From 15018ea075e655f59c2cbd6338be51e4c8ea44a4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 27 Jan 2025 16:36:41 +0900
Subject: [PATCH 1/2] fips: perform only signature PCT for all RSA algorithms

FIPS 140-3 IG 10.3.A states that having a signature PCT also covers key transport for RSA. Therefore, this consolidate all code paths for RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT.

Signed-off-by: Daiki Ueno
---
 lib/nettle/pk.c | 67 ++++++------------------------------------------
 1 file changed, 7 insertions(+), 60 deletions(-)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 91eaffd689..674cfe57e9 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -3599,7 +3599,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 gnutls_datum_t ddata, tmp = { NULL, 0 };
 char *gen_data = NULL;
 gnutls_x509_spki_st spki;
- gnutls_fips140_context_t context;
 
 ret = _gnutls_x509_spki_copy(&spki, ¶ms->spki);
 if (ret < 0) {
@@ -3624,7 +3623,13 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 } else if (algo == GNUTLS_PK_GOST_12_512) {
 ddata.data = (void *)const_data_sha512;
 ddata.size = sizeof(const_data_sha512);
- } else if (algo == GNUTLS_PK_RSA_PSS) {
+ } else if (GNUTLS_PK_IS_RSA(algo)) {
+ /* We only do a signature PCT for RSA, as FIPS 140-3
+ * IG 10.3.A says that a signature PCT also covers a
+ * key transport PCT, though the reverse is not true.
+ */
+ algo = GNUTLS_PK_RSA_PSS;
+
 if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)
 spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
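Review bot: The new `GNUTLS_PK_IS_RSA` branch overwrites the `algo` parameter in place (`algo = GNUTLS_PK_RSA_PSS;`), so for a plain RSA or RSA-OAEP key every later use of `algo` in pct_test — the `switch (algo)` and whatever sign/verify or error reporting follows it outside this hunk — sees RSA-PSS rather than the algorithm the caller asked to test. A separate local, e.g. `gnutls_pk_algorithm_t pct_algo = GNUTLS_PK_IS_RSA(algo) ? GNUTLS_PK_RSA_PSS : algo;` used in the switch, would keep the caller's value available for diagnostics and make the substitution visible at the point where it changes the code path. The remapping only defaults `rsa_pss_dig`; the copied spki of a non-PSS key still feeds its own `salt_size` and any other fields into the PSS signing path, and I cannot tell from here what values those hold, so a comment such as `/* salt_size comes from the key's own spki; any value the PSS signer accepts is fine for the PCT */` would record that this is intended. Since the FIPS 140-3 IG document is revised periodically, the comment's citation of IG 10.3.A would be more durable with the revision date it relies on. The hunk's trailing context and the remainder of pct_test lie outside this hunk.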
@@ -3651,64 +3656,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 }
 
 switch (algo) {
- case GNUTLS_PK_RSA:
- case GNUTLS_PK_RSA_OAEP:
- if (algo == GNUTLS_PK_RSA) {
- /* Push a temporary FIPS context because _gnutls_pk_encrypt and
- * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation
- * non-approved */
- if (gnutls_fips140_context_init(&context) < 0) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- goto cleanup;
- }
- if (gnutls_fips140_push_context(context) < 0) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- gnutls_fips140_context_deinit(context);
- goto cleanup;
- }
- }
-
- ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);
- if (ret < 0) {
- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
- }
- if (ret == 0 && ddata.size == sig.size &&
- memcmp(ddata.data, sig.data, sig.size) == 0) {
- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
- }
- if (ret == 0 &&
- _gnutls_pk_decrypt(algo, &tmp, &sig, params) < 0) {
- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
- }
- if (ret == 0 &&
- !(tmp.size == ddata.size &&
- memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
- ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
- }
-
- if (algo == GNUTLS_PK_RSA) {
- if (unlikely(gnutls_fips140_pop_context() < 0)) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- }
- gnutls_fips140_context_deinit(context);
- }
-
- if (ret < 0) {
- goto cleanup;
- }
-
- free(sig.data);
- sig.data = NULL;
-
- /* RSA-OAEP can't be used for signing */
- if (algo == GNUTLS_PK_RSA_OAEP) {
- break;
- }
-
- FALLTHROUGH;
 case GNUTLS_PK_EC: /* we only do keys for ECDSA */
 case GNUTLS_PK_EDDSA_ED25519:
 case GNUTLS_PK_EDDSA_ED448:
-- 
2.48.1

From 81cd18f4344c2f56a804de1c30a316409928eeaf Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 10 Feb 2025 15:57:39 +0900
Subject: [PATCH 2/2] tests: do not assume RSAES-PKCS1-v1_5 is enabled in system config

Signed-off-by: Alexander Sosedkin
Signed-off-by: Daiki Ueno
---
 tests/system-override-allow-rsa-pkcs1-encrypt.sh | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
index 714d0af946..30cb77ca50 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
@@ -56,14 +56,4 @@ if [ $? = 0 ]; then
 fi
 echo "RSAES-PKCS1-v1_5 successfully disabled"
 
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
-
-${TEST}
-if [ $? != 0 ]; then
- echo "${TEST} expected to succeed by default"
- exit 1
-fi
-echo "RSAES-PKCS1-v1_5 successfully enabled by default"
-
 exit 0
-- 
2.48.1