Closed Bug 1930806 Opened 1 year ago Closed 11 months ago

FIPS changes need to be upstreamed

Categories

(NSS :: Libraries, enhancement)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

References

Details

Attachments

(5 files, 1 obsolete file)

The following FIPS changes need to be picked up from downstream:

  1. adding a new policy to require EMS and abort non-EMS connections if using TLS 1.2.
  2. various FIPS indicator fixes including:
    • adding checks for embedded hash mechanisms in PKCS #11 that those mechanisms are appropriate for the global mechanism (PRF, etc).
    • add checks for target length of keys when the mechanism has both an input and output key.
    • make sure the AES-GCM counter selection is FIPS approved.
    • add specialized indicator checks for PBKDF2.
  3. Add explicit KEA checks in KEA_Verify (only called in FIPS mode). This aids the review.
  4. Move FIPS indicator checks earlier in C_GenerateKey().
  5. The current guidance for KEX/KEM style pairwise consistency checks is to regenerate the public key from the private key rather than creating a fake key exchange operation.
  6. Check the generator as well as the prime for known primes to make sure we are using the same generator.
Assignee: nobody → rrelyea
Blocks: 1930794
Status: NEW → ASSIGNED

Incorporate FIPS changes.

  1. Add safe zero function to prevent compilers from optimizing away zeroing stack variables.
  2. Add explicit check for keys in KEA_Verify (this check is redundant, but I'm tired of explaining that to the lab and this call is only used in FIPS mode).
  3. Verify d is == 1 mod phi in RSA when generating a new key.
  4. Create a fatal error in FIPS mode if our private key operation fails to decrypt properly.
  5. Update the rng for FIPS 140-3 if NSS_FIPS_140_3 has been defined.
  6. Add policy to require EMS in TLS 1.2. The policy value is off by default.
  7. Update the fips_algorithms code:
    7a. move the enums and data structure to pkcs11u.c so that old versions of fips_algorithms.h can be used with new versions of NSS.
    7b. update to the latest Red Hat value (including checking the sizes on both input and output keys if appropriate).
    7c. add special checks for various KDF mechanisms that take different MACs to verify the given MAC is approved for that KDF.
    7d. add explicit indicator check in sftk_CryptMessage to verify the generator.
    7e. add indicators for RSA OAEP.
    7f. update length function with Edwards and Montgomery curves so that they don't get a fips indicator.
  8. Increase the salt length in the self-tests for PBKDF.
  9. update the derive key pairwise check to the FIPS 140-3 standards. The standards are to rederive the public key from the private key and verify that the new public key is the same as the old key.
  10. in DH, verify that the generator is also known when checking for a known prime.
  11. add indicator checks to GenerateKeyPair.
  12. update hkdf to only have an indicator if it is being used in TLS style usage.

For FIPS 140-3 our seed RNG needs to meet certain standards. On Linux this is accomplished by calling getrandom using GRND_RANDOM. This causes us to pull from the /dev/random pool rather than the /dev/urandom pool. This drains the /dev/random entropy counter, so you only want to do this if you are in FIPS mode. We also don't want to fall back onto the old /dev/urandom devices in this case.
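The seeding policy described above, as an added illustration that is not NSS's own code: in FIPS mode the request goes to getrandom(2) with GRND_RANDOM and any failure is returned to the caller, while only the non-FIPS path may fall back to reading the /dev/urandom device when the syscall is missing. The getrandom_fn indirection, the seed_rng name and the two stub providers are this example's own constructions so the fail-closed behaviour can be checked without depending on the kernel's pool state.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <unistd.h>

/* Signature matching getrandom(2). Injecting the provider (a constructed
 * convenience for this example) lets the policy logic be tested with stubs. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

static ssize_t real_getrandom(void *buf, size_t len, unsigned int flags) {
    return getrandom(buf, len, flags);
}

/* Legacy device read; acceptable only outside FIPS mode. */
static int read_dev_urandom(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fill buf with seed material. In FIPS mode the flags select the blocking
 * /dev/random pool (GRND_RANDOM) and there is no fallback: any failure other
 * than EINTR returns -1 and the caller must treat the seed as unavailable. */
int seed_rng(unsigned char *buf, size_t len, int fips_mode, getrandom_fn gr) {
    unsigned int flags = fips_mode ? GRND_RANDOM : 0;
    size_t got = 0;
    while (got < len) {
        ssize_t n = gr(buf + got, len - got, flags);
        if (n < 0) {
            if (errno == EINTR) continue;
            if (!fips_mode && errno == ENOSYS)       /* old kernel, non-FIPS only */
                return read_dev_urandom(buf + got, len - got);
            return -1;                               /* FIPS: fail closed */
        }
        got += (size_t)n;
    }
    return 0;
}

/* Constructed test doubles: one records the flags and fills the buffer with
 * a marker byte, the other behaves like a kernel without getrandom(2). */
static unsigned int last_flags;
ssize_t stub_fill(void *buf, size_t len, unsigned int flags) {
    last_flags = flags;
    for (size_t i = 0; i < len; i++) ((unsigned char *)buf)[i] = 0xAB;
    return (ssize_t)len;
}
ssize_t stub_enosys(void *buf, size_t len, unsigned int flags) {
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return -1;
}
unsigned int seed_rng_last_flags(void) { return last_flags; }

int main(void) {
    unsigned char seed[32];
    if (seed_rng(seed, sizeof seed, 1, real_getrandom) != 0) {
        fprintf(stderr, "FIPS seed unavailable\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof seed; i++) printf("%02x", seed[i]);
    printf("\n");
    return 0;
}
```

The stand-alone main seeds through the real syscall; the stubs exist so the two policy branches (GRND_RANDOM selected, no fallback in FIPS mode) can be exercised deterministically.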

  1. Add safe zero function to prevent compilers from optimizing away zeroing stack variables.

    • this is platform dependent, the dependency is handled in secport.h

    There is no programmatic way of testing this as it is tested in the lab by putting the code in the debugger and seeing if the key material is actually freed.
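One portable way to build such a function, added here as an example rather than taken from secport.h: call memset through a volatile function pointer, so the compiler cannot prove the final store to a dying stack buffer is dead and delete it. Platform-specific alternatives (memset_s, explicit_bzero, SecureZeroMemory) do the same job where available. The safe_zero, is_all_zero and demo_key_use names are this example's own; as the comment above says, a test can only confirm the bytes are zero, not that the compiler kept the call, which is what the debugger inspection is for.

```c
#include <stddef.h>
#include <string.h>

/* The volatile qualifier on the pointer forces the load of the target before
 * every call, so the optimizer cannot treat the call as a plain dead store. */
static void *(*const volatile secure_memset_fn)(void *, int, size_t) = memset;

/* Zero len bytes at p in a way that survives dead-store elimination. */
void safe_zero(void *p, size_t len) {
    secure_memset_fn(p, 0, len);
}

/* Returns 1 if every byte in [p, p+len) is zero, else 0. */
int is_all_zero(const unsigned char *p, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= p[i];
    return acc == 0;
}

/* Demo: constructed key material lives on the stack, is "used" (summed),
 * and is scrubbed before the frame is released. Returns the sum if the
 * scrub left the buffer all-zero, -1 otherwise. */
int demo_key_use(void) {
    unsigned char key[32];
    int sum = 0;
    for (size_t i = 0; i < sizeof key; i++) key[i] = (unsigned char)(i * 7 + 3);
    for (size_t i = 0; i < sizeof key; i++) sum += key[i];
    safe_zero(key, sizeof key);
    return is_all_zero(key, sizeof key) ? sum : -1;
}
```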

FIPS 140-3 have updated our key checks requirements:

  1. Add explicit check for keys in KEA_Verify (this check is redundant, but I'm tired of explaining that to the lab and this call is only used in FIPS mode).
  2. Verify d is == 1 mod phi in RSA when generating a new key.
  3. Create a fatal error in FIPS mode if our private key operation fails to decrypt properly.
  4. update the derive key pairwise check to the FIPS 140-3 standards. The standards are to rederive the public key from the private key and verify that the new public key is the same as the old key.
  5. in DH, verify that the generator is also known when checking for a known prime.
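The key checks listed above (the RSA exponent check, the verified private-key operation, the rederive-and-compare pairwise test, and the prime-plus-generator lookup), shown on toy 64-bit numbers as an added example; this is not NSS's multi-precision code, and the function names, the -1/-2 status convention and the known_groups table are constructed for illustration. Operands are kept below 2^32 so products fit in uint64_t.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy modular exponentiation; all operands must be below 2^32. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1, b = base % mod;
    while (exp) {
        if (exp & 1) result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return result;
}

/* Key-generation check: e*d must be 1 mod phi(n) = (p-1)(q-1). */
int rsa_key_consistent(uint64_t p, uint64_t q, uint64_t e, uint64_t d) {
    uint64_t phi = (p - 1) * (q - 1);
    return (e * d) % phi == 1;
}

/* Private-key operation with a post-check: re-encrypt the result under the
 * public exponent and compare it with the input. A mismatch returns -1,
 * which a FIPS-mode caller treats as fatal; outside FIPS mode it is -2. */
int rsa_private_op_checked(uint64_t c, uint64_t d, uint64_t e, uint64_t n,
                           int fips_mode, uint64_t *m_out) {
    uint64_t m = modpow(c, d, n);
    if (modpow(m, e, n) != c)
        return fips_mode ? -1 : -2;
    *m_out = m;
    return 0;
}

/* FIPS 140-3 style pairwise consistency for a KEX key: recompute the public
 * value from the private value and compare, instead of running a fake
 * key agreement. */
int dh_pairwise_consistent(uint64_t p, uint64_t g, uint64_t priv, uint64_t pub) {
    return modpow(g, priv, p) == pub;
}

/* Known-group lookup: a hit requires both the prime and the generator.
 * Constructed toy groups; the real table holds the standard DH groups. */
struct dh_group { uint64_t p; uint64_t g; };
static const struct dh_group known_groups[] = { { 23, 5 }, { 11, 2 } };

int dh_group_known(uint64_t p, uint64_t g) {
    for (size_t i = 0; i < sizeof known_groups / sizeof known_groups[0]; i++) {
        if (known_groups[i].p == p)
            return known_groups[i].g == g;   /* prime matched; generator must too */
    }
    return 0;
}
```

The textbook key p=61, q=53, e=17, d=2753 passes the exponent check and decrypts c=2790 to m=65; a d that is off by one fails the exponent check and also trips the post-check, which is exactly the situation the fatal-error rule is for.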

This patch creates an EMS policy which forces the use of EMS in SSL for TLS 1.0, TLS 1.1 and TLS 1.2. FIPS requires EMS. We enforce FIPS algorithm usage by policy, so we need a policy which allows us to force the use of EMS.

The code enforces the policy by checking if the policy value is set when we are about to use non-EMS master secret generation, and fails if the policy is set. The policy is off by default; it can be turned on explicitly. If someone says disable=all in the policy, the policy will still be off.

This check makes sure use of non-EMS is prevented in TLS (1.0-1.2). It doesn't always lead to pretty error messages. It might be worthwhile adding a check at the end of both the handle client hello and handle server hello to make sure EMS is negotiated for TLS 1.0-1.2 connections if this policy is set. That is not in this patch. Even if we add it, it's good to have the paranoia fallback to make sure we can't accidentally use non-EMS master secrets if the policy is turned on.
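The enforcement shape described above, as an added example that is not the patch's own code: an off-by-default flag that only an explicit enable turns on (disable=all leaves it alone), an early check after the hello messages for a clean error, and the fallback refusal at the master-secret derivation point. The policy string syntax, the struct and function names and the version constants are this example's own constructions, not NSS's identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed version codes for this example. */
#define TLS_1_0 0x0301
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

struct ssl_policy {
    int require_ems;   /* off by default; only an explicit enable turns it on */
};

/* Parse a constructed "key=value;key=value" policy string. Only the token
 * require-ems=on sets the flag. disable=all is deliberately a no-op here:
 * it disables algorithms elsewhere but never turns this policy on. */
void policy_parse(struct ssl_policy *pol, const char *text) {
    char buf[256];
    pol->require_ems = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";")) {
        if (strcmp(tok, "require-ems=on") == 0)
            pol->require_ems = 1;
    }
}

/* Convenience: parse and return the resulting flag. */
int policy_requires_ems(const char *text) {
    struct ssl_policy pol;
    policy_parse(&pol, text);
    return pol.require_ems;
}

/* Early check after the hellos are processed: returns 0 when the policy
 * is set, the connection is TLS 1.0-1.2 and EMS was not negotiated, so the
 * handshake can fail with a clear error. */
int hello_ems_check(const struct ssl_policy *pol, int version, int ems_negotiated) {
    if (version >= TLS_1_3 || !pol->require_ems) return 1;  /* not applicable */
    return ems_negotiated;
}

/* Paranoia fallback at the derivation point: refuse to derive a non-EMS
 * master secret whenever the policy is set. TLS 1.3 has no EMS concept and
 * a different key schedule, so it is never blocked. */
int master_secret_allowed(const struct ssl_policy *pol, int version, int ems_negotiated) {
    if (version >= TLS_1_3) return 1;
    if (ems_negotiated) return 1;
    return !pol->require_ems;
}

int main(void) {
    struct ssl_policy pol;
    policy_parse(&pol, "disable=all;require-ems=on");
    printf("require_ems=%d, non-EMS TLS 1.2 allowed=%d\n",
           pol.require_ems, master_secret_allowed(&pol, TLS_1_2, 0));
    return 0;
}
```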

We need to increase the length of salt in our Power On Self Test for HKDF.

Attachment #9440115 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
