fips: perform only signature PCT for all RSA algorithms

Resolves: RHEL-69524 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2025-02-10 16:00:51 +09:00 · 2025-02-10 16:00:51 +09:00 · e5e6ca4128
commit e5e6ca4128
parent 510d9c743d
2 changed files with 146 additions and 0 deletions
--- a/gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch
+++ b/gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch
@ -0,0 +1,144 @@
+From 15018ea075e655f59c2cbd6338be51e4c8ea44a4 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 27 Jan 2025 16:36:41 +0900
+Subject: [PATCH 1/2] fips: perform only signature PCT for all RSA algorithms
+
+FIPS 140-3 IG 10.3.A states that having a signature PCT also covers
+key transport for RSA. Therefore, this consolidate all code paths for
+RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 67 ++++++-------------------------------------------
+ 1 file changed, 7 insertions(+), 60 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 91eaffd689..674cfe57e9 100644
+--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
+@@ -3599,7 +3599,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ 	gnutls_datum_t ddata, tmp = { NULL, 0 };
+ 	char *gen_data = NULL;
+ 	gnutls_x509_spki_st spki;
+-	gnutls_fips140_context_t context;
+ 
+ 	ret = _gnutls_x509_spki_copy(&spki, &params->spki);
+ 	if (ret < 0) {
+@@ -3624,7 +3623,13 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ 	} else if (algo == GNUTLS_PK_GOST_12_512) {
+ 		ddata.data = (void *)const_data_sha512;
+ 		ddata.size = sizeof(const_data_sha512);
+-	} else if (algo == GNUTLS_PK_RSA_PSS) {
+	} else if (GNUTLS_PK_IS_RSA(algo)) {
+		/* We only do a signature PCT for RSA, as FIPS 140-3
+		 * IG 10.3.A says that a signature PCT also covers a
+		 * key transport PCT, though the reverse is not true.
+		 */
+		algo = GNUTLS_PK_RSA_PSS;
+
+ 		if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)
+ 			spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
+ 
+@@ -3651,64 +3656,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ 	}
+ 
+ 	switch (algo) {
+-	case GNUTLS_PK_RSA:
+-	case GNUTLS_PK_RSA_OAEP:
+-		if (algo == GNUTLS_PK_RSA) {
+-			/* Push a temporary FIPS context because _gnutls_pk_encrypt and
+-			 * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation
+-			 * non-approved */
+-			if (gnutls_fips140_context_init(&context) < 0) {
+-				ret = gnutls_assert_val(
+-					GNUTLS_E_PK_GENERATION_ERROR);
+-				goto cleanup;
+-			}
+-			if (gnutls_fips140_push_context(context) < 0) {
+-				ret = gnutls_assert_val(
+-					GNUTLS_E_PK_GENERATION_ERROR);
+-				gnutls_fips140_context_deinit(context);
+-				goto cleanup;
+-			}
+-		}
+-
+-		ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);
+-		if (ret < 0) {
+-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+-		}
+-		if (ret == 0 && ddata.size == sig.size &&
+-		    memcmp(ddata.data, sig.data, sig.size) == 0) {
+-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+-		}
+-		if (ret == 0 &&
+-		    _gnutls_pk_decrypt(algo, &tmp, &sig, params) < 0) {
+-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+-		}
+-		if (ret == 0 &&
+-		    !(tmp.size == ddata.size &&
+-		      memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
+-			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+-		}
+-
+-		if (algo == GNUTLS_PK_RSA) {
+-			if (unlikely(gnutls_fips140_pop_context() < 0)) {
+-				ret = gnutls_assert_val(
+-					GNUTLS_E_PK_GENERATION_ERROR);
+-			}
+-			gnutls_fips140_context_deinit(context);
+-		}
+-
+-		if (ret < 0) {
+-			goto cleanup;
+-		}
+-
+-		free(sig.data);
+-		sig.data = NULL;
+-
+-		/* RSA-OAEP can't be used for signing */
+-		if (algo == GNUTLS_PK_RSA_OAEP) {
+-			break;
+-		}
+-
+-		FALLTHROUGH;
+ 	case GNUTLS_PK_EC: /* we only do keys for ECDSA */
+ 	case GNUTLS_PK_EDDSA_ED25519:
+ 	case GNUTLS_PK_EDDSA_ED448:
+-- 
+2.48.1
+
+
+From 81cd18f4344c2f56a804de1c30a316409928eeaf Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 10 Feb 2025 15:57:39 +0900
+Subject: [PATCH 2/2] tests: do not assume RSAES-PKCS1-v1_5 is enabled in
+ system config
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/system-override-allow-rsa-pkcs1-encrypt.sh | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index 714d0af946..30cb77ca50 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -56,14 +56,4 @@ if [ $? = 0 ]; then
+ fi
+ echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+-unset GNUTLS_SYSTEM_PRIORITY_FILE
+-unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+-
+-${TEST}
+-if [ $? != 0 ]; then
+-	echo "${TEST} expected to succeed by default"
+-	exit 1
+-fi
+-echo "RSAES-PKCS1-v1_5 successfully enabled by default"
+-
+ exit 0
+-- 
+2.48.1
+
--- a/gnutls.spec
+++ b/gnutls.spec
@ -28,6 +28,8 @@ Patch: gnutls-3.7.6-drbg-reseed.patch
 Patch: gnutls-3.7.6-fips-sha1-sigver.patch
 # not upstreamed: see https://gitlab.com/gnutls/gnutls/-/issues/1443
 Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch
+# not upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932
+Patch: gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch

 %bcond_without bootstrap
 %bcond_without dane