patch to use
the same interface to query its FIPS indicator. This provides better
consistency across the various KDFs with explicit indicators.
Additionally, the new constants are clearly marked as being specific to
Red Hat.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144019
2022-11-21 10:42:43 +01:00
Clemens Lang
066be87ccd Remove support for X9.31 signature padding in FIPS mode
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
information in Appendix E:

> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
> this standard.

Since this situation is unlikely to change in future revisions of the
draft, and future FIPS 140-3 validations of the provider will require
X9.31 to be disabled or marked as not approved with an explicit
indicator, disallow this padding mode now.

Remove the X9.31 tests from the acvp test, since they will always fail
now.

 [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2144015
2022-11-21 10:42:34 +01:00
Dmitry Belyavskiy
2bd2c7ac27 FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
Resolves: rhbz#2144017
2022-11-21 10:39:28 +01:00
Dmitry Belyavskiy
fb8fee4b43 FIPS RSA CRT tests must use correct parameters
Resolves: rhbz#2144006
2022-11-21 10:38:27 +01:00
Dmitry Belyavskiy
474a112b98 Avoid memory leaks in TLS
Resolves: rhbz#2144008
2022-11-21 10:35:15 +01:00
Dmitry Belyavskiy
6c57fc8dcc SHAKE-128/256 are not allowed with RSA in FIPS mode
Resolves: rhbz#2144010
2022-11-21 10:23:09 +01:00
Dmitry Belyavskiy
39f800af50 CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
2022-11-01 18:23:58 +01:00
Clemens Lang
ff78525169 .gitignore: Stop ignoring 000*.patch
We have tracked patches named 000*.patch, and we want to keep those, so
this .gitignore line is incorrect. Additionally, this line makes packit
source-git update-dist-git fail.

Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-09-12 15:55:19 +02:00
Clemens Lang
7c8235f8cd Zeroize public keys, add HKDF FIPS indicator
Resolves: rhbz#2102542
Resolves: rhbz#2114772
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-08-11 15:36:09 +02:00
Dmitry Belyavskiy
730ccadf04 Extra zeroization related to FIPS-140-3 requirements
Related: rhbz#2102542
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
fc45520150 Reseed all the parent DRBGs in chain on reseeding a DRBG
Related: rhbz#2102541
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
a0907c129c Use signature for RSA pairwise test according FIPS-140-3 requirements
Related: rhbz#2102540
2022-08-05 14:31:48 +02:00
Dmitry Belyavskiy
f1dba9d301 Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2102537
2022-08-05 14:31:48 +02:00