/[smecontribs]/rpms/openssl3/contribs10/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0078-Add-FIPS-indicator-parameter-to-HKDF.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:46 2024 UTC (9 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001
2 From: Clemens Lang <cllang@redhat.com>
3 Date: Thu, 11 Aug 2022 09:27:12 +0200
4 Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF
5
6 NIST considers HKDF only acceptable when used as in TLS 1.3, and
7 otherwise unapproved. Add an explicit indicator attached to the
8 EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
9 determine whether the KDF operation was approved after performing it.
10
11 Signed-off-by: Clemens Lang <cllang@redhat.com>
12 Related: rhbz#2114772
13 ---
14 include/crypto/evp.h | 7 ++++
15 include/openssl/core_names.h | 1 +
16 include/openssl/kdf.h | 4 ++
17 providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++
18 4 files changed, 65 insertions(+)
19
20 diff --git a/include/crypto/evp.h b/include/crypto/evp.h
21 index e70d8e9e84..76fb990de4 100644
22 --- a/include/crypto/evp.h
23 +++ b/include/crypto/evp.h
24 @@ -219,6 +219,13 @@ struct evp_mac_st {
25 OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
26 };
27
28 +#ifdef FIPS_MODULE
29 +/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
30 + * Additional Keys from a Cryptographic Key, "[t]he length of the
31 + * key-derivation key [i.e., the input key] shall be at least 112 bits". */
32 +# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
33 +#endif
34 +
35 struct evp_kdf_st {
36 OSSL_PROVIDER *prov;
37 int name_id;
38 diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
39 index 21c94d0488..c019afbbb0 100644
40 --- a/include/openssl/core_names.h
41 +++ b/include/openssl/core_names.h
42 @@ -223,6 +223,7 @@ extern "C" {
43 #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
44 #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
45 #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
46 +#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
47
48 /* Known KDF names */
49 #define OSSL_KDF_NAME_HKDF "HKDF"
50 diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
51 index 0983230a48..86171635ea 100644
52 --- a/include/openssl/kdf.h
53 +++ b/include/openssl/kdf.h
54 @@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
55 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
56 # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
57
58 +# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
59 +# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
60 +# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
61 +
62 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
63 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
64 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
65 diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
66 index afdb7138e1..6f06fa58fe 100644
67 --- a/providers/implementations/kdfs/hkdf.c
68 +++ b/providers/implementations/kdfs/hkdf.c
69 @@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
70 return 0;
71 return OSSL_PARAM_set_size_t(p, sz);
72 }
73 +
74 +#ifdef FIPS_MODULE
75 + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
76 + != NULL) {
77 + int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED;
78 + switch (ctx->mode) {
79 + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
80 + /* TLS 1.3 never uses extract-and-expand */
81 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
82 + break;
83 + case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
84 + {
85 + /* When TLS 1.3 uses extract, the following holds:
86 + * 1. The salt length matches the hash length, and either
87 + * 2.1. the key is all zeroes and matches the hash length, or
88 + * 2.2. the key originates from a PSK (resumption_master_secret
89 + * or some externally esablished key), or an ECDH or DH key
90 + * derivation. See
91 + * https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
92 + * Unfortunately at this point, we cannot verify where the key
93 + * comes from, so all we can do is check the salt length.
94 + */
95 + const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
96 + if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md))
97 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
98 + else
99 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
100 + }
101 + break;
102 + case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
103 + /* When TLS 1.3 uses expand, it always provides a label that
104 + * contains an uint16 for the length, followed by between 7 and 255
105 + * bytes for a label string that starts with "tls13 " or "dtls13".
106 + * For compatibility with future versions, we only check for "tls"
107 + * or "dtls". See
108 + * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
109 + * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
110 + if (ctx->label != NULL
111 + && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */
112 + && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 ||
113 + strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
114 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
115 + else
116 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
117 + break;
118 + }
119 + return OSSL_PARAM_set_int(p, fips_indicator);
120 + }
121 +#endif /* defined(FIPS_MODULE) */
122 +
123 return -2;
124 }
125
126 @@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
127 {
128 static const OSSL_PARAM known_gettable_ctx_params[] = {
129 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
130 +#ifdef FIPS_MODULE
131 + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
132 +#endif /* defined(FIPS_MODULE) */
133 OSSL_PARAM_END
134 };
135 return known_gettable_ctx_params;
136 --
137 2.38.1
138

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed