From 20ab0c731eea95327c8c2dc296461b612c6e98ae Mon Sep 17 00:00:00 2001

From: Nathaniel McCallum <npmccallum@redhat.com>

Date: Wed, 21 Feb 2018 23:39:55 -0500

Subject: [PATCH] Fix OTP validation in FIPS mode

NSS doesn't allow keys to be loaded directly in FIPS mode. To work around

this, we encrypt the input key using an ephemeral key and then unwrap the

encrypted key.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++++++++++++++++++++++++++++++--

 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c

index 619bc63ab1bee99d71c2f0fb887809762107c94c..0c9de96d37183e597867b736d6324db60fa1b3bb 100644

--- a/daemons/ipa-slapi-plugins/libotp/hotp.c

+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c

@@ -46,6 +46,7 @@

 #include <time.h>

 #include <nss.h>

+#include <blapit.h>

 #include <pk11pub.h>

 #include <hasht.h>

 #include <prnetdb.h>

@@ -66,6 +67,49 @@ static const struct {

     { }

 };

+static PK11SymKey *

+import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)

+{

+    uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];

+    uint8_t iv[AES_BLOCK_SIZE] = {};

+    SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };

+    SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };

+    PK11SymKey *ekey = NULL;

+    PK11SymKey *skey = NULL;

+

+    /* Try to import the key directly. */

+    skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,

+                             CKA_SIGN, key, NULL);

+    if (skey)

+        return skey;

+

+    /* If we get here, we are probably in FIPS mode. Let's encrypt the key so

+     * that we can unseal it instead of loading it directly. */

+

+    /* Generate an ephemeral key. */

+    ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,

+                                     AES_128_KEY_LENGTH, NULL,

+                                     CKF_ENCRYPT | CKF_UNWRAP,

+                                     PK11_ATTR_SESSION |

+                                     PK11_ATTR_PRIVATE |

+                                     PK11_ATTR_SENSITIVE, NULL);

+    if (!ekey)

+        goto egress;

+

+    /* Encrypt the input key. */

+    if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,

+                     ctitem.len, key->data, key->len) != SECSuccess)

+        goto egress;

+

+    /* Unwrap the input key. */

+    skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,

+                             &ctitem, mech, CKA_SIGN, key->len);

+

+egress:

+    PK11_FreeSymKey(ekey);

+    return skey;

+}

+

 /*

  * This code is mostly cargo-cult taken from here:

  *   http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html

@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,

         }

     }

-    symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,

-                               CKA_SIGN, key, NULL);

+    symkey = import_key(slot, mech, key);

     if (symkey == NULL)

         goto done;

-- 

2.14.3