| 1 |
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Clemens Lang <cllang@redhat.com> |
| 3 |
Date: Thu, 17 Nov 2022 19:33:02 +0100 |
| 4 |
Subject: [PATCH 1/3] signature: Add indicator for PSS salt length |
| 5 |
MIME-Version: 1.0 |
| 6 |
Content-Type: text/plain; charset=UTF-8 |
| 7 |
Content-Transfer-Encoding: 8bit |
| 8 |
|
| 9 |
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
| 10 |
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
| 11 |
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of |
| 12 |
the hash function output block (in bytes)." |
| 13 |
|
| 14 |
It is not exactly clear from this text whether hLen refers to the |
| 15 |
message digest or the hash function used for the mask generation |
| 16 |
function MGF1. PKCS#1 v2.1 suggests it is the former: |
| 17 |
|
| 18 |
| Typical salt lengths in octets are hLen (the length of the output of |
| 19 |
| the hash function Hash) and 0. In both cases the security of |
| 20 |
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1. |
| 21 |
| Bellare and Rogaway [4] give a tight lower bound for the security of |
| 22 |
| the original RSA-PSS scheme, which corresponds roughly to the former |
| 23 |
| case, while Coron [12] gives a lower bound for the related Full Domain |
| 24 |
| Hashing scheme, which corresponds roughly to the latter case. In [13] |
| 25 |
| Coron provides a general treatment with various salt lengths ranging |
| 26 |
| from 0 to hLen; see [27] for discussion. See also [31], which adapts |
| 27 |
| the security proofs in [4][13] to address the differences between the |
| 28 |
| original and the present version of RSA-PSS as listed in Note 1 above. |
| 29 |
|
| 30 |
Since OpenSSL defaults to creating signatures with the maximum salt |
| 31 |
length, blocking the use of longer salts would probably lead to |
| 32 |
significant problems in practice. Instead, introduce an explicit |
| 33 |
indicator that can be obtained from the EVP_PKEY_CTX object using |
| 34 |
EVP_PKEY_CTX_get_params() with the |
| 35 |
OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR |
| 36 |
parameter. |
| 37 |
|
| 38 |
Signed-off-by: Clemens Lang <cllang@redhat.com> |
| 39 |
--- |
| 40 |
include/openssl/core_names.h | 1 + |
| 41 |
include/openssl/evp.h | 4 ++++ |
| 42 |
providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++ |
| 43 |
3 files changed, 23 insertions(+) |
| 44 |
|
| 45 |
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h |
| 46 |
index 94fab83193..69c59f0b46 100644 |
| 47 |
--- a/include/openssl/core_names.h |
| 48 |
+++ b/include/openssl/core_names.h |
| 49 |
@@ -453,6 +453,7 @@ extern "C" { |
| 50 |
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \ |
| 51 |
OSSL_PKEY_PARAM_MGF1_PROPERTIES |
| 52 |
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE |
| 53 |
+#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" |
| 54 |
|
| 55 |
/* Asym cipher parameters */ |
| 56 |
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST |
| 57 |
diff --git a/include/openssl/evp.h b/include/openssl/evp.h |
| 58 |
index a5e78efd6e..f239200465 100644 |
| 59 |
--- a/include/openssl/evp.h |
| 60 |
+++ b/include/openssl/evp.h |
| 61 |
@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
| 62 |
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
| 63 |
int *outl); |
| 64 |
|
| 65 |
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 |
| 66 |
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1 |
| 67 |
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 |
| 68 |
+ |
| 69 |
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, |
| 70 |
EVP_PKEY *pkey); |
| 71 |
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, |
| 72 |
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c |
| 73 |
index 49e7f9158a..0c45008a00 100644 |
| 74 |
--- a/providers/implementations/signature/rsa_sig.c |
| 75 |
+++ b/providers/implementations/signature/rsa_sig.c |
| 76 |
@@ -1127,6 +1127,21 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
| 77 |
} |
| 78 |
} |
| 79 |
|
| 80 |
+#ifdef FIPS_MODULE |
| 81 |
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR); |
| 82 |
+ if (p != NULL) { |
| 83 |
+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED; |
| 84 |
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
| 85 |
+ if (prsactx->md == NULL) { |
| 86 |
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED; |
| 87 |
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { |
| 88 |
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; |
| 89 |
+ } |
| 90 |
+ } |
| 91 |
+ return OSSL_PARAM_set_int(p, fips_indicator); |
| 92 |
+ } |
| 93 |
+#endif |
| 94 |
+ |
| 95 |
return 1; |
| 96 |
} |
| 97 |
|
| 98 |
@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { |
| 99 |
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
| 100 |
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
| 101 |
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
| 102 |
+#ifdef FIPS_MODULE |
| 103 |
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL), |
| 104 |
+#endif |
| 105 |
OSSL_PARAM_END |
| 106 |
}; |
| 107 |
|
| 108 |
-- |
| 109 |
2.38.1 |
| 110 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
