Disable usage of X9.31 key generation in FIPS mode

Related: rhbz#2167764
2023-01-17 15:43:18 +01:00 · 2023-01-17 15:43:18 +01:00 · 8d0820609b
commit 8d0820609b
parent 7e0fcaf4ab
2 changed files with 142 additions and 0 deletions
--- a/libgcrypt-1.10.0-fips-x931.patch
+++ b/libgcrypt-1.10.0-fips-x931.patch
@ -0,0 +1,139 @@
+From 06ea5b5332ffdb44a0a394d766be8989bcb6a95c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 Dec 2022 10:03:47 +0900
+Subject: [PATCH] fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.
+
+* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
+in FIPS mode.
+* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
+(check_run): Skip checking X9.31 keys in FIPS mode.
+* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
+the X9.31 keygen.
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/rsa.c    |  5 +++++
+ doc/gcrypt.texi | 41 ++++++++++++++++++++++++++++++++++++-----
+ tests/pubkey.c  | 15 +++++++++++++--
+ 3 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index df4af94b..45523e6b 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -1256,6 +1256,11 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+   if (deriveparms || (flags & PUBKEY_FLAG_USE_X931))
+     {
+       int swapped;
+      if (fips_mode ())
+        {
+          sexp_release (deriveparms);
+          return GPG_ERR_INV_SEXP;
+        }
+       ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);
+       sexp_release (deriveparms);
+       if (!ec && swapped)
+diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
+index d0372f3e..e845a4dd 100644
+--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
+@@ -2699,8 +2699,7 @@ achieve fastest ECC key generation.
+ Force the use of the ANSI X9.31 key generation algorithm instead of
+ the default algorithm. This flag is only meaningful for RSA key
+ generation and usually not required.  Note that this algorithm is
+-implicitly used if either @code{derive-parms} is given or Libgcrypt is
+-in FIPS mode.
+implicitly used if either @code{derive-parms} is given.
+ 
+ @item use-fips186
+ @cindex FIPS 186
+@@ -3310,9 +3309,9 @@ This is currently only implemented for RSA and DSA keys.  It is not
+ allowed to use this together with a @code{domain} specification.  If
+ given, it is used to derive the keys using the given parameters.
+ 
+-If given for an RSA key the X9.31 key generation algorithm is used
+-even if libgcrypt is not in FIPS mode.  If given for a DSA key, the
+-FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.
+If given for an RSA key, the X9.31 key generation algorithm is used.
+If given for a DSA key, the FIPS 186 algorithm is used even if
+libgcrypt is not in FIPS mode.
+ 
+ @example
+ (genkey
+@@ -3342,6 +3341,38 @@ FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.
+       (seed @var{seed-mpi}))))
+ @end example
+ 
+@item test-parms @var{list}
+This is currently only implemented for RSA keys. If given, the
+libgcrypt will not generate parameter, but tests whether the p,q is
+probably prime. Returns key with zeroes.
+
+The FIPS key generation algorithm is used even if libgcrypt is not
+in FIPS mode.
+
+@example
+(genkey
+  (rsa
+    (nbits 4:1024)
+    (rsa-use-e 1:3)
+    (test-parms
+      (e "65537")
+      (p #00bbccabcee15d343944a47e492d4b1f4de79633e2
+          0cbb46f7d2d6813392a807ad048cf77528edd19f77
+          e7453f25173b9dcb70423afa2037aae147b81a33d5
+          41fc58f875eff1e852ab55e2e09a3debfbc151b3b0
+          d17fef6f74d81fca14fbae531418e211ef818592af
+          70de5cec3b92795cc3578572bf456099cd8727150e
+          523261#)
+      (q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc
+          34ecc563d587f166b52d42bfbe22bbc095b0b8426a
+          2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b
+          63481322911ebbd7014db83aa051e0ca2dbf302b75
+          cd37f2ae8df90e134226e92f6353a284b28bb30af0
+          bbf925b345b955328379866ebac11d55bc80fe84f1
+          05d415#)
+
+@end example
+
+ 
+ @item flags @var{flaglist}
+ This is preferred way to define flags.  @var{flaglist} may contain any
+diff --git a/tests/pubkey.c b/tests/pubkey.c
+index bc44f3a5..2669b41a 100644
+--- a/tests/pubkey.c
+++ b/tests/pubkey.c
+@@ -430,7 +430,17 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey)
+   rc = gcry_pk_genkey (&key, key_spec);
+   gcry_sexp_release (key_spec);
+   if (rc)
+-    die ("error generating RSA key: %s\n", gcry_strerror (rc));
+    {
+      if (in_fips_mode)
+        {
+          if (verbose)
+            fprintf (stderr, "The X9.31 RSA keygen is not available in FIPS modee.\n");
+          return;
+        }
+      die ("error generating RSA key: %s\n", gcry_strerror (rc));
+    }
+  else if (in_fips_mode)
+    die ("generating X9.31 RSA key unexpected worked in FIPS mode\n");
+ 
+   if (verbose > 1)
+     show_sexp ("generated RSA (X9.31) key:\n", key);
+@@ -777,7 +787,8 @@ check_run (void)
+   if (verbose)
+     fprintf (stderr, "Checking generated RSA key (X9.31).\n");
+   get_keys_x931_new (&pkey, &skey);
+-  check_keys (pkey, skey, 800, 0);
+  if (!in_fips_mode)
+    check_keys (pkey, skey, 800, 0);
+   gcry_sexp_release (pkey);
+   gcry_sexp_release (skey);
+   pkey = skey = NULL;
+-- 
+2.39.0
+
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -46,6 +46,8 @@ Patch13: libgcrypt-1.10.0-fips-integrity.patch
 # 3c8b6c4a9cad59c5e1db5706f6774a3141b60210
 # 052c5ef4cea56772b7015e36f231fa0bcbf91410
 Patch14: libgcrypt-1.10.0-fips-integrity2.patch
+# 06ea5b5332ffdb44a0a394d766be8989bcb6a95c
+Patch15: libgcrypt-1.10.0-fips-x931.patch

 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@ -93,6 +95,7 @@ applications using libgcrypt.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1

 %build
 # This package has a configure test which uses ASMs, but does not link the