From cbe7d48792e6b51963df6ca6ba412cb0a59b6d1b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 26 Sep 2022 13:49:56 +0200
Subject: [PATCH] Fix FIPS RSA PCT

Resolves: rhbz#2128455
---
 libgcrypt-1.10.0-fips-selftest.patch | 203 +++++++++++++++++++++++++++
 libgcrypt.spec | 2 +
 2 files changed, 205 insertions(+)

diff --git a/libgcrypt-1.10.0-fips-selftest.patch b/libgcrypt-1.10.0-fips-selftest.patch
index 6840c07..6b9a4fb 100644
--- a/libgcrypt-1.10.0-fips-selftest.patch
+++ b/libgcrypt-1.10.0-fips-selftest.patch
@@ -921,3 +921,206 @@ index 78c26f2f..9d14a474 100644
 --
 2.37.1
 
+
+--
+
+ACVP testing uses the test-parms option to specify p and q to be checked
+for primality. When test-parms is specified, generate_fips() always
+returns keys with p=q=0. These keys then fail the pairwise consistency
+test, because they cannot be used to successfully sign a message and
+verify the signature.
+
+Skip the PCT when test-parms is specified.
+
+Add a regression test to check that this functionality continues to work
+in the future.
+
+Signed-off-by: Clemens Lang
+---
+ cipher/rsa.c | 5 +-
+ tests/Makefile.am | 2 +-
+ tests/t-rsa-testparm.c | 130 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 135 insertions(+), 2 deletions(-)
+ create mode 100644 tests/t-rsa-testparm.c
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 87f57b55..1a935d80 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1218,6 +1218,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+ int flags = 0;
+ gcry_sexp_t l1;
+ gcry_sexp_t swap_info = NULL;
++ int testparms = 0;
+
+ memset (&sk, 0, sizeof sk);
+
+@@ -1274,6 +1275,8 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+ }
+ deriveparms = (genparms? sexp_find_token (genparms, "test-parms", 0)
+ /**/ : NULL);
++ if (deriveparms)
++ testparms = 1;
+
+ /* Generate. */
+ if (deriveparms || fips_mode ())
+@@ -1311,7 +1314,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+ mpi_free (sk.u);
+ sexp_release (swap_info);
+
+- if (!ec && fips_mode () && test_keys_fips (*r_skey))
++ if (!ec && !testparms && fips_mode () && test_keys_fips (*r_skey))
+ {
+ sexp_release (*r_skey); *r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index f65725bc..302d923b 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -28,7 +28,7 @@ tests_bin = \
+ t-mpi-bit t-mpi-point curves t-lock \
+ prime basic keygen pubkey hmac hashtest t-kdf keygrip \
+ fips186-dsa aeswrap pkcs1v2 random dsa-rfc6979 \
+- t-dsa t-ecdsa t-rsa-pss t-rsa-15 \
++ t-dsa t-ecdsa t-rsa-pss t-rsa-15 t-rsa-testparm \
+ t-ed25519 t-cv25519 t-x448 t-ed448
+
+ tests_bin_last = benchmark bench-slope
+diff --git a/tests/t-rsa-testparm.c b/tests/t-rsa-testparm.c
+new file mode 100644
+index 00000000..65617855
+--- /dev/null
++++ b/tests/t-rsa-testparm.c
+@@ -0,0 +1,130 @@
++/* t-rsa-testparm.c - Check the RSA Key Generation test-parm parameter
++ * Copyright (C) 2022 g10 Code GmbH
++ *
++ * This file is part of Libgcrypt.
++ *
++ * Libgcrypt is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as
++ * published by the Free Software Foundation; either version 2.1 of
++ * the License, or (at your option) any later version.
++ *
++ * Libgcrypt is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program; if not, see .
++ */
++
++#ifdef HAVE_CONFIG_H
++#include
++#endif
++#include
++#include
++#include
++#include
++
++#include "stopwatch.h"
++
++#define PGM "t-rsa-testparm"
++#include "t-common.h"
++
++
++static void
++check_rsa_testparm ()
++{
++ gpg_error_t err;
++ gcry_sexp_t keyspec = NULL;
++ gcry_sexp_t key = NULL;
++ const char *sexp = "(genkey (rsa (nbits \"2048\") (test-parms "
++ "(e \"65537\")"
++ "(p #00bbccabcee15d343944a47e492d4b1f4de79633e20cbb46f7d2d6813392a807ad048"
++ "cf77528edd19f77e7453f25173b9dcb70423afa2037aae147b81a33d541fc58f875ef"
++ "f1e852ab55e2e09a3debfbc151b3b0d17fef6f74d81fca14fbae531418e211ef81859"
++ "2af70de5cec3b92795cc3578572bf456099cd8727150e523261#)"
++ "(q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc34ecc563d587f166b52d42bfbe2"
++ "2bbc095b0b8426a2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b63481322911e"
++ "bbd7014db83aa051e0ca2dbf302b75cd37f2ae8df90e134226e92f6353a284b28bb30"
++ "af0bbf925b345b955328379866ebac11d55bc80fe84f105d415#)"
++ ")))";
++
++ info ("Checking RSA KeyGen test-parm parameter.\n");
++
++ err = gcry_sexp_build (&keyspec, NULL, sexp);
++ if (err)
++ {
++ fail ("error building SEXP for test: %s", gpg_strerror (err));
++ goto leave;
++ }
++
++ err = gcry_pk_genkey (&key, keyspec);
++ if (err)
++ {
++ fail ("gcry_pk_genkey failed for test: %s", gpg_strerror (err));
++ goto leave;
++ }
++
++leave:
++ if (key)
++ gcry_sexp_release (key);
++ if (keyspec)
++ gcry_sexp_release (keyspec);
++}
++
++
++int
++main (int argc, char **argv)
++{
++ int last_argc = -1;
++
++ if (argc)
++ { argc--; argv++; }
++
++ while (argc && last_argc != argc )
++ {
++ last_argc = argc;
++ if (!strcmp (*argv, "--"))
++ {
++ argc--; argv++;
++ break;
++ }
++ else if (!strcmp (*argv, "--help"))
++ {
++ fputs ("usage: " PGM " [options]\n"
++ "Options:\n"
++ " --verbose print timings etc.\n"
++ " --debug flyswatter\n",
++ stdout);
++ exit (0);
++ }
++ else if (!strcmp (*argv, "--verbose"))
++ {
++ verbose++;
++ argc--; argv++;
++ }
++ else if (!strcmp (*argv, "--debug"))
++ {
++ verbose += 2;
++ debug++;
++ argc--; argv++;
++ }
++ else if (!strncmp (*argv, "--", 2))
++ die ("unknown option '%s'", *argv);
++
++ }
++
++ xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
++ if (!gcry_check_version (GCRYPT_VERSION))
++ die ("version mismatch\n");
++ if (debug)
++ xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 0xffffffff, 0));
++
++ start_timer ();
++ check_rsa_testparm ();
++ stop_timer ();
++
++ info ("All tests completed in %s. Errors: %d\n",
++ elapsed_time (1), error_count);
++ return !!error_count;
++}
+--
+2.37.3
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 4b9975c..0d827d9 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -27,6 +27,8 @@ Patch3: libgcrypt-1.10.0-ppc-hwf.patch
 Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch
 Patch5: libgcrypt-1.10.0-allow-short-salt.patch
 Patch6: libgcrypt-1.10.0-fips-getrandom.patch
+# https://dev.gnupg.org/T6127
+# https://lists.gnupg.org/pipermail/gcrypt-devel/2022-September/005379.html
 Patch7: libgcrypt-1.10.0-fips-selftest.patch
 Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch
 # https://dev.gnupg.org/T6217