All work
- Shibboleth SP - Windows - possible Privilege EscalationSSPCPP-961Resolved issue: SSPCPP-961Rod Widdowson
- Template AttributeResolver doesn't allow Unicode content in templateSSPCPP-940Resolved issue: SSPCPP-940Scott Cantor
- IIS Module not setting Cache-ControlSSPCPP-938Resolved issue: SSPCPP-938Scott Cantor
- Header smuggling bug due to mishandling in IIS7 moduleSSPCPP-934Resolved issue: SSPCPP-934Scott Cantor
- Check for missing DataSealer during cookie recoverySSPCPP-927Resolved issue: SSPCPP-927Scott Cantor
- Crash in SAML logout handler when no metadata presentSSPCPP-924Resolved issue: SSPCPP-924Scott Cantor
- Error templates allow query-based override of variablesSSPCPP-922Resolved issue: SSPCPP-922Scott Cantor
- External overrides break when custom handlers are usedSSPCPP-920Resolved issue: SSPCPP-920Scott Cantor
- native.logger includes a lot of categories specific to shibdSSPCPP-919Resolved issue: SSPCPP-919Scott Cantor
- Fixes to flags on modules and pluginsSSPCPP-917Resolved issue: SSPCPP-917Scott Cantor
- Recreating MDQ cache directory fails with warningSSPCPP-916Resolved issue: SSPCPP-916Scott Cantor
- Macport build fails on Big SurSSPCPP-911Resolved issue: SSPCPP-911Scott Cantor
- Unhandled Exception in iis7_shib.dllSSPCPP-904Resolved issue: SSPCPP-904Rod Widdowson
- Using an attributePrefix of "HTTP_" should be guardedSSPCPP-898Resolved issue: SSPCPP-898Scott Cantor
- Logout notifications are depending on access to SP sessionSSPCPP-891Resolved issue: SSPCPP-891Scott Cantor
- request from MDQ metadata provider does not include correct Accept headerSSPCPP-887Resolved issue: SSPCPP-887Scott Cantor
- Access discoveryURL via RequestMap within handlersSSPCPP-886Resolved issue: SSPCPP-886Scott Cantor
- Empty entityID in shibboleth2.xml causes seg faultSSPCPP-882Resolved issue: SSPCPP-882Scott Cantor
- Auto-registered SessionInitiators not usable via requireSessionWithSSPCPP-879Resolved issue: SSPCPP-879Scott Cantor
- Possible XML namespace issue in SPSSPCPP-877Resolved issue: SSPCPP-877Scott Cantor
- Specfile has unnecessary "fix-up" logic that should be removedSSPCPP-874Resolved issue: SSPCPP-874Scott Cantor
- BOOST assert with misconfigured ExternalAuthSSPCPP-872Resolved issue: SSPCPP-872Scott Cantor
- IIS url rewrite rule break authorizationSSPCPP-868Resolved issue: SSPCPP-868Rod Widdowson
- Attribute Resolver handler should propagate StatusCode to callerSSPCPP-865Resolved issue: SSPCPP-865Scott Cantor
- RPM overwritesSSPCPP-864Resolved issue: SSPCPP-864Scott Cantor
- Improve the error message 'Blocked unacceptable redirect location'SSPCPP-861Resolved issue: SSPCPP-861Scott Cantor
- New IIS module does not honor handlerSSL property.SSPCPP-858Resolved issue: SSPCPP-858Rod Widdowson
- Non-default handler URL fails with IIS 7 moduleSSPCPP-856Resolved issue: SSPCPP-856Scott Cantor
- Upgrade to v3 comments out unscoped-affiliation in an unmodified attribute-map.xmlSSPCPP-852Resolved issue: SSPCPP-852Scott Cantor
- Can't change from default binding templateSSPCPP-848Resolved issue: SSPCPP-848Scott Cantor
- Crash on malformed DateTime stringsSSPCPP-845Resolved issue: SSPCPP-845Scott Cantor
- Warn on duplicated handler locationsSSPCPP-840Resolved issue: SSPCPP-840Scott Cantor
- Shibboleth 3 RPM fails to build with FastCGI supportSSPCPP-834Resolved issue: SSPCPP-834Scott Cantor
- Upgrade to 3.0.1 comments out persistent-id in an unmodified attribute-map.xmlSSPCPP-832Resolved issue: SSPCPP-832Scott Cantor
- Review code for PropertySet options affected by namespace changeSSPCPP-831Resolved issue: SSPCPP-831Scott Cantor
- fastcgi support doesn't buildSSPCPP-829Resolved issue: SSPCPP-829Scott Cantor
- .NET Handler paths reported incorrectlySSPCPP-828Resolved issue: SSPCPP-828Rod Widdowson
- Attribute Resolver handler should propagate IdP errors to callerSSPCPP-739Resolved issue: SSPCPP-739Scott Cantor
DataSealer roundtrip encryption fails on Red Hat 9 OpenJDK in FIPS mode
Description
Environment
Attachments
is duplicated by
Activity
Scott Cantor November 27, 2023 at 2:10 PM
A nominal search for some of the relevant Cipher methods do not reveal any other (direct) usage by us across the IdP stack.
Scott Cantor November 22, 2023 at 6:49 PM
Appreciate all your help. We don’t do a lot of this anywhere else and this is exactly why, but we’ll search the code ourselves just in case after addressing this.
Paul Donohue November 22, 2023 at 6:27 PM(edited)
(I’ve been working with Rich on this)
I’ve attached an improved patch (DataSealer.patch) that fixes another issue with the Shib calls to Cipher.
Shib was definitely using the Cipher API improperly. It looks to me like the FIPS implementation is functioning within the API guarantees, but feel free to verify.
Note: I have NOT checked the rest of the Shibboleth codebase for other instances of similar misuse of Cipher.
More specifically:
Cipher.getOutputSize() returns a number that is intended to be used for sizing the output buffer.
However, per the API spec: “The actual output length … may be smaller than the length returned by this method.”
Shib was effectively assuming that getOutputSize() returned the actual output length, and it was doing the wrong thing in cases where getOutputSize() did not return the actual output length.
It looks like the non-FIPS implementation just happens to have getOutputSize() return the actual output length, but the FIPS implementation returns a number larger than the actual output length.In case it isn’t clear what Shib was doing wrong in the case where getOutputSize() is too big:
When converting a byte array to a String without specifying a length, the byte array’s length is used and null characters are included in the String. So, for example:
byte[] b = new byte[2];
b[0] = 'x';
String s = new String(b, StandardCharsets.UTF_8);
s.length(); // Returns 2
"x".equals(s); // Returns false because “x” != “x\0”So, the first fix is: Don’t assume the size of the output buffer is the size of the output data; Instead, track the actual output data size and pass it to anything that reads the output buffer.
The additional problem that I fixed in my improved patch is:
The Cipher API supports either streaming (“multiple-part”) or all-at-once (“single-part”) encryption/decryption.
Shib is not streaming, so it may use the all-at-once behavior … But it was instead using the streaming behavior … And it was using it wrong.
If you are using the streaming functions, then you are supposed to call getOutputSize() and create a new byte array output buffer for every call to .update() or .doFinal(), and then concatenate the buffers. However, Shib was not doing that.
The fix is to switch to using the all-at-once behavior (call the four-parameter doFinal()) instead of using the streaming behavior (calling update() followed by the two-parameter doFinal()).
Scott Cantor November 21, 2023 at 10:36 PM
Much appreciated. Seems like the code was probably wrong anyway, but I’ll dig into it, I want to make sure this isn’t a case of the FIPS code violating any API guarantees.
When trying to run Shibboleth with OpenJDK in FIPS mode, we noticed that the {{DataSealer.testEncryption()}} was failing with “Round trip encryption/decryption test unsuccessful. Decrypted text did not match”, causing the IdP to fail to start. We traced this to a quirk of the FIPS crypto implementation filling the unused portion of the output buffer with null characters, which the {{String}} constructor was picking up and including in the {{decrypted}} String.
I’ve attached a small patch that fixes this, taking into account that the actual length of the output (as returned by {{Cipher.update()}} and {{Cipher.doFinal}}) may be smaller than the size returned by {{Cipher.getOutputSize}}.