Commit Graph

189 Commits

Author SHA1 Message Date
Daiki Ueno
d53f31aa80 Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-40823
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-06-12 20:19:44 +09:00
Dmitry Belyavskiy
ed09ce6530 Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, and Minerva attack.
Resolves: RHEL-32148
Resolves: RHEL-36792
Resolves: RHEL-38514
Resolves: RHEL-39111
2024-06-05 15:07:02 +02:00
Dmitry Belyavskiy
bd9060b13c Update RNG changing for FIPS purpose
Resolves: RHEL-35380
2024-06-05 15:07:02 +02:00
Dmitry Belyavskiy
2c5c3fcced Rebasing to OpenSSL 3.2.1
Resolves: RHEL-26271
2024-04-15 10:41:31 +02:00
Dmitry Belyavskiy
8e5beb7708 Use certified FIPS module instead of freshly built one in Red Hat distribution
Related: RHEL-23474
2024-02-21 10:46:29 +00:00
Dmitry Belyavskiy
b9f699b8a8 Use certified FIPS module instead of freshly built one in Red Hat distribution
Resolves: RHEL-23474
2024-02-07 10:10:17 +00:00
Dmitry Belyavskiy
50997010d1 Add a directory for OpenSSL providers configuration
Related: RHEL-17193
2024-01-31 16:39:33 +01:00
Dmitry Belyavskiy
e6e479521b Denial of service via null dereference in PKCS#12
Resolves: RHEL-22486
2024-01-29 13:30:00 +01:00
Dmitry Belyavskiy
08c722bcd1 SSL ECDHE Kex fails when pkcs11 engine is set in config file
Resolves: RHEL-20249
2024-01-19 15:18:50 +01:00
Dmitry Belyavskiy
0707122b95 Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
Resolves: RHEL-21654
2024-01-19 15:07:58 +01:00
Dmitry Belyavskiy
3c49cf388a POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
Resolves: RHEL-21151
2024-01-19 14:59:04 +01:00
Dmitry Belyavskiy
6c9dd70b94 Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
Resolves: RHEL-19515
2024-01-19 14:49:51 +01:00
Dmitry Belyavskiy
e7c35f0ede Add a directory for OpenSSL providers configuration
Resolves: RHEL-17193
2023-11-28 11:32:05 +01:00
Clemens Lang
db02879351 FIPS: abort on rsa_keygen_pairwise_test failure
ISO 19790 AS10.09 says the module shall not perform any cryptographic
operations or output data in an error state, but OpenSSL does not have
checks for the module state in EVP_DigestUpdate() and
EVP_EncryptUpdate().

Upstream and their certification lab says these checks aren't needed,
our lab disagrees. We asked for clarification from CMVP. While we are
waiting for that, add a change that will allow us to submit. We will
drop this patch one we found a solution together with upstream.

See #22506 for the discussion upstream.

Resolves: RHEL-17104
2023-11-21 12:32:41 +01:00
Dmitry Belyavskiy
67bb06894f Avoid implicit function declaration when building openssl
Related: RHEL-1780
2023-11-21 12:11:01 +01:00
Dmitry Belyavskiy
f1d5ccdb6e Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
Resolves: RHEL-15954
2023-11-08 12:39:41 +01:00
Dmitry Belyavskiy
72772f737e Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
2023-11-08 12:38:23 +01:00
Clemens Lang
9a075c13c3 Mark RSA-OAEP as approved in FIPS mode
Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP. Additionally, backport a check required by
SP800-56Br2 6.4.1.2.1 (3.c).

Resolves: RHEL-14083
2023-10-26 12:42:29 +02:00
Dmitry Belyavskiy
66dddb942c Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13251
2023-10-25 12:08:21 +02:00
Dmitry Belyavskiy
6e0d3b16e6 Excessive time spent checking DH q parameter value
Resolves: RHEL-5308
2023-10-18 11:20:31 +02:00
Dmitry Belyavskiy
d6248f76c4 Excessive time spent checking DH keys and parameters
Resolves: RHEL-5306
2023-10-18 11:18:44 +02:00
Dmitry Belyavskiy
6775e82636 AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries
Resolves: RHEL-5302
2023-10-18 11:15:19 +02:00
Dmitry Belyavskiy
fa5df9d74b Forbid explicit curves when created via EVP_PKEY_fromdata
Resolves: RHEL-5304
2023-10-17 13:26:14 +02:00
Dmitry Belyavskiy
92436854f9 Avoid implicit function declaration when building openssl
Resolves: RHEL-1780
2023-10-17 13:09:34 +02:00
Dmitry Belyavskiy
ec6d7cf272 Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
2023-10-17 12:56:38 +02:00
Dmitry Belyavskiy
223304543a Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
131e7d1602 Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
d30c497ed1 Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256
2023-07-12 17:59:35 +02:00
Dmitry Belyavskiy
217cd631e8 Add a workaround for lack of EMS in FIPS mode
Resolves: rhbz#2216256
2023-07-12 15:56:26 +02:00
Sahana Prasad
8fb737bf79 Remove unsupported ec curves from nist_curves
Resolves: rhbz#2069336

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-06 10:38:36 +02:00
Sahana Prasad
05b87f449d Remove the listing of brainpool curves in FIPS mode
Related: rhbz#2188180
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-06-26 10:23:11 +02:00
Dmitry Belyavskiy
d1a87553bb Release the DRBG in global default libctx early
Resolves: rhbz#2211340
2023-05-31 16:21:07 +02:00
Dmitry Belyavskiy
df4dd7dd7f Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650
2023-05-31 16:18:19 +02:00
Clemens Lang
b1d3f019d4 FIPS: Re-enable DHX, disable FIPS 186-4 groups
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
186-5 and the removal of DSA, the approved status of these groups is in
peril. Once the transition for DSA ends (this transition will be 1 year
long and start once CMVP has published the guidance), no more
submissions claiming DSA will be allowed. Hence, FIPS 186-type
parameters will also be automatically non-approved.

Previously, we had addressed this by completely disabling the DHX key
type in the OpenSSL FIPS provider, but the default encoding for DHX-type
keys is X9.42 DH, which is used, for example, by kerberos.

Re-enable DHX-type keys in the FIPS provider, but disable import and
validation of any DH parameters that are not well-known groups, and
remove DH parameter generation completely.

Adjust tests to use well-known groups or larger DH groups where this
change would now cause failures, and skip tests that are expected to
fail due to this change.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2169757
2023-05-23 14:01:14 +02:00
Dmitry Belyavskiy
57f6d8f4a4 Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
Resolves: rhbz#2160797
2023-05-22 10:58:28 +02:00
Dmitry Belyavskiy
032dc0839c Enforce using EMS in FIPS mode - better alerts
Related: rhbz#2157951
2023-05-09 12:44:49 +02:00
Sahana Prasad
05bbcc9920 - Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
  the sources of patented EC curves, however it is still made unavailable to use
  by compiling with the 'no-ec2m' Configure option. The additional forbidden
  curves such as P-160, P-192, wap-tls curves are manually removed by updating
  0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and  ectest.c as a new patch
  0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
  Resolves: rhbz#2130618, rhbz#2188180

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-05-02 11:44:53 +02:00
Dmitry Belyavskiy
45cb3a6b4e Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#215347
2023-04-28 19:10:51 +02:00
Dmitry Belyavskiy
7680abf05d Input buffer over-read in AES-XTS implementation on 64 bit ARM
Resolves: rhbz#2188554
2023-04-21 12:33:25 +02:00
Dmitry Belyavskiy
4999352324 OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
2023-04-18 09:47:08 +02:00
Dmitry Belyavskiy
ba8edd5ea8 Certificate policy check not enabled
Resolves: rhbz#2187431
2023-04-18 09:46:41 +02:00
Dmitry Belyavskiy
70a27e0ae3 Fix invalid certificate policies in leaf certificates check
Resolves: rhbz#2187429
2023-04-18 09:45:07 +02:00
Dmitry Belyavskiy
90306b7fd8 Fix excessive resource usage in verifying X509 policy constraints
Resolves: rhbz#2186661
2023-04-18 09:43:21 +02:00
Dmitry Belyavskiy
35f22d134e Enforce using EMS in FIPS mode
Resolves: rhbz#2157951
2023-04-18 09:40:37 +02:00
Clemens Lang
0dea6db970 Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-24 16:00:24 +01:00
Clemens Lang
1bd2a0cee3 Add missing patchfile, fix gettable params
Add the patchfile that was committed but not referenced in the spec
file. Fix the patch to apply on openssl 3.0.7 and fix the gettable FIPS
indicator parameter for the RSA asymmetric cipher implementation.

Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-21 12:08:19 +01:00
Clemens Lang
1bd49c394a Add explicit FIPS indicator to RSA encryption and RSASVE
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
as unapproved until we have received clarification from NIST on how
library modules such as OpenSSL should implement TTP validation.

This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.

Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-17 16:54:55 +01:00
Clemens Lang
21d2b9fb47 Fix X942KDF indicator for short output key lengths
In testing, we noticed that using output keys shorter than 14 bytes with
the X9.42 KDF does not set the explicit FIPS indicator to unapproved as
it should. The relevant check was implemented, but the state in the
implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 16:40:54 +01:00
Clemens Lang
e5f783d552 Fix Wpointer-sign compiler warning
```
providers/implementations/signature/ecdsa_sig.c: scope_hint: In function 'do_ec_pct'
providers/implementations/signature/ecdsa_sig.c:594:46: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'ecdsa_digest_signverify_update' differ in signedness
providers/implementations/signature/ecdsa_sig.c:325:69: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

```
providers/implementations/signature/rsa_sig.c: scope_hint: In function 'do_rsa_pct'
providers/implementations/signature/rsa_sig.c:1518:44: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'rsa_digest_signverify_update' differ in signedness
providers/implementations/signature/rsa_sig.c:910:62: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

Resolves: rhbz#2178034
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 14:08:55 +01:00
Dmitry Belyavskiy
6eb72dd621 Increase RNG seeding buffer size to 32
Related: rhbz#2168224
2023-03-14 17:30:33 +01:00