From 8d0820609b0a6dd9cbb7eb94bb7390fb56a5904e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 17 Jan 2023 15:43:18 +0100
Subject: [PATCH] Disable usage of X9.31 key generation in FIPS mode
Related: rhbz#2167764
---
libgcrypt-1.10.0-fips-x931.patch | 139 +++++++++++++++++++++++++++++++
libgcrypt.spec | 3 +
2 files changed, 142 insertions(+)
create mode 100644 libgcrypt-1.10.0-fips-x931.patch
diff --git a/libgcrypt-1.10.0-fips-x931.patch b/libgcrypt-1.10.0-fips-x931.patch
new file mode 100644
index 0000000..b4a99ba
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-x931.patch
@@ -0,0 +1,139 @@ +From 06ea5b5332ffdb44a0a394d766be8989bcb6a95c Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 Dec 2022 10:03:47 +0900 +Subject: [PATCH] fips,rsa: Prevent usage of X9.31 keygen in FIPS mode. + +* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms +in FIPS mode. +* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode. +(check_run): Skip checking X9.31 keys in FIPS mode. +* doc/gcrypt.texi: Document "test-parms" and clarify some cases around +the X9.31 keygen. + +-- + +Signed-off-by: Jakub Jelen +--- + cipher/rsa.c | 5 +++++ + doc/gcrypt.texi | 41 ++++++++++++++++++++++++++++++++++++----- + tests/pubkey.c | 15 +++++++++++++-- + 3 files changed, 54 insertions(+), 7 deletions(-) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index df4af94b..45523e6b 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -1256,6 +1256,11 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) + if (deriveparms || (flags & PUBKEY_FLAG_USE_X931)) + { + int swapped; ++ if (fips_mode ()) ++ { ++ sexp_release (deriveparms); ++ return GPG_ERR_INV_SEXP; ++ } + ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped); + sexp_release (deriveparms); + if (!ec && swapped) +diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi +index d0372f3e..e845a4dd 100644 +--- a/doc/gcrypt.texi ++++ b/doc/gcrypt.texi +@@ -2699,8 +2699,7 @@ achieve fastest ECC key generation. + Force the use of the ANSI X9.31 key generation algorithm instead of + the default algorithm. This flag is only meaningful for RSA key + generation and usually not required. Note that this algorithm is +-implicitly used if either @code{derive-parms} is given or Libgcrypt is +-in FIPS mode. ++implicitly used if either @code{derive-parms} is given. + + @item use-fips186 + @cindex FIPS 186 +@@ -3310,9 +3309,9 @@ This is currently only implemented for RSA and DSA keys. It is not + allowed to use this together with a @code{domain} specification. 
If + given, it is used to derive the keys using the given parameters. + +-If given for an RSA key the X9.31 key generation algorithm is used +-even if libgcrypt is not in FIPS mode. If given for a DSA key, the +-FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode. ++If given for an RSA key, the X9.31 key generation algorithm is used. ++If given for a DSA key, the FIPS 186 algorithm is used even if ++libgcrypt is not in FIPS mode. + + @example + (genkey +@@ -3342,6 +3341,38 @@ FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode. + (seed @var{seed-mpi})))) + @end example + ++@item test-parms @var{list} ++This is currently only implemented for RSA keys. If given, the ++libgcrypt will not generate parameter, but tests whether the p,q is ++probably prime. Returns key with zeroes. ++ ++The FIPS key generation algorithm is used even if libgcrypt is not ++in FIPS mode. ++ ++@example ++(genkey ++ (rsa ++ (nbits 4:1024) ++ (rsa-use-e 1:3) ++ (test-parms ++ (e "65537") ++ (p #00bbccabcee15d343944a47e492d4b1f4de79633e2 ++ 0cbb46f7d2d6813392a807ad048cf77528edd19f77 ++ e7453f25173b9dcb70423afa2037aae147b81a33d5 ++ 41fc58f875eff1e852ab55e2e09a3debfbc151b3b0 ++ d17fef6f74d81fca14fbae531418e211ef818592af ++ 70de5cec3b92795cc3578572bf456099cd8727150e ++ 523261#) ++ (q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc ++ 34ecc563d587f166b52d42bfbe22bbc095b0b8426a ++ 2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b ++ 63481322911ebbd7014db83aa051e0ca2dbf302b75 ++ cd37f2ae8df90e134226e92f6353a284b28bb30af0 ++ bbf925b345b955328379866ebac11d55bc80fe84f1 ++ 05d415#) ++ ++@end example ++ + + @item flags @var{flaglist} + This is preferred way to define flags. 
@var{flaglist} may contain any +diff --git a/tests/pubkey.c b/tests/pubkey.c +index bc44f3a5..2669b41a 100644 +--- a/tests/pubkey.c ++++ b/tests/pubkey.c +@@ -430,7 +430,17 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) + rc = gcry_pk_genkey (&key, key_spec); + gcry_sexp_release (key_spec); + if (rc) +- die ("error generating RSA key: %s\n", gcry_strerror (rc)); ++ { ++ if (in_fips_mode) ++ { ++ if (verbose) ++ fprintf (stderr, "The X9.31 RSA keygen is not available in FIPS modee.\n"); ++ return; ++ } ++ die ("error generating RSA key: %s\n", gcry_strerror (rc)); ++ } ++ else if (in_fips_mode) ++ die ("generating X9.31 RSA key unexpected worked in FIPS mode\n"); + + if (verbose > 1) + show_sexp ("generated RSA (X9.31) key:\n", key); +@@ -777,7 +787,8 @@ check_run (void) + if (verbose) + fprintf (stderr, "Checking generated RSA key (X9.31).\n"); + get_keys_x931_new (&pkey, &skey); +- check_keys (pkey, skey, 800, 0); ++ if (!in_fips_mode) ++ check_keys (pkey, skey, 800, 0); + gcry_sexp_release (pkey); + gcry_sexp_release (skey); + pkey = skey = NULL; +-- +2.39.0 + diff --git a/libgcrypt.spec b/libgcrypt.spec index 3e07a37..e9a6696 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -46,6 +46,8 @@ Patch13: libgcrypt-1.10.0-fips-integrity.patch # 3c8b6c4a9cad59c5e1db5706f6774a3141b60210 # 052c5ef4cea56772b7015e36f231fa0bcbf91410 Patch14: libgcrypt-1.10.0-fips-integrity2.patch +# 06ea5b5332ffdb44a0a394d766be8989bcb6a95c +Patch15: libgcrypt-1.10.0-fips-x931.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -93,6 +95,7 @@ applications using libgcrypt. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 %build # This package has a configure test which uses ASMs, but does not link the
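Review bot: In the FIPS branch added to get_keys_x931_new in tests/pubkey.c, any non-zero rc from gcry_pk_genkey is accepted as the expected rejection, so the test would still pass if key generation failed for an unrelated reason. Since the cipher/rsa.c hunk returns GPG_ERR_INV_SEXP for this case, the branch could be narrowed to `if (in_fips_mode && gcry_err_code (rc) == GPG_ERR_INV_SEXP)`. The early `return;` also leaves *pkey and *skey unassigned while check_run still calls gcry_sexp_release on both, which is only safe if the caller's variables are already NULL at that point (not visible in the hunk); setting `*pkey = *skey = NULL;` before returning would remove that dependency. The two new messages contain typos ("FIPS modee", "unexpected worked"). Both function bodies start and end outside the hunks shown.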