openssl-3/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch

From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:47:55 +0200
Subject: [PATCH 39/48] 
 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch

Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-id: 84
---
 providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 349c3dd657..11820d1e69 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
 #define KDF_PBKDF2_MIN_ITERATIONS 1000
 #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
+ * shall document in the module’s Security Policy the length of
+ * a password/passphrase used in key derivation and establish an upper bound
+ * for the probability of having this parameter guessed at random. This
+ * probability shall take into account not only the length of the
+ * password/passphrase, but also the difficulty of guessing it. The decision on
+ * the minimum length of a password used for key derivation is the vendor’s,
+ * but the vendor shall at a minimum informally justify the decision."
+ *
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
+ * combined with an implicit indicator (i.e., returning an error) would cause
+ * the module to fail ACVP testing. */
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20)
 
 static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
 static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
         ctx->lower_bound_checks = pkcs5 == 0;
     }
 
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
+        if (ctx->lower_bound_checks != 0
+            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+            return 0;
+        }
         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
             return 0;
+    }
 
     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
         if (ctx->lower_bound_checks != 0
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
     }
 
     if (lower_bound_checks) {
+        if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+            return 0;
+        }
         if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
             ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
             return 0;
-- 
2.41.0
-												- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365]
  * SHA-1 is not allowed anymore in FIPS 186-5 for signature
    verification operations. After 12/31/2030, NIST will disallow
    SHA-1 for all of its usages.
  * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

- FIPS: RSA keygen PCT requirements.
  * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
    self-test requirements are covered by do_rsa_pct() for both
    RSA-OAEP and RSA signatures [bsc#1221760]
  * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
  * Add openssl-3-FIPS-PCT_rsa_keygen.patch

- FIPS: Check that the fips provider is available before setting
  it as the default provider in FIPS mode. [bsc#1220523]
  * Rebase openssl-Force-FIPS.patch

- FIPS: Port openssl to use jitterentropy [bsc#1220523]
  * Set the module in error state if the jitter RNG fails either on
    initialization or entropy gathering because health tests failed.
  * Add jitterentropy as a seeding source output also in crypto/info.c
  * Move the jitter entropy collector and the associated lock out
    of the header file to avoid redefinitions.
  * Add the fips_local.cnf symlink to the spec file. This simlink
    points to the openssl_fips.config file that is provided by the
    crypto-policies package.
  * Rebase openssl-3-jitterentropy-3.4.0.patch
  * Rebase openssl-FIPS-enforce-EMS-support.patch

- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
											
										
										
											2024-08-07 23:54:42 +02:00
+								From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
 								From: Dmitry Belyavskiy <dbelyavs@redhat.com>
 								Date: Mon, 21 Aug 2023 15:47:55 +0200
 								Subject: [PATCH 39/48]
 -pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 								Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 								Patch-id: 84
 								---
 								 providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
 file changed, 26 insertions(+), 1 deletion(-)
 								diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
 								index 349c3dd657..11820d1e69 100644
 								--- a/providers/implementations/kdfs/pbkdf2.c
 								+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
 								 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
 								 #define KDF_PBKDF2_MIN_ITERATIONS 1000
 								 #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
 								+/* The Implementation Guidance for FIPS 140-3 says in section D.N
 								+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
 								+ * shall document in the module’s Security Policy the length of
 								+ * a password/passphrase used in key derivation and establish an upper bound
 								+ * for the probability of having this parameter guessed at random. This
 								+ * probability shall take into account not only the length of the
 								+ * password/passphrase, but also the difficulty of guessing it. The decision on
 								+ * the minimum length of a password used for key derivation is the vendor’s,
 								+ * but the vendor shall at a minimum informally justify the decision."
 								+ *
 								+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
 								+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
 								+ * combined with an implicit indicator (i.e., returning an error) would cause
 								+ * the module to fail ACVP testing. */
 								+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20)
 								 static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
 								 static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 								         ctx->lower_bound_checks = pkcs5 == 0;
 								     }
 								-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
 								+    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
 								+        if (ctx->lower_bound_checks != 0
 								+            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
 								+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 								+            return 0;
 								+        }
 								         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
 								             return 0;
 								+    }
 								     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
 								         if (ctx->lower_bound_checks != 0
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
 								     }
 								     if (lower_bound_checks) {
 								+        if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
 								+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 								+            return 0;
 								+        }
 								         if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
 								             ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
 								             return 0;
 								--
 .41.0