openssl3/contribs10/0078-Add-FIPS-indicator-parameter-to-HKDF.patch

From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 Aug 2022 09:27:12 +0200
Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF

NIST considers HKDF only acceptable when used as in TLS 1.3, and
otherwise unapproved. Add an explicit indicator attached to the
EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
determine whether the KDF operation was approved after performing it.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Related: rhbz#2114772
---
 include/crypto/evp.h                  |  7 ++++
 include/openssl/core_names.h          |  1 +
 include/openssl/kdf.h                 |  4 ++
 providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++
 4 files changed, 65 insertions(+)

diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e70d8e9e84..76fb990de4 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st {
     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
 };
 
+#ifdef FIPS_MODULE
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
+#endif
+
 struct evp_kdf_st {
     OSSL_PROVIDER *prov;
     int name_id;
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 21c94d0488..c019afbbb0 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -223,6 +223,7 @@ extern "C" {
 #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO    "supp-pubinfo"
 #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO   "supp-privinfo"
 #define OSSL_KDF_PARAM_X942_USE_KEYBITS     "use-keybits"
+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
 
 /* Known KDF names */
 #define OSSL_KDF_NAME_HKDF           "HKDF"
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 0983230a48..86171635ea 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
 # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
 
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED     1
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index afdb7138e1..6f06fa58fe 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
             return 0;
         return OSSL_PARAM_set_size_t(p, sz);
     }
+
+#ifdef FIPS_MODULE
+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
+            != NULL) {
+        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED;
+        switch (ctx->mode) {
+        case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+            /* TLS 1.3 never uses extract-and-expand */
+            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+            break;
+        case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
+            {
+                /* When TLS 1.3 uses extract, the following holds:
+                 * 1. The salt length matches the hash length, and either
+                 * 2.1. the key is all zeroes and matches the hash length, or
+                 * 2.2. the key originates from a PSK (resumption_master_secret
+                 *   or some externally esablished key), or an ECDH or DH key
+                 *   derivation. See
+                 *   https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
+                 * Unfortunately at this point, we cannot verify where the key
+                 * comes from, so all we can do is check the salt length.
+                 */
+                const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+                if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md))
+                    fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+                else
+                    fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+            }
+            break;
+        case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
+            /* When TLS 1.3 uses expand, it always provides a label that
+             * contains an uint16 for the length, followed by between 7 and 255
+             * bytes for a label string that starts with "tls13 " or "dtls13".
+             * For compatibility with future versions, we only check for "tls"
+             * or "dtls". See
+             * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
+             * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
+            if (ctx->label != NULL
+                    && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */
+                    && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 ||
+                        strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
+                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+            else
+                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+            break;
+        }
+        return OSSL_PARAM_set_int(p, fips_indicator);
+    }
+#endif /* defined(FIPS_MODULE) */
+
     return -2;
 }
 
@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
-- 
2.38.1

1	jpp	1.1	From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001
2			From: Clemens Lang <cllang@redhat.com>
3			Date: Thu, 11 Aug 2022 09:27:12 +0200
4			Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF
5
6			NIST considers HKDF only acceptable when used as in TLS 1.3, and
7			otherwise unapproved. Add an explicit indicator attached to the
8			EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
9			determine whether the KDF operation was approved after performing it.
10
11			Signed-off-by: Clemens Lang <cllang@redhat.com>
12			Related: rhbz#2114772
13			---
14			include/crypto/evp.h \| 7 ++++
15			include/openssl/core_names.h \| 1 +
16			include/openssl/kdf.h \| 4 ++
17			providers/implementations/kdfs/hkdf.c \| 53 +++++++++++++++++++++++++++
18			4 files changed, 65 insertions(+)
19
20			diff --git a/include/crypto/evp.h b/include/crypto/evp.h
21			index e70d8e9e84..76fb990de4 100644
22			--- a/include/crypto/evp.h
23			+++ b/include/crypto/evp.h
24			@@ -219,6 +219,13 @@ struct evp_mac_st {
25			OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
26			};
27
28			+#ifdef FIPS_MODULE
29			+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
30			+ * Additional Keys from a Cryptographic Key, "[t]he length of the
31			+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
32			+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
33			+#endif
34			+
35			struct evp_kdf_st {
36			OSSL_PROVIDER *prov;
37			int name_id;
38			diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
39			index 21c94d0488..c019afbbb0 100644
40			--- a/include/openssl/core_names.h
41			+++ b/include/openssl/core_names.h
42			@@ -223,6 +223,7 @@ extern "C" {
43			#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
44			#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
45			#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
46			+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
47
48			/* Known KDF names */
49			#define OSSL_KDF_NAME_HKDF "HKDF"
50			diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
51			index 0983230a48..86171635ea 100644
52			--- a/include/openssl/kdf.h
53			+++ b/include/openssl/kdf.h
54			@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
55			# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
56			# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
57
58			+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
59			+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
60			+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
61			+
62			#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
63			#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
64			#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
65			diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
66			index afdb7138e1..6f06fa58fe 100644
67			--- a/providers/implementations/kdfs/hkdf.c
68			+++ b/providers/implementations/kdfs/hkdf.c
69			@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
70			return 0;
71			return OSSL_PARAM_set_size_t(p, sz);
72			}
73			+
74			+#ifdef FIPS_MODULE
75			+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
76			+ != NULL) {
77			+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED;
78			+ switch (ctx->mode) {
79			+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
80			+ /* TLS 1.3 never uses extract-and-expand */
81			+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
82			+ break;
83			+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
84			+ {
85			+ /* When TLS 1.3 uses extract, the following holds:
86			+ * 1. The salt length matches the hash length, and either
87			+ * 2.1. the key is all zeroes and matches the hash length, or
88			+ * 2.2. the key originates from a PSK (resumption_master_secret
89			+ * or some externally esablished key), or an ECDH or DH key
90			+ * derivation. See
91			+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
92			+ * Unfortunately at this point, we cannot verify where the key
93			+ * comes from, so all we can do is check the salt length.
94			+ */
95			+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
96			+ if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md))
97			+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
98			+ else
99			+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
100			+ }
101			+ break;
102			+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
103			+ /* When TLS 1.3 uses expand, it always provides a label that
104			+ * contains an uint16 for the length, followed by between 7 and 255
105			+ * bytes for a label string that starts with "tls13 " or "dtls13".
106			+ * For compatibility with future versions, we only check for "tls"
107			+ * or "dtls". See
108			+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
109			+ * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
110			+ if (ctx->label != NULL
111			+ && ctx->label_len >= 2 /* length / + 4 / "dtls" */
112			+ && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 \|\|
113			+ strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
114			+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
115			+ else
116			+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
117			+ break;
118			+ }
119			+ return OSSL_PARAM_set_int(p, fips_indicator);
120			+ }
121			+#endif /* defined(FIPS_MODULE) */
122			+
123			return -2;
124			}
125
126			@@ -306,6 +356,9 @@ static const OSSL_PARAM kdf_hkdf_gettable_ctx_params(ossl_unused void ctx,
127			{
128			static const OSSL_PARAM known_gettable_ctx_params[] = {
129			OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
130			+#ifdef FIPS_MODULE
131			+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
132			+#endif /* defined(FIPS_MODULE) */
133			OSSL_PARAM_END
134			};
135			return known_gettable_ctx_params;
136			--
137			2.38.1
138