From 21d2b9fb4712e7b77b2d892bec36138e15570c32 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 16 Mar 2023 16:39:03 +0100
Subject: [PATCH] Fix X942KDF indicator for short output key lengths

In testing, we noticed that using output keys shorter than 14 bytes with the X9.42 KDF does not set the explicit FIPS indicator to unapproved as it should. The relevant check was implemented, but the state in the implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang
---
 0078-KDF-Add-FIPS-indicators.patch | 24 +++++++++++++++++-------
 openssl.spec | 6 +++++-
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch
index d8496ce..1090ffa 100644
--- a/0078-KDF-Add-FIPS-indicators.patch
+++ b/0078-KDF-Add-FIPS-indicators.patch
@@ -1,4 +1,4 @@
-From 2f89e15407b7f3947768f93d11adeafd73c0b6d6 Mon Sep 17 00:00:00 2001
+From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
 From: Clemens Lang
 Date: Thu, 11 Aug 2022 09:27:12 +0200
 Subject: KDF: Add FIPS indicators
@@ -49,8 +49,8 @@ Related: rhbz#2114772 rhbz#2141695
  providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
  providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
  providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
- providers/implementations/kdfs/x942kdf.c | 57 +++++++++++-
- 9 files changed, 478 insertions(+), 22 deletions(-)
+ providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++-
+ 9 files changed, 488 insertions(+), 22 deletions(-)
 
 diff --git a/include/crypto/evp.h b/include/crypto/evp.h
 index e70d8e9e84..76fb990de4 100644
@@ -791,7 +791,7 @@ index a4d64b9352..f6782a6ca2 100644
  };
  return known_gettable_ctx_params;
 diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
-index b1bc6f7e1b..f4ac8ca3f5 100644
+index b1bc6f7e1b..8173fc2cc7 100644
 --- a/providers/implementations/kdfs/x942kdf.c
 +++ b/providers/implementations/kdfs/x942kdf.c
 @@ -13,10 +13,13 @@
@@ -829,7 +829,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
  ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, der, der_len, ctr, key, keylen);
  OPENSSL_free(der);
-@@ -563,10 +573,48 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
  {
  KDF_X942 *ctx = (KDF_X942 *)vctx;
  OSSL_PARAM *p;
@@ -860,6 +860,16 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +
 + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 + * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
 + * extendable-output functions may only be used as the standalone
 + * algorithms." */
@@ -881,7 +891,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
  }
  
  static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -574,6 +622,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
  {
  static const OSSL_PARAM known_gettable_ctx_params[] = {
  OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@@ -892,5 +902,5 @@ index b1bc6f7e1b..f4ac8ca3f5 100644
  };
  return known_gettable_ctx_params;
 -- 
-2.39.1
+2.39.2
 
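Review bot: The comment added in the `x942kdf_get_ctx_params` hunk (`@@ -860,6 +860,16 @@`) names a field `ctx->output_keyelen_indicator`, while the check directly below it reads `ctx->output_keylen_indicator`; it also says "Cryptographic Module Verification Program" where the SHAKE comment that follows says "Validation Program". Both should be corrected so that someone auditing the indicator logic can search from the comment to the field. The threshold wording could match the commit message by reading `strength < 112 bits (14 bytes)` and "at least that long" instead of "longer than that", since a key of exactly 112 bits is not below the limit. "Has ever been shorter" implies the state is latched on the context; where it is set and whether a reset clears it are outside this hunk, so the comment should state the intended lifetime for callers that reuse a context. The function body starts and ends outside the hunk.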
diff --git a/openssl.spec b/openssl.spec
index 50a3bb4..97641a7 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9
+- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
+ Resolves: rhbz#2175864
+
 * Thu Mar 16 2023 Clemens Lang - 1:3.0.7-8
 - Fix Wpointer-sign compiler warning
  Resolves: rhbz#2178034