From 7c8235f8cd3ebb244a475b3015fba5c6311804d7 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 Aug 2022 15:12:42 +0200
Subject: [PATCH] Zeroize public keys, add HKDF FIPS indicator

Resolves: rhbz#2102542
Resolves: rhbz#2114772
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
 ...Add-FIPS-indicator-parameter-to-HKDF.patch | 119 ++++++++++++++++++
 openssl.spec                                  |  12 +-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 0078-Add-FIPS-indicator-parameter-to-HKDF.patch

diff --git a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
new file mode 100644
index 0000000..31e3c7d
--- /dev/null
+++ b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
@@ -0,0 +1,119 @@
+From c4b086fc4de06128695e1fe428f56d776d25e748 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 11 Aug 2022 09:27:12 +0200
+Subject: [PATCH] Add FIPS indicator parameter to HKDF
+
+NIST considers HKDF only acceptable when used as in TLS 1.3, and
+otherwise unapproved. Add an explicit indicator attached to the
+EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
+determine whether the KDF operation was approved after performing it.
+
+Related: rhbz#2114772
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ include/openssl/core_names.h          |  1 +
+ include/openssl/kdf.h                 |  4 ++
+ providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 21c94d0488..87786680d7 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -223,6 +223,7 @@ extern "C" {
+ #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO    "supp-pubinfo"
+ #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO   "supp-privinfo"
+ #define OSSL_KDF_PARAM_X942_USE_KEYBITS     "use-keybits"
++#define OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR "hkdf-fips-indicator"
+ 
+ /* Known KDF names */
+ #define OSSL_KDF_NAME_HKDF           "HKDF"
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..869f23d8fb 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
+ 
++# define EVP_KDF_HKDF_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED     1
++# define EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index afdb7138e1..9d28d292d8 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             return 0;
+         return OSSL_PARAM_set_size_t(p, sz);
+     }
++
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params,
++                OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR)) != NULL) {
++        int fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_UNDETERMINED;
++        switch (ctx->mode) {
++        case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
++            /* TLS 1.3 never uses extract-and-expand */
++            fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
++            break;
++        case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
++            {
++                /* When TLS 1.3 uses extract, the following holds:
++                 * 1. The salt length matches the hash length, and either
++                 * 2.1. the key is all zeroes and matches the hash length, or
++                 * 2.2. the key originates from a PSK (resumption_master_secret
++                 *   or some externally esablished key), or an ECDH or DH key
++                 *   derivation. See
++                 *   https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
++                 * Unfortunately at this point, we cannot verify where the key
++                 * comes from, so all we can do is check the salt length.
++                 */
++                const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++                if (md != NULL && ctx->salt_len == EVP_MD_get_size(md))
++                    fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED;
++                else
++                    fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
++            }
++            break;
++        case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
++            /* When TLS 1.3 uses expand, it always provides a label that
++             * contains an uint16 for the length, followed by between 7 and 255
++             * bytes for a label string that starts with "tls13 " or "dtls13".
++             * For compatibility with future versions, we only check for "tls"
++             * or "dtls". See
++             * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
++             * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
++            if (ctx->label != NULL
++                    && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */
++                    && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 ||
++                        strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
++                fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED;
++            else
++                fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
++            break;
++        }
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return -2;
+ }
+ 
+@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+-- 
+2.37.1
+
diff --git a/openssl.spec b/openssl.spec
index 29dbd89..4b4688a 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 40%{?dist}
+Release: 41%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -158,6 +158,10 @@ Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
 # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
 Patch76: 0076-FIPS-140-3-DRBG.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
+Patch77: 0077-FIPS-140-3-zeroization.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -488,6 +492,12 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41
+- Zeroize public keys as required by FIPS 140-3
+  Related: rhbz#2102542
+- Add FIPS indicator for HKDF
+  Related: rhbz#2114772
+
 * Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40
 - Deal with DH keys in FIPS mode according FIPS-140-3 requirements
   Related: rhbz#2102536