Commit Graph

198 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
e7c35f0ede Add a directory for OpenSSL providers configuration
Resolves: RHEL-17193
2023-11-28 11:32:05 +01:00
Clemens Lang
db02879351 FIPS: abort on rsa_keygen_pairwise_test failure
ISO 19790 AS10.09 says the module shall not perform any cryptographic
operations or output data in an error state, but OpenSSL does not have
checks for the module state in EVP_DigestUpdate() and
EVP_EncryptUpdate().

Upstream and their certification lab say these checks aren't needed,
our lab disagrees. We asked for clarification from CMVP. While we are
waiting for that, add a change that will allow us to submit. We will
drop this patch once we have found a solution together with upstream.

See #22506 for the discussion upstream.

Resolves: RHEL-17104
2023-11-21 12:32:41 +01:00
Dmitry Belyavskiy
67bb06894f Avoid implicit function declaration when building openssl
Related: RHEL-1780
2023-11-21 12:11:01 +01:00
Dmitry Belyavskiy
f1d5ccdb6e Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
Resolves: RHEL-15954
2023-11-08 12:39:41 +01:00
Dmitry Belyavskiy
72772f737e Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
2023-11-08 12:38:23 +01:00
Clemens Lang
9a075c13c3 Mark RSA-OAEP as approved in FIPS mode
Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP. Additionally, backport a check required by
SP800-56Br2 6.4.1.2.1 (3.c).

Resolves: RHEL-14083
2023-10-26 12:42:29 +02:00
Dmitry Belyavskiy
66dddb942c Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13251
2023-10-25 12:08:21 +02:00
Dmitry Belyavskiy
6e0d3b16e6 Excessive time spent checking DH q parameter value
Resolves: RHEL-5308
2023-10-18 11:20:31 +02:00
Dmitry Belyavskiy
d6248f76c4 Excessive time spent checking DH keys and parameters
Resolves: RHEL-5306
2023-10-18 11:18:44 +02:00
Dmitry Belyavskiy
6775e82636 AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries
Resolves: RHEL-5302
2023-10-18 11:15:19 +02:00
Dmitry Belyavskiy
fa5df9d74b Forbid explicit curves when created via EVP_PKEY_fromdata
Resolves: RHEL-5304
2023-10-17 13:26:14 +02:00
Dmitry Belyavskiy
92436854f9 Avoid implicit function declaration when building openssl
Resolves: RHEL-1780
2023-10-17 13:09:34 +02:00
Dmitry Belyavskiy
ec6d7cf272 Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
2023-10-17 12:56:38 +02:00
Dmitry Belyavskiy
223304543a Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
131e7d1602 Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
d30c497ed1 Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256
2023-07-12 17:59:35 +02:00
Dmitry Belyavskiy
217cd631e8 Add a workaround for lack of EMS in FIPS mode
Resolves: rhbz#2216256
2023-07-12 15:56:26 +02:00
Sahana Prasad
8fb737bf79 Remove unsupported ec curves from nist_curves
Resolves: rhbz#2069336

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-06 10:38:36 +02:00
Sahana Prasad
05b87f449d Remove the listing of brainpool curves in FIPS mode
Related: rhbz#2188180
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-06-26 10:23:11 +02:00
Dmitry Belyavskiy
d1a87553bb Release the DRBG in global default libctx early
Resolves: rhbz#2211340
2023-05-31 16:21:07 +02:00
Dmitry Belyavskiy
df4dd7dd7f Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650
2023-05-31 16:18:19 +02:00
Daiki Ueno
103d3109dc ci.fmf: Enable golang tests as reverse dependency
This will trigger the tests for the golang package when the openssl
package is updated, which would be particularly useful when openssl
adds a new algorithm tightening.

Manual configuration is necessary as Go applications dlopen
libcrypto.so.* and openssl doesn't normally appear as a dependency at
RPM level.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
2023-05-29 10:01:36 +02:00
Peter Leitmann
34e7dd5be4 Add interop rpm-tmt-tests
2023-05-24 15:41:56 +00:00
Clemens Lang
b1d3f019d4 FIPS: Re-enable DHX, disable FIPS 186-4 groups
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
186-5 and the removal of DSA, the approved status of these groups is in
peril. Once the transition for DSA ends (this transition will be 1 year
long and start once CMVP has published the guidance), no more
submissions claiming DSA will be allowed. Hence, FIPS 186-type
parameters will also be automatically non-approved.

Previously, we had addressed this by completely disabling the DHX key
type in the OpenSSL FIPS provider, but the default encoding for DHX-type
keys is X9.42 DH, which is used, for example, by kerberos.

Re-enable DHX-type keys in the FIPS provider, but disable import and
validation of any DH parameters that are not well-known groups, and
remove DH parameter generation completely.

Adjust tests to use well-known groups or larger DH groups where this
change would now cause failures, and skip tests that are expected to
fail due to this change.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2169757
2023-05-23 14:01:14 +02:00
Dmitry Belyavskiy
57f6d8f4a4 Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
Resolves: rhbz#2160797
2023-05-22 10:58:28 +02:00
Dmitry Belyavskiy
032dc0839c Enforce using EMS in FIPS mode - better alerts
Related: rhbz#2157951
2023-05-09 12:44:49 +02:00
Sahana Prasad
05bbcc9920 - Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
  the sources of patented EC curves, however it is still made unavailable to use
  by compiling with the 'no-ec2m' Configure option. The additional forbidden
  curves such as P-160, P-192, wap-tls curves are manually removed by updating
  0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
  0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
  Resolves: rhbz#2130618, rhbz#2188180

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-05-02 11:44:53 +02:00
Dmitry Belyavskiy
45cb3a6b4e Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#215347
2023-04-28 19:10:51 +02:00
Dmitry Belyavskiy
7680abf05d Input buffer over-read in AES-XTS implementation on 64 bit ARM
Resolves: rhbz#2188554
2023-04-21 12:33:25 +02:00
Dmitry Belyavskiy
4999352324 OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
2023-04-18 09:47:08 +02:00
Dmitry Belyavskiy
ba8edd5ea8 Certificate policy check not enabled
Resolves: rhbz#2187431
2023-04-18 09:46:41 +02:00
Dmitry Belyavskiy
70a27e0ae3 Fix invalid certificate policies in leaf certificates check
Resolves: rhbz#2187429
2023-04-18 09:45:07 +02:00
Dmitry Belyavskiy
90306b7fd8 Fix excessive resource usage in verifying X509 policy constraints
Resolves: rhbz#2186661
2023-04-18 09:43:21 +02:00
Dmitry Belyavskiy
35f22d134e Enforce using EMS in FIPS mode
Resolves: rhbz#2157951
2023-04-18 09:40:37 +02:00
Clemens Lang
0dea6db970 Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-24 16:00:24 +01:00
Clemens Lang
1bd2a0cee3 Add missing patchfile, fix gettable params
Add the patchfile that was committed but not referenced in the spec
file. Fix the patch to apply on openssl 3.0.7 and fix the gettable FIPS
indicator parameter for the RSA asymmetric cipher implementation.

Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-21 12:08:19 +01:00
Clemens Lang
1bd49c394a Add explicit FIPS indicator to RSA encryption and RSASVE
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
as unapproved until we have received clarification from NIST on how
library modules such as OpenSSL should implement TTP validation.

This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.

Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-17 16:54:55 +01:00
Clemens Lang
21d2b9fb47 Fix X942KDF indicator for short output key lengths
In testing, we noticed that using output keys shorter than 14 bytes with
the X9.42 KDF does not set the explicit FIPS indicator to unapproved as
it should. The relevant check was implemented, but the state in the
implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 16:40:54 +01:00
Clemens Lang
e5f783d552 Fix Wpointer-sign compiler warning
```
providers/implementations/signature/ecdsa_sig.c: scope_hint: In function 'do_ec_pct'
providers/implementations/signature/ecdsa_sig.c:594:46: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'ecdsa_digest_signverify_update' differ in signedness
providers/implementations/signature/ecdsa_sig.c:325:69: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

```
providers/implementations/signature/rsa_sig.c: scope_hint: In function 'do_rsa_pct'
providers/implementations/signature/rsa_sig.c:1518:44: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'rsa_digest_signverify_update' differ in signedness
providers/implementations/signature/rsa_sig.c:910:62: note: expected 'const unsigned char *' but argument is of type 'const char *'
```

Resolves: rhbz#2178034
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 14:08:55 +01:00
Dmitry Belyavskiy
6eb72dd621 Increase RNG seeding buffer size to 32
Related: rhbz#2168224
2023-03-14 17:30:33 +01:00
Dmitry Belyavskiy
fb4b72ff2f DH PCT should abort on failure
Resolves: rhbz#2178039
2023-03-14 17:29:33 +01:00
Dmitry Belyavskiy
bfdbb139b4 Disable DHX keys completely in FIPS mode
Resolves: rhbz#2178030
2023-03-14 17:28:24 +01:00
Dmitry Belyavskiy
960e6deebf Abort on PCT failure
Related: rhbz#2168324
2023-03-14 17:27:20 +01:00
Dmitry Belyavskiy
dd6f0d33c8 Remove previous low-level PCT
Related: rhbz#2168324
2023-03-14 17:27:20 +01:00
Dmitry Belyavskiy
fa195e46a2 Pairwise consistency tests should use Digest+Sign/Verify
Resolves: rhbz#2178034
2023-03-14 17:27:15 +01:00
Dmitry Belyavskiy
d2996a9b03 Limit RSA_NO_PADDING for encryption and signature in FIPS mode
Resolves: rhbz#2178029
2023-03-14 17:25:30 +01:00
Clemens Lang
d60644ea6a Add explicit FIPS indicator for PBKDF2
Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test.

Resolves: rhbz#2178137
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
50cb33e688 GCM: Implement explicit FIPS indicator for IV gen
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."

Resolves: rhbz#2175868
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
58955140b6 Zeroize FIPS module integrity check MAC after check
Resolves: rhbz#2175873
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-14 17:23:22 +01:00
Clemens Lang
6a9e17a8c1 KDF: Add FIPS indicators
FIPS requires a number of restrictions on the parameters of the various
key derivation functions implemented in OpenSSL. The KDFs that use
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
C.C). Additionally, some application-specific KDFs have further
restrictions defined in SP 800-135r1.

Generally, all KDFs shall use a key-derivation key length of at least
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
to generate an output length of less than 112 bits will also set the
indicator to unapproved.

Add explicit indicators to all KDFs usable in FIPS mode except for
PBKDF2 (which has its specific FIPS limits already implemented). The
indicator can be queried using EVP_KDF_CTX_get_params() after setting
the required parameters and keys for the KDF.

Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
truncated versions -224 and -384), as well as SHAKE-128 and -256.

The SHAKE functions are generally not allowed in KDFs. For the rest, the
support matrix is:

 KDF         | SHA-1 | SHA-2 | SHA-2 truncated  | SHA-3 | SHA-3 truncated
==========================================================================
KBKDF        |   x   |   x   |         x        |   x   |     x
HKDF         |   x   |   x   |         x        |   x   |     x
TLS1PRF      |       | SHA-{256,384,512} only   |       |
SSHKDF       |   x   |   x   |         x        |       |
SSKDF        |   x   |   x   |         x        |   x   |     x
X9.63KDF     |       |   x   |         x        |   x   |     x
X9.42-ASN1   |   x   |   x   |         x        |   x   |     x
TLS1.3PRF    |       | SHA-{256,384} only       |       |

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2175860 rhbz#2175864
2023-03-14 17:23:20 +01:00