import libgcrypt-1.10.0-10.el9_1

This commit is contained in:
CentOS Sources 2023-04-11 14:19:06 +00:00 committed by Stepan Oksanichenko
parent 3a05836646
commit 286d3be13d
13 changed files with 2523 additions and 42 deletions

View File

@ -48,4 +48,30 @@ index c98247d8..aee5bffb 100644
-- --
2.37.1 2.37.1
commit 02718ade6ab5eee38169c2102097166770a2456d
Author: Jakub Jelen <jjelen@redhat.com>
Date: Thu Oct 20 16:33:11 2022 +0200
visiblity: Check the HMAC key length in FIPS mode
---
* src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
mode also in the md_ API.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/src/visibility.c b/src/visibility.c
index 150b197d..73db3dea 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
{
if (!fips_is_operational ())
return gpg_error (fips_not_operational ());
+
+ if (fips_mode () && keylen < 14)
+ return GPG_ERR_INV_VALUE;
+
return gpg_error (_gcry_md_setkey (hd, key, keylen));
}

View File

@ -0,0 +1,85 @@
From 45b80678109e5817b7cd15566a9d6c96b064b95f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 15:39:15 +0100
Subject: [PATCH] random: Remove unused SHA384 DRBGs.
* random/random-drbg.c (global): Remove unused SHA384-based defines.
(drbg_cores): Remove SHA384 configurations.
(drbg_sec_strength): Remove unused SHA384.
--
These are no longer allowed by FIPS and it looks like they were never
usable as they do not have any conversion from the string flags.
GnuPG-bug-id: 6393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
random/random-drbg.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/random/random-drbg.c b/random/random-drbg.c
index f1cfe286..af49a5a5 100644
--- a/random/random-drbg.c
+++ b/random/random-drbg.c
@@ -188,11 +188,9 @@
#define DRBG_HASHSHA1 ((u32)1<<4)
#define DRBG_HASHSHA224 ((u32)1<<5)
#define DRBG_HASHSHA256 ((u32)1<<6)
-#define DRBG_HASHSHA384 ((u32)1<<7)
#define DRBG_HASHSHA512 ((u32)1<<8)
#define DRBG_HASH_MASK (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
- | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
- | DRBG_HASHSHA512)
+ | DRBG_HASHSHA256 | DRBG_HASHSHA512)
/* type modifiers (A.3)*/
#define DRBG_HMAC ((u32)1<<12)
#define DRBG_SYM128 ((u32)1<<13)
@@ -211,23 +209,18 @@
#define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
#define DRBG_PR_HASHSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
#define DRBG_PR_HASHSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
-#define DRBG_PR_HASHSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
#define DRBG_PR_HASHSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
#define DRBG_NOPR_HASHSHA1 (DRBG_HASHSHA1)
#define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
-#define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
#define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
#define DRBG_PR_HMACSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
| DRBG_HMAC)
#define DRBG_PR_HMACSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
| DRBG_HMAC)
-#define DRBG_PR_HMACSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
- | DRBG_HMAC)
#define DRBG_PR_HMACSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
| DRBG_HMAC)
#define DRBG_NOPR_HMACSHA1 (DRBG_HASHSHA1 | DRBG_HMAC)
#define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
-#define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
#define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
@@ -359,12 +352,10 @@ static const struct drbg_core_s drbg_cores[] = {
/* Hash DRBGs */
{DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
{DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
- {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
{DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
/* HMAC DRBGs */
{DRBG_HASHSHA1 | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
{DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
- {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
{DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
/* block ciphers */
{DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
@@ -543,7 +534,7 @@ drbg_sec_strength (u32 flags)
else if (flags & DRBG_SYM192)
return 24;
else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
- (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
+ (flags & DRBG_HASHSHA512))
return 32;
else
return 32;
--
2.39.2

View File

@ -0,0 +1,277 @@
From fd832687f36c1885d2388c55f7e8569184ba2593 Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Thu, 16 Feb 2023 03:20:48 +0100
Subject: [PATCH] fips: Add explicit indicators for md and mac algorithms
* src/fips.c (_gcry_fips_indicator_mac): New function indicating
non-approved mac algorithms
(_gcry_fips_indicator_md): new functions indicating non-approved
message digest algorithms
* src/g10lib.h (_gcry_fips_indicator_mac): new function
(_gcry_fips_indicator_md): ditto
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
GCRYCTL_FIPS_SERVICE_INDICATOR_MD
* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.
* doc/gcrypt.texi: Document the new option.
--
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
---
doc/gcrypt.texi | 13 +++++++++++++
src/fips.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
src/g10lib.h | 2 ++
src/gcrypt.h.in | 4 +++-
src/global.c | 14 ++++++++++++++
5 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index e44c2f2e..462c5931 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -992,6 +992,19 @@ certification. If the function is approved, this function returns
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
+
+Check if the given MAC is approved under the current FIPS 140-3
+certification. If the MAC is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+is returned.
+
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
+
+Check if the given message digest algorithm is approved under the current
+FIPS 140-3 certification. If the algorithm is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
@end table
@end deftypefun
diff --git a/src/fips.c b/src/fips.c
index 272aabae..8b3b3f04 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -377,6 +377,57 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
}
}
+int
+_gcry_fips_indicator_mac (va_list arg_ptr)
+{
+ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+
+ switch (alg)
+ {
+ case GCRY_MAC_CMAC_AES:
+ case GCRY_MAC_HMAC_SHA1:
+ case GCRY_MAC_HMAC_SHA224:
+ case GCRY_MAC_HMAC_SHA256:
+ case GCRY_MAC_HMAC_SHA384:
+ case GCRY_MAC_HMAC_SHA512:
+ case GCRY_MAC_HMAC_SHA512_224:
+ case GCRY_MAC_HMAC_SHA512_256:
+ case GCRY_MAC_HMAC_SHA3_224:
+ case GCRY_MAC_HMAC_SHA3_256:
+ case GCRY_MAC_HMAC_SHA3_384:
+ case GCRY_MAC_HMAC_SHA3_512:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
+int
+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+
+ switch (alg)
+ {
+ case GCRY_MD_SHA1:
+ case GCRY_MD_SHA224:
+ case GCRY_MD_SHA256:
+ case GCRY_MD_SHA384:
+ case GCRY_MD_SHA512:
+ case GCRY_MD_SHA512_224:
+ case GCRY_MD_SHA512_256:
+ case GCRY_MD_SHA3_224:
+ case GCRY_MD_SHA3_256:
+ case GCRY_MD_SHA3_384:
+ case GCRY_MD_SHA3_512:
+ case GCRY_MD_SHAKE128:
+ case GCRY_MD_SHAKE256:
+ return GPG_ERR_NO_ERROR;
+ default:
+ return GPG_ERR_NOT_SUPPORTED;
+ }
+}
+
int
_gcry_fips_indicator_kdf (va_list arg_ptr)
{
diff --git a/src/g10lib.h b/src/g10lib.h
index 6be0ab21..86337eed 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -467,6 +467,8 @@ void _gcry_fips_signal_error (const char *srcfile,
#endif
int _gcry_fips_indicator_cipher (va_list arg_ptr);
+int _gcry_fips_indicator_mac (va_list arg_ptr);
+int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index aba22bfc..54080d46 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -330,7 +330,9 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
GCRYCTL_NO_FIPS_MODE = 83,
- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index debf6194..d16d3709 100644
--- a/src/global.c
+++ b/src/global.c
@@ -791,6 +791,20 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
rc = _gcry_fips_indicator_cipher (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+ /* Get FIPS Service Indicator for a given message authentication code.
+ * Returns GPG_ERR_NO_ERROR if algorithm is allowed or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_mac (arg_ptr);
+ break;
+
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_MD:
+ /* Get FIPS Service Indicator for a given message digest. Returns
+ * GPG_ERR_NO_ERROR if algorithm is allowed or GPG_ERR_NOT_SUPPORTED
+ * otherwise */
+ rc = _gcry_fips_indicator_md (arg_ptr);
+ break;
+
case GCRYCTL_FIPS_SERVICE_INDICATOR_KDF:
/* Get FIPS Service Indicator for a given KDF. Returns GPG_ERR_NO_ERROR
* if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
--
2.39.2
From 2d193a955d05b4b9caed2895cf25600add3484da Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Thu, 16 Feb 2023 03:21:26 +0100
Subject: [PATCH] fips: Unblock MD5 in fips mode but mark non-approved in
indicator.
* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): allow in fips mode
* cipher/md5.c (_gcry_digest_spec_md5): allow in fips mode
--
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
---
cipher/mac-hmac.c | 2 +-
cipher/md5.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c
index f1ab568b..9fac77dc 100644
--- a/cipher/mac-hmac.c
+++ b/cipher/mac-hmac.c
@@ -1413,7 +1413,7 @@ const gcry_mac_spec_t _gcry_mac_type_spec_hmac_tiger1 = {
#endif
#if USE_MD5
const gcry_mac_spec_t _gcry_mac_type_spec_hmac_md5 = {
- GCRY_MAC_HMAC_MD5, {0, 0}, "HMAC_MD5",
+ GCRY_MAC_HMAC_MD5, {0, 1}, "HMAC_MD5",
&hmac_ops
};
#endif
diff --git a/cipher/md5.c b/cipher/md5.c
index 5457fc38..744a2cc1 100644
--- a/cipher/md5.c
+++ b/cipher/md5.c
@@ -314,7 +314,7 @@ static const gcry_md_oid_spec_t oid_spec_md5[] =
const gcry_md_spec_t _gcry_digest_spec_md5 =
{
- GCRY_MD_MD5, {0, 0},
+ GCRY_MD_MD5, {0, 1},
"MD5", asn, DIM (asn), oid_spec_md5, 16,
md5_init, _gcry_md_block_write, md5_final, md5_read, NULL,
NULL,
--
2.39.2
From f52f33389da3302f51b6b00451cf9fc7e7a7e277 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 17:26:17 +0100
Subject: [PATCH] tests: Improve test coverage for FIPS service indicators
* tests/basic.c (check_digests): Check the FIPS indicators
(check_mac): Ditto.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/basic.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tests/basic.c b/tests/basic.c
index 095bdc97..5d5ceac9 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -14086,6 +14086,7 @@ check_mac (void)
"\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58" },
{ 0 },
};
+ gcry_error_t err;
int i;
if (verbose)
@@ -15370,6 +15370,12 @@ check_digests (void)
{
if (in_fips_mode)
{
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, algos[i].md);
+ if (err == GPG_ERR_NO_ERROR)
+ {
+ fail ("algo %d, gcry_md_test_algo failed while it should"
+ " have worked in FIPS mode\n", algos[i].md);
+ }
if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n",
algos[i].md);
@@ -16948,6 +16954,7 @@ check_mac (void)
#endif /* USE_GOST28147 */
{ 0 },
};
+ gcry_error_t err;
int i;
if (verbose)
@@ -16961,6 +16968,12 @@ check_mac (void)
{
if (in_fips_mode)
{
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MAC, algos[i].algo);
+ if (err == GPG_ERR_NO_ERROR)
+ {
+ fail ("algo %d, gcry_mac_test_algo failed while it should"
+ " have worked in FIPS mode\n", algos[i].algo);
+ }
if (verbose)
fprintf (stderr, " algorithm %d not available in fips mode\n",
algos[i].algo);
--
2.39.2

View File

@ -0,0 +1,277 @@
From 0c0268177666f6ce53c0a61e86c1c5bd2c53c0b0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 15:57:40 +0100
Subject: [PATCH] fips: Explicitly allow only some PK flags
* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
FIPS indicator for public key algorithm flags
* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
* src/global.c (_gcry_vcontrol): Handle the new option.
* doc/gcrypt.texi: Document new options.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
doc/gcrypt.texi | 6 ++++++
src/fips.c | 15 +++++++++++++++
src/g10lib.h | 1 +
src/gcrypt.h.in | 3 ++-
src/global.c | 7 +++++++
5 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 462c5931..750b6718 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -1005,6 +1005,12 @@ Check if the given message digest algorithm is approved under the current
FIPS 140-3 certification. If the algorithm is approved, this function returns
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
+
+Check if the given public key operation flag is approved under the current
+FIPS 140-3 certification. If the flag is approved, this function returns
+@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
@end table
@end deftypefun
diff --git a/src/fips.c b/src/fips.c
index 974ed833..cb547aa2 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -457,6 +457,21 @@ _gcry_fips_indicator_function (va_list arg_ptr)
}
+int
+_gcry_fips_indicator_pk_flags (va_list arg_ptr)
+{
+ const char *flag = va_arg (arg_ptr, const char *);
+
+ if (strcmp (flag, "param") == 0 ||
+ strcmp (flag, "raw") == 0 ||
+ strcmp (flag, "no-blinding") == 0 ||
+ strcmp (flag, "pss") == 0)
+ return GPG_ERR_NO_ERROR;
+
+ return GPG_ERR_NOT_SUPPORTED;
+}
+
+
/* This is a test on whether the library is in the error or
operational state. */
int
diff --git a/src/g10lib.h b/src/g10lib.h
index 86337eed..acff2d6b 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -471,6 +471,7 @@ int _gcry_fips_indicator_mac (va_list arg_ptr);
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
+int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
int _gcry_fips_is_operational (void);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 54080d46..121a2061 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -332,7 +332,8 @@ enum gcry_ctl_cmds
GCRYCTL_NO_FIPS_MODE = 83,
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
- GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86
+ GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index d16d3709..f39df422 100644
--- a/src/global.c
+++ b/src/global.c
@@ -818,6 +818,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
rc = _gcry_fips_indicator_function (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS:
+ /* Get FIPS Service Indicator for a public key operation flags.
+ * Returns GPG_ERR_NO_ERROR if the flag is allowed to be used or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_pk_flags (arg_ptr);
+ break;
+
case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */
rc = GPG_ERR_NOT_SUPPORTED;
break;
--
2.39.2
From 22a40df4c0210a671b331932a434f70b50354873 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Mar 2023 16:05:07 +0100
Subject: [PATCH] fips: Explicitly disable overriding random in FIPS mode
* src/fips.c: (_gcry_fips_indicator_function): Mark using random
override non-approved in FIPS mode.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/fips.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/fips.c b/src/fips.c
index cb547aa2..a7342030 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -450,7 +450,8 @@ _gcry_fips_indicator_function (va_list arg_ptr)
if (strcmp (function, "gcry_pk_sign") == 0 ||
strcmp (function, "gcry_pk_verify") == 0 ||
strcmp (function, "gcry_pk_encrypt") == 0 ||
- strcmp (function, "gcry_pk_decrypt") == 0)
+ strcmp (function, "gcry_pk_decrypt") == 0 ||
+ strcmp (function, "gcry_pk_random_override_new") == 0)
return GPG_ERR_NOT_SUPPORTED;
return GPG_ERR_NO_ERROR;
--
2.39.2
From 1c916b8c99ea0e30f1d81d606fd63b0c45657186 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 24 Mar 2023 13:12:56 +0900
Subject: [PATCH] fips: More elaborate way of getting FIPS pk flags indicators.
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
doc/gcrypt.texi | 42 +++++++++++++++++++++++++++++++++++++++---
src/fips.c | 41 +++++++++++++++++++++++++++++++++++++----
2 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 750b6718..752f64d6 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -1007,9 +1007,45 @@ FIPS 140-3 certification. If the algorithm is approved, this function returns
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
-Check if the given public key operation flag is approved under the current
-FIPS 140-3 certification. If the flag is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+Check if the given public key operation flag or s-expression object name is
+approved under the current FIPS 140-3 certification. If the flag is
+approved, this function returns @code{GPG_ERR_NO_ERROR}.
+
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
+For compound s-expression objects, if the object name is allowed, the user
+is responsible to check also the internal members. For example:
+
+@example
+ gcry_sexp_t s_sig = NULL;
+ gcry_md_hd_t hd = NULL;
+ gcry_sexp_t s_sk = NULL;
+ const char *data_tmpl = "(data(flags pss)(hash %s %b)(salt-length 1:0))";
+
+ if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_md_open") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, GCRY_MD_SHA512) &&
+ err = gcry_md_open (&hd, GCRY_MD_SHA512, 0))
+ @{
+ printf ("gcry_md_open failed: %s", gpg_strerror (err));
+ return;
+ @}
+ gcry_md_write (hd, buffer, buflen);
+
+ /* initialize the key in s_sk */
+
+ if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_pk_hash_sign") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "data") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "flags") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "pss") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "hash") &&
+ err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "salt-length")
+ err = gcry_pk_hash_sign (&s_sig, data_tmpl, s_sk, hd, NULL))
+ @{
+ printf ("gcry_pk_hash_sign failed: %s", gpg_strerror (err));
+ return;
+ @}
+ /* ok */
+@end example
@end table
diff --git a/src/fips.c b/src/fips.c
index a7342030..669cfd0e 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -457,16 +457,49 @@ _gcry_fips_indicator_function (va_list arg_ptr)
return GPG_ERR_NO_ERROR;
}
+/* Note: the array should be sorted. */
+static const char *valid_string_in_sexp[] = {
+ "curve",
+ "d",
+ "data",
+ "e",
+ "ecdsa",
+ "flags",
+ "genkey",
+ "hash",
+ "n",
+ "nbits",
+ "pkcs1",
+ "private-key",
+ "pss",
+ "public-key",
+ "q",
+ "r",
+ "raw",
+ "rsa",
+ "rsa-use-e",
+ "s",
+ "salt-length",
+ "sig-val",
+ "value"
+};
+
+static int
+compare_string (const void *v1, const void *v2)
+{
+ const char * const *p_str1 = v1;
+ const char * const *p_str2 = v2;
+
+ return strcmp (*p_str1, *p_str2);
+}
int
_gcry_fips_indicator_pk_flags (va_list arg_ptr)
{
const char *flag = va_arg (arg_ptr, const char *);
- if (strcmp (flag, "param") == 0 ||
- strcmp (flag, "raw") == 0 ||
- strcmp (flag, "no-blinding") == 0 ||
- strcmp (flag, "pss") == 0)
+ if (bsearch (&flag, valid_string_in_sexp, DIM (valid_string_in_sexp),
+ sizeof (char *), compare_string))
return GPG_ERR_NO_ERROR;
return GPG_ERR_NOT_SUPPORTED;
--
2.39.2

View File

@ -0,0 +1,55 @@
From c34c9e70055ee43e5ef257384fa15941f064e5a4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 15 Nov 2022 10:47:18 +0100
Subject: [PATCH] fips: Mark AES key wrapping as approved.
* src/fips.c (_gcry_fips_indicator_cipher): Add key wrapping mode as
approved.
--
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/fips.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/fips.c b/src/fips.c
index 6599121c..272aabae 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -367,6 +367,7 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
case GCRY_CIPHER_MODE_CCM:
case GCRY_CIPHER_MODE_GCM:
case GCRY_CIPHER_MODE_XTS:
+ case GCRY_CIPHER_MODE_AESWRAP:
return GPG_ERR_NO_ERROR;
default:
return GPG_ERR_NOT_SUPPORTED;
--
commit d6117b04e0e4d5d68df8fb731f618b0d5126ee14
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Jan 17 14:39:34 2023 +0100
fips: Remove GCM mode from the allowed FIPS indicators
* src/fips.c (_gcry_fips_indicator_cipher): Do not mark GCM mode as FIPS
approved.
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/src/fips.c b/src/fips.c
index 272aabae..774e7b4c 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -365,7 +365,6 @@ _gcry_fips_indicator_cipher (va_list arg_ptr)
case GCRY_CIPHER_MODE_OFB:
case GCRY_CIPHER_MODE_CTR:
case GCRY_CIPHER_MODE_CCM:
- case GCRY_CIPHER_MODE_GCM:
case GCRY_CIPHER_MODE_XTS:
case GCRY_CIPHER_MODE_AESWRAP:
return GPG_ERR_NO_ERROR;
--

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,190 @@
From 3c8b6c4a9cad59c5e1db5706f6774a3141b60210 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 17 Feb 2022 10:28:05 +0900
Subject: [PATCH] fips: Fix gen-note-integrity.sh script not to use cmp
utility.
* src/gen-note-integrity.sh: Simplify detecting 32-bit machine
or 64-bit machine.
--
GnuPG-bug-id: 5835
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
src/gen-note-integrity.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/gen-note-integrity.sh b/src/gen-note-integrity.sh
index 969fdca6..878d7095 100755
--- a/src/gen-note-integrity.sh
+++ b/src/gen-note-integrity.sh
@@ -73,9 +73,9 @@ FILE=.libs/libgcrypt.so
#
# Fixup the ELF header to clean up section information
#
-printf '%b' '\002' > 2.bin
-dd ibs=1 skip=4 count=1 if=$FILE status=none > class-byte.bin
-if cmp class-byte.bin 2.bin; then
+BYTE002=$(printf '%b' '\002')
+CLASS_BYTE=$(dd ibs=1 skip=4 count=1 if=$FILE status=none)
+if test "$CLASS_BYTE" = "$BYTE002"; then
CLASS=64
HEADER_SIZE=64
else
@@ -112,4 +112,4 @@ END { print offset}")
dd ibs=1 skip=$HEADER_SIZE count=$OFFSET if=$FILE status=none) \
| ./hmac256 --stdkey --binary
-rm -f 2.bin class-byte.bin header-fixed.bin
+rm -f header-fixed.bin
--
2.39.1
From 052c5ef4cea56772b7015e36f231fa0bcbf91410 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 17 Feb 2022 11:21:35 +0900
Subject: [PATCH] fips: Clarify what to be hashed for the integrity check.
* src/fips.c (get_file_offset): Compute the maximum offset
of segments.
* src/gen-note-integrity.sh: Likewise.
--
The result is same (in current format of ELF program).
Semantics is more clear. It hashes:
- From the start of shared library file,
- fixed up the ELF header to exclude link-time information,
- up to the last segment.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
src/fips.c | 20 +++++++++-----------
src/gen-note-integrity.sh | 20 ++++++++++++++------
2 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index d798d577..89f8204b 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -595,7 +595,7 @@ run_random_selftests (void)
/*
* In the ELF file opened as FP, fill the ELF header to the pointer
- * EHDR_P, determine the offset of last loadable segment in R_OFFSET.
+ * EHDR_P, determine the maximum offset of segments in R_OFFSET.
* Also, find the section which contains the hmac value and return it
* in HMAC. Rewinds FP to the beginning on success.
*/
@@ -624,24 +624,22 @@ get_file_offset (FILE *fp, ElfW (Ehdr) *ehdr_p,
if (fseek (fp, ehdr_p->e_phoff, SEEK_SET) != 0)
return gpg_error_from_syserror ();
- /* Iterate over the program headers, determine the last loadable
- segment. */
+ /* Iterate over the program headers, determine the last offset of
+ segments. */
for (i = 0; i < ehdr_p->e_phnum; i++)
{
+ unsigned long off;
+
if (fread (&phdr, sizeof (phdr), 1, fp) != 1)
return gpg_error_from_syserror ();
- if (phdr.p_type == PT_PHDR)
- continue;
-
- if (phdr.p_type != PT_LOAD)
- break;
-
- off_segment = phdr.p_offset + phdr.p_filesz;
+ off = phdr.p_offset + phdr.p_filesz;
+ if (off_segment < off)
+ off_segment = off;
}
if (!off_segment)
- /* The segment not found in the file */
+ /* No segment found in the file */
return gpg_error (GPG_ERR_INV_OBJ);
/* The section header entry size should match the size of the shdr struct */
diff --git a/src/gen-note-integrity.sh b/src/gen-note-integrity.sh
index 878d7095..50071bf5 100755
--- a/src/gen-note-integrity.sh
+++ b/src/gen-note-integrity.sh
@@ -95,21 +95,29 @@ else
dd ibs=1 count=6 if=/dev/zero status=none
fi > header-fixed.bin
-# Compute the end of loadable segment.
+#
+# Compute the end of segments, and emit the COUNT to read
+# (For each segment in program headers, calculate the offset
+# and select the maximum)
#
# This require computation in hexadecimal, and GNU awk needs
# --non-decimal-data option
#
-OFFSET=$($READELF --wide --program-headers $FILE | \
- $AWK $AWK_OPTION "/^ LOAD/ { offset=\$2+\$5-$HEADER_SIZE }\
-END { print offset}")
+COUNT=$($READELF --wide --program-headers $FILE | \
+ $AWK $AWK_OPTION \
+"BEGIN { max_offset=0 }
+/^\$/ { if (program_headers_start) program_headers_end=1 }
+(program_headers_start && !program_headers_end) { offset = \$2 + \$5 }
+(max_offset < offset) { max_offset = offset }
+/^ Type/ { program_headers_start=1 }
+END { print max_offset- $HEADER_SIZE }")
#
-# Feed the header fixed and loadable segments to HMAC256
+# Feed the header fixed and all segments to HMAC256
# to generate hmac hash of the FILE
#
(cat header-fixed.bin; \
- dd ibs=1 skip=$HEADER_SIZE count=$OFFSET if=$FILE status=none) \
+ dd ibs=1 skip=$HEADER_SIZE count=$COUNT if=$FILE status=none) \
| ./hmac256 --stdkey --binary
rm -f header-fixed.bin
--
2.39.1
From 3fd3bb31597f80c76a94ea62e42d58d796beabf1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 20 Feb 2023 16:16:01 +0100
Subject: [PATCH] fips: Check return value from ftell
* src/fips.c (get_file_offset): Check return value of ftell to be able
to detect errors.
--
Originally reported by coverity.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/fips.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index 272aabae..0d89b6da 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -681,6 +681,8 @@ get_file_offset (FILE *fp, ElfW (Ehdr) *ehdr_p,
return gpg_error_from_syserror ();
off = ftell (fp);
+ if (off < 0)
+ return gpg_error_from_syserror ();
if (shdr.sh_type == SHT_NOTE && shdr.sh_flags == 0 && shdr.sh_size == 48)
{
const char header_of_the_note[] = {
--
2.39.2

View File

@ -1,36 +1,3 @@
From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 27 Sep 2022 13:26:16 +0900
Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
GnuPG-bug-id: 6039
Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/kdf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3e51e115..81523320 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
return GPG_ERR_INV_VALUE;
#endif
+ /* HMAC requires longer input for approved use case. */
+ if (fips_mode () && passphraselen < 14)
+ return GPG_ERR_INV_VALUE;
/* Step 2 */
l = ((dklen - 1)/ hlen) + 1;
--
2.37.3
From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001 From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com> From: Tobias Heider <tobias.heider@canonical.com>
Date: Tue, 27 Sep 2022 13:31:05 +0900 Date: Tue, 27 Sep 2022 13:31:05 +0900
@ -58,9 +25,9 @@ index 81523320..67c60df8 100644
+ if (fips_mode () && dklen < 14) + if (fips_mode () && dklen < 14)
+ return GPG_ERR_INV_VALUE; + return GPG_ERR_INV_VALUE;
+ +
/* HMAC requires longer input for approved use case. */
if (fips_mode () && passphraselen < 14) /* Step 2 */
return GPG_ERR_INV_VALUE; l = ((dklen - 1)/ hlen) + 1;
-- --
2.37.3 2.37.3
From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001
@ -118,3 +85,103 @@ index c0192d7b..716fb53e 100644
-- --
2.37.3 2.37.3
From f4a861f3e5ae82f278284061e4829c03edf9c3a7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 18 Nov 2022 09:49:50 +0900
Subject: [PATCH] pkdf2: Add checks for FIPS.
* cipher/kdf.c (_gcry_kdf_pkdf2): Require 8 chars passphrase for FIPS.
Set bounds for salt length and iteration count in FIPS mode.
--
GnuPG-bug-id: 6039
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/kdf.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index d22584da..823c744e 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,18 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
return GPG_ERR_INV_VALUE;
#endif
+ /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */
+ if (fips_mode () && passphraselen < 8)
+ return GPG_ERR_INV_VALUE;
+
+ /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */
+ if (fips_mode () && saltlen < 16)
+ return GPG_ERR_INV_VALUE;
+
+ /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */
+ if (fips_mode () && iterations < 1000)
+ return GPG_ERR_INV_VALUE;
+
/* Check minimum key size */
if (fips_mode () && dklen < 14)
return GPG_ERR_INV_VALUE;
--
2.39.0
From f5fe94810f3099c9ccc2ca3a5891502922ab0576 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 28 Feb 2023 12:53:28 +0100
Subject: [PATCH] kdf: Update tests in regards to the allowed parameters in
FIPS mode.
* cipher/kdf.c (check_one): run selftests for more approved parameters
and check that wrong parameters correctly fail in FIPS mode.
--
Fixes-commit: 535a4d345872aa2cd2ab3a5f9c4411d0a0313328
GnuPG-bug-id: 5512
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/kdf.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 823c744e..12beec56 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -2059,17 +2059,25 @@ check_one (int algo, int hash_algo,
{
unsigned char key[512]; /* hardcoded to avoid allocation */
size_t keysize = expectlen;
-
- /* Skip test with shoter passphrase in FIPS mode. */
- if (fips_mode () && passphraselen < 14)
- return NULL;
+ int rv;
if (keysize > sizeof(key))
return "invalid tests data";
- if (_gcry_kdf_derive (passphrase, passphraselen, algo,
- hash_algo, salt, saltlen, iterations,
- keysize, key))
+ rv = _gcry_kdf_derive (passphrase, passphraselen, algo,
+ hash_algo, salt, saltlen, iterations,
+ keysize, key);
+ /* In fips mode we have special requirements for the input and
+ * output parameters */
+ if (fips_mode ())
+ {
+ if (rv && (passphraselen < 8 || saltlen < 16 ||
+ iterations < 1000 || expectlen < 14))
+ return NULL;
+ else if (rv)
+ return "gcry_kdf_derive unexpectedly failed in FIPS Mode";
+ }
+ else if (rv)
return "gcry_kdf_derive failed";
if (memcmp (key, expect, expectlen))
--
2.39.2

View File

@ -0,0 +1,145 @@
From 2ddeec574bc1ae90bb4242c4ce9ad9e7975a27bd Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 15:42:29 +0100
Subject: [PATCH] ecc: Do not allow skipping tests in FIPS Mode.
* cipher/ecc.c (ecc_generate): Do not allow skipping tests PCT tests
in FIPS mode.
--
The new FIPS specification requires to run the PCT without any
exceptions.
GnuPG-bug-id: 6394
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 1e80200e..797f2368 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -677,7 +677,7 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
- if (!(flags & PUBKEY_FLAG_NO_KEYTEST) && fips_mode ())
+ if (fips_mode ())
test_keys_fips (*r_skey);
leave:
--
2.39.2
From 23a2d1285e35b2eb91bb422609eb1c965c8a9bf6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 2 Mar 2023 09:43:44 +0100
Subject: [PATCH] ecc: Make the PCT recoverable in FIPS mode and consistent
with RSA.
* cipher/ecc.c (test_keys_fips): Replace calls to log_fatal with
return code on error.
(ecc_generate): Signal error when PCT fails in FIPS mode.
--
GnuPG-bug-id: 6397
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 797f2368..19520db3 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -101,7 +101,7 @@ static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
-static void test_keys_fips (gcry_sexp_t skey);
+static int test_keys_fips (gcry_sexp_t skey);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -308,9 +308,10 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
/* We should get here only with the NIST curves as they are the only ones
* having the fips bit set in ecc_domain_parms_t struct so this is slightly
* simpler than the whole ecc_generate function */
-static void
+static int
test_keys_fips (gcry_sexp_t skey)
{
+ int result = -1; /* Default to failure */
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
gcry_sexp_t sig = NULL;
@@ -323,18 +324,27 @@ test_keys_fips (gcry_sexp_t skey)
/* Open MD context and feed the random data in */
rc = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
if (rc)
- log_fatal ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
_gcry_md_write (hd, plaintext, sizeof(plaintext));
/* Sign the data */
rc = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (rc)
- log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
/* Verify this signature. */
rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc)
- log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+ {
+ log_error ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+ goto leave;
+ }
/* Modify the data and check that the signing fails. */
_gcry_md_reset(hd);
@@ -342,10 +352,16 @@ test_keys_fips (gcry_sexp_t skey)
_gcry_md_write (hd, plaintext, sizeof(plaintext));
rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc != GPG_ERR_BAD_SIGNATURE)
- log_fatal ("ECDSA operation: signature verification worked on modified data\n");
+ {
+ log_error ("ECDSA operation: signature verification worked on modified data\n");
+ goto leave;
+ }
+ result = 0;
+leave:
_gcry_md_close (hd);
sexp_release (sig);
+ return result;
}
@@ -677,8 +693,12 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
- if (fips_mode ())
- test_keys_fips (*r_skey);
+ if (fips_mode () && test_keys_fips (*r_skey))
+ {
+ sexp_release (*r_skey); r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+ rc = GPG_ERR_SELFTEST_FAILED;
+ }
leave:
mpi_free (public);
--
2.39.2

View File

@ -0,0 +1,109 @@
From bf1e62e59200b2046680d1d3d1599facc88cfe63 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 29 Nov 2022 14:04:59 +0100
Subject: [PATCH] rsa: Prevent usage of long salt in FIPS mode
* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
salt lengths
(_gcry_rsa_pss_verify): Ditto.
* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
FIPS mode
* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message
---
cipher/rsa-common.c | 14 ++++++++++++++
tests/basic.c | 19 ++++++++++++++++++-
tests/t-rsa-pss.c | 2 +-
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c
index 233ddb2d..61cd60a4 100644
--- a/cipher/rsa-common.c
+++ b/cipher/rsa-common.c
@@ -809,6 +809,13 @@ _gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
hlen = _gcry_md_get_algo_dlen (algo);
gcry_assert (hlen); /* We expect a valid ALGO here. */
+ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
+ if (fips_mode () && saltlen > hlen)
+ {
+ rc = GPG_ERR_INV_ARG;
+ goto leave;
+ }
+
/* Allocate a help buffer and setup some pointers. */
buflen = 8 + hlen + saltlen + (emlen - hlen - 1);
buf = xtrymalloc (buflen);
@@ -950,6 +957,13 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, int hashed_already,
hlen = _gcry_md_get_algo_dlen (algo);
gcry_assert (hlen); /* We expect a valid ALGO here. */
+ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
+ if (fips_mode () && saltlen > hlen)
+ {
+ rc = GPG_ERR_INV_ARG;
+ goto leave;
+ }
+
/* Allocate a help buffer and setup some pointers.
This buffer is used for two purposes:
+------------------------------+-------+
diff --git a/tests/basic.c b/tests/basic.c
index 77e2fd93..429bd237 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -16602,6 +16602,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
const char *data;
int algo;
int expected_rc;
+ int flags;
} datas[] =
{
{ "(data\n (flags pkcs1)\n"
@@ -16672,6 +16673,22 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
" (random-override #4253647587980912233445566778899019283747#))\n",
GCRY_PK_RSA,
0 },
+ { "(data\n (flags pss)\n"
+ " (hash-algo sha256)\n"
+ " (value #11223344556677889900AABBCCDDEEFF#)\n"
+ " (salt-length 2:32)\n"
+ " (random-override #42536475879809122334455667788990192837465564738291"
+ "00122334455667#))\n",
+ GCRY_PK_RSA,
+ 0 },
+ { "(data\n (flags pss)\n"
+ " (hash-algo sha256)\n"
+ " (value #11223344556677889900AABBCCDDEEFF#)\n"
+ " (salt-length 2:33)\n"
+ " (random-override #42536475879809122334455667788990192837465564738291"
+ "0012233445566778#))\n",
+ GCRY_PK_RSA,
+ 0, FLAG_NOFIPS },
{ NULL }
};
@@ -16695,7 +16712,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
die ("converting data failed: %s\n", gpg_strerror (rc));
rc = gcry_pk_sign (&sig, hash, skey);
- if (in_fips_mode && (flags & FLAG_NOFIPS))
+ if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & FLAG_NOFIPS))
{
if (!rc)
fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
diff --git a/tests/t-rsa-pss.c b/tests/t-rsa-pss.c
index c5f90116..82dd54b3 100644
--- a/tests/t-rsa-pss.c
+++ b/tests/t-rsa-pss.c
@@ -340,7 +340,7 @@ one_test_sexp (const char *n, const char *e, const char *d,
snprintf (p, 3, "%02x", out[i]);
if (strcmp (sig_string, s))
{
- fail ("gcry_pkhash_sign failed: %s",
+ fail ("gcry_pk_hash_sign failed: %s",
"wrong value returned");
info (" expected: '%s'", s);
info (" got: '%s'", sig_string);
--
2.39.0

View File

@ -0,0 +1,46 @@
From 654d0dfa04993ebe28c0536d42f4bc6d87c28369 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2023 17:14:00 +0100
Subject: [PATCH] visibility: Check FIPS operational status for MD+Sign
operation.
* src/visibility.c (gcry_pk_hash_sign): Check fips status before
calling the operation itself.
(gcry_pk_hash_verify): Ditto.
--
GnuPG-bug-id: 6396
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/visibility.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/visibility.c b/src/visibility.c
index 73db3dea..1f17e147 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1050,6 +1050,11 @@ gcry_error_t
gcry_pk_hash_sign (gcry_sexp_t *result, const char *data_tmpl, gcry_sexp_t skey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ {
+ *result = NULL;
+ return gpg_error (fips_not_operational ());
+ }
return gpg_error (_gcry_pk_sign_md (result, data_tmpl, hd, skey, ctx));
}
@@ -1065,6 +1070,8 @@ gcry_error_t
gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey,
gcry_md_hd_t hd, gcry_ctx_t ctx)
{
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
return gpg_error (_gcry_pk_verify_md (sigval, data_tmpl, hd, pkey, ctx));
}
--
2.39.2

View File

@ -0,0 +1,139 @@
From 06ea5b5332ffdb44a0a394d766be8989bcb6a95c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 6 Dec 2022 10:03:47 +0900
Subject: [PATCH] fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.
* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
in FIPS mode.
* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
(check_run): Skip checking X9.31 keys in FIPS mode.
* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
the X9.31 keygen.
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/rsa.c | 5 +++++
doc/gcrypt.texi | 41 ++++++++++++++++++++++++++++++++++++-----
tests/pubkey.c | 15 +++++++++++++--
3 files changed, 54 insertions(+), 7 deletions(-)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index df4af94b..45523e6b 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1256,6 +1256,11 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
if (deriveparms || (flags & PUBKEY_FLAG_USE_X931))
{
int swapped;
+ if (fips_mode ())
+ {
+ sexp_release (deriveparms);
+ return GPG_ERR_INV_SEXP;
+ }
ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);
sexp_release (deriveparms);
if (!ec && swapped)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index d0372f3e..e845a4dd 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -2699,8 +2699,7 @@ achieve fastest ECC key generation.
Force the use of the ANSI X9.31 key generation algorithm instead of
the default algorithm. This flag is only meaningful for RSA key
generation and usually not required. Note that this algorithm is
-implicitly used if either @code{derive-parms} is given or Libgcrypt is
-in FIPS mode.
+implicitly used if either @code{derive-parms} is given.
@item use-fips186
@cindex FIPS 186
@@ -3310,9 +3309,9 @@ This is currently only implemented for RSA and DSA keys. It is not
allowed to use this together with a @code{domain} specification. If
given, it is used to derive the keys using the given parameters.
-If given for an RSA key the X9.31 key generation algorithm is used
-even if libgcrypt is not in FIPS mode. If given for a DSA key, the
-FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.
+If given for an RSA key, the X9.31 key generation algorithm is used.
+If given for a DSA key, the FIPS 186 algorithm is used even if
+libgcrypt is not in FIPS mode.
@example
(genkey
@@ -3342,6 +3341,38 @@ FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.
(seed @var{seed-mpi}))))
@end example
+@item test-parms @var{list}
+This is currently only implemented for RSA keys. If given, the
+libgcrypt will not generate parameter, but tests whether the p,q is
+probably prime. Returns key with zeroes.
+
+The FIPS key generation algorithm is used even if libgcrypt is not
+in FIPS mode.
+
+@example
+(genkey
+ (rsa
+ (nbits 4:1024)
+ (rsa-use-e 1:3)
+ (test-parms
+ (e "65537")
+ (p #00bbccabcee15d343944a47e492d4b1f4de79633e2
+ 0cbb46f7d2d6813392a807ad048cf77528edd19f77
+ e7453f25173b9dcb70423afa2037aae147b81a33d5
+ 41fc58f875eff1e852ab55e2e09a3debfbc151b3b0
+ d17fef6f74d81fca14fbae531418e211ef818592af
+ 70de5cec3b92795cc3578572bf456099cd8727150e
+ 523261#)
+ (q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc
+ 34ecc563d587f166b52d42bfbe22bbc095b0b8426a
+ 2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b
+ 63481322911ebbd7014db83aa051e0ca2dbf302b75
+ cd37f2ae8df90e134226e92f6353a284b28bb30af0
+ bbf925b345b955328379866ebac11d55bc80fe84f1
+ 05d415#)
+
+@end example
+
@item flags @var{flaglist}
This is preferred way to define flags. @var{flaglist} may contain any
diff --git a/tests/pubkey.c b/tests/pubkey.c
index bc44f3a5..2669b41a 100644
--- a/tests/pubkey.c
+++ b/tests/pubkey.c
@@ -430,7 +430,17 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey)
rc = gcry_pk_genkey (&key, key_spec);
gcry_sexp_release (key_spec);
if (rc)
- die ("error generating RSA key: %s\n", gcry_strerror (rc));
+ {
+ if (in_fips_mode)
+ {
+ if (verbose)
+ fprintf (stderr, "The X9.31 RSA keygen is not available in FIPS modee.\n");
+ return;
+ }
+ die ("error generating RSA key: %s\n", gcry_strerror (rc));
+ }
+ else if (in_fips_mode)
+ die ("generating X9.31 RSA key unexpected worked in FIPS mode\n");
if (verbose > 1)
show_sexp ("generated RSA (X9.31) key:\n", key);
@@ -777,7 +787,8 @@ check_run (void)
if (verbose)
fprintf (stderr, "Checking generated RSA key (X9.31).\n");
get_keys_x931_new (&pkey, &skey);
- check_keys (pkey, skey, 800, 0);
+ if (!in_fips_mode)
+ check_keys (pkey, skey, 800, 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
pkey = skey = NULL;
--
2.39.0

View File

@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16))
Name: libgcrypt Name: libgcrypt
Version: 1.10.0 Version: 1.10.0
Release: 7%{?dist} Release: 10%{?dist}
URL: https://www.gnupg.org/ URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
@ -34,7 +34,35 @@ Patch9: libgcrypt-1.10.0-sha3-large.patch
# https://dev.gnupg.org/T5919 # https://dev.gnupg.org/T5919
Patch10: libgcrypt-1.10.0-fips-keygen.patch Patch10: libgcrypt-1.10.0-fips-keygen.patch
# https://dev.gnupg.org/T6219 # https://dev.gnupg.org/T6219
# f4a861f3e5ae82f278284061e4829c03edf9c3a7
Patch11: libgcrypt-1.10.0-fips-kdf.patch Patch11: libgcrypt-1.10.0-fips-kdf.patch
# c34c9e70055ee43e5ef257384fa15941f064e5a4
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/13
Patch12: libgcrypt-1.10.0-fips-indicator.patch
# beb5d6df5c5785db7c32a24a5d2a351cb964bfbc
# 521500624b4b11538d206137205e2a511dad7072
# 9dcf9305962b90febdf2d7cc73b49feadbf6a01f
# a340e980388243ceae6df57d101036f3f2a955be
Patch13: libgcrypt-1.10.0-fips-integrity.patch
# 3c8b6c4a9cad59c5e1db5706f6774a3141b60210
# 052c5ef4cea56772b7015e36f231fa0bcbf91410
# 3fd3bb31597f80c76a94ea62e42d58d796beabf1
Patch14: libgcrypt-1.10.0-fips-integrity2.patch
# 06ea5b5332ffdb44a0a394d766be8989bcb6a95c
Patch15: libgcrypt-1.10.0-fips-x931.patch
# bf1e62e59200b2046680d1d3d1599facc88cfe63
Patch16: libgcrypt-1.10.0-fips-rsa-pss.patch
# https://dev.gnupg.org/T6376
Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch
# https://dev.gnupg.org/T6394
# https://dev.gnupg.org/T6397
Patch18: libgcrypt-1.10.0-fips-pct.patch
# https://dev.gnupg.org/T6396
Patch19: libgcrypt-1.10.0-fips-status-sign-verify.patch
# https://dev.gnupg.org/T6393
Patch20: libgcrypt-1.10.0-fips-drbg.patch
# https://dev.gnupg.org/T6417
Patch21: libgcrypt-1.10.0-fips-indicator-pk-flags.patch
%global gcrylibdir %{_libdir} %global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20 %global gcrysoname libgcrypt.so.20
@ -79,6 +107,16 @@ applications using libgcrypt.
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%build %build
# This package has a configure test which uses ASMs, but does not link the # This package has a configure test which uses ASMs, but does not link the
@ -105,6 +143,7 @@ autoreconf -f
--enable-noexecstack \ --enable-noexecstack \
--enable-hmac-binary-check=%{hmackey} \ --enable-hmac-binary-check=%{hmackey} \
--disable-brainpool \ --disable-brainpool \
--disable-jent-support \
--enable-digests="$DIGESTS" \ --enable-digests="$DIGESTS" \
--enable-ciphers="$CIPHERS" \ --enable-ciphers="$CIPHERS" \
--with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}" --with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
@ -122,12 +161,12 @@ LIBGCRYPT_FORCE_FIPS_MODE=1 make check
%{?__debug_package:%{__debug_install_post}} \ %{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
dd if=/dev/zero of=%{libpath}.hmac bs=32 count=1 \ cd src \
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath} %{libpath}.empty \ sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
src/hmac256 --binary %{hmackey} %{libpath}.empty > %{libpath}.hmac \ READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \
objcopy --update-section .rodata1=%{libpath}.hmac %{libpath}.empty %{libpath}.new \ objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \
mv -f %{libpath}.new %{libpath} \ mv -f %{libpath}.new %{libpath} \
rm -f %{libpath}.hmac %{libpath}.empty rm -f %{libpath}.hmac
%{nil} %{nil}
%install %install
@ -197,6 +236,24 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
%license COPYING %license COPYING
%changelog %changelog
* Mon Mar 20 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.0-10
- Provide FIPS indicators for MD and HMACs
- Improve PCT tests for ECDSA and always run them after key is generated
- Add missing guards for FIPS status in md_sign/verify function
- Provider FIPS indicators for public key operation flags
* Tue Jan 24 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.0-9
- Avoid usage of invalid arguments sizes for PBKDF2 in FIPS mode
- Do not allow large salt lengths with RSA-PSS padding
- Disable X9.31 key generation in FIPS mode
- Update the FIPS integrity checking code to upstream version
- Update cipher modes FIPS indicators for AES WRAP and GCM
- Disable jitter entropy generator
* Thu Oct 20 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-8
- Fix unneeded PBKDF2 passphrase length limitation in FIPS mode
- Enforce HMAC key lengths in MD API in FIPS mode
* Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7 * Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7
- Properly enforce KDF limits in FIPS mode (#2130275) - Properly enforce KDF limits in FIPS mode (#2130275)
- Fix memory leak in large digest test (#2129150) - Fix memory leak in large digest test (#2129150)