/[smecontribs]/rpms/openssl3/contribs10/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:47 2024 UTC (9 months, 4 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
2     From: Clemens Lang <cllang@redhat.com>
3     Date: Thu, 17 Nov 2022 18:08:24 +0100
4     Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
5    
6     NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
7     specifies key lengths < 112 bytes are disallowed for HMAC generation and
8     are legacy use for HMAC verification.
9    
10     Add an explicit indicator that will mark shorter key lengths as
11     unsupported. The indicator can be queries from the EVP_MAC_CTX object
12     using EVP_MAC_CTX_get_params() with the
13     OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
14     parameter.
15    
16     Signed-off-by: Clemens Lang <cllang@redhat.com>
17     ---
18     include/crypto/evp.h | 7 +++++++
19     include/openssl/core_names.h | 1 +
20     include/openssl/evp.h | 3 +++
21     providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
22     4 files changed, 28 insertions(+)
23    
24     diff --git a/include/crypto/evp.h b/include/crypto/evp.h
25     index 76fb990de4..1e2240516e 100644
26     --- a/include/crypto/evp.h
27     +++ b/include/crypto/evp.h
28     @@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
29     const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
30     const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
31    
32     +#ifdef FIPS_MODULE
33     +/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
34     + * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
35     + * HMAC verification. */
36     +# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
37     +#endif
38     +
39     struct evp_mac_st {
40     OSSL_PROVIDER *prov;
41     int name_id;
42     diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
43     index c019afbbb0..94fab83193 100644
44     --- a/include/openssl/core_names.h
45     +++ b/include/openssl/core_names.h
46     @@ -173,6 +173,7 @@ extern "C" {
47     #define OSSL_MAC_PARAM_SIZE "size" /* size_t */
48     #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
49     #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
50     +#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
51    
52     /* Known MAC names */
53     #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"
54     diff --git a/include/openssl/evp.h b/include/openssl/evp.h
55     index 49e8e1df78..a5e78efd6e 100644
56     --- a/include/openssl/evp.h
57     +++ b/include/openssl/evp.h
58     @@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
59     void *arg);
60    
61     /* MAC stuff */
62     +# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
63     +# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
64     +# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
65    
66     EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
67     const char *properties);
68     diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
69     index 52ebb08b8f..cf5c3ecbe7 100644
70     --- a/providers/implementations/macs/hmac_prov.c
71     +++ b/providers/implementations/macs/hmac_prov.c
72     @@ -21,6 +21,8 @@
73     #include <openssl/evp.h>
74     #include <openssl/hmac.h>
75    
76     +#include "crypto/evp.h"
77     +
78     #include "prov/implementations.h"
79     #include "prov/provider_ctx.h"
80     #include "prov/provider_util.h"
81     @@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
82     static const OSSL_PARAM known_gettable_ctx_params[] = {
83     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
84     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
85     +#ifdef FIPS_MODULE
86     + OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
87     +#endif /* defined(FIPS_MODULE) */
88     OSSL_PARAM_END
89     };
90     static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
91     @@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
92     && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
93     return 0;
94    
95     +#ifdef FIPS_MODULE
96     + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
97     + int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
98     + /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
99     + * specifies key lengths < 112 bytes are disallowed for HMAC generation
100     + * and legacy use for HMAC verification. */
101     + if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
102     + fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
103     + return OSSL_PARAM_set_int(p, fips_indicator);
104     + }
105     +#endif /* defined(FIPS_MODULE) */
106     +
107     return 1;
108     }
109    
110     --
111     2.38.1
112    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed