Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: DSA parameter validation in FIPS mode #3756

Closed
wants to merge 3 commits into from

Conversation

stefanmb
Copy link
Contributor

For DSA signatures FIPS 180-4 Section 4.2 requires one of the following well-known parameter combinations: (L, N) pairs must be (1024, 160), (2048, 224), (2048, 256), or (3072, 256). Due to a bug in OpenSSL's error checking and memory allocation using an unacceptable combination will cause OpenSSL to overwrite random uninitialized pointers and it will mostly likely segfault instead of producing a friendly error. To prevent crashes we must do the checks before calling out to OpenSSL.

For the OpenSSL bug, see handling of 'BIGNUM m' in dsa_do_sign():
https://github.com/openssl/openssl/blob/OpenSSL-fips-2_0-dev/crypto/dsa/dsa_ossl.c

This bug has been previously found and reported to OpenSSL here: https://www.mail-archive.com/openssl-dev@openssl.org/msg36826.html

@mscdex mscdex added crypto Issues and PRs related to the crypto subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. labels Nov 11, 2015
@indutny
Copy link
Member

indutny commented Nov 11, 2015

LGTM

@indutny
Copy link
Member

indutny commented Nov 11, 2015

cc @nodejs/crypto I would like to have one more LGTM on this, just to be sure

@shigeki
Copy link
Contributor

shigeki commented Nov 12, 2015

It is better to add a test to check if an error is thrown when it has a different key length in FIPS mode.

@stefanmb
Copy link
Contributor Author

@shigeki Do you mean it is better to check if OpenSSL returns an error rather than doing the key length checks in Node?

If so, that is not possible because their error checking is broken and the process will segfault. We have to duplicate these checks inside Node until the bug is fixed in OpenSSL.

@stefanmb
Copy link
Contributor Author

Removed superfluous newlines and switched to using NODE_FIPS_MODE.

FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.
@shigeki
Copy link
Contributor

shigeki commented Nov 13, 2015

We can have the test by using a different key length specified in FIPS. For example, 1025bit dsa key (actually 1088 bit) shows the following errors.

var crypto = require('crypto');
var fs = require('fs');

var input = 'hello';

var dsapub = fs.readFileSync('./dsapub_1025.pem');
var dsapri = fs.readFileSync('./dsapri_1025.pem');
var sign = crypto.createSign('DSS1');
sign.update(input);
var signature = sign.sign(dsapri);

var verify = crypto.createVerify('DSS1');
verify.update(input);
console.log(verify.verify(dsapub, signature));
$ ~/github/node_fips/node test2.js
crypto.js:279
  var ret = this._handle.sign(toBuf(key), null, passphrase);
                         ^

Error: PEM_read_bio_PrivateKey failed

Check that invalid DSA key sizes are rejected in FIPS mode.
@stefanmb
Copy link
Contributor Author

@shigeki

Done, thank you for the explanation!

@jasnell
Copy link
Member

jasnell commented Nov 13, 2015

LGTM

Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.
@shigeki
Copy link
Contributor

shigeki commented Nov 14, 2015

That's fine. LGTM.

jasnell pushed a commit that referenced this pull request Nov 14, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Nov 14, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Nov 14, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell
Copy link
Member

jasnell commented Nov 14, 2015

Landed in multiple commits.

@jasnell jasnell closed this Nov 14, 2015
Fishrock123 pushed a commit that referenced this pull request Nov 17, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fishrock123 pushed a commit that referenced this pull request Nov 17, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fishrock123 pushed a commit that referenced this pull request Nov 17, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Nov 30, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Nov 30, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Nov 30, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg pushed a commit that referenced this pull request Dec 4, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg pushed a commit that referenced this pull request Dec 4, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg pushed a commit that referenced this pull request Dec 4, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell jasnell mentioned this pull request Dec 17, 2015
jasnell pushed a commit that referenced this pull request Dec 17, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Dec 17, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Dec 17, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Dec 23, 2015
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Dec 23, 2015
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Dec 23, 2015
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.

PR-URL: #3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants