crypto: DSA parameter validation in FIPS mode #3756
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mscdex
added
crypto
|
LGTM |
|
cc @nodejs/crypto I would like to have one more LGTM on this, just to be sure |
|
It is better to add a test to check if an error is thrown when it has a different key length in FIPS mode. |
|
@shigeki Do you mean it is better to check if OpenSSL returns an error rather than doing the key length checks in Node? If so, that is not possible because their error checking is broken and the process will segfault. We have to duplicate these checks inside Node until the bug is fixed in OpenSSL. |
stefanmb
force-pushed
the
fips-cs5-openssl-bug
branch
from
ff92715
to
c07bbb0
Compare
|
Removed superfluous newlines and switched to using NODE_FIPS_MODE. |
stefanmb
force-pushed
the
fips-cs5-openssl-bug
branch
from
c07bbb0
to
13af0ae
Compare
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first.
stefanmb
force-pushed
the
fips-cs5-openssl-bug
branch
from
13af0ae
to
c308612
Compare
|
We can have the test by using a different key length specified in FIPS. For example, 1025bit dsa key (actually 1088 bit) shows the following errors. var crypto = require('crypto');
var fs = require('fs');
var input = 'hello';
var dsapub = fs.readFileSync('./dsapub_1025.pem');
var dsapri = fs.readFileSync('./dsapri_1025.pem');
var sign = crypto.createSign('DSS1');
sign.update(input);
var signature = sign.sign(dsapri);
var verify = crypto.createVerify('DSS1');
verify.update(input);
console.log(verify.verify(dsapub, signature));$ ~/github/node_fips/node test2.js
crypto.js:279
var ret = this._handle.sign(toBuf(key), null, passphrase);
^
Error: PEM_read_bio_PrivateKey failed |
Check that invalid DSA key sizes are rejected in FIPS mode.
|
Done, thank you for the explanation! |
|
LGTM |
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider.
stefanmb
force-pushed
the
fips-cs5-openssl-bug
branch
from
45e4dd6
to
76f50a9
Compare
|
That's fine. LGTM. |
jasnell
pushed a commit
that referenced
this pull request
Nov 14, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Nov 14, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Nov 14, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
|
Landed in multiple commits. |
Fishrock123
pushed a commit
that referenced
this pull request
Nov 17, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Fishrock123
pushed a commit
that referenced
this pull request
Nov 17, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Fishrock123
pushed a commit
that referenced
this pull request
Nov 17, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 30, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 30, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 30, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Dec 4, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Dec 4, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Dec 4, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Closed
jasnell
pushed a commit
that referenced
this pull request
Dec 17, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Dec 17, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Dec 17, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Dec 23, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Dec 23, 2015
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell
pushed a commit
that referenced
this pull request
Dec 23, 2015
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For DSA signatures FIPS 180-4 Section 4.2 requires one of the following well-known parameter combinations: (L, N) pairs must be (1024, 160), (2048, 224), (2048, 256), or (3072, 256). Due to a bug in OpenSSL's error checking and memory allocation using an unacceptable combination will cause OpenSSL to overwrite random uninitialized pointers and it will mostly likely segfault instead of producing a friendly error. To prevent crashes we must do the checks before calling out to OpenSSL.
For the OpenSSL bug, see handling of 'BIGNUM m' in dsa_do_sign():
https://github.com/openssl/openssl/blob/OpenSSL-fips-2_0-dev/crypto/dsa/dsa_ossl.c
This bug has been previously found and reported to OpenSSL here: https://www.mail-archive.com/openssl-dev@openssl.org/msg36826.html