openssl3/0113-asymciphers-kem-Add-ex...

From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Mar 2023 15:39:15 +0100
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator

NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE
as unapproved until we have received clarification from NIST on how
library modules such as OpenSSL should implement TTP validation.

This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.

Resolves: rhbz#2179331
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
 include/openssl/core_names.h                  |  2 ++
 include/openssl/evp.h                         |  4 +++
 .../implementations/asymciphers/rsa_enc.c     | 31 +++++++++++++++++++
 providers/implementations/kem/rsa_kem.c       | 30 +++++++++++++++++-
 4 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 832502a034..e15d208421 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -469,6 +469,7 @@ extern "C" {
 #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"
 #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"
 #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION   "tls-negotiated-version"
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR    "redhat-fips-indicator"
 
 /*
  * Encoder / decoder parameters
@@ -503,6 +504,7 @@ extern "C" {
 
 /* KEM parameters */
 #define OSSL_KEM_PARAM_OPERATION            "operation"
+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
 
 /* OSSL_KEM_PARAM_OPERATION values */
 #define OSSL_KEM_PARAM_OPERATION_RSASVE     "RSASVE"
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ec2ba46fbd..3803b03422 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
 OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
 # endif
 
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED     1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
 EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
                                const char *properties);
 int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 568452ec56..0a9adb4056 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
         return 0;
 
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
+    if (p != NULL) {
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+
+        if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) {
+            /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+             * confirmation (section 6.4.2.3.2), or assurance from a trusted
+             * third party (section 6.4.2.3.1) for the KTS-OAEP key transport
+             * scheme, but explicit key confirmation is not implemented here
+             * and cannot be implemented without protocol changes, and the FIPS
+             * provider does not implement trusted third party validation,
+             * since it relies on its callers to do that. We must thus mark
+             * RSA-OAEP as unapproved until we have received clarification from
+             * NIST on how library modules such as OpenSSL should implement TTP
+             * validation.
+             *
+             * This does not affect decryption, because it is approved as
+             * a component according to the FIPS 140-3 IG, section 2.4.G.
+             */
+            fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+        }
+
+        if (!OSSL_PARAM_set_int(p, fips_indicator))
+            return 0;
+    }
+#endif /* defined(FIPS_MODULE) */
+
     return 1;
 }
 
@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
                     NULL, 0),
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+#ifdef FIPS_MODULE
+    OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
     OSSL_PARAM_END
 };
 
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 882cf16125..b4cc0f9237 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 {
     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
+#ifdef FIPS_MODULE
+    OSSL_PARAM *p;
+#endif /* defined(FIPS_MODULE) */
 
-    return ctx != NULL;
+    if (ctx == NULL)
+        return 0;
+
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
+    if (p != NULL) {
+        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+         * party (section 6.4.2.3.1) for key agreement or key transport, but
+         * explicit key confirmation is not implemented here and cannot be
+         * implemented without protocol changes, and the FIPS provider does not
+         * implement trusted third party validation, since it relies on its
+         * callers to do that. We must thus mark RSASVE unapproved until we
+         * have received clarification from NIST on how library modules such as
+         * OpenSSL should implement TTP validation. */
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+        if (!OSSL_PARAM_set_int(p, fips_indicator))
+            return 0;
+    }
+#endif /* defined(FIPS_MODULE) */
+
+    return 1;
 }
 
 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
+#ifdef FIPS_MODULE
+    OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
     OSSL_PARAM_END
 };
 
-- 
2.39.2
Add explicit FIPS indicator to RSA encryption and RSASVE NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key confirmation (section 6.4.2.3.2), or assurance from a trusted third party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key agreement schemes, but explicit key confirmation is not implemented and cannot be implemented without protocol changes, and the FIPS provider does not implement trusted third party validation, since it relies on its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE as unapproved until we have received clarification from NIST on how library modules such as OpenSSL should implement TTP validation. This does not affect RSA-OAEP decryption, because it is approved as a component according to the FIPS 140-3 IG, section 2.4.G. Resolves: rhbz#2179379 Signed-off-by: Clemens Lang <cllang@redhat.com> 2 years ago			`From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001`
			`From: Clemens Lang <cllang@redhat.com>`
			`Date: Fri, 17 Mar 2023 15:39:15 +0100`
			`Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator`

			`NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key`
			`confirmation (section 6.4.2.3.2), or assurance from a trusted third`
			`party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key`
			`agreement schemes, but explicit key confirmation is not implemented and`
			`cannot be implemented without protocol changes, and the FIPS provider`
			`does not implement trusted third party validation, since it relies on`
			`its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE`
			`as unapproved until we have received clarification from NIST on how`
			`library modules such as OpenSSL should implement TTP validation.`

			`This does not affect RSA-OAEP decryption, because it is approved as`
			`a component according to the FIPS 140-3 IG, section 2.4.G.`

			`Resolves: rhbz#2179331`
			`Signed-off-by: Clemens Lang <cllang@redhat.com>`
			`---`
			`include/openssl/core_names.h \| 2 ++`
			`include/openssl/evp.h \| 4 +++`
			`.../implementations/asymciphers/rsa_enc.c \| 31 +++++++++++++++++++`
			`providers/implementations/kem/rsa_kem.c \| 30 +++++++++++++++++-`
			`4 files changed, 66 insertions(+), 1 deletion(-)`

			`diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h`
			`index 832502a034..e15d208421 100644`
			`--- a/include/openssl/core_names.h`
			`+++ b/include/openssl/core_names.h`
			`@@ -469,6 +469,7 @@ extern "C" {`
			`#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"`
			`#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"`
			`#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"`
			`+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"`

			`/*`
			`* Encoder / decoder parameters`
			`@@ -503,6 +504,7 @@ extern "C" {`

			`/* KEM parameters */`
			`#define OSSL_KEM_PARAM_OPERATION "operation"`
			`+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */`

			`/* OSSL_KEM_PARAM_OPERATION values */`
			`#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE"`
			`diff --git a/include/openssl/evp.h b/include/openssl/evp.h`
			`index ec2ba46fbd..3803b03422 100644`
			`--- a/include/openssl/evp.h`
			`+++ b/include/openssl/evp.h`
			`@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);`
			`OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);`
			`# endif`

			`+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0`
			`+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1`
			`+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2`
			`+`
			`EVP_KEYMGMT EVP_KEYMGMT_fetch(OSSL_LIB_CTX ctx, const char *algorithm,`
			`const char *properties);`
			`int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);`
			`diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c`
			`index 568452ec56..0a9adb4056 100644`
			`--- a/providers/implementations/asymciphers/rsa_enc.c`
			`+++ b/providers/implementations/asymciphers/rsa_enc.c`
			`@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void vprsactx, OSSL_PARAM params)`
			`if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))`
			`return 0;`

			`+#ifdef FIPS_MODULE`
			`+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);`
			`+ if (p != NULL) {`
			`+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;`
			`+`
			`+ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) {`
			`+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key`
			`+ * confirmation (section 6.4.2.3.2), or assurance from a trusted`
			`+ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport`
			`+ * scheme, but explicit key confirmation is not implemented here`
			`+ * and cannot be implemented without protocol changes, and the FIPS`
			`+ * provider does not implement trusted third party validation,`
			`+ * since it relies on its callers to do that. We must thus mark`
			`+ * RSA-OAEP as unapproved until we have received clarification from`
			`+ * NIST on how library modules such as OpenSSL should implement TTP`
			`+ * validation.`
			`+ *`
			`+ * This does not affect decryption, because it is approved as`
			`+ * a component according to the FIPS 140-3 IG, section 2.4.G.`
			`+ */`
			`+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`
			`+ }`
			`+`
			`+ if (!OSSL_PARAM_set_int(p, fips_indicator))`
			`+ return 0;`
			`+ }`
			`+#endif /* defined(FIPS_MODULE) */`
			`+`
			`return 1;`
			`}`

			`@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {`
			`NULL, 0),`
			`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),`
			`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),`
			`+#ifdef FIPS_MODULE`
			`+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),`
			`+#endif /* defined(FIPS_MODULE) */`
			`OSSL_PARAM_END`
			`};`

			`diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c`
			`index 882cf16125..b4cc0f9237 100644`
			`--- a/providers/implementations/kem/rsa_kem.c`
			`+++ b/providers/implementations/kem/rsa_kem.c`
			`@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void vprsactx, void vrsa,`
			`static int rsakem_get_ctx_params(void vprsactx, OSSL_PARAM params)`
			`{`
			`PROV_RSA_CTX ctx = (PROV_RSA_CTX )vprsactx;`
			`+#ifdef FIPS_MODULE`
			`+ OSSL_PARAM *p;`
			`+#endif /* defined(FIPS_MODULE) */`

			`- return ctx != NULL;`
			`+ if (ctx == NULL)`
			`+ return 0;`
			`+`
			`+#ifdef FIPS_MODULE`
			`+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);`
			`+ if (p != NULL) {`
			`+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key`
			`+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third`
			`+ * party (section 6.4.2.3.1) for key agreement or key transport, but`
			`+ * explicit key confirmation is not implemented here and cannot be`
			`+ * implemented without protocol changes, and the FIPS provider does not`
			`+ * implement trusted third party validation, since it relies on its`
			`+ * callers to do that. We must thus mark RSASVE unapproved until we`
			`+ * have received clarification from NIST on how library modules such as`
			`+ * OpenSSL should implement TTP validation. */`
			`+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`
			`+`
			`+ if (!OSSL_PARAM_set_int(p, fips_indicator))`
			`+ return 0;`
			`+ }`
			`+#endif /* defined(FIPS_MODULE) */`
			`+`
			`+ return 1;`
			`}`

			`static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {`
			`+#ifdef FIPS_MODULE`
			`+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),`
			`+#endif /* defined(FIPS_MODULE) */`
			`OSSL_PARAM_END`
			`};`

			`--`
			`2.39.2`