forked from pool/openssl-3
Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
verification operations. After 12/31/2030, NIST will disallow
SHA-1 for all of its usages.
* Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- FIPS: RSA keygen PCT requirements.
* Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
self-test requirements are covered by do_rsa_pct() for both
RSA-OAEP and RSA signatures [bsc#1221760]
* Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
* Add openssl-3-FIPS-PCT_rsa_keygen.patch
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode. [bsc#1220523]
* Rebase openssl-Force-FIPS.patch
- FIPS: Port openssl to use jitterentropy [bsc#1220523]
* Set the module in error state if the jitter RNG fails either on
initialization or entropy gathering because health tests failed.
* Add jitterentropy as a seeding source output also in crypto/info.c
* Move the jitter entropy collector and the associated lock out
of the header file to avoid redefinitions.
* Add the fips_local.cnf symlink to the spec file. This simlink
points to the openssl_fips.config file that is provided by the
crypto-policies package.
* Rebase openssl-3-jitterentropy-3.4.0.patch
* Rebase openssl-FIPS-enforce-EMS-support.patch
- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
150 lines
6.3 KiB
Diff
150 lines
6.3 KiB
Diff
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
|
|
From: Clemens Lang <cllang@redhat.com>
|
|
Date: Thu, 17 Nov 2022 19:33:02 +0100
|
|
Subject: [PATCH] signature: Add indicator for PSS salt length
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
|
5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the
|
|
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
|
the hash function output block (in bytes)."
|
|
|
|
It is not exactly clear from this text whether hLen refers to the
|
|
message digest or the hash function used for the mask generation
|
|
function MGF1. PKCS#1 v2.1 suggests it is the former:
|
|
|
|
| Typical salt lengths in octets are hLen (the length of the output of
|
|
| the hash function Hash) and 0. In both cases the security of
|
|
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
|
|
| Bellare and Rogaway [4] give a tight lower bound for the security of
|
|
| the original RSA-PSS scheme, which corresponds roughly to the former
|
|
| case, while Coron [12] gives a lower bound for the related Full Domain
|
|
| Hashing scheme, which corresponds roughly to the latter case. In [13]
|
|
| Coron provides a general treatment with various salt lengths ranging
|
|
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
|
|
| the security proofs in [4][13] to address the differences between the
|
|
| original and the present version of RSA-PSS as listed in Note 1 above.
|
|
|
|
Since OpenSSL defaults to creating signatures with the maximum salt
|
|
length, blocking the use of longer salts would probably lead to
|
|
significant problems in practice. Instead, introduce an explicit
|
|
indicator that can be obtained from the EVP_PKEY_CTX object using
|
|
EVP_PKEY_CTX_get_params() with the
|
|
OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR
|
|
parameter.
|
|
|
|
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
|
|
Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
|
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
---
|
|
include/openssl/evp.h | 4 ++++
|
|
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
|
|
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
|
|
3 files changed, 37 insertions(+), 11 deletions(-)
|
|
|
|
Index: openssl-3.1.4/include/openssl/evp.h
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/include/openssl/evp.h
|
|
+++ openssl-3.1.4/include/openssl/evp.h
|
|
@@ -801,6 +801,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
|
|
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
|
int *outl);
|
|
|
|
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0
|
|
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED 1
|
|
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
|
|
+
|
|
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
|
EVP_PKEY *pkey);
|
|
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
|
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
|
|
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
|
|
@@ -1167,6 +1167,24 @@ static int rsa_get_ctx_params(void *vprs
|
|
}
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR);
|
|
+ if (p != NULL) {
|
|
+ int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
|
|
+ if (prsactx->md == NULL) {
|
|
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED;
|
|
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
|
|
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
|
|
+ if (prsactx->md == NULL) /* Should always be the case */
|
|
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
+ }
|
|
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
|
+ }
|
|
+#endif
|
|
+
|
|
return 1;
|
|
}
|
|
|
|
@@ -1176,6 +1194,9 @@ static const OSSL_PARAM known_gettable_c
|
|
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
|
|
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
|
|
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL),
|
|
+#endif
|
|
OSSL_PARAM_END
|
|
};
|
|
|
|
Index: openssl-3.1.4/include/openssl/core_names.h
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/include/openssl/core_names.h
|
|
+++ openssl-3.1.4/include/openssl/core_names.h
|
|
@@ -458,6 +458,7 @@ extern "C" {
|
|
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
|
|
OSSL_PKEY_PARAM_MGF1_PROPERTIES
|
|
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
|
|
+#define OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
|
|
|
|
/* Asym cipher parameters */
|
|
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
|
|
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
|
|
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
|
|
@@ -696,8 +696,13 @@ static int rsa_verify_recover(void *vprs
|
|
size_t rsabits = RSA_bits(prsactx->rsa);
|
|
|
|
if (rsabits < 2048) {
|
|
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
- return 0;
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
}
|
|
# endif
|
|
|
|
@@ -792,8 +797,13 @@ static int rsa_verify(void *vprsactx, co
|
|
size_t rsabits = RSA_bits(prsactx->rsa);
|
|
|
|
if (rsabits < 2048) {
|
|
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
- return 0;
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
}
|
|
# endif
|
|
|