Bug 2168289

Summary: In FIPS mode, openssl should provide an indicator for AES-GCM to query whether the IV was generated internally or provided externally
Product: Red Hat Enterprise Linux 9
Component: openssl
Version: 9.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: high
Type: Bug
Reporter: Clemens Lang <cllang>
Assignee: Clemens Lang <cllang>
QA Contact: Alicja Kario <hkario>
CC: cllang, dbelyavs, hkario, ssorce
Target Milestone: rc
Keywords: Triaged, ZStream
Flags: pm-rhel: mirror+
Fixed In Version: openssl-3.0.7-17.el9
Doc Type: No Doc Update
Clone Of:
: 2175868 2175869 2175870
Last Closed: 2023-11-07 08:52:59 UTC
Bug Blocks: 2175868, 2175869, 2175870
Attachments (description; flags):
AES-GCM reproducer that prints the FIPS indicator status; none
AES-GCM reproducer that prints the FIPS indicator status; none
AES-GCM reproducer that prints the FIPS indicator status (updated for both encryption & decryption); none

Description Clemens Lang 2023-02-08 16:34:21 UTC
Created attachment 1942927
AES-GCM reproducer that prints the FIPS indicator status

Description of problem:
FIPS 140-3 IG, section C.H asks us to guarantee key/iv pair uniqueness, which OpenSSL cannot enforce when IVs are specified externally when encrypting. For FIPS compliance, IVs should always be generated internally by OpenSSL for this reason.

Add an indicator that allows users to query whether the IV was generated internally and thus complies with FIPS 140-3 IG C.H.


Version-Release number of selected component (if applicable):
openssl-3.0.1-44.el9_0.1

How reproducible:
Run attached reproducer. It should provide an indication of whether the IV was generated internally.

Steps to Reproduce:
1. $(head -1 aes-gcm.c | sed -E 's@^// @@g') && ./aes-gcm aad false 12 16 aes-gcm aes-gcm.enc
   should print FIPS approved indicator since internal IV generation is used
2. $(head -1 aes-gcm.c | sed -E 's@^// @@g') && ./aes-gcm aad true 12 16 aes-gcm aes-gcm.enc
   should print FIPS unapproved indicator since internal IV generation is used

Actual results:
No indicators are printed at all

Expected results:
Output indicates whether internal IV generation compliant with FIPS 140-3 IG C.H was used. 

Additional info:
https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

Comment 1 Clemens Lang 2023-02-17 18:04:42 UTC
Created attachment 1944805
AES-GCM reproducer that prints the FIPS indicator status

Comment 6 Clemens Lang 2023-03-13 15:35:39 UTC
Created attachment 1950251
AES-GCM reproducer that prints the FIPS indicator status (updated for both encryption & decryption)

Comment 17 errata-xmlrpc 2023-11-07 08:52:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6627