zeroize rsa->p,rsa->q on error #24358

Closed

Contributor

@Sashan Sashan commented May 10, 2024

this is required by fips-186-5 section A.1.6, step 7:
Zeroize the internally generated values that are not returned

In OpenSSL code we need to zero p, q members of rsa structure. The rsa structure is provided by ossl_rsa_fips186_4_gen_prob_primes() caller.

The remaining values (variables) mentioned by standard are zeroed already in functions we call from ossl_rsa_fips186_4_gen_prob_primes().

@kroeckx
Member

kroeckx commented May 10, 2024

typo: fipd -> fips

@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 10, 2024
@Sashan Sashan requested a review from slontis May 10, 2024 08:04
@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: feature The issue/pr requests/adds a feature tests: exempted The PR is exempt from requirements for testing labels May 10, 2024
@t8m t8m removed the approval: otc review pending This pull request needs review by an OTC member label May 10, 2024
@t8m
Member

t8m commented May 10, 2024

Typos in commit message can be fixed when merging.

@@ -147,11 +147,15 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
ret = 1;
err:
/* Zeroize any internally generated values that are not returned */
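Review bot: `ret = 1;` falls straight through into `err:`, so everything under this label runs on the success path as well as on failure. The change here (the hunk grows from 11 to 15 lines) has to clear `rsa->p` and `rsa->q` only when `ret != 1`, and the comment "Zeroize any internally generated values that are not returned" should be extended to say that p and q in the caller-provided RSA structure are also cleared on failure, since those are fields the caller can see rather than locals.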
Member

I guess this comment is out of date.

Contributor Author

The comment is still valid for Xp0, Xq0 and tmp. Perhaps the newly added code should come with a comment saying to clear p and q in the RSA structure too on failure. I decided not to add more comments. IMO the code here explains itself.

@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels May 10, 2024
crypto/rsa/rsa_sp800_56b_gen.c
Contributor

@paulidale paulidale left a comment

The clearing ought to be wrapped by #ifdef FIPS_MODULE.
This is a NIST requirement, so we have to do it for FIPS.
It is a pointless requirement, so we don't want to do it outside of FIPS.

@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels May 11, 2024
@openssl-machine
Collaborator

This pull request is ready to merge

Member

@slontis slontis left a comment

#ifdef FIPS_MODULE is required here.

@paulidale paulidale added the hold: need otc decision The OTC needs to make a decision label May 13, 2024
@paulidale
Contributor

Not so much an OTC question, just a hold until the conditioning is put in.

@t8m
Member

t8m commented May 13, 2024

Actually here I prefer keeping the PR as is without the FIPS_MODULE ifdef. The reason is that it prevents reusing the previous p/q if they were set or some intermediate p/q values by the caller if it ignores the failure. Yeah, possibly this could be just BN_free() and not BN_clear_free() outside of FIPS_MODULE, but I do not think it is worth it as this is just an error case.
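The failure-path behaviour discussed in this thread, as an added example (not code from the PR or from OpenSSL): `toy_bn`, `toy_rsa`, `toy_wipe` and `toy_gen_primes` are hypothetical stand-ins for BIGNUM, RSA and the prime generator. It shows p and q being wiped, freed and set to NULL only when generation fails, so a caller that ignores the return value cannot pick up previously set or intermediate primes.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins, not OpenSSL types: a fixed-size "bignum" and the caller's key struct. */
typedef struct { unsigned char d[64]; } toy_bn;
typedef struct { toy_bn *p, *q; } toy_rsa;

/* Wipe through a volatile pointer so the stores are not optimized away. */
void toy_wipe(void *buf, size_t len)
{
    volatile unsigned char *v = buf;
    while (len--)
        *v++ = 0;
}

static toy_bn *toy_bn_new(unsigned char fill)
{
    toy_bn *b = malloc(sizeof(*b));
    if (b != NULL)
        memset(b->d, fill, sizeof(b->d));
    return b;
}

/* Analogue of BN_clear_free(): zero the value, then release it. */
static void toy_bn_clear_free(toy_bn *b)
{
    if (b == NULL)
        return;
    toy_wipe(b->d, sizeof(b->d));
    free(b);
}

/* fail_after_p simulates q generation failing once p is already stored. */
int toy_gen_primes(toy_rsa *rsa, int fail_after_p)
{
    int ret = 0;
    if (rsa->p == NULL && (rsa->p = toy_bn_new(0xAA)) == NULL)
        goto err;
    if (fail_after_p || (rsa->q == NULL && (rsa->q = toy_bn_new(0xBB)) == NULL))
        goto err;
    ret = 1;
err:
    if (ret != 1) { /* err: is also reached on success, so guard the wipe */
        toy_bn_clear_free(rsa->p);
        toy_bn_clear_free(rsa->q);
        rsa->p = rsa->q = NULL;
    }
    return ret;
}
```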

@t8m
Member

t8m commented May 13, 2024

So @paulidale please reconsider your hold.

@t8m
Member

t8m commented May 14, 2024

OTC: This is a good practice and p, q are private values. PR is OK as is.

@t8m t8m removed the hold: need otc decision The OTC needs to make a decision label May 14, 2024
@mattcaswell
Member

@Sashan: The author email address in the commit looks wrong here - I would have expected to see your openssl.org email address

this is rquired by fipd-186-5 section A.1.6, step 7:
	Zeroize the internally generated values that are not returned

In OpenSSL code we need to zero p, q members of rsa structure. The rsa
structure is provided by ossl_rsa_fips186_4_gen_prob_primes() caller.

The remaining values (variables) mentioned by standard are zeroed
already in functions we call from ossl_rsa_fips186_4_gen_prob_primes().
@t8m
Member

t8m commented May 14, 2024

Merged to the master branch. Thank you.

@t8m t8m closed this May 14, 2024
openssl-machine pushed a commit that referenced this pull request May 14, 2024
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #24358)
xnox pushed a commit to xnox/openssl that referenced this pull request May 14, 2024
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#24358)

(cherry picked from commit fb323b2)