Skip to content

Zero key for FIPS#1590

Merged
jyao1 merged 3 commits into
DMTF:mainfrom
Wenxing-hou:zero_dhe_secret
Jan 18, 2023
Merged

Zero key for FIPS#1590
jyao1 merged 3 commits into
DMTF:mainfrom
Wenxing-hou:zero_dhe_secret

Conversation

@Wenxing-hou

@Wenxing-hou Wenxing-hou commented Jan 6, 2023

Copy link
Copy Markdown
Contributor

Reference: #1260

2023/1/7 Commit 1: Zero key for FIPS when encode and decode.
2023/1/13 Commit 2: Fix unit test because of the salt change.
2023/1/9 Commit 3: Zero salt1 in libspdm_generate_session_data_key.

Signed-off-by: Wenxing Hou wenxing.hou@intel.com

@Wenxing-hou Wenxing-hou marked this pull request as draft January 6, 2023 09:00

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need zero key in any return path.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I have added the salt zero in every return path.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need zero key in any return path.

@steven-bellock

Copy link
Copy Markdown
Contributor

Why does the key need to be on the stack at all? Why not use

secured_message_context->handshake_secret.request_handshake_encryption_key

directly?

@jyao1

jyao1 commented Jan 6, 2023

Copy link
Copy Markdown
Member

Yes, I think we can change to uint8_t *key.

@Wenxing-hou Wenxing-hou force-pushed the zero_dhe_secret branch 2 times, most recently from ef0f9fe to 5fcc457 Compare January 9, 2023 00:59
@Wenxing-hou

Copy link
Copy Markdown
Contributor Author

Yes, I think we can change to uint8_t *key.

Thanks. I have changed the key from array to pointer.

@Wenxing-hou Wenxing-hou marked this pull request as ready for review January 11, 2023 06:23

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove /*zero salt for security*/. No need to say it every where.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I have removed the comments except the first comment.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can also make the salt a pointer.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so, the XOR sequence_number need to be: *(uint64_t *)salt ^ (sequence_number - 1) ^ sequence_number

Please test it between old version and new version.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I have changed the salt to pointer and added a new commit to fix the unit test.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I have tested pass the emu.
the array salt is old version; the pointer salt is new version. The following test has passed.

new version requester <---> new version responder
old version requester <---> new version responder
new version requester <---> old version responder

@Wenxing-hou Wenxing-hou force-pushed the zero_dhe_secret branch 5 times, most recently from 0147734 to b05163d Compare January 15, 2023 03:27
Reference: DMTF#1260

Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reference: DMTF#1260

Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
@steven-bellock steven-bellock added enhancement New feature or request security An issue that impacts security labels Jan 16, 2023
@steven-bellock steven-bellock added this to the Q1 2023 milestone Jan 16, 2023
uint8_t key[LIBSPDM_MAX_AEAD_KEY_SIZE];
uint8_t salt[LIBSPDM_MAX_AEAD_IV_SIZE];
const uint8_t *key;
uint8_t *salt;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The salt should stay const, like the key.
Also we'll need to declare uint8_t iv[LIBSPDM_MAX_AEAD_IV_SIZE], that actually gets fed into libspdm_aead_encryption.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need define uint8_t iv[LIBSPDM_MAX_AEAD_IV_SIZE]. That will go back to original problem.


*(uint64_t *)salt = *(uint64_t *)salt ^ sequence_number;
if (sequence_number > 0) {
*(uint64_t *)salt = *(uint64_t *)salt ^ (sequence_number - 1) ^ sequence_number;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This (and the 2.3 version) is misleading as once the assignment occurs this value is no longer the salt, it's the IV. So here I would zero-extend sequence_number and XOR it with salt and assign it (libspdm_copy_mem) to iv[].

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the name is confusing, I think we can rename to uint8_t *iv. I don't see the need to cache the iv[].

@steven-bellock

Copy link
Copy Markdown
Contributor

Ok. Feel free to merge this and I'll file an issue.

@jyao1 jyao1 merged commit cd0664b into DMTF:main Jan 18, 2023
@Wenxing-hou Wenxing-hou deleted the zero_dhe_secret branch March 23, 2023 07:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request security An issue that impacts security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants