gnutls/gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch

From 15018ea075e655f59c2cbd6338be51e4c8ea44a4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 27 Jan 2025 16:36:41 +0900
Subject: [PATCH 1/2] fips: perform only signature PCT for all RSA algorithms

FIPS 140-3 IG 10.3.A states that having a signature PCT also covers
key transport for RSA. Therefore, this consolidate all code paths for
RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/nettle/pk.c | 67 ++++++-------------------------------------------
 1 file changed, 7 insertions(+), 60 deletions(-)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 91eaffd689..674cfe57e9 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -3599,7 +3599,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 	gnutls_datum_t ddata, tmp = { NULL, 0 };
 	char *gen_data = NULL;
 	gnutls_x509_spki_st spki;
-	gnutls_fips140_context_t context;
 
 	ret = _gnutls_x509_spki_copy(&spki, &params->spki);
 	if (ret < 0) {
@@ -3624,7 +3623,13 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 	} else if (algo == GNUTLS_PK_GOST_12_512) {
 		ddata.data = (void *)const_data_sha512;
 		ddata.size = sizeof(const_data_sha512);
-	} else if (algo == GNUTLS_PK_RSA_PSS) {
+	} else if (GNUTLS_PK_IS_RSA(algo)) {
+		/* We only do a signature PCT for RSA, as FIPS 140-3
+		 * IG 10.3.A says that a signature PCT also covers a
+		 * key transport PCT, though the reverse is not true.
+		 */
+		algo = GNUTLS_PK_RSA_PSS;
+
 		if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)
 			spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
 
@@ -3651,64 +3656,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 	}
 
 	switch (algo) {
-	case GNUTLS_PK_RSA:
-	case GNUTLS_PK_RSA_OAEP:
-		if (algo == GNUTLS_PK_RSA) {
-			/* Push a temporary FIPS context because _gnutls_pk_encrypt and
-			 * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation
-			 * non-approved */
-			if (gnutls_fips140_context_init(&context) < 0) {
-				ret = gnutls_assert_val(
-					GNUTLS_E_PK_GENERATION_ERROR);
-				goto cleanup;
-			}
-			if (gnutls_fips140_push_context(context) < 0) {
-				ret = gnutls_assert_val(
-					GNUTLS_E_PK_GENERATION_ERROR);
-				gnutls_fips140_context_deinit(context);
-				goto cleanup;
-			}
-		}
-
-		ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);
-		if (ret < 0) {
-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
-		}
-		if (ret == 0 && ddata.size == sig.size &&
-		    memcmp(ddata.data, sig.data, sig.size) == 0) {
-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
-		}
-		if (ret == 0 &&
-		    _gnutls_pk_decrypt(algo, &tmp, &sig, params) < 0) {
-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
-		}
-		if (ret == 0 &&
-		    !(tmp.size == ddata.size &&
-		      memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
-		}
-
-		if (algo == GNUTLS_PK_RSA) {
-			if (unlikely(gnutls_fips140_pop_context() < 0)) {
-				ret = gnutls_assert_val(
-					GNUTLS_E_PK_GENERATION_ERROR);
-			}
-			gnutls_fips140_context_deinit(context);
-		}
-
-		if (ret < 0) {
-			goto cleanup;
-		}
-
-		free(sig.data);
-		sig.data = NULL;
-
-		/* RSA-OAEP can't be used for signing */
-		if (algo == GNUTLS_PK_RSA_OAEP) {
-			break;
-		}
-
-		FALLTHROUGH;
 	case GNUTLS_PK_EC: /* we only do keys for ECDSA */
 	case GNUTLS_PK_EDDSA_ED25519:
 	case GNUTLS_PK_EDDSA_ED448:
-- 
2.48.1


From 81cd18f4344c2f56a804de1c30a316409928eeaf Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 10 Feb 2025 15:57:39 +0900
Subject: [PATCH 2/2] tests: do not assume RSAES-PKCS1-v1_5 is enabled in
 system config

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 tests/system-override-allow-rsa-pkcs1-encrypt.sh | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
index 714d0af946..30cb77ca50 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
@@ -56,14 +56,4 @@ if [ $? = 0 ]; then
 fi
 echo "RSAES-PKCS1-v1_5 successfully disabled"
 
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
-
-${TEST}
-if [ $? != 0 ]; then
-	echo "${TEST} expected to succeed by default"
-	exit 1
-fi
-echo "RSAES-PKCS1-v1_5 successfully enabled by default"
-
 exit 0
-- 
2.48.1
fips: perform only signature PCT for all RSA algorithms Resolves: RHEL-69524 Signed-off-by: Daiki Ueno <dueno@redhat.com> 2025-02-10 07:00:51 +00:00			`From 15018ea075e655f59c2cbd6338be51e4c8ea44a4 Mon Sep 17 00:00:00 2001`
			`From: Daiki Ueno <ueno@gnu.org>`
			`Date: Mon, 27 Jan 2025 16:36:41 +0900`
			`Subject: [PATCH 1/2] fips: perform only signature PCT for all RSA algorithms`

			`FIPS 140-3 IG 10.3.A states that having a signature PCT also covers`
			`key transport for RSA. Therefore, this consolidate all code paths for`
			`RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT.`

			`Signed-off-by: Daiki Ueno <ueno@gnu.org>`
			`---`
			`lib/nettle/pk.c \| 67 ++++++-------------------------------------------`
			`1 file changed, 7 insertions(+), 60 deletions(-)`

			`diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c`
			`index 91eaffd689..674cfe57e9 100644`
			`--- a/lib/nettle/pk.c`
			`+++ b/lib/nettle/pk.c`
			`@@ -3599,7 +3599,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,`
			`gnutls_datum_t ddata, tmp = { NULL, 0 };`
			`char *gen_data = NULL;`
			`gnutls_x509_spki_st spki;`
			`- gnutls_fips140_context_t context;`

			`ret = _gnutls_x509_spki_copy(&spki, &params->spki);`
			`if (ret < 0) {`
			`@@ -3624,7 +3623,13 @@ static int pct_test(gnutls_pk_algorithm_t algo,`
			`} else if (algo == GNUTLS_PK_GOST_12_512) {`
			`ddata.data = (void *)const_data_sha512;`
			`ddata.size = sizeof(const_data_sha512);`
			`- } else if (algo == GNUTLS_PK_RSA_PSS) {`
			`+ } else if (GNUTLS_PK_IS_RSA(algo)) {`
			`+ /* We only do a signature PCT for RSA, as FIPS 140-3`
			`+ * IG 10.3.A says that a signature PCT also covers a`
			`+ * key transport PCT, though the reverse is not true.`
			`+ */`
			`+ algo = GNUTLS_PK_RSA_PSS;`
			`+`
			`if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)`
			`spki.rsa_pss_dig = GNUTLS_DIG_SHA256;`

			`@@ -3651,64 +3656,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,`
			`}`

			`switch (algo) {`
			`- case GNUTLS_PK_RSA:`
			`- case GNUTLS_PK_RSA_OAEP:`
			`- if (algo == GNUTLS_PK_RSA) {`
			`- /* Push a temporary FIPS context because _gnutls_pk_encrypt and`
			`- * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation`
			`- * non-approved */`
			`- if (gnutls_fips140_context_init(&context) < 0) {`
			`- ret = gnutls_assert_val(`
			`- GNUTLS_E_PK_GENERATION_ERROR);`
			`- goto cleanup;`
			`- }`
			`- if (gnutls_fips140_push_context(context) < 0) {`
			`- ret = gnutls_assert_val(`
			`- GNUTLS_E_PK_GENERATION_ERROR);`
			`- gnutls_fips140_context_deinit(context);`
			`- goto cleanup;`
			`- }`
			`- }`
			`-`
			`- ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);`
			`- if (ret < 0) {`
			`- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);`
			`- }`
			`- if (ret == 0 && ddata.size == sig.size &&`
			`- memcmp(ddata.data, sig.data, sig.size) == 0) {`
			`- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);`
			`- }`
			`- if (ret == 0 &&`
			`- _gnutls_pk_decrypt(algo, &tmp, &sig, params) < 0) {`
			`- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);`
			`- }`
			`- if (ret == 0 &&`
			`- !(tmp.size == ddata.size &&`
			`- memcmp(tmp.data, ddata.data, tmp.size) == 0)) {`
			`- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);`
			`- }`
			`-`
			`- if (algo == GNUTLS_PK_RSA) {`
			`- if (unlikely(gnutls_fips140_pop_context() < 0)) {`
			`- ret = gnutls_assert_val(`
			`- GNUTLS_E_PK_GENERATION_ERROR);`
			`- }`
			`- gnutls_fips140_context_deinit(context);`
			`- }`
			`-`
			`- if (ret < 0) {`
			`- goto cleanup;`
			`- }`
			`-`
			`- free(sig.data);`
			`- sig.data = NULL;`
			`-`
			`- /* RSA-OAEP can't be used for signing */`
			`- if (algo == GNUTLS_PK_RSA_OAEP) {`
			`- break;`
			`- }`
			`-`
			`- FALLTHROUGH;`
			`case GNUTLS_PK_EC: /* we only do keys for ECDSA */`
			`case GNUTLS_PK_EDDSA_ED25519:`
			`case GNUTLS_PK_EDDSA_ED448:`
			`--`
			`2.48.1`


			`From 81cd18f4344c2f56a804de1c30a316409928eeaf Mon Sep 17 00:00:00 2001`
			`From: Daiki Ueno <ueno@gnu.org>`
			`Date: Mon, 10 Feb 2025 15:57:39 +0900`
			`Subject: [PATCH 2/2] tests: do not assume RSAES-PKCS1-v1_5 is enabled in`
			`system config`

			`Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>`
			`Signed-off-by: Daiki Ueno <ueno@gnu.org>`
			`---`
			`tests/system-override-allow-rsa-pkcs1-encrypt.sh \| 10 ----------`
			`1 file changed, 10 deletions(-)`

			`diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh`
			`index 714d0af946..30cb77ca50 100755`
			`--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh`
			`+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh`
			`@@ -56,14 +56,4 @@ if [ $? = 0 ]; then`
			`fi`
			`echo "RSAES-PKCS1-v1_5 successfully disabled"`

			`-unset GNUTLS_SYSTEM_PRIORITY_FILE`
			`-unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID`
			`-`
			`-${TEST}`
			`-if [ $? != 0 ]; then`
			`- echo "${TEST} expected to succeed by default"`
			`- exit 1`
			`-fi`
			`-echo "RSAES-PKCS1-v1_5 successfully enabled by default"`
			`-`
			`exit 0`
			`--`
			`2.48.1`