Bug 2136250
| Summary: | HMAC generation should reject key lengths < 112 bits or provide an indicator in FIPS mode | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Clemens Lang <cllang> | ||||||
| Component: | openssl | Assignee: | Clemens Lang <cllang> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> | ||||||
| Severity: | urgent | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 9.0 | CC: | cllang, hkario, ssorce | ||||||
| Target Milestone: | rc | Keywords: | Triaged, ZStream | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | openssl-3.0.7-1.el9 | Doc Type: | No Doc Update | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 2144000 2144001 (view as bug list) | Environment: | |||||||
| Last Closed: | 2023-05-09 08:20:47 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 2144000, 2144001 | ||||||||
| Attachments: |
|
||||||||
Correcting myself: it's key lengths < 112 bits, not bytes. I'm attaching an updated reproducer that uses and EVP_MAC_CTX and also supports reading and printing the indicator status from that context. I tested that this indicator correctly identifies short keys: $> $(head -n1 hmac.c | sed -E 's#^// ##g') && echo "" | ./hmac 14 OK (indicator: approved): 24dce023336611b9485adf35c9cd9c1686db0eecab76aa1c9fbb1a4ccfe883c9 $> $(head -n1 hmac.c | sed -E 's#^// ##g') && echo "" | ./hmac 13 OK (indicator: unapproved): aaf492fa7114fcb1880d0906077e7f3f7cdb74fecbd787bc6cc93bc7df9ede04 Created attachment 1925084 [details]
Updated reproducer that uses EVP_MAC_CTX and supports indicators
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: openssl security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:2523 |
Created attachment 1919136 [details] reproducer that computes an HMAC using EVP_Q_mac() with a user-defined key length Description of problem: According to NIST Special Publication 800-131Ar2, Table 9: Approval Status of MAC Algorithms, key lengths < 112 bytes are disallowed for HMAC generation. OpenSSL should either reject shorter keys with an error message, or provide an explicit indication that short keys are not FIPS-approved. Version-Release number of selected component (if applicable): 3.0.1-41.el9_0 How reproducible: Run the attached reproducer with values other than the permitted ones. Steps to Reproduce: 1. gcc -std=c99 -Wall -Werror -pedantic -o hmac hmac.c -lcrypto 2. ./hmac 2 foo Actual results: e554d415b4a2c69a6afa1d8b154bcd89bba6371d5f6c5ebdcbc356096ce1cfc6 (or some other HMAC, the key is randomly generated) Expected results: Failure because a short key was used. Additional info: