vcsjones
Member

@vcsjones vcsjones commented Aug 23, 2024

Backport of #106779 to release/9.0

/cc @bartonjs @jeffhandley

Customer Impact

  • Customer reported
  • Found internally

This changes the SP800108HmacCounterKdf to use OpenSSL's KBKDF functionality instead of a managed implementation. If the OpenSSL version on the system does not support KBKDF, the implementation continues to fall back to the managed implementation.

This is a reaction to NIST having a CAVP on SP800-108. This change helps customers meet compliance needs by using a FIPS component from OpenSSL if it is available. The managed implementation that was used on Linux previously is not FIPS validated.

Regression

  • Yes
  • No

Testing

Extensive unit tests existed for this functionality and were used to validate the OpenSSL implementation is compatible with the managed implementation.

Risk

Low. Tests ensure the new OpenSSL functionality works as expected.
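
For readers comparing a native KBKDF backend against a fallback, a compact SP 800-108 HMAC counter-mode derivation with the edge-case lengths worth diffing. This is an added example, not code from this PR or from dotnet/runtime. It assumes 32-bit big-endian counter and length fields and a single zero byte between label and context; the key, label and context values are constructed.

```python
import hashlib
import hmac
import struct

MAX_BYTES = 0x1FFFFFFF  # [L] is a 32-bit count of *bits* (assumed field width)


def sp800108_hmac_counter(key, label, context, length, hash_name="sha256"):
    """Derive `length` bytes: K(i) = HMAC(key, [i]_32 || label || 0x00 || context || [L]_32)."""
    if not 1 <= length <= MAX_BYTES:
        raise ValueError("length must be between 1 and 0x1FFFFFFF bytes")
    digest_size = hashlib.new(hash_name).digest_size
    # The fixed input is the same for every block; only the counter changes.
    fixed = label + b"\x00" + context + struct.pack(">I", length * 8)
    blocks = -(-length // digest_size)  # ceiling division
    out = b""
    for i in range(1, blocks + 1):  # the counter starts at 1, not 0
        out += hmac.new(key, struct.pack(">I", i) + fixed, hash_name).digest()
    return out[:length]  # truncate the final block


def edge_lengths(hash_name="sha256"):
    """Output sizes where implementations tend to diverge: partial, exact, multi-block."""
    n = hashlib.new(hash_name).digest_size
    return [1, n - 1, n, n + 1, 2 * n + 5]


def vector_table(key, label, context, hash_name="sha256"):
    """Map each edge length to hex output, for diffing against another backend."""
    return {
        length: sp800108_hmac_counter(key, label, context, length, hash_name).hex()
        for length in edge_lengths(hash_name)
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    key = bytes(range(32))
    for length, hexout in vector_table(key, b"constructed-label", b"constructed-context").items():
        print(f"{length:3d} {hexout}")
```

Because the requested length is part of the HMAC input, a shorter output is not a prefix of a longer one, so each length has to be compared on its own.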

Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs requested a review from jeffhandley August 23, 2024 18:41
@teo-tsirpanis teo-tsirpanis added this to the 9.0.0 milestone Aug 23, 2024
@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Aug 23, 2024
@jeffhandley
Member

@artl93 - For your review for .NET 9 RC2. This is a change in the theme of security and helping customers remain FIPS compliant in reaction to a recent change from NIST, and we would service for it.

@jeffhandley
Member

/ba-g The failures are unrelated known test issues occurring on many PRs right now

@artl93 artl93 merged commit 2937bf3 into dotnet:release/9.0 Aug 23, 2024
97 of 103 checks passed
@vcsjones vcsjones deleted the backport-106779-to-release-9.0 branch August 23, 2024 22:56
@github-actions github-actions bot locked and limited conversation to collaborators Sep 23, 2024
@bartonjs bartonjs added the tracking This issue is tracking the completion of other related issues. label Oct 25, 2024
Labels
area-System.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. Servicing-approved Approved for servicing release tracking This issue is tracking the completion of other related issues.