Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: document OpenSSL-FIPS restriction on RSA key size #4654

Merged
merged 11 commits into from
Aug 8, 2024
Merged

chore: document OpenSSL-FIPS restriction on RSA key size #4654

merged 11 commits into from
Aug 8, 2024

Conversation

jouho
Copy link
Contributor

@jouho jouho commented Jul 17, 2024
edited
Loading

Resolved issues:

Resolves #4651

Description of changes:

Description of the error:

Error message:

FAILED test 76
!(((s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "512", "sha1"))) == (-1)) is not true  (s2n_security_policy_cert_preferences_test.c:317)
Error Message: 'size mismatch'
 Debug String: 'Error encountered in s2n_rsa.c:123'
 System Error: Success (0)

RSA_public_encrypt() returns -1, which causes "size mismatch" error:

s2n-tls/crypto/s2n_rsa.c

Lines 121 to 123 in b20075b

int r = RSA_public_encrypt(in->size, (unsigned char *) in->data, (unsigned char *) out->data,
s2n_unsafe_rsa_get_non_const(pub_key), RSA_PKCS1_PADDING);
POSIX_ENSURE((int64_t) r == (int64_t) out->size, S2N_ERR_SIZE_MISMATCH);

This is because in openssl fips module, a function checks to see if RSA key size is bigger than or equal to 1024, and returns -1 when the check fails. openssl-fips-2.0.13 is the fips module we use for openssl-1.0.2-fips. This fips module can be downloaded from here. (Not sure if there is publicly accessible page to view the code on browser)

# RSA_eay_public_encrypt() inside openssl-fips-2.0.13/crypto/rsa/rsa_eay.c
if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
    && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
    {
    RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
    return -1;
    }

Therefore using 512 bits cert causes the error above. aws_lc_fips doesn't seem to have this minimum requirement for RSA key size.

Testing:

No functional changes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jul 17, 2024
@jouho jouho marked this pull request as ready for review July 17, 2024 20:14
@jouho jouho requested review from jmayclin and maddeleine July 17, 2024 20:16
@jouho jouho changed the title Chore: document OpenSSL-FIPS restriction on RSA key size chore: document OpenSSL-FIPS restriction on RSA key size Jul 17, 2024
lrstewart
lrstewart reviewed Jul 18, 2024
View reviewed changes
Copy link
Contributor

@lrstewart lrstewart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job figuring this out!

@jouho jouho requested a review from lrstewart July 18, 2024 22:40
lrstewart
lrstewart reviewed Jul 18, 2024
View reviewed changes
jmayclin
jmayclin reviewed Jul 23, 2024
View reviewed changes
tests/unit/s2n_security_policy_cert_preferences_test.c Outdated
@@ -314,11 +315,19 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free);
/* use a very insecure cert that would not be included in any reasonable cert preferences */
EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "1024", "sha1"));
if (s2n_is_in_fips_mode() && !s2n_libcrypto_is_awslc()) {
/* OpenSSL FIPS module requires the key size for RSA to be bigger than or equal to 1024 bits.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it just 1.0.2 FIPs that has this restriction, or does 3.x also have this restriction?

Copy link
Contributor Author

@jouho jouho Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not too sure if 3.x has the same restriction, but I wasn't able to find the same function that checks for rsa key size in 3.x.

This if (s2n_is_in_fips_mode() && !s2n_libcrypto_is_awslc()) check wouldn't include 3.x though, because the way we are detecting FIPS is not supported in 3.0 and higher. We call FIPS_mode() to determine if libcrypto is in fips mode. This function is not present in 3.x

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In 3.X, it seems the minimum key size for RSA is 2048:
https://github.com/openssl/openssl/blob/4f5febe2c684a803553171940634c1b6f4b7ba40/include/openssl/rsa.h#L48

@jouho jouho requested a review from jmayclin July 25, 2024 16:18
jouho added 2 commits July 31, 2024 00:03
@jouho
address PR feedback
6faed05 
- use the 1024 certs for test
- simplify test with 1024 certs
@jouho
remove unnecessary import
11aaf09
@jouho jouho requested a review from lrstewart July 31, 2024 00:07
lrstewart
lrstewart reviewed Aug 5, 2024
View reviewed changes
@jouho
address PR feedback
d616c0d 
- fix the error condition
- comment fix
@jouho jouho requested a review from lrstewart August 6, 2024 21:16
@jouho jouho enabled auto-merge (squash) August 7, 2024 23:52
@jouho jouho merged commit f6a5c2f into main Aug 8, 2024
38 checks passed
@jouho jouho deleted the document-512-bits-RSA-failure-with-OSSL-FIPS branch August 8, 2024 01:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lrstewart lrstewart lrstewart approved these changes

@jmayclin jmayclin jmayclin approved these changes

@maddeleine maddeleine Awaiting requested review from maddeleine

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

openssl 1.0.2 fips: unexpected failure with 512 bit RSA
3 participants
@jouho @lrstewart @jmayclin