diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch new file mode 100644 index 0000000..4cda828 --- /dev/null +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -0,0 +1,159 @@ +From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Mar 2023 15:39:15 +0100 +Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator + +NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key +confirmation (section 6.4.2.3.2), or assurance from a trusted third +party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key +agreement schemes, but explicit key confirmation is not implemented and +cannot be implemented without protocol changes, and the FIPS provider +does not implement trusted third party validation, since it relies on +its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE +as unapproved until we have received clarification from NIST on how +library modules such as OpenSSL should implement TTP validation. + +This does not affect RSA-OAEP decryption, because it is approved as +a component according to the FIPS 140-3 IG, section 2.4.G. + +Resolves: rhbz#2179331 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 2 ++ + include/openssl/evp.h | 4 +++ + .../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++- + 4 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 832502a034..e15d208421 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -469,6 +469,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* + * Encoder / decoder parameters +@@ -503,6 +504,7 @@ extern "C" { + + /* KEM parameters */ + #define OSSL_KEM_PARAM_OPERATION "operation" ++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ + + /* OSSL_KEM_PARAM_OPERATION values */ + #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index ec2ba46fbd..3803b03422 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); + OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); + # endif + ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); + int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 568452ec56..0a9adb4056 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) + return 0; + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted ++ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport ++ * scheme, but explicit key confirmation is not implemented here ++ * and cannot be implemented without protocol changes, and the FIPS ++ * provider does not implement trusted third party validation, ++ * since it relies on its callers to do that. We must thus mark ++ * RSA-OAEP as unapproved until we have received clarification from ++ * NIST on how library modules such as OpenSSL should implement TTP ++ * validation. ++ * ++ * This does not affect decryption, because it is approved as ++ * a component according to the FIPS 140-3 IG, section 2.4.G. ++ */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 882cf16125..b4cc0f9237 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, + static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + { + PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; ++#ifdef FIPS_MODULE ++ OSSL_PARAM *p; ++#endif /* defined(FIPS_MODULE) */ + +- return ctx != NULL; ++ if (ctx == NULL) ++ return 0; ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for key agreement or key transport, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ return 1; + } + + static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +-- +2.39.2 + diff --git a/openssl.spec b/openssl.spec index 97641a7..a3b1f73 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 +- Add explicit FIPS indicator to RSA encryption and RSASVE + Resolves: rhbz#2179379 + * Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9 - Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes Resolves: rhbz#2175864