-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: DSA parameter validation in FIPS mode #3756
Conversation
LGTM |
cc @nodejs/crypto I would like to have one more LGTM on this, just to be sure |
It is better to add a test to check if an error is thrown when it has a different key length in FIPS mode. |
@shigeki Do you mean it is better to check if OpenSSL returns an error rather than doing the key length checks in Node? If so, that is not possible because their error checking is broken and the process will segfault. We have to duplicate these checks inside Node until the bug is fixed in OpenSSL. |
ff92715
to
c07bbb0
Compare
Removed superfluous newlines and switched to using NODE_FIPS_MODE. |
c07bbb0
to
13af0ae
Compare
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first.
13af0ae
to
c308612
Compare
We can have the test by using a different key length specified in FIPS. For example, 1025bit dsa key (actually 1088 bit) shows the following errors. var crypto = require('crypto');
var fs = require('fs');
var input = 'hello';
var dsapub = fs.readFileSync('./dsapub_1025.pem');
var dsapri = fs.readFileSync('./dsapri_1025.pem');
var sign = crypto.createSign('DSS1');
sign.update(input);
var signature = sign.sign(dsapri);
var verify = crypto.createVerify('DSS1');
verify.update(input);
console.log(verify.verify(dsapub, signature)); $ ~/github/node_fips/node test2.js
crypto.js:279
var ret = this._handle.sign(toBuf(key), null, passphrase);
^
Error: PEM_read_bio_PrivateKey failed |
Check that invalid DSA key sizes are rejected in FIPS mode.
Done, thank you for the explanation! |
LGTM |
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider.
45e4dd6
to
76f50a9
Compare
That's fine. LGTM. |
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Landed in multiple commits. |
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an invalid combination is used, so we must check the input sanity first. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using a FIPS verified cryptographic provider. PR-URL: #3756 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
For DSA signatures FIPS 180-4 Section 4.2 requires one of the following well-known parameter combinations: (L, N) pairs must be (1024, 160), (2048, 224), (2048, 256), or (3072, 256). Due to a bug in OpenSSL's error checking and memory allocation using an unacceptable combination will cause OpenSSL to overwrite random uninitialized pointers and it will mostly likely segfault instead of producing a friendly error. To prevent crashes we must do the checks before calling out to OpenSSL.
For the OpenSSL bug, see handling of 'BIGNUM m' in dsa_do_sign():
https://github.com/openssl/openssl/blob/OpenSSL-fips-2_0-dev/crypto/dsa/dsa_ossl.c
This bug has been previously found and reported to OpenSSL here: https://www.mail-archive.com/openssl-dev@openssl.org/msg36826.html