New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Fips module checks to provider key operations #12745
Conversation
This PR has been broken up into separate commits to hopefully make it easier to review. |
So doing these tests is not a FIPS requirement. Are we sure that, for example, they are not invoked in any of these paths?
I think the safest thing to do is wrap all those checks in a new ifdef. Yes, I really dislike adding a new ifdef, but we are concerned that these checks, which are now required for Common Criteria, but not required for FIPS, will end up being invoked through some codepath that we haven't analyzed. Especially so close to the BETA freeze. (Of course the absolute safest is to not put this into OpenSSL, which only promises FIPS not Common Criteria.) |
They might not be required by FIPS 140-2, but they will be effectively required by FIPS 140-3. Also they are good idea anyway as they help the application to be FIPS compliant. Once you use such non-approved key sizes you're out of FIPS compliance. If you care about real FIPS compliance and not just paper compliance you need to use approved key sizes. |
As you say, it is not currently required. I am concerned that it will break some of our deployed customers. |
So they do not really care about FIPS compliance? |
I mean either they care about FIPS compliance and then they cannot use non-approved key sizes. Or they do not, but then why they would be using FIPS provider. |
We care about FIPS 140-2, not 140-3. If the project wants to do 140-3, then presumably it will discuss this among the OMC and the FIPS project sponsors. |
I am sorry for not being clear. FIPS 140-2 requires you to use approved key sizes, it just does not require the software to enforce the requirement. The compliance can be achieved by simply not using non-approved key sizes by the means of the system administrator (the FIPS module operator) diligence. So if the sysadmin uses wrong key sizes, the resulting operation is not FIPS compliant. And it can even invalidate keys if you for example use properly FIPS compliant RSA key to create signature with non-approved hash (which is even sha1 now for signatures) it invalidates the compliance of the RSA key, even if you would like to later use it with an approved hash. So the key size checks are actually very much useful even with FIPS 140-2. |
Please see the archives on the fips-sponsors list. 140-2 says nothing about certificates, for example. |
If you are signing with SHA1 for example - then you are not fips compliant. Ticking the fips box, and then allowing non secure operations is just sticking your head in the sand. Ideally any cert or key that is not trusted should also be doing a key check also, there are many rules as to what part of the key needs to be validated (especially with key agreement). https://csrc.nist.gov/projects/cryptographic-module-validation-program/announcements mentions SP800-131A quite a lot. If you read https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf it does set limits on keysizes, and it also mentions key assurances in section 3.3. |
I am going to stand by what Ashit said on that list. This is moving decisions that were in policy, to being enforced in code, and it's not for 140-2 but for Common Criteria and 140-3. This will break some of our customers. |
Having an option to have technical enforcement of items which are allowed to be handled by policy (i.e. passed to the user as their responsibility) is a useful thing to do - however it should also be able to be disabled and such a disabling should not be in violation of the security policy. There are actually contexts in which things are permitted to be used without breaking FIPS requirements which depend on application knowledge that sits outside of the FIPS module itself. Yes - I'm agreeing with both @slontis and @richsalz at the same time - with the modification that it should be able to be configured on or off in the configuration file. That enables meeting both objectives which apply to different situations. |
I can acccept @t-j-h's proposal. I'd add that the default should be settable via the fipsinstall program. |
I was thinking the same things in terms of it being optional..
The default should be that the checks are on,
My personal opinion is that the security policy would need to state that you are not fips compliant if you disable it - i.e you are allowing non secure operations (which may be required by P11 devices for example)
Whilst I understand that it has the potential to break things, I have also seen many instances in production environments where developers think they are fips compliant,
and have no idea that they are not even close to being secure….
Another thing to note is that a lot of these restrictions are many years old, which means people remain unaware that they are insecure and will remain so whilst we continue to control this via policy.
I am unsure if this option should be in the fips config file that is produced from fipsinstall - to me that is encouraging people to disable the checks. Tim do you have an opinion on this?
Cheers,
Shane
… On 3 Sep 2020, at 8:52 am, Tim Hudson ***@***.***> wrote:
Having an option to have technical enforcement of items which are allowed to be handled by policy (i.e. passed to the user as their responsibility) is a useful thing to do - however it should also be able to be disabled and such a disabling should not be in violation of the security policy. There are actually contexts in which things are permitted to be used without breaking FIPS requirements which depend on application knowledge that sits outside of the FIPS module itself.
Yes - I'm agreeing with both @slontis <https://urldefense.com/v3/__https://github.com/slontis__;!!GqivPVa7Brio!Nj72opLpDJojCRLE9i4KYu9B1kLFxIKap7vvUN6NhavlADNE4K06SkgBzrw_uOivUg$> and @richsalz <https://urldefense.com/v3/__https://github.com/richsalz__;!!GqivPVa7Brio!Nj72opLpDJojCRLE9i4KYu9B1kLFxIKap7vvUN6NhavlADNE4K06SkgBzrz5Q-GjGQ$> at the same time - with the modification that it should be able to be configured on or off in the configuration file. That enables meeting both objectives which apply to different situations.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <https://urldefense.com/v3/__https://github.com/openssl/openssl/pull/12745*issuecomment-686069302__;Iw!!GqivPVa7Brio!Nj72opLpDJojCRLE9i4KYu9B1kLFxIKap7vvUN6NhavlADNE4K06SkgBzrzhCJ-rjg$>, or unsubscribe <https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/AJUSG6S7VJKKKHSHZPNAO53SD3EELANCNFSM4QOXNNCA__;!!GqivPVa7Brio!Nj72opLpDJojCRLE9i4KYu9B1kLFxIKap7vvUN6NhavlADNE4K06SkgBzrxFO9XBEA$>.
|
I disagree. It should state that compliance is determined via administrative guidance. Just like other guidances we're going to have.
Without that, how does someone change from admin-style guidance to code-enforcement? Rewrite their app? Install a differently-built module? |
It will be up to whoever writes the security policy to determine what to do with this. |
I see nothing wrong with on-by-default for the checks. However it defeats the point if you basically add a requirement in the security policy for this setting to always be on - FIPS allows for non-technical enforcement - if it didn't then all modules would be required to enforce. There are good reasons why this is the case for FIPS but that is a longer conversation that needed for this threat. Simple summary: |
@t-j-h's comments in #12745 (comment) meet our needs and also seem to meet the FIPS requirements as well. I can help with the config file stuff, and wiring it through to the checks if you want. |
26d9027
to
70d4225
Compare
Yes that would be helpful if you could.. |
@richsalz - I have added a config option 'fips-securitychecks'.. If you look in security_check_fips.c you will see a TODO(3.0) item where the check should be placed.. |
I mailed you a patch. |
Thanks for that.. I did not quite know how to put the global variable in either, I was interested to see what you would do :) |
0940d69
to
7d86897
Compare
Changes merged from a patch by @richsalz.
5d0ae8e
to
ddb13a2
Compare
rebased to fix commit message.. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, good work!
This pull request is ready to merge |
In fips mode SHA1 should not be allowed for signing, but may be present for verifying. Add keysize check. Add missing 'ossl_unused' to gettable and settable methods. Update fips related tests that have these restrictions. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
For key agreement only NIST curves that have a security strength of 112 bits or more are allowed. Fixed tests so they obey these restrictions when testing in fips mode. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
The ordering of this option is important so inform the user if they do it incorrectly. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
…checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12745)
Pushed. |
For key operations the fips module now checks for approved digests, named curves, safe prime groups, and minimum security strength for keys .
Note that for encryption, signing and exchange operations 112 bits of security strength are required, but lower values are allowed for decryption and verifying for legacy purposes.
These checks are not done by the default providers for backwards compatibility reasons.
Checklist