xref: /openssl/doc/designs/fips_indicator.md (revision 7845ff76)
1OpenSSL FIPS Indicators
2=======================
3
4The following document refers to behaviour required by the OpenSSL FIPS provider,
5the changes should not affect the default provider.
6
7References
8----------
9
10- [1] FIPS 140-3 Standards: <https://csrc.nist.gov/projects/cryptographic-module-validation-program/fips-140-3-standards>
11- [2] Approved Security Functions: <https://csrc.nist.gov/projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140c>
12- [3] Approved SSP generation and Establishment methods: <https://csrc.nist.gov/projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140d>
13- [4] Key transitions: <https://csrc.nist.gov/pubs/sp/800/131/a/r2/final>
14- [5] FIPS 140-3 Implementation Guidance: <https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips 140-3/FIPS 140-3 IG.pdf>
15
16Requirements
17------------
18
19The following information was extracted from the FIPS 140-3 IG [5] “2.4.C Approved Security Service Indicator”
20
21- A module must have an approved mode of operation that requires at least one service to use an approved security function (defined by [2] and [3]).
22- A FIPS 140-3 compliant module requires a built-in service indicator capable of indicating the use of approved security services
23- If a module only supports approved services in an approved manner an implicit indicator can be used (e.g. successful completion of a service is an indicator).
24- An approved algorithm is not considered to be an approved implementation if it does not have a CAVP certificate or does not include its required self-tests. (i.e. My interpretation of this is that if the CAVP certificate lists an algorithm with only a subset of key sizes, digests, and/or ciphers compared to the implementation, the differences ARE NOT APPROVED. In many places we have no restrictions on the digest or cipher selected).
25- Documentation is required to demonstrate how to use indicators for each approved cryptographic algorithm.
26- Testing is required to execute all services and verify that the indicator provides an unambiguous indication of whether the service utilizes an approved cryptographic algorithm, security function or process in an approved manner or not.
27- The Security Policy may require updates related to indicators. AWS/google have added a table in their security policy called ‘Non-Approved Algorithms not allowed in the approved mode of operation’. An example is RSA with a keysize of < 2048 bits (which has been enforced by [4]).
28
29Since any new FIPS restrictions added could possibly break existing applications
30the following additional OpenSSL requirements are also needed:
31
32- The FIPS restrictions should be able to be disabled using Configuration file options (This results in unapproved mode and requires an indicator).
33- A mechanism for logging the details of any unapproved mode operations that have been triggered (e.g. DSA Signing)
34- The FIPS restrictions should be able to be enabled/disabled per algorithm context.
35- If the per algorithm context value is not set, then the  Configuration file option is used.
36
37Solution
38--------
39
40In OpenSSL most of the existing code in the FIPS provider is using
41implicit indicators i.e. An error occurs if existing FIPS rules are violated.
42
43The following rules will apply to any code that currently is not FIPS approved,
44but needs to be.
45
46- The fipsinstall application will have a configurable item added for each algorithm that requires a change. These options will be passed to the FIPS provider in a manner similar to existing code.
47
48- A user defined callback similar to OSSL_SELF_TEST will be added. This callback will be triggered whenever an approved mode test fails.
49
50It may be set up by the user using
51
52```c
53typedef int (OSSL_INDICATOR_CALLBACK)(const char *type,
54                                      const char *desc,
55                                      const OSSL_PARAM params[]);
56
57void OSSL_INDICATOR_set_callback(OSSL_LIB_CTX *libctx,
58                                 OSSL_INDICATOR_CALLBACK *cb);
59```
60
61The callback can be changed at any time.
62
63- A getter is also supplied (which is also used internally)
64
65```c
66void OSSL_INDICATOR_get_callback(OSSL_LIB_CTX *libctx,
67                                 OSSL_INDICATOR_CALLBACK **cb);
68```
69
70An application's indicator OSSL_INDICATOR_CALLBACK can be used to log that an
71indicator was triggered. The callback should normally return non zero.
72Returning 0 allows the algorithm to fail, in the same way that a strict check
73would fail.
74
75- To control an algorithm context's checks via code requires a setter for each individual check e.g OSSL_PKEY_PARAM_FIPS_KEY_CHECK.
76
77```c
78    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FIPS_KEY_CHECK);
79    if (p != NULL
80        && !OSSL_PARAM_get_int(p, &ctx->key_check))
81        return 0;
82```
83
84The setter is initially -1 (unknown) and can be set to 0 or 1 via a set_ctx call.
85If the setter is needed it must be set BEFORE the FIPS related check is done.
86
87If the FIPS related approved mode check fails and either the ctx setter is zero
88OR the related FIPS configuration option is zero then the callback is triggered.
89If neither the setter of config option are zero then the algorithm should fail.
90If the callback is triggered a flag is set in the algorithm ctx that indicates
91that this algorithm is unapproved. Once the context is unapproved it will
92remain in this state.
93
94- To access the indicator via code requires a getter
95
96```c
97    p = OSSL_PARAM_locate(params, OSSL_ALG_PARAM_FIPS_APPROVED_INDICATOR);
98    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->approved))
99        return 0;
100```
101
102This initially has a value of 1, and may be set to 0 if the algorithm is
103unapproved. The getter allows you to access the indicator value after the
104operation has completed (e.g. Final or Derive related functions)
105
106- Example Algorithm Check
107
108```c
109void alg_init(ALG_CTX *ctx)
110{
111    ctx->strict_checks = -1;
112    ctx->approved = 1;
113}
114
115void alg_set_params(ALG_CTX *ctx, OSSL_PARAMS params[])
116{
117    p = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_STRICT_CHECKS);
118    if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->strict_checks))
119        return 0;
120}
121
122int alg_check_approved(ALG_CTX *ctx)
123{
124    int approved;
125
126    approved = some_fips_test_passes(ctx->libctx); // Check FIPS restriction for alg
127    if (!approved) {
128        ctx->approved = 0;
129        if (ctx->strict_checks == 0
130                || fips_config_get(ctx->libctx, op) == 0) {
131            if (!indicator_cb(ctx->libctx, "ALG NAME", "ALG DESC"))
132                return 0;
133        }
134    }
135    return 1;
136}
137```
138
139- Existing security check changes
140
141OpenSSL already uses FIPS configuration options to perform security_checks, but
142the existing code needs to change to work with indicators.
143
144e.g. existing code
145
146```c
147    if (ossl_securitycheck_enabled(ctx)) {
148       pass = do_some_alg_test(ctx);
149       if (!pass)
150        return 0; /* Produce an error */
151    }
152```
153
154In updated code for indicators the test always runs.. i.e.
155
156```c
157    pass = do_some_alg_test(ctx);
158    // Do code similar to alg_check_approved() above
159    // which will conditionally decide whether to return an error
160    // or trigger the indicator callback.
161```
162
163Issues with per algorithm ctx setters
164------------------------------------------------
165
166Normally a user would set params (such as OSSL_PKEY_PARAM_FIPS_KEY_CHECK) using
167set_ctx_params(), but some algorithms currently do checks in their init operation.
168These init functions normally pass an OSSL_PARAM[] argument, but this still
169requires the user to set the ctx params in their init.
170
171e.g.
172
173```c
174int strict = 0;
175params[0] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FIPS_KEY_CHECK, strict);
176EVP_DigestSignInit_ex(ctx, &pctx, name, libctx, NULL, pkey, params);
177// using EVP_PKEY_CTX_set_params() here would be too late
178```
179
180Delaying the check to after the init would be possible, but it would be a change
181in existing behaviour. For example the keysize checks are done in the init since
182this is when the key is setup.
183
184Notes
185-----
186
187There was discussion related to also having a global config setting that could
188turn off FIPS mode. This will not be added at this stage.
189
190MACROS
191------
192
193A generic object is used internally to embed the variables required for
194indicators into each algorithm ctx. The object contains the ctx settables and
195the approved flag.
196
197```c
198typedef struct ossl_fips_ind_st {
199    unsigned char approved;
200    signed char settable[OSSL_FIPS_IND_SETTABLE_MAX];
201} OSSL_FIPS_IND;
202```
203
204Since there are a lot of algorithms where indicators are needed it was decided
205to use MACROS to simplify the process.
206The following macros are only defined for the FIPS provider.
207
208- OSSL_FIPS_IND_DECLARE
209
210OSSL_FIPS_IND should be placed into the algorithm objects struct that is
211returned by a new()
212
213- OSSL_FIPS_IND_COPY(dst, src)
214
215This is used to copy the OSSL_FIPS_IND when calling a dup(). If the dup() uses
216*dst = *src then it is not required.
217
218- OSSL_FIPS_IND_INIT(ctx)
219
220Initializes the OSSL_FIPS_IND object. It should be called in the new().
221
222- OSSL_FIPS_IND_ON_UNAPPROVED(ctx, id, libctx, algname, opname, configopt_fn)
223
224This triggers the callback, id is the settable index and must also be used
225by OSSL_FIPS_IND_SET_CTX_PARAM(), algname and opname are strings that are passed
226to the indicator callback, configopt_fn is the FIPS configuration option.
227Where this is triggered depends on the algorithm. In most cases this can be done
228in the set_ctx().
229
230- OSSL_FIPS_IND_SETTABLE_CTX_PARAM(name)
231
232This must be put into the algorithms settable ctx_params table.
233The name is the settable 'key' name such as OSSL_PKEY_PARAM_FIPS_KEY_CHECK.
234There should be a matching name used by OSSL_FIPS_IND_SET_CTX_PARAM().
235There may be multiple of these.
236
237- OSSL_FIPS_IND_SET_CTX_PARAM(ctx, id, params, name)
238
239This should be put at the top of the algorithms set_ctx_params().
240There may be multiple of these. The name should match an
241OSSL_FIPS_IND_SETTABLE_CTX_PARAM() entry.
242The id should match an OSSL_FIPS_IND_ON_UNAPPROVED() entry.
243
244- OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
245
246This must be placed in the algorithms gettable_ctx_params table
247
248- OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)
249
250This must be placed in the algorithms get_ctx_params(),
251
252Some existing algorithms will require set_ctx_params()/settable_ctx_params()
253and/or get_ctx_params()/gettable_ctx_params() to be added if required.
254
255New Changes Required
256--------------------
257
258The following changes are required for FIPS 140-3 and will require indicators.
259On a cases by case basis we must decide what to do when unapproved mode is
260detected.
261The mechanism using FIPS configuration options and the indicator callback should
262be used for most of these unapproved cases (rather than always returning an error).
263
264### key size >= 112 bits
265
266There are a few places where we do not enforce key size that need to be addressed.
267
268- HMAC  Which applies to all algorithms that use HMAC also (e.g. HKDF, SSKDF, KBKDF)
269- CMAC
270- KMAC
271
272### Algorithm Transitions
273
274- DES_EDE3_ECB.  Disallowed for encryption, allowed for legacy decryption
275- DSA.  Keygen and Signing are no longer approved, verify is still allowed.
276- ECDSA B & K curves are deprecated, but still approved according to (IG C.K Resolution 4).\
277  If we chose not to remove them , then we need to check that OSSL_PKEY_PARAM_USE_COFACTOR_ECDH is set for key agreement if the cofactor is not 1.
278- ED25519/ED448 is now approved.
279- X25519/X448 is not approved currently. keygen and keyexchange would also need an indicator if we allow it?
280- RSA encryption(for key agreement/key transport) using PKCSV15 is no longer allowed. (Note that this breaks TLS 1.2 using RSA for KeyAgreement),
281  Padding mode updates required. Check RSA KEM also.
282- RSA signing using PKCS1 is still allowed (i.e. signature uses shaXXXWithRSAEncryption)
283- RSA signing using X931 is no longer allowed. (Still allowed for verification). Check if PSS saltlen needs a indicator (Note FIPS 186-4 Section 5.5 bullet(e). Padding mode updates required in rsa_check_padding(). Check if sha1 is allowed?
284- RSA (From SP800-131Ar2) RSA >= 2048 is approved for keygen, signatures and key transport. Verification allows 1024 also. Note also that according to the (IG section C.F) that fips 186-2 verification is also allowed (So this may need either testing OR an indicator, it also mentions the modulus size must be a multiple of 256). Check that rsa_keygen_pairwise_test() and RSA self tests are all compliant with the above RSA restrictions.
285- TLS1_PRF  If we are only trying to support TLS1.2 here then we should remove the tls1.0/1.1 code from the FIPS MODULE.
286- ECDSA Verify using prehashed message is not allowed.
287
288### Digest Checks
289
290Any algorithms that use a digest need to make sure that the CAVP certificate lists all supported FIPS digests otherwise an indicator is required.
291This applies to the following algorithms:
292
293- TLS_1_3_KDF (Only SHA256 and SHA384 Are allowed due to RFC 8446  Appendix B.4)
294- TLS1_PRF (Only SHA256,SHA384,SHA512 are allowed)
295- X963KDF (SHA1 is not allowed)
296- X942KDF
297- PBKDF2
298- HKDF
299- KBKDF
300- SSKDF
301- SSHKDF
302- HMAC
303- KMAC
304- Any signature algorithms such as RSA, DSA, ECDSA.
305
306The FIPS 140-3 IG Section C.B & C.C have notes related to Vendor affirmation.
307
308Note many of these (such as KDF's will not support SHAKE).
309See <https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0078-KDF-Add-FIPS-indicators.patch?ref_type=heads>
310ECDSA and RSA-PSS Signatures allow use of SHAKE.
311
312KECCAK-KMAC-128 and KECCAK-KMAC-256 should not be allowed for anything other than KMAC.
313Do we need to check which algorithms allow SHA1 also?
314
315Test that Deterministic ECDSA does not allow SHAKE (IG C.K Additional Comments 6)
316
317### Cipher Checks
318
319- CMAC
320- KBKDF CMAC
321- GMAC
322
323We should only allow AES. We currently just check the mode.
324
325### Configurable options
326
327- PBKDF2 'lower_bound_checks' needs to be part of the indicator check
328
329Other Changes
330-------------
331
332- AES-GCM Security Policy must list AES GCM IV generation scenarios
333- TEST_RAND is not approved.
334- SSKDF  The security policy needs to be specific about what it supports i.e. hash, kmac 128/256, hmac-hash. There are also currently no limitations on the digest for hash and hmac
335- KBKDF  Security policy should list KMAC-128, KMAC-256 otherwise it should be removed.
336- KMAC may need a lower bound check on the output size (SP800-185 Section 8.4.2)
337- HMAC (FIPS 140-3 IG Section C.D has notes about the output length when using a Truncated HMAC)
338