-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Perform key size check for HMAC, HKDF, SSHKDF and TLS KDF #23900
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good effort.
I'm not convinced that pedantic
should be exposed outside the FIPS provider. It's not used by the default provider at all and thus would be better omitted.
Test failures seem relevant.
* Set pedantic to zero to allow a salt with arbitrary length. | ||
*/ | ||
int pedantic = 0; | ||
OSSL_PARAM mac_params[] = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, this won't build for some platforms which consider &pedantic to not be constant.
Does this impact FIPS compliance?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Our lab think it only need to ensure that HMAC function and key are strong enough. Therefore, I think the length of salt should not impact the compliance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You misunderstood. Taking the address of pedantic
is not considered a constant initialiser on some platforms. I.e. this code will not compile.
This is why we use other methods to construct OSSL_PARAM arrays at runtime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The method to construct OSSL_PARAM arrays changed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest that this PR is somewhat dependent on fips indicators being resolved. See #23609. We definitely want a consistent way of addressing all of the issues (not just the keysize checks).
For the MAC, I think there are multiple things to consider
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mandate changes to the build.cfg files?
* Set pedantic to zero to allow a salt with arbitrary length. | ||
*/ | ||
int pedantic = 0; | ||
OSSL_PARAM mac_params[] = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You misunderstood. Taking the address of pedantic
is not considered a constant initialiser on some platforms. I.e. this code will not compile.
This is why we use other methods to construct OSSL_PARAM arrays at runtime.
@paulidale Sorry that I don't understand your meaning. Do you want to known whether this changes also need to modify build.info files? |
Title = HKDF bad key size test | ||
|
||
Availablein = fips | ||
KDF = HKDF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are going to need a line specifying which provider version this test is supported by....
(Because we test against old providers with the current source).
i.e. (Assuming OpenSSL 3.3 has been released)..
FIPSVersion = >=3.4.0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Until 3.3 is release you will have to use >= 3.3.0, and then change it later
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed to FIPSversion = >=3.3.0
because v3.3.0 is still in alpha stage.
/* | ||
* According to RFC 9000, the length of destination connection ID must be | ||
* at least 8 bytes. It means that the length of destination connection ID | ||
* may be less than the minimum length for HKDF required by FIPS provider. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this should be done here.. It should probably break in FIPS mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The operation may fail if FIPS provider is used with old libssl.so.
I think it cannot be avoided unless
- move the
ossl_quic_hkdf_extract
function into FIPS provider - or has a global pedantic flag, which is turned off in default for back-compatibility, in fipsmodule.cnf
If I am wrong, please correct me. Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@t8m or @paulidale Do you have an opinion on this, technically it should fall over here..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah #$%@! FIPS rules bite again. The initial secret where this is used is not really security relevant so IMO OK to set pedantic to 0.
@@ -43,7 +43,16 @@ Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a253 | |||
|
|||
# Missing digest. | |||
KDF = TLS1-PRF | |||
Ctrl.Pedantic = pedantic:0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this needed here and in other places? It is FIPS specific..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Current implementation performs key size check in set_ctx_params function.
The secret to set in this test case is only 8 bits.
Therefore, it is needed to set pedantic flag to zero to make it pass through the logic for checking digest.
Update:
I will make this test case only available in default provider and remove Ctrl.Pedantic
in next commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make this test case only available in default provider.
Pauli is asking whether you checked the build.info files for any files that you have added #ifdef FIPS_MODULE to... The related .o file needs to go into both libdefault and libfips. |
For fips indicator purposes there should also be a getter |
@paulidale All files that I have added
@slontis A getter has been added. |
test failures are relevant. |
Rebased dev branch onto current master branch. To make test pass, the commit from #23833 picked and it will be removed in the future. |
de6e90e
to
cb64d51
Compare
Rebase dev branch onto current master branch, and change |
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
According to SP 800-131Ar2, the length of the key-derivation key shall be at least 112 bits.
This PR introduces key size checks in HMAC, HKDF, SSHKDF and TLS KDF.
Since the key shorter than 112 bits can be used for legacy use in HMAC generation, a
pedantic
flag is introduced to control whether to perform the check in HMAC.Similarly, a
pedantic
flag is also introduced in KDFs to turn off the check for some scenario, such as ignoring salt length check.With this changes, we can use API return value to indicate whether the operation is approved.
This PR depends on #23833.
Checklist