openssl/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch

From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:13:46 +0200
Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch

Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Patch-id: 113
---
 include/openssl/core_names.h                  |  2 ++
 include/openssl/evp.h                         |  4 +++
 .../implementations/asymciphers/rsa_enc.c     | 22 ++++++++++++++
 providers/implementations/kem/rsa_kem.c       | 30 ++++++++++++++++++-
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 29459049ad..9af0b1847d 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -480,6 +480,7 @@ extern "C" {
 #ifdef FIPS_MODULE
 #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
 #endif
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR    "redhat-fips-indicator"
 
 /*
  * Encoder / decoder parameters
@@ -514,6 +515,7 @@ extern "C" {
 
 /* KEM parameters */
 #define OSSL_KEM_PARAM_OPERATION            "operation"
+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
 
 /* OSSL_KEM_PARAM_OPERATION values */
 #define OSSL_KEM_PARAM_OPERATION_RSASVE     "RSASVE"
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index f1a33ff6f2..dadbf46a5a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
 OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
 # endif
 
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED     1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
 EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
                                const char *properties);
 int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index d169bfd396..bd4dcb4e27 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
         return 0;
 
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
+    if (p != NULL) {
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+
+        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+         * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
+         * explicit key confirmation is not implemented here and cannot be
+         * implemented without protocol changes, and the FIPS provider does not
+         * implement trusted third party validation, since it relies on its
+         * callers to do that. We must thus mark RSA-OAEP as unapproved until
+         * we have received clarification from NIST on how library modules such
+         * as OpenSSL should implement TTP validation. */
+        fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+        if (!OSSL_PARAM_set_int(p, fips_indicator))
+            return 0;
+    }
+#endif /* defined(FIPS_MODULE) */
+
     return 1;
 }
 
@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
 #ifdef FIPS_MODULE
     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+    OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
 #endif /* FIPS_MODULE */
     OSSL_PARAM_END
 };
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 8a6f585d0b..f4b7415074 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 {
     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
+#ifdef FIPS_MODULE
+    OSSL_PARAM *p;
+#endif /* defined(FIPS_MODULE) */
+
+    if (ctx == NULL)
+        return 0;
+
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
+    if (p != NULL) {
+        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+         * party (section 6.4.2.3.1) for key agreement or key transport, but
+         * explicit key confirmation is not implemented here and cannot be
+         * implemented without protocol changes, and the FIPS provider does not
+         * implement trusted third party validation, since it relies on its
+         * callers to do that. We must thus mark RSASVE unapproved until we
+         * have received clarification from NIST on how library modules such as
+         * OpenSSL should implement TTP validation. */
+        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+        if (!OSSL_PARAM_set_int(p, fips_indicator))
+            return 0;
+    }
+#endif /* defined(FIPS_MODULE) */
 
-    return ctx != NULL;
+    return 1;
 }
 
 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
+#ifdef FIPS_MODULE
+    OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
     OSSL_PARAM_END
 };
 
-- 
2.41.0