From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 16 Aug 2019 17:01:05 +0200 Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests Nettle's RSA signing, encryption and decryption functions still require randomness for blinding, so fallback to use a fixed buffer in selftests where entropy might not be available. Signed-off-by: Daiki Ueno --- lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index b2d27cf74..772fcdc21 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) nettle_mpz_get_str_256 (length, data, *k); } +static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) +{ + if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { + _gnutls_switch_lib_state(LIB_STATE_ERROR); + } + + memset(data, 0xAA, length); +} + static void ecc_scalar_zclear (struct ecc_scalar *s) { @@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, case GNUTLS_PK_RSA: { struct rsa_public_key pub; + nettle_random_func *random_func; ret = _rsa_params_to_pubkey(pk_params, &pub); if (ret < 0) { @@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, goto cleanup; } + if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) + random_func = rnd_nonce_func_fallback; + else + random_func = rnd_nonce_func; ret = - rsa_encrypt(&pub, NULL, rnd_nonce_func, + rsa_encrypt(&pub, NULL, random_func, plaintext->size, plaintext->data, p); if (ret == 0 || HAVE_LIB_ERROR()) { @@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, struct rsa_public_key pub; size_t length; bigint_t c; + nettle_random_func *random_func; _rsa_params_to_privkey(pk_params, &priv); ret = _rsa_params_to_pubkey(pk_params, &pub); @@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, goto cleanup; } + if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) + random_func = rnd_nonce_func_fallback; + else + random_func = rnd_nonce_func; ret = - rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, + rsa_decrypt_tr(&pub, &priv, NULL, random_func, &length, plaintext->data, TOMPZ(c)); _gnutls_mpi_release(&c); @@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, bigint_t c; uint32_t is_err; int ret; + nettle_random_func *random_func; if (algo != GNUTLS_PK_RSA || plaintext == NULL) { gnutls_assert(); @@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); } - ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, + if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) + random_func = rnd_nonce_func_fallback; + else + random_func = rnd_nonce_func; + ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, plaintext_size, plaintext, TOMPZ(c)); /* after this point, any conditional on failure that cause differences * in execution may create a timing or cache access pattern side @@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, { struct rsa_private_key priv; struct rsa_public_key pub; + nettle_random_func *random_func; mpz_t s; _rsa_params_to_privkey(pk_params, &priv); @@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, mpz_init(s); + if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) + random_func = rnd_nonce_func_fallback; + else + random_func = rnd_nonce_func; ret = - rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, + rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, vdata->size, vdata->data, s); if (ret == 0 || HAVE_LIB_ERROR()) { gnutls_assert(); -- 2.21.0