From 53a68f179c5d40fe25d5c0b6c4214dd1a0563169 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 22 Nov 2022 09:52:49 +0900 Subject: [PATCH] cipher: add restriction on CCM tag length under FIPS mode Resolves: #2137807 Signed-off-by: Daiki Ueno --- gnutls-3.7.6-fips-ccm-taglen.patch | 331 ++++++++++++++ ...ips-service-indicator-test-functions.patch | 407 ++++++++++++++++++ gnutls.spec | 7 +- 3 files changed, 744 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.7.6-fips-ccm-taglen.patch create mode 100644 gnutls-3.7.6-fips-service-indicator-test-functions.patch diff --git a/gnutls-3.7.6-fips-ccm-taglen.patch b/gnutls-3.7.6-fips-ccm-taglen.patch new file mode 100644 index 0000000..2ec015b --- /dev/null +++ b/gnutls-3.7.6-fips-ccm-taglen.patch @@ -0,0 +1,331 @@ +From 26b2caef673aba8bfd10db3b1b8117f941c18e58 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 21 Oct 2022 15:48:39 +0900 +Subject: [PATCH] cipher: add restriction on CCM tag length under FIPS mode + +This change prohibits any use of tag length other than 4, 6, 8, 10, +12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with +SP800-38C A.1. While use of tag lengths smaller than 8 bytes is not +recommended, we simply allow 4 and 6 bytes tags for now. + +Signed-off-by: Daiki Ueno +--- + lib/accelerated/aarch64/aes-ccm-aarch64.c | 39 ++++++++++ + lib/accelerated/x86/aes-ccm-x86-aesni.c | 39 ++++++++++ + lib/nettle/cipher.c | 55 ++++++++++++++ + tests/fips-test.c | 87 ++++++++++++++++++++++- + 4 files changed, 218 insertions(+), 2 deletions(-) + +diff --git a/lib/accelerated/aarch64/aes-ccm-aarch64.c b/lib/accelerated/aarch64/aes-ccm-aarch64.c +index a2ba259e99..b415d4ddfb 100644 +--- a/lib/accelerated/aarch64/aes-ccm-aarch64.c ++++ b/lib/accelerated/aarch64/aes-ccm-aarch64.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + typedef struct ccm_aarch64_aes_ctx { + AES_KEY key; +@@ -103,6 +104,25 @@ aes_ccm_aead_encrypt(void *_ctx, + if (unlikely(encr_size < plain_size + tag_size)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 ++ * and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 should not be used ++ * under sufficient restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ + ccm_encrypt_message(&ctx->key, aarch64_aes_encrypt, + nonce_size, nonce, + auth_size, auth, +@@ -129,6 +149,25 @@ aes_ccm_aead_decrypt(void *_ctx, + if (unlikely(plain_size < encr_size - tag_size)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 ++ * and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 should not be used ++ * under sufficient restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ + ret = ccm_decrypt_message(&ctx->key, aarch64_aes_encrypt, + nonce_size, nonce, + auth_size, auth, +diff --git a/lib/accelerated/x86/aes-ccm-x86-aesni.c b/lib/accelerated/x86/aes-ccm-x86-aesni.c +index 701c0f992a..9ebbdd7b2a 100644 +--- a/lib/accelerated/x86/aes-ccm-x86-aesni.c ++++ b/lib/accelerated/x86/aes-ccm-x86-aesni.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + typedef struct ccm_x86_aes_ctx { + AES_KEY key; +@@ -95,6 +96,25 @@ aes_ccm_aead_encrypt(void *_ctx, + if (unlikely(encr_size < plain_size + tag_size)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 ++ * and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 should not be used ++ * under sufficient restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ + ccm_encrypt_message(&ctx->key, x86_aes_encrypt, + nonce_size, nonce, + auth_size, auth, +@@ -121,6 +141,25 @@ aes_ccm_aead_decrypt(void *_ctx, + if (unlikely(plain_size < encr_size - tag_size)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 ++ * and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 should not be used ++ * under sufficient restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ + ret = ccm_decrypt_message(&ctx->key, x86_aes_encrypt, + nonce_size, nonce, + auth_size, auth, +diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c +index 9c2ce19e7e..8c23d11252 100644 +--- a/lib/nettle/cipher.c ++++ b/lib/nettle/cipher.c +@@ -1253,6 +1253,34 @@ wrap_nettle_cipher_aead_encrypt(void *_ctx, + ctx->cipher->tag(ctx->ctx_ptr, tag_size, ((uint8_t*)encr) + plain_size); + } else { + /* CCM-style cipher */ ++ ++ switch (ctx->cipher->algo) { ++ case GNUTLS_CIPHER_AES_128_CCM: ++ case GNUTLS_CIPHER_AES_256_CCM: ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 ++ * between 32 and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 ++ * should not be used under sufficient ++ * restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ break; ++ default: ++ break; ++ } ++ + ctx->cipher->aead_encrypt(ctx, + nonce_size, nonce, + auth_size, auth, +@@ -1302,6 +1330,33 @@ wrap_nettle_cipher_aead_decrypt(void *_ctx, + if (unlikely(plain_size < encr_size)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ++ switch (ctx->cipher->algo) { ++ case GNUTLS_CIPHER_AES_128_CCM: ++ case GNUTLS_CIPHER_AES_256_CCM: ++ /* SP800-38C A.1 says Tlen must be a multiple of 16 ++ * between 32 and 128. ++ */ ++ switch (tag_size) { ++ case 4: case 6: ++ /* SP800-38C B.2 says Tlen smaller than 64 ++ * should not be used under sufficient ++ * restriction. We simply allow those for now. ++ */ ++ FALLTHROUGH; ++ case 8: case 10: case 12: case 14: case 16: ++ break; ++ default: ++ if (_gnutls_fips_mode_enabled()) { ++ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ break; ++ } ++ break; ++ default: ++ break; ++ } ++ + ret = ctx->cipher->aead_decrypt(ctx, + nonce_size, nonce, + auth_size, auth, +diff --git a/tests/fips-test.c b/tests/fips-test.c +index f7556d7bbb..c43503fba0 100644 +--- a/tests/fips-test.c ++++ b/tests/fips-test.c +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include +@@ -213,14 +214,96 @@ test_cipher_disallowed(gnutls_cipher_algorithm_t cipher) + FIPS_POP_CONTEXT(ERROR); + } + ++static void ++test_ccm_cipher(gnutls_cipher_algorithm_t cipher, size_t tag_length, ++ bool expect_encryption_fail, ++ gnutls_fips140_operation_state_t expected_state) ++{ ++ int ret; ++ unsigned key_size = gnutls_cipher_get_key_size(cipher); ++ gnutls_aead_cipher_hd_t h; ++ gnutls_datum_t key = { key_data, key_size }; ++ unsigned char buffer[256]; ++ size_t length; ++ gnutls_memset(key_data, 0, key_size); ++ ++ FIPS_PUSH_CONTEXT(); ++ ret = gnutls_aead_cipher_init(&h, cipher, &key); ++ if (ret < 0) { ++ fail("gnutls_aead_cipher_init failed for %s\n", ++ gnutls_cipher_get_name(cipher)); ++ } ++ FIPS_POP_CONTEXT(APPROVED); ++ ++ fips_push_context(fips_context); ++ memset(buffer, 0, sizeof(buffer)); ++ length = sizeof(buffer); ++ ret = gnutls_aead_cipher_encrypt(h, iv_data, ++ gnutls_cipher_get_iv_size(cipher), ++ NULL, 0, tag_length, ++ buffer, length - tag_length, ++ buffer, &length); ++ if (expect_encryption_fail) { ++ if (ret != GNUTLS_E_INVALID_REQUEST) { ++ fail("gnutls_aead_cipher_encrypt(%s) returned %d " ++ "while %d is expected\n", ++ gnutls_cipher_get_name(cipher), ++ ret, GNUTLS_E_INVALID_REQUEST); ++ } ++ } else if (ret < 0) { ++ fail("gnutls_aead_cipher_encrypt failed for %s\n", ++ gnutls_cipher_get_name(cipher)); ++ } ++ fips_pop_context(fips_context, expected_state); ++ ++ fips_push_context(fips_context); ++ length = sizeof(buffer); ++ ret = gnutls_aead_cipher_decrypt(h, iv_data, ++ gnutls_cipher_get_iv_size(cipher), ++ NULL, 0, tag_length, ++ buffer, length, ++ buffer, &length); ++ if (expect_encryption_fail) { ++ if (ret != GNUTLS_E_INVALID_REQUEST) { ++ fail("gnutls_aead_cipher_decrypt(%s) returned %d " ++ "while %d is expected\n", ++ gnutls_cipher_get_name(cipher), ++ ret, GNUTLS_E_INVALID_REQUEST); ++ } ++ } else if (ret < 0) { ++ fail("gnutls_aead_cipher_decrypt failed for %s\n", ++ gnutls_cipher_get_name(cipher)); ++ } ++ fips_pop_context(fips_context, expected_state); ++ ++ gnutls_aead_cipher_deinit(h); ++} ++ + static inline void + test_ciphers(void) + { ++ size_t i; ++ + test_cipher_approved(GNUTLS_CIPHER_AES_128_CBC); + test_cipher_approved(GNUTLS_CIPHER_AES_192_CBC); + test_cipher_approved(GNUTLS_CIPHER_AES_256_CBC); +- test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM); +- test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM); ++ ++ /* Check for all allowed Tlen */ ++ for (i = 4; i <= 16; i += 2) { ++ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, i, ++ false, GNUTLS_FIPS140_OP_APPROVED); ++ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, i, ++ false, GNUTLS_FIPS140_OP_APPROVED); ++ } ++ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 3, ++ true, GNUTLS_FIPS140_OP_ERROR); ++ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 3, ++ true, GNUTLS_FIPS140_OP_ERROR); ++ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 5, ++ true, GNUTLS_FIPS140_OP_ERROR); ++ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 5, ++ true, GNUTLS_FIPS140_OP_ERROR); ++ + test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM_8); + test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM_8); + test_cipher_approved(GNUTLS_CIPHER_AES_128_CFB8); +-- +2.38.1 + diff --git a/gnutls-3.7.6-fips-service-indicator-test-functions.patch b/gnutls-3.7.6-fips-service-indicator-test-functions.patch new file mode 100644 index 0000000..99bd913 --- /dev/null +++ b/gnutls-3.7.6-fips-service-indicator-test-functions.patch @@ -0,0 +1,407 @@ +From e8b35d31817d207d8b4b87ccf104d3b93aa446e0 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 17 Oct 2022 11:11:43 +0900 +Subject: [PATCH] tests: move FIPS service indicator functions to common file + +Signed-off-by: Daiki Ueno +--- + tests/dh-compute.c | 36 +++++--------------------- + tests/fips-rsa-sizes.c | 24 ----------------- + tests/fips-test.c | 27 +++----------------- + tests/kdf-api.c | 27 +------------------- + tests/pkcs12_encode.c | 24 ----------------- + tests/privkey-keygen.c | 24 ----------------- + tests/utils.h | 58 ++++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 69 insertions(+), 151 deletions(-) + +diff --git a/tests/dh-compute.c b/tests/dh-compute.c +index 828fb05e9c..6c1d5328f6 100644 +--- a/tests/dh-compute.c ++++ b/tests/dh-compute.c +@@ -156,34 +156,10 @@ void doit(void) + { NULL } + }; + +-#define FIPS_PUSH_CONTEXT() do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != state) { \ +- fail("operation state is not %d (%d)\n", \ +- state, fips_state); \ +- } \ +- } \ +-} while (0) +- + for (int i = 0; test_data[i].name != NULL; i++) { + gnutls_datum_t priv_key, pub_key; + gnutls_dh_params_t dh_params; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + int ret; + + if (gnutls_fips140_mode_enabled()) { +@@ -193,24 +169,24 @@ void doit(void) + } + } + +- FIPS_PUSH_CONTEXT(); ++ fips_push_context(fips_context); + params(&dh_params, &test_data[i].prime, &test_data[i].q, + &test_data[i].generator); +- FIPS_POP_CONTEXT(GNUTLS_FIPS140_OP_INITIAL); ++ fips_pop_context(fips_context, GNUTLS_FIPS140_OP_INITIAL); + + success("%s genkey\n", test_data[i].name); + +- FIPS_PUSH_CONTEXT(); ++ fips_push_context(fips_context); + genkey(dh_params, &priv_key, &pub_key); +- FIPS_POP_CONTEXT(test_data[i].fips_state_genkey); ++ fips_pop_context(fips_context, test_data[i].fips_state_genkey); + + success("%s compute_key\n", test_data[i].name); + +- FIPS_PUSH_CONTEXT(); ++ fips_push_context(fips_context); + compute_key(test_data[i].name, dh_params, &priv_key, + &pub_key, &test_data[i].peer_key, + test_data[i].expected_error, NULL, 0); +- FIPS_POP_CONTEXT(test_data[i].fips_state_compute_key); ++ fips_pop_context(fips_context, test_data[i].fips_state_compute_key); + + gnutls_dh_params_deinit(dh_params); + gnutls_free(priv_key.data); +diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c +index 84b9affabb..5feb284503 100644 +--- a/tests/fips-rsa-sizes.c ++++ b/tests/fips-rsa-sizes.c +@@ -27,25 +27,6 @@ + #include + #include + +-#define FIPS_PUSH_CONTEXT() do { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ +- fail("operation state is not " # state " (%d)\n", \ +- fips_state); \ +- } \ +-} while (0) +- + + void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, + unsigned int size); +@@ -63,7 +44,6 @@ void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, + int ret; + gnutls_x509_privkey_t xprivkey; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + assert(gnutls_fips140_context_init(&fips_context) == 0); + + fprintf(stderr, "%d-bit\n", size); +@@ -102,7 +82,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, + int ret; + gnutls_x509_privkey_t xprivkey; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + assert(gnutls_fips140_context_init(&fips_context) == 0); + + fprintf(stderr, "%d-bit\n", size); +@@ -156,7 +135,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, + void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { + int ret; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + + gnutls_datum_t signature; + gnutls_datum_t plaintext = { +@@ -190,7 +168,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, + gnutls_pubkey_t pubkey) { + int ret; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + + gnutls_datum_t signature; + gnutls_datum_t plaintext = { +@@ -225,7 +202,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, + void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { + int ret; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + + gnutls_datum_t signature; + gnutls_datum_t plaintext = { +diff --git a/tests/fips-test.c b/tests/fips-test.c +index f789afb107..b0bae4ef9f 100644 +--- a/tests/fips-test.c ++++ b/tests/fips-test.c +@@ -12,25 +12,6 @@ + /* This does check the FIPS140 support. + */ + +-#define FIPS_PUSH_CONTEXT() do { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ +- fail("operation state is not " # state " (%d)\n", \ +- fips_state); \ +- } \ +-} while (0) +- + void _gnutls_lib_simulate_error(void); + + static void tls_log_func(int level, const char *str) +@@ -40,10 +21,9 @@ static void tls_log_func(int level, const char *str) + + static uint8_t key16[16]; + static uint8_t iv16[16]; +-uint8_t key_data[64]; +-uint8_t iv_data[16]; +-gnutls_fips140_context_t fips_context; +-gnutls_fips140_operation_state_t fips_state; ++static uint8_t key_data[64]; ++static uint8_t iv_data[16]; ++static gnutls_fips140_context_t fips_context; + + static const gnutls_datum_t data = { .data = (unsigned char *)"foo", 3 }; + static const uint8_t rsa2342_sha1_sig_data[] = { +@@ -276,6 +256,7 @@ test_ciphers(void) + void doit(void) + { + int ret; ++ gnutls_fips140_operation_state_t fips_state; + unsigned int mode; + gnutls_cipher_hd_t ch; + gnutls_hmac_hd_t mh; +diff --git a/tests/kdf-api.c b/tests/kdf-api.c +index 9724502005..a28ce82a62 100644 +--- a/tests/kdf-api.c ++++ b/tests/kdf-api.c +@@ -33,30 +33,7 @@ + #define MAX_BUF 1024 + + static gnutls_fips140_context_t fips_context; +-static gnutls_fips140_operation_state_t fips_state; +- +-#define FIPS_PUSH_CONTEXT() do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ +- fail("operation state is not " # state " (%d)\n", \ +- fips_state); \ +- } \ +- } \ +-} while (0) ++ + + static void + test_hkdf(gnutls_mac_algorithm_t mac, +@@ -74,7 +51,6 @@ test_hkdf(gnutls_mac_algorithm_t mac, + gnutls_datum_t prk; + gnutls_datum_t okm; + uint8_t buf[MAX_BUF]; +- int ret; + + success("HKDF test with %s\n", gnutls_mac_get_name(mac)); + +@@ -144,7 +120,6 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, + gnutls_datum_t salt; + gnutls_datum_t okm; + uint8_t buf[MAX_BUF]; +- int ret; + + success("PBKDF2 test with %s\n", gnutls_mac_get_name(mac)); + +diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c +index ea39f3d69e..dc55daccde 100644 +--- a/tests/pkcs12_encode.c ++++ b/tests/pkcs12_encode.c +@@ -70,29 +70,6 @@ static void tls_log_func(int level, const char *str) + fprintf(stderr, "|<%d>| %s", level, str); + } + +-#define FIPS_PUSH_CONTEXT() do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ +- fail("operation state is not " # state " (%d)\n", \ +- fips_state); \ +- } \ +- } \ +-} while (0) +- + void doit(void) + { + gnutls_pkcs12_t pkcs12; +@@ -106,7 +83,6 @@ void doit(void) + size_t size; + unsigned i; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; + size_t n_tests = 0; + struct tests { + const char *name; +diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c +index 2766afee08..2531906d71 100644 +--- a/tests/privkey-keygen.c ++++ b/tests/privkey-keygen.c +@@ -119,30 +119,6 @@ void doit(void) + gnutls_x509_privkey_t pkey, dst; + int ret, algorithm, i; + gnutls_fips140_context_t fips_context; +- gnutls_fips140_operation_state_t fips_state; +- +-#define FIPS_PUSH_CONTEXT() do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_push_context(fips_context); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_push_context failed\n"); \ +- } \ +- } \ +-} while (0) +- +-#define FIPS_POP_CONTEXT(state) do { \ +- if (gnutls_fips140_mode_enabled()) { \ +- ret = gnutls_fips140_pop_context(); \ +- if (ret < 0) { \ +- fail("gnutls_fips140_context_pop failed\n"); \ +- } \ +- fips_state = gnutls_fips140_get_operation_state(fips_context); \ +- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ +- fail("operation state is not " # state " (%d)\n", \ +- fips_state); \ +- } \ +- } \ +-} while (0) + + ret = global_init(); + if (ret < 0) +diff --git a/tests/utils.h b/tests/utils.h +index d3a2ba8d16..4433a07057 100644 +--- a/tests/utils.h ++++ b/tests/utils.h +@@ -210,4 +210,62 @@ inline static unsigned int get_dtls_retransmit_timeout(void) { + return (unsigned int) ul; + } + ++static inline const char * ++fips_operation_state_to_string(gnutls_fips140_operation_state_t state) ++{ ++ switch (state) { ++ case GNUTLS_FIPS140_OP_INITIAL: ++ return "INITIAL"; ++ case GNUTLS_FIPS140_OP_APPROVED: ++ return "APPROVED"; ++ case GNUTLS_FIPS140_OP_NOT_APPROVED: ++ return "NOT_APPROVED"; ++ case GNUTLS_FIPS140_OP_ERROR: ++ return "ERROR"; ++ default: ++ /*NOTREACHED*/ ++ assert(0); ++ return NULL; ++ } ++} ++ ++static inline void ++fips_push_context(gnutls_fips140_context_t context) ++{ ++ if (gnutls_fips140_mode_enabled()) { ++ int ret; ++ ++ ret = gnutls_fips140_push_context(context); ++ if (ret < 0) { ++ fail("gnutls_fips140_push_context failed\n"); ++ } ++ } ++} ++ ++static inline void ++fips_pop_context(gnutls_fips140_context_t context, ++ gnutls_fips140_operation_state_t expected_state) ++{ ++ gnutls_fips140_operation_state_t state; ++ ++ if (gnutls_fips140_mode_enabled()) { ++ int ret; ++ ++ ret = gnutls_fips140_pop_context(); ++ if (ret < 0) { ++ fail("gnutls_fips140_context_pop failed\n"); ++ } ++ state = gnutls_fips140_get_operation_state(context); ++ if (state != expected_state) { ++ fail("operation state is not %s (%s)\n", ++ fips_operation_state_to_string(expected_state), ++ fips_operation_state_to_string(state)); ++ } ++ } ++} ++ ++/* To use those convenient macros, define fips_context variable. */ ++#define FIPS_PUSH_CONTEXT() fips_push_context(fips_context) ++#define FIPS_POP_CONTEXT(state) fips_pop_context(fips_context, GNUTLS_FIPS140_OP_ ## state) ++ + #endif /* GNUTLS_TESTS_UTILS_H */ +-- +2.38.1 + diff --git a/gnutls.spec b/gnutls.spec index ca636aa..ac4cb16 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16)) } Version: 3.7.6 -Release: 13%{?dist} +Release: 14%{?dist} # not upstreamed Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch @@ -34,6 +34,8 @@ Patch: gnutls-3.7.8-xts-key-check.patch Patch: gnutls-3.7.8-clear-session-ticket.patch Patch: gnutls-3.7.7-aes-cbc-padding-support.patch Patch: gnutls-3.7.8-integrity-check.patch +Patch: gnutls-3.7.6-fips-service-indicator-test-functions.patch +Patch: gnutls-3.7.6-fips-ccm-taglen.patch # not upstreamed Patch: gnutls-3.7.3-disable-config-reload.patch @@ -398,6 +400,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Nov 22 2022 Daiki Ueno - 3.7.6-14 +- cipher: add restriction on CCM tag length under FIPS mode (#2137807) + * Tue Nov 15 2022 Zoltan Fridrich - 3.7.6-13 - fips: make XTS key check failure not fatal (#2130971) - enable source archive verification again (#2127094)