Disable RSA blinding during FIPS self-tests

Related: rhbz#1835265
2020-05-20 10:41:58 +02:00 · 2020-05-20 10:41:58 +02:00 · f2ea860ff5
commit f2ea860ff5
parent 5de0851cf9
2 changed files with 129 additions and 1 deletions
--- a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
+++ b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
@ -0,0 +1,124 @@
+From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Fri, 16 Aug 2019 17:01:05 +0200
+Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
+
+Nettle's RSA signing, encryption and decryption functions still
+require randomness for blinding, so fallback to use a fixed buffer in
+selftests where entropy might not be available.
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 15ad4b4e9..ccf403b00 100644
+--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
+@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+ 	nettle_mpz_get_str_256 (length, data, *k);
+ }
+ 
+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+{
+	if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
+		_gnutls_switch_lib_state(LIB_STATE_ERROR);
+	}
+
+	memset(data, 0xAA, length);
+}
+
+ static void
+ ecc_scalar_zclear (struct ecc_scalar *s)
+ {
+@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
+ 	case GNUTLS_PK_RSA:
+ 		{
+ 			struct rsa_public_key pub;
+			nettle_random_func *random_func;
+ 
+ 			ret = _rsa_params_to_pubkey(pk_params, &pub);
+ 			if (ret < 0) {
+@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
+ 				goto cleanup;
+ 			}
+ 
+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+				random_func = rnd_nonce_func_fallback;
+			else
+				random_func = rnd_nonce_func;
+ 			ret =
+-			    rsa_encrypt(&pub, NULL, rnd_nonce_func,
+			    rsa_encrypt(&pub, NULL, random_func,
+ 					plaintext->size, plaintext->data,
+ 					p);
+ 			if (ret == 0 || HAVE_LIB_ERROR()) {
+@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
+ 			struct rsa_public_key pub;
+ 			size_t length;
+ 			bigint_t c;
+			nettle_random_func *random_func;
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+ 			ret = _rsa_params_to_pubkey(pk_params, &pub);
+@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
+ 				goto cleanup;
+ 			}
+ 
+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+				random_func = rnd_nonce_func_fallback;
+			else
+				random_func = rnd_nonce_func;
+ 			ret =
+-			    rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
+			    rsa_decrypt_tr(&pub, &priv, NULL, random_func,
+ 					   &length, plaintext->data,
+ 					   TOMPZ(c));
+ 			_gnutls_mpi_release(&c);
+@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
+ 	bigint_t c;
+ 	uint32_t is_err;
+ 	int ret;
+	nettle_random_func *random_func;
+ 
+ 	if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
+ 		gnutls_assert();
+@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
+ 		return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
+ 	}
+ 
+-	ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
+	if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+		random_func = rnd_nonce_func_fallback;
+	else
+		random_func = rnd_nonce_func;
+	ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
+ 			     plaintext_size, plaintext, TOMPZ(c));
+ 	/* after this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 		{
+ 			struct rsa_private_key priv;
+ 			struct rsa_public_key pub;
+			nettle_random_func *random_func;
+ 			mpz_t s;
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 			mpz_init(s);
+ 
+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+				random_func = rnd_nonce_func_fallback;
+			else
+				random_func = rnd_nonce_func;
+ 			ret =
+-			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
+			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
+ 					      vdata->size, vdata->data, s);
+ 			if (ret == 0 || HAVE_LIB_ERROR()) {
+ 				gnutls_assert();
+-- 
+2.25.4
+
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,9 +1,10 @@
 # This spec file has been automatically updated
 Version:	3.6.13
-Release: 2%{?dist}
+Release: 3%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
 Patch3:	gnutls-3.6.13-bump-linked-libs-soname-f33.patch
+Patch4:	gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@ -280,6 +281,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif

 %changelog
+* Tue May 19 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
+- Disable RSA blinding during FIPS self-tests
+
 * Thu May 14 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
 - Bump linked libraries soname to fix FIPS selftests (#1835265)