Bug 2141748 - In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssl
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Clemens Lang
QA Contact: Hubert Kario
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2144017 2144018
Reported: 2022-11-10 17:06 UTC by Clemens Lang
Modified: 2023-05-09 10:31 UTC (History)

Fixed In Version: openssl-3.0.7-2.el9
Doc Type: Deprecated Functionality
Doc Text:
.DRBGs in OpenSSL can use only SHA-1, SHA-256, and SHA-512 in FIPS mode According to FIPS 140-3 IG, modules certified after May 16th, 2023 must not support the use of digest algorithms that truncate their output. With this update, OpenSSL requires Deterministic Random Bit Generators (DRBGs) to use only SHA-1, SHA-256, and SHA-512 digest algorithms.
Clone Of:
Clones: 2144017 2144018
Environment:
Last Closed: 2023-05-09 08:20:47 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
rand.c (5.10 KB, text/x-csrc)
2022-11-10 17:06 UTC, Clemens Lang


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-8766 0 None None None 2022-11-16 10:29:39 UTC
Red Hat Issue Tracker RHELPLAN-139057 0 None None None 2022-11-10 17:12:47 UTC
Red Hat Product Errata RHSA-2023:2523 0 None None None 2023-05-09 08:21:25 UTC

Description Clemens Lang 2022-11-10 17:06:52 UTC
Created attachment 1923619
rand.c

Description of problem:
According to FIPS 140-3 IG, section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs", modules certified after May 16th, 2023 must not support the use of
 - SHA-224
 - SHA-384
 - SHA512-224
 - SHA512-256
 - SHA3-224
 - SHA3-384
and, potentially, SHA3-256 and SHA3-512, since those are not yet specified.

We should either reject these hash algorithms with an error message, or provide an explicit indication that they are not FIPS-approved.

Version-Release number of selected component (if applicable):
3.0.1-43.el9_0

How reproducible:
Run the attached reproducer with any of the unapproved hash algorithms in both HMAC-DRBG and HASH-DRBG mode.

Steps to Reproduce:
1. cc -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 -o rand rand.c -lcrypto
2. for type in hash hmac; do for hash in SHA-224 SHA-384 SHA512-224 SHA512-256 SHA3-224 SHA3-384 SHA3-256 SHA3-512; do ./rand "$type" "$hash" 128 1 64; done; done

Actual results:
OK HASH-DRBG SHA-224
  OK( 1/ 1): 0x8f8773473c6b43bc558b38e319b8f61358a7e14befa3135737e3750778dbb2c3bda567175ae596ab7556946c2d3864760c352e5717bccbe2a6b3a3cbffffb308
OK HASH-DRBG SHA-384
  OK( 1/ 1): 0xc2861a62aa267de8979b9cb74be074e5bea8fe594ff196c02d983ef325b1290224ecf185ac194b78cfcd887ac1fab08d6d49abcd6197df942430982a5a2c9a93
OK HASH-DRBG SHA512-224
  OK( 1/ 1): 0xa1ff9320c1ffe08ebe57ab0c30ea58cc7882ce8820ddd31a5efb1dd59f84eb48ef082a162a3f13745e2aedf973ccf748c179d432cd89fabe424f32757a8943bb
OK HASH-DRBG SHA512-256
  OK( 1/ 1): 0x40ed12417a15ae654bd35505d0979711e3a26829328d5ce4f4a46be71b790d0f8a3aada28a442d3729c032830b50ed5ce95e40ae05cf2df39fe4a7fb4058d755
OK HASH-DRBG SHA3-224
  OK( 1/ 1): 0xb70c2611b09c98e55293bd48f958b1075dd3a1defd141dc0d7665c3bd5a8d8cb8f96fc24d8d1f5e86ca84b283b976a0442a5c2efc80e6f9431e20a9f3e71b5b4
OK HASH-DRBG SHA3-384
  OK( 1/ 1): 0xc218cc69eed0ef5bc5df3e169edd13602108892ec725f03fc59e75d69d073adecba1d78b708161a2d6430506525e8720113cc8c7162e11615c6813c2d1bb6c7e
OK HASH-DRBG SHA3-256
  OK( 1/ 1): 0x75906f678785939315d3873521f32ba39e9efcce15a66a8125b8c76afdc6f25446bc17a7cfa6df930f51b6a266099c787e2897aa7bf26880a8ba939177726743
OK HASH-DRBG SHA3-512
  OK( 1/ 1): 0x9c9ca9b95f5f931075e540e791cd75198670db2a29809edd180ff8f206a6fe86330c37bf2e4cc040e51280e87ea275769499aaa95e8ec1be4948816c0578d899
OK HMAC-DRBG SHA-224
  OK( 1/ 1): 0x2aa7d043e1ab3ef26e8429a1572cd50ef7a75aef162e35be1cbdb01a261b5c9d9d669bb5e1996cff411a1829cf5e1df8cd421de4265016248b5137419ddc84ee
OK HMAC-DRBG SHA-384
  OK( 1/ 1): 0xb975c606a15fd85b1224bb12c5f708e83edfce2e7a78339ed3f94cf765e55dd1884107db67abba331f7a05fc0318c9938c955688424e8cac5061ec73d7edad09
OK HMAC-DRBG SHA512-224
  OK( 1/ 1): 0x31f070f29206d7253e52ca3d49b5273d870ac2163f9cb87d75599e771dd691fde3e86563809834dc2b0dbbbe23b412d6724eb0c16ec05cf58fe49c3138c4450a
OK HMAC-DRBG SHA512-256
  OK( 1/ 1): 0xd73cb47d735533fdbf26835a36be2b1619d32e4b1c1ce88627efc5c79486d0069d75ac758c7e5c95f6171550cbb3532998f33c5e88fe4f98750118644f35cfe8
OK HMAC-DRBG SHA3-224
  OK( 1/ 1): 0x94867fb14a0bf739936a9faec5367a400539827f63ab797d77d2f5702802449445d2294f797ed964911e2481c5553681b1c7c0673177cf2bebda5f3889644b4d
OK HMAC-DRBG SHA3-384
  OK( 1/ 1): 0x0440ac7cbe3f5b70dcf0fa751a469a561704f70735e9112a4362457fd0e525fa0eed78e7a135ad623c849167e6c92b554ef7f9fb3afa49323ad5b66a2db56a98
OK HMAC-DRBG SHA3-256
  OK( 1/ 1): 0xd1b14479a337f5c1c55bae625d93e6c23a4eb91db3cc6aec4345aa8a4fe36c061de0186dba868dffa8dcfcd87b2ba796efe55e4cfe267229d5757129853c7b9d
OK HMAC-DRBG SHA3-512
  OK( 1/ 1): 0x9cfc6058d4cf39467cc155959b8e3b4eacd44ba99db04d201fd67884e8b4138ec8bdc75178c892b68c6abfe9031c0cc4f57676662c95452d283dbd5119764a48

Expected results:
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-512')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA512-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-224')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-384')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-256')
ERR Failed instantiate DRBG using EVP_RAND_instantiate(strength=128, personalization='RHEL-9 DRBG test', digest='SHA3-512')


Additional info:

Comment 1 Clemens Lang 2022-11-10 17:09:15 UTC
Note that we only need to fix this if we do not submit before May 16th, 2023. However, if we do not fix it now, we will have to for the next iteration.

Comment 2 Clemens Lang 2022-11-10 17:29:26 UTC
The lab clarified that we should also disable the use of SHA3-256 and SHA3-512 in hash-based DRBGs.

Comment 4 Dmitry Belyavskiy 2022-11-16 12:50:12 UTC
Wouldn't it be better to _permit_ just SHA-256 and SHA-512?

Comment 5 Clemens Lang 2022-11-16 13:13:38 UTC
Note that SHA-1 is also permitted according to FIPS 140-3 IG D.R, but yes, that will be easier.

Comment 16 errata-xmlrpc 2023-05-09 08:20:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Low: openssl security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2523

