登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
14 Star 0 Fork 12

ocs-commit/openssl

forked from OpenCloudOS Stream/openssl 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
0042-hmac-Add-explicit-FIPS-indicator-for-key-length.patch 4.39 KB
一键复制 编辑 原始数据 按行查看 历史
冯玮耀 提交于 2024-01-17 16:05 . upgrade to 3.0.12 and Resolves: CVE-2023-5678, CVE-2023-6129
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001

From: Clemens Lang <cllang@redhat.com>

Date: Thu, 17 Nov 2022 18:08:24 +0100

Subject: [PATCH] hmac: Add explicit FIPS indicator for key length



NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"

specifies key lengths < 112 bytes are disallowed for HMAC generation and

are legacy use for HMAC verification.



Add an explicit indicator that will mark shorter key lengths as

unsupported. The indicator can be queries from the EVP_MAC_CTX object

using EVP_MAC_CTX_get_params() with the

  OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR

parameter.



Signed-off-by: Clemens Lang <cllang@redhat.com>

---

 include/crypto/evp.h                       |  7 +++++++

 include/openssl/core_names.h               |  1 +

 include/openssl/evp.h                      |  3 +++

 providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++

 4 files changed, 28 insertions(+)



diff --git a/include/crypto/evp.h b/include/crypto/evp.h

index 76fb990de4..1e2240516e 100644

--- a/include/crypto/evp.h

+++ b/include/crypto/evp.h

@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);

 const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);

 const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);

 

+#ifdef FIPS_MODULE

+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key

+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for

+ * HMAC verification. */

+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)

+#endif

+

 struct evp_mac_st {

     OSSL_PROVIDER *prov;

     int name_id;

diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h

index c019afbbb0..94fab83193 100644

--- a/include/openssl/core_names.h

+++ b/include/openssl/core_names.h

@@ -173,6 +173,7 @@ extern "C" {

 #define OSSL_MAC_PARAM_SIZE             "size"                    /* size_t */

 #define OSSL_MAC_PARAM_BLOCK_SIZE       "block-size"              /* size_t */

 #define OSSL_MAC_PARAM_TLS_DATA_SIZE    "tls-data-size"           /* size_t */

+#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"

 

 /* Known MAC names */

 #define OSSL_MAC_NAME_BLAKE2BMAC    "BLAKE2BMAC"

diff --git a/include/openssl/evp.h b/include/openssl/evp.h

index 49e8e1df78..a5e78efd6e 100644

--- a/include/openssl/evp.h

+++ b/include/openssl/evp.h

@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,

                             void *arg);

 

 /* MAC stuff */

+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0

+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED     1

+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2

 

 EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,

                        const char *properties);

diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c

index 52ebb08b8f..cf5c3ecbe7 100644

--- a/providers/implementations/macs/hmac_prov.c

+++ b/providers/implementations/macs/hmac_prov.c

@@ -21,6 +21,8 @@

 #include <openssl/evp.h>

 #include <openssl/hmac.h>

 

+#include "crypto/evp.h"

+

 #include "prov/implementations.h"

 #include "prov/provider_ctx.h"

 #include "prov/provider_util.h"

@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,

 static const OSSL_PARAM known_gettable_ctx_params[] = {

     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),

     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),

+#ifdef FIPS_MODULE

+    OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),

+#endif /* defined(FIPS_MODULE) */

     OSSL_PARAM_END

 };

 static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,

@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])

             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))

         return 0;

 

+#ifdef FIPS_MODULE

+    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {

+        int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;

+        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms

+         * specifies key lengths < 112 bytes are disallowed for HMAC generation

+         * and legacy use for HMAC verification. */

+        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)

+            fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;

+        return OSSL_PARAM_set_int(p, fips_indicator);

+    }

+#endif /* defined(FIPS_MODULE) */

+

     return 1;

 }

 

-- 

2.38.1
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/ocs-commit/openssl.git
git@gitee.com:ocs-commit/openssl.git
ocs-commit
openssl
openssl
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部