In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16
DRBGs in OpenSSL can use only SHA-1, SHA-256, and SHA-512 in FIPS mode
According to FIPS 140-3 IG, modules certified after May 16th, 2023 must not support the use of digest algorithms that truncate their output. With this update, OpenSSL requires Deterministic Random Bit Generators (DRBGs) to use only SHA-1, SHA-256, and SHA-512 digest algorithms.
Created attachment 1923619 [details] rand.c
Description of problem:
According to FIPS 140-3 IG, section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs", modules certified after May 16th, 2023 must not support the use of
- SHA-224
- SHA-384
- SHA512-224
- SHA512-256
- SHA3-224
- SHA3-384
and potentially SHA3-256 and SHA3-512, since those are not yet specified.
We should either reject these hash algorithms with an error message, or provide an explicit indication that they are not FIPS-approved.
Version-Release number of selected component (if applicable):
3.0.1-43.el9_0
How reproducible:
Run the attached reproducer with any of the unapproved hash algorithms in both HMAC-DRBG and HASH-DRBG mode.
Steps to Reproduce:
1. cc -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 -o rand rand.c -lcrypto
2. for type in hash hmac; do for hash in SHA-224 SHA-384 SHA512-224 SHA512-256 SHA3-224 SHA3-384 SHA3-256 SHA3-512; do ./rand "$type" "$hash" 128 1 64; done; done
Actual results:
OK HASH-DRBG SHA-224
OK( 1/ 1): 0x8f8773473c6b43bc558b38e319b8f61358a7e14befa3135737e3750778dbb2c3bda567175ae596ab7556946c2d3864760c352e5717bccbe2a6b3a3cbffffb308
OK HASH-DRBG SHA-384
OK( 1/ 1): 0xc2861a62aa267de8979b9cb74be074e5bea8fe594ff196c02d983ef325b1290224ecf185ac194b78cfcd887ac1fab08d6d49abcd6197df942430982a5a2c9a93
OK HASH-DRBG SHA512-224
OK( 1/ 1): 0xa1ff9320c1ffe08ebe57ab0c30ea58cc7882ce8820ddd31a5efb1dd59f84eb48ef082a162a3f13745e2aedf973ccf748c179d432cd89fabe424f32757a8943bb
OK HASH-DRBG SHA512-256
OK( 1/ 1): 0x40ed12417a15ae654bd35505d0979711e3a26829328d5ce4f4a46be71b790d0f8a3aada28a442d3729c032830b50ed5ce95e40ae05cf2df39fe4a7fb4058d755
OK HASH-DRBG SHA3-224
OK( 1/ 1): 0xb70c2611b09c98e55293bd48f958b1075dd3a1defd141dc0d7665c3bd5a8d8cb8f96fc24d8d1f5e86ca84b283b976a0442a5c2efc80e6f9431e20a9f3e71b5b4
OK HASH-DRBG SHA3-384
OK( 1/ 1): 0xc218cc69eed0ef5bc5df3e169edd13602108892ec725f03fc59e75d69d073adecba1d78b708161a2d6430506525e8720113cc8c7162e11615c6813c2d1bb6c7e
OK HASH-DRBG SHA3-256
OK( 1/ 1): 0x75906f678785939315d3873521f32ba39e9efcce15a66a8125b8c76afdc6f25446bc17a7cfa6df930f51b6a266099c787e2897aa7bf26880a8ba939177726743
OK HASH-DRBG SHA3-512
OK( 1/ 1): 0x9c9ca9b95f5f931075e540e791cd75198670db2a29809edd180ff8f206a6fe86330c37bf2e4cc040e51280e87ea275769499aaa95e8ec1be4948816c0578d899
OK HMAC-DRBG SHA-224
OK( 1/ 1): 0x2aa7d043e1ab3ef26e8429a1572cd50ef7a75aef162e35be1cbdb01a261b5c9d9d669bb5e1996cff411a1829cf5e1df8cd421de4265016248b5137419ddc84ee
OK HMAC-DRBG SHA-384
OK( 1/ 1): 0xb975c606a15fd85b1224bb12c5f708e83edfce2e7a78339ed3f94cf765e55dd1884107db67abba331f7a05fc0318c9938c955688424e8cac5061ec73d7edad09
OK HMAC-DRBG SHA512-224
OK( 1/ 1): 0x31f070f29206d7253e52ca3d49b5273d870ac2163f9cb87d75599e771dd691fde3e86563809834dc2b0dbbbe23b412d6724eb0c16ec05cf58fe49c3138c4450a
OK HMAC-DRBG SHA512-256
OK( 1/ 1): 0xd73cb47d735533fdbf26835a36be2b1619d32e4b1c1ce88627efc5c79486d0069d75ac758c7e5c95f6171550cbb3532998f33c5e88fe4f98750118644f35cfe8
OK HMAC-DRBG SHA3-224
OK( 1/ 1): 0x94867fb14a0bf739936a9faec5367a400539827f63ab797d77d2f5702802449445d2294f797ed964911e2481c5553681b1c7c0673177cf2bebda5f3889644b4d
OK HMAC-DRBG SHA3-384
OK( 1/ 1): 0x0440ac7cbe3f5b70dcf0fa751a469a561704f70735e9112a4362457fd0e525fa0eed78e7a135ad623c849167e6c92b554ef7f9fb3afa49323ad5b66a2db56a98
OK HMAC-DRBG SHA3-256
OK( 1/ 1): 0xd1b14479a337f5c1c55bae625d93e6c23a4eb91db3cc6aec4345aa8a4fe36c061de0186dba868dffa8dcfcd87b2ba796efe55e4cfe267229d5757129853c7b9d
OK HMAC-DRBG SHA3-512
OK( 1/ 1): 0x9cfc6058d4cf39467cc155959b8e3b4eacd44ba99db04d201fd67884e8b4138ec8bdc75178c892b68c6abfe9031c0cc4f57676662c95452d283dbd5119764a48
Expected results:
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-512')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-512')
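The check the report asks for, as an added example (not OpenSSL code and not the attached rand.c): a stdlib-only Hash_DRBG per SP 800-90A section 10.1.1 whose constructor first consults a FIPS digest policy, so that every digest listed above is refused before any hashing happens, while SHA-1, SHA-256 and SHA-512 instantiate and generate normally. The allowlist, the seedlen table, the OpenSSL-style digest names and the fixed seed material are assumptions constructed for this example; `instantiate_report` reproduces the OK/ERR shape of the reproducer's output.

```python
"""Hash_DRBG (SP 800-90A 10.1.1) behind a FIPS digest policy gate.

Added example: neither OpenSSL code nor the bug's attached rand.c. The
policy table is a constructed reading of the report: only SHA-1, SHA-256
and SHA-512 may back a DRBG in FIPS mode; the rest are rejected up front.
"""
import hashlib
import math

# Digests the report says remain usable for DRBGs in FIPS mode (assumed).
FIPS_DRBG_DIGESTS = frozenset({"SHA-1", "SHA-256", "SHA-512"})

# seedlen in bits per SP 800-90A Table 2. SHA-3 has no entry there (the
# report calls it "not yet specified"), so it cannot instantiate here at all.
SEEDLEN_BITS = {
    "SHA-1": 440, "SHA-224": 440, "SHA-256": 440,
    "SHA512-224": 440, "SHA512-256": 440,
    "SHA-384": 888, "SHA-512": 888,
}

# OpenSSL-style digest names (as the reproducer spells them) -> hashlib names.
HASHLIB_NAMES = {
    "SHA-1": "sha1", "SHA-224": "sha224", "SHA-256": "sha256",
    "SHA-384": "sha384", "SHA-512": "sha512",
    "SHA512-224": "sha512_224", "SHA512-256": "sha512_256",
}

# Constructed, fixed seed material so the example is reproducible offline;
# a real DRBG takes entropy from an approved source, never from a constant.
ENTROPY_INPUT = bytes(range(32))
NONCE = bytes(range(16))


def fips_approved_drbg_digest(digest):
    """The explicit indicator the report asks for: True only for allowed digests."""
    return digest in FIPS_DRBG_DIGESTS


class HashDRBG:
    """Hash_DRBG instantiate and generate; reseeding is omitted for brevity."""

    def __init__(self, digest, entropy_input, nonce, personalization=b"", fips_mode=True):
        if fips_mode and not fips_approved_drbg_digest(digest):
            raise ValueError(f"{digest} is not approved for DRBG use in FIPS mode")
        if digest not in SEEDLEN_BITS:
            raise ValueError(f"SP 800-90A defines no seedlen for {digest}")
        self._hashname = HASHLIB_NAMES[digest]
        self.seedlen = SEEDLEN_BITS[digest] // 8          # in bytes
        self.outlen = hashlib.new(self._hashname).digest_size
        # Instantiate_algorithm (10.1.1.2)
        seed = self._hash_df(entropy_input + nonce + personalization, self.seedlen)
        self.V = seed
        self.C = self._hash_df(b"\x00" + seed, self.seedlen)
        self.reseed_counter = 1

    def _hash(self, data):
        return hashlib.new(self._hashname, data).digest()

    def _hash_df(self, input_string, out_bytes):
        """Hash_df (10.3.1): Hash(counter || bit length || input) per block."""
        n_bits = (out_bytes * 8).to_bytes(4, "big")
        temp = b""
        for counter in range(1, math.ceil(out_bytes / self.outlen) + 1):
            temp += self._hash(bytes([counter]) + n_bits + input_string)
        return temp[:out_bytes]

    def _add_mod(self, *values):
        """Sum byte strings and ints modulo 2^seedlen as seedlen-byte big-endian."""
        total = sum(int.from_bytes(v, "big") if isinstance(v, bytes) else v for v in values)
        return (total % (1 << (self.seedlen * 8))).to_bytes(self.seedlen, "big")

    def _hashgen(self, out_bytes):
        data, w = self.V, b""
        for _ in range(math.ceil(out_bytes / self.outlen)):
            w += self._hash(data)
            data = self._add_mod(data, 1)
        return w[:out_bytes]

    def generate(self, out_bytes, additional_input=b""):
        """Generate_algorithm (10.1.1.4)."""
        if additional_input:
            w = self._hash(b"\x02" + self.V + additional_input)
            self.V = self._add_mod(self.V, w)
        out = self._hashgen(out_bytes)
        h = self._hash(b"\x03" + self.V)
        self.V = self._add_mod(self.V, h, self.C, self.reseed_counter)
        self.reseed_counter += 1
        return out


def instantiate_report(digests, fips_mode=True):
    """Mirror the reproducer's OK/ERR lines: try to instantiate per digest."""
    report = {}
    for digest in digests:
        try:
            HashDRBG(digest, ENTROPY_INPUT, NONCE, b"RHEL-9 DRBG test", fips_mode)
            report[digest] = "OK"
        except ValueError:
            report[digest] = "ERR"
    return report


if __name__ == "__main__":
    names = ["SHA-224", "SHA-384", "SHA512-224", "SHA512-256",
             "SHA3-224", "SHA3-384", "SHA3-256", "SHA3-512", "SHA-256"]
    for name, status in instantiate_report(names).items():
        print(status, "HASH-DRBG", name)
    drbg = HashDRBG("SHA-256", ENTROPY_INPUT, NONCE, b"RHEL-9 DRBG test")
    print("0x" + drbg.generate(64).hex())
```

The gate sits in the constructor rather than in `generate` so that, as in the report's expected results, the failure surfaces at instantiation time; with `fips_mode=False` the same class still instantiates SHA-224 and the other SHA-2 variants, which is the behaviour the unpatched build showed.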
Additional info:
Note that we only need to fix this if we do not submit before May 16th, 2023. However, if we do not fix it now, we will have to for the next iteration.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Low: openssl security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2523