Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hkdf: when HMAC key is all zeros, still set a valid key length #24204

Closed
wants to merge 1 commit into from
Closed

hkdf: when HMAC key is all zeros, still set a valid key length #24204

wants to merge 1 commit into from

Conversation

xnox
Copy link
Contributor

@xnox xnox commented Apr 19, 2024

By itself, this is no change in any computation. However, this will unlock enforcing minimum key lengths for NIST and FIPS 140-3 requirements.

Also reading RFC8448 and RFC5869, this seems to be strictly correct too.

Submitting this separately from #24199 because this may seem as potentially critical change.

Checklist
  • documentation is added or updated
  • tests are added or updated

No tests adjusted as the expectations are to remain the same.

@xnox
hkdf: when HMAC key is all zeros, still set a valid key length
d657b03 
By itself, this is no change in any computation. However, this will
unlock enforcing minimum key lengths for NIST and FIPS 140-3
requirements.

Also reading RFC8448 and RFC5869, this seems to be strictly correct
too.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Apr 19, 2024
@xnox xnox mentioned this pull request Apr 19, 2024
Draft
2 tasks
@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 hold: needs tests The PR needs tests to be added to it branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 labels Apr 19, 2024
@t8m
Copy link
Member

t8m commented Apr 19, 2024

Hmm... given RFC5869 this is really a bug in our implementation. Apparently we do not test this case at all and we should. But the bug seems to be already in HKDF_Extract() - it should handle NULL salt properly - using the all zeros of mdlen.

@slontis
Copy link
Member

slontis commented Apr 24, 2024

The change seems fine to me..

HKDF_Extract() calls MAC_Init() which calls HMAC_Init_ex()..
And HMAC_Init_ex() does memset(&keytmp[keytmp_length], 0, 144 - keytmp_length);

So pre and post this change the same result will occur.

@slontis slontis removed the approval: otc review pending This pull request needs review by an OTC member label Apr 24, 2024
@slontis
Copy link
Member

slontis commented Apr 24, 2024

I think the change should only happen on master, since it makes no difference to the result.
The change is intended for a new FIPS provider moving forward - so should not be backported.

@t8m t8m added tests: exempted The PR is exempt from requirements for testing triaged: refactor The issue/pr requests/implements refactoring and removed hold: needs tests The PR needs tests to be added to it triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 labels Apr 24, 2024
t8m
t8m approved these changes Apr 24, 2024
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I did not realize that the HMAC does padding of the key implicitly.

@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Apr 24, 2024
@openssl-machine openssl-machine removed the approval: done This pull request has the required number of approvals label Apr 25, 2024
@openssl-machine openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Apr 25, 2024
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

@t8m
Copy link
Member

t8m commented Apr 25, 2024

Merged to the master branch. Thank you for your contribution.

@t8m t8m closed this Apr 25, 2024
openssl-machine pushed a commit that referenced this pull request Apr 25, 2024
@xnox @t8m
hkdf: when HMAC key is all zeros, still set a valid key length
15d6114 
By itself, this is no change in any computation. However, this will
unlock enforcing minimum key lengths for NIST and FIPS 140-3
requirements.

Also reading RFC8448 and RFC5869, this seems to be strictly correct
too.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #24204)
xnox added a commit to xnox/openssl that referenced this pull request May 13, 2024
@xnox
hkdf: when HMAC key is all zeros, still set a valid key length
fd36c86 
By itself, this is no change in any computation. However, this will
unlock enforcing minimum key lengths for NIST and FIPS 140-3
requirements.

Also reading RFC8448 and RFC5869, this seems to be strictly correct
too.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#24204)

(cherry picked from commit 15d6114)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t8m t8m t8m approved these changes

@shahsb shahsb shahsb approved these changes

@slontis slontis slontis approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch severity: fips change The pull request changes FIPS provider sources tests: exempted The PR is exempt from requirements for testing triaged: refactor The issue/pr requests/implements refactoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@xnox @t8m @slontis @openssl-machine @shahsb