diff --git a/libgcrypt-1.10.0-fips-rsa-pss.patch b/libgcrypt-1.10.0-fips-rsa-pss.patch
new file mode 100644
index 0000000..af3f772
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-rsa-pss.patch
@@ -0,0 +1,109 @@
+From bf1e62e59200b2046680d1d3d1599facc88cfe63 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 29 Nov 2022 14:04:59 +0100
+Subject: [PATCH] rsa: Prevent usage of long salt in FIPS mode
+
+* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
+ salt lengths
+ (_gcry_rsa_pss_verify): Ditto.
+* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
+ FIPS mode
+* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message
+---
+ cipher/rsa-common.c | 14 ++++++++++++++
+ tests/basic.c | 19 ++++++++++++++++++-
+ tests/t-rsa-pss.c | 2 +-
+ 3 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c
+index 233ddb2d..61cd60a4 100644
+--- a/cipher/rsa-common.c
++++ b/cipher/rsa-common.c
+@@ -809,6 +809,13 @@ _gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
+ hlen = _gcry_md_get_algo_dlen (algo);
+ gcry_assert (hlen); /* We expect a valid ALGO here. */
+ 
++ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
++ if (fips_mode () && saltlen > hlen)
++ {
++ rc = GPG_ERR_INV_ARG;
++ goto leave;
++ }
++
+ /* Allocate a help buffer and setup some pointers. */
+ buflen = 8 + hlen + saltlen + (emlen - hlen - 1);
+ buf = xtrymalloc (buflen);
+@@ -950,6 +957,13 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, int hashed_already,
+ hlen = _gcry_md_get_algo_dlen (algo);
+ gcry_assert (hlen); /* We expect a valid ALGO here. */
+ 
++ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
++ if (fips_mode () && saltlen > hlen)
++ {
++ rc = GPG_ERR_INV_ARG;
++ goto leave;
++ }
++
+ /* Allocate a help buffer and setup some pointers. 
+ This buffer is used for two purposes:
+ +------------------------------+-------+
+diff --git a/tests/basic.c b/tests/basic.c
+index 77e2fd93..429bd237 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -16602,6 +16602,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ const char *data;
+ int algo;
+ int expected_rc;
++ int flags;
+ } datas[] =
+ {
+ { "(data\n (flags pkcs1)\n"
+@@ -16672,6 +16673,22 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ " (random-override #4253647587980912233445566778899019283747#))\n",
+ GCRY_PK_RSA,
+ 0 },
++ { "(data\n (flags pss)\n"
++ " (hash-algo sha256)\n"
++ " (value #11223344556677889900AABBCCDDEEFF#)\n"
++ " (salt-length 2:32)\n"
++ " (random-override #42536475879809122334455667788990192837465564738291"
++ "00122334455667#))\n",
++ GCRY_PK_RSA,
++ 0 },
++ { "(data\n (flags pss)\n"
++ " (hash-algo sha256)\n"
++ " (value #11223344556677889900AABBCCDDEEFF#)\n"
++ " (salt-length 2:33)\n"
++ " (random-override #42536475879809122334455667788990192837465564738291"
++ "0012233445566778#))\n",
++ GCRY_PK_RSA,
++ 0, FLAG_NOFIPS },
+ { NULL }
+ };
+ 
+@@ -16695,7 +16712,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ die ("converting data failed: %s\n", gpg_strerror (rc));
+ 
+ rc = gcry_pk_sign (&sig, hash, skey);
+- if (in_fips_mode && (flags & FLAG_NOFIPS))
++ if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & FLAG_NOFIPS))
+ {
+ if (!rc)
+ fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
+diff --git a/tests/t-rsa-pss.c b/tests/t-rsa-pss.c
+index c5f90116..82dd54b3 100644
+--- a/tests/t-rsa-pss.c
++++ b/tests/t-rsa-pss.c
+@@ -340,7 +340,7 @@ one_test_sexp (const char *n, const char *e, const char *d,
+ snprintf (p, 3, "%02x", out[i]);
+ if (strcmp (sig_string, s))
+ {
+- fail ("gcry_pkhash_sign failed: %s",
++ fail ("gcry_pk_hash_sign failed: %s",
+ "wrong value returned");
+ info (" expected: '%s'", s);
+ info (" got: 
'%s'", sig_string);
+-- 
+2.39.0
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index e9a6696..7c2eb66 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -48,6 +48,8 @@ Patch13: libgcrypt-1.10.0-fips-integrity.patch
 Patch14: libgcrypt-1.10.0-fips-integrity2.patch
 # 06ea5b5332ffdb44a0a394d766be8989bcb6a95c
 Patch15: libgcrypt-1.10.0-fips-x931.patch
+# bf1e62e59200b2046680d1d3d1599facc88cfe63
+Patch16: libgcrypt-1.10.0-fips-rsa-pss.patch
 
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -96,6 +98,7 @@ applications using libgcrypt.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 %build
 # This package has a configure test which uses ASMs, but does not link the
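Review bot: The new salt-length rejection in `_gcry_rsa_pss_verify` (the `@@ -950,6 +957,13 @@` hunk inside the patch) is not covered by the added tests: the `salt-length 2:33` case in `check_pubkey_sign` only drives `gcry_pk_sign`, and with `FLAG_NOFIPS` set the test expects that call to fail in FIPS mode, so as far as the hunk shows no signature with a 33-byte salt ever reaches the verify path under FIPS. A companion case that feeds a pre-computed PSS signature with `salt-length 2:33` to `gcry_pk_verify` and expects `GPG_ERR_INV_ARG` in FIPS mode would pin the verify-side check, which is the one that matters for accepting third-party signatures. Both new checks `goto leave` before `buf` is assigned, and the hunks do not show the declaration of `buf` or the `leave:` label, so this relies on `buf` being initialised to NULL before that point — worth confirming, since freeing an uninitialised pointer at `leave:` would crash. Minor style in the widened `check_pubkey_sign` condition: `if (in_fips_mode && ((flags & FLAG_NOFIPS) || (datas[dataidx].flags & FLAG_NOFIPS)))` makes the `&`/`||` precedence explicit. All enclosing functions start and end outside the quoted hunks.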