From 7d84a98339702b901a9693b224117ccb2a1bc31e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Sat, 29 Jul 2023 13:31:34 +0900
Subject: [PATCH] Mark SHA-1 signature verification non-approved in FIPS

Resolves: #2102751
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 gnutls-3.7.6-fips-sha1-sigver.patch | 109 ++++++++++++++++++++++++++++
 gnutls.spec                         |   6 +-
 2 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.7.6-fips-sha1-sigver.patch

diff --git a/gnutls-3.7.6-fips-sha1-sigver.patch b/gnutls-3.7.6-fips-sha1-sigver.patch
new file mode 100644
index 0000000..e5ba62a
--- /dev/null
+++ b/gnutls-3.7.6-fips-sha1-sigver.patch
@@ -0,0 +1,109 @@
+From 00f62aac690ba55650c58fa125a3806a8a684214 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 29 Jul 2023 13:21:37 +0900
+Subject: [PATCH] nettle: mark SHA-1 signature verification non-approved
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c   | 13 +++++--------
+ lib/pubkey.c      |  3 ---
+ tests/fips-test.c |  8 ++++----
+ 3 files changed, 9 insertions(+), 15 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index c098e2aa45..f0b8b6d707 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1575,10 +1575,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 			if (hash_len > vdata->size)
+ 				hash_len = vdata->size;
+ 
+-			/* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy
+-			 * mode */
+ 			switch (DIG_TO_MAC(sign_params->dsa_dig)) {
+-			case GNUTLS_MAC_SHA1:
+ 			case GNUTLS_MAC_SHA256:
+ 			case GNUTLS_MAC_SHA384:
+ 			case GNUTLS_MAC_SHA512:
+@@ -1656,8 +1653,8 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 			 * 2048-bit or one of the known lengths (1024, 1280,
+ 			 * 1536, 1792; i.e., multiple of 256-bits).
+ 			 *
+-			 * In addition to this, only SHA-1 and SHA-2 are allowed
+-			 * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
++			 * In addition to this, only SHA-2 is allowed for
++			 * SigVer; it is checked in _pkcs1_rsa_verify_sig in
+ 			 * lib/pubkey.c.
+ 			 */
+ 			if (unlikely(bits < 2048 &&
+@@ -1709,9 +1706,9 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 			}
+ 
+ 			/* RSA modulus size should be 2048-bit or larger in FIPS
+-			 * 140-3.  In addition to this, only SHA-1 and SHA-2 are
+-			 * allowed for SigVer, while Nettle only supports
+-			 * SHA256, SHA384, and SHA512 for RSA-PSS (see
++			 * 140-3.  In addition to this, only SHA-2 is allowed
++			 * for SigVer, while Nettle only supports SHA256,
++			 * SHA384, and SHA512 for RSA-PSS (see
+ 			 * _rsa_pss_verify_digest in this file for the details).
+ 			 */
+ 			if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+diff --git a/lib/pubkey.c b/lib/pubkey.c
+index be1b045fa7..052707d5da 100644
+--- a/lib/pubkey.c
++++ b/lib/pubkey.c
+@@ -2370,10 +2370,7 @@ _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
+ 	d.size = digest_size;
+ 
+ 	if (pk == GNUTLS_PK_RSA) {
+-		/* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy
+-		 * mode */
+ 		switch (me->id) {
+-		case GNUTLS_MAC_SHA1:
+ 		case GNUTLS_MAC_SHA256:
+ 		case GNUTLS_MAC_SHA384:
+ 		case GNUTLS_MAC_SHA512:
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index f789afb107..3549b727b9 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -471,7 +471,7 @@ void doit(void)
+ 	}
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 
+-	/* Verify a signature created with 2432-bit RSA and SHA-1; approved */
++	/* Verify a signature created with 2432-bit RSA and SHA-1; not approved */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1,
+ 					 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data,
+@@ -479,7 +479,7 @@ void doit(void)
+ 	if (ret < 0) {
+ 		fail("gnutls_pubkey_verify_data2 failed\n");
+ 	}
+-	FIPS_POP_CONTEXT(APPROVED);
++	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 	gnutls_free(signature.data);
+ 	gnutls_pubkey_deinit(pubkey);
+ 	gnutls_privkey_deinit(privkey);
+@@ -583,7 +583,7 @@ void doit(void)
+ 	}
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 
+-	/* Verify a signature created with ECDSA and SHA-1; approved */
++	/* Verify a signature created with ECDSA and SHA-1; not approved */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1,
+ 					 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data,
+@@ -591,7 +591,7 @@ void doit(void)
+ 	if (ret < 0) {
+ 		fail("gnutls_pubkey_verify_data2 failed\n");
+ 	}
+-	FIPS_POP_CONTEXT(APPROVED);
++	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 	gnutls_free(signature.data);
+ 
+ 	/* Create a signature with ECDSA and SHA-1 (old API); not approved */
+-- 
+2.41.0
+
diff --git a/gnutls.spec b/gnutls.spec
index 5f4731b..934c048 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 
 Version: 3.7.6
-Release: 22%{?dist}
+Release: 23%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@@ -41,6 +41,7 @@ Patch: gnutls-3.7.8-revert-hmac-name.patch
 Patch: gnutls-3.7.8-rsa-kx-timing.patch
 Patch: gnutls-3.7.8-fips-pct-dh.patch
 Patch: gnutls-3.7.6-fips-ems.patch
+Patch: gnutls-3.7.6-fips-sha1-sigver.patch
 
 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@@ -420,6 +421,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$x
 %endif
 
 %changelog
+* Sat Jul 29 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-23
+- Mark SHA-1 signature verification non-approved in FIPS (#2102751)
+
 * Tue Jul 18 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-22
 - Skip KTLS test on old kernel if host and target arches are different