110 lines
3.8 KiB
Diff
110 lines
3.8 KiB
Diff
From bf1e62e59200b2046680d1d3d1599facc88cfe63 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Tue, 29 Nov 2022 14:04:59 +0100
|
|
Subject: [PATCH] rsa: Prevent usage of long salt in FIPS mode
|
|
|
|
* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
|
|
salt lengths
|
|
(_gcry_rsa_pss_verify): Ditto.
|
|
* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
|
|
FIPS mode
|
|
* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message
|
|
---
|
|
cipher/rsa-common.c | 14 ++++++++++++++
|
|
tests/basic.c | 19 ++++++++++++++++++-
|
|
tests/t-rsa-pss.c | 2 +-
|
|
3 files changed, 33 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c
|
|
index 233ddb2d..61cd60a4 100644
|
|
--- a/cipher/rsa-common.c
|
|
+++ b/cipher/rsa-common.c
|
|
@@ -809,6 +809,13 @@ _gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
|
|
hlen = _gcry_md_get_algo_dlen (algo);
|
|
gcry_assert (hlen); /* We expect a valid ALGO here. */
|
|
|
|
+ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
|
|
+ if (fips_mode () && saltlen > hlen)
|
|
+ {
|
|
+ rc = GPG_ERR_INV_ARG;
|
|
+ goto leave;
|
|
+ }
|
|
+
|
|
/* Allocate a help buffer and setup some pointers. */
|
|
buflen = 8 + hlen + saltlen + (emlen - hlen - 1);
|
|
buf = xtrymalloc (buflen);
|
|
@@ -950,6 +957,13 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, int hashed_already,
|
|
hlen = _gcry_md_get_algo_dlen (algo);
|
|
gcry_assert (hlen); /* We expect a valid ALGO here. */
|
|
|
|
+ /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */
|
|
+ if (fips_mode () && saltlen > hlen)
|
|
+ {
|
|
+ rc = GPG_ERR_INV_ARG;
|
|
+ goto leave;
|
|
+ }
|
|
+
|
|
/* Allocate a help buffer and setup some pointers.
|
|
This buffer is used for two purposes:
|
|
+------------------------------+-------+
|
|
diff --git a/tests/basic.c b/tests/basic.c
|
|
index 77e2fd93..429bd237 100644
|
|
--- a/tests/basic.c
|
|
+++ b/tests/basic.c
|
|
@@ -16602,6 +16602,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
|
|
const char *data;
|
|
int algo;
|
|
int expected_rc;
|
|
+ int flags;
|
|
} datas[] =
|
|
{
|
|
{ "(data\n (flags pkcs1)\n"
|
|
@@ -16672,6 +16673,22 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
|
|
" (random-override #4253647587980912233445566778899019283747#))\n",
|
|
GCRY_PK_RSA,
|
|
0 },
|
|
+ { "(data\n (flags pss)\n"
|
|
+ " (hash-algo sha256)\n"
|
|
+ " (value #11223344556677889900AABBCCDDEEFF#)\n"
|
|
+ " (salt-length 2:32)\n"
|
|
+ " (random-override #42536475879809122334455667788990192837465564738291"
|
|
+ "00122334455667#))\n",
|
|
+ GCRY_PK_RSA,
|
|
+ 0 },
|
|
+ { "(data\n (flags pss)\n"
|
|
+ " (hash-algo sha256)\n"
|
|
+ " (value #11223344556677889900AABBCCDDEEFF#)\n"
|
|
+ " (salt-length 2:33)\n"
|
|
+ " (random-override #42536475879809122334455667788990192837465564738291"
|
|
+ "0012233445566778#))\n",
|
|
+ GCRY_PK_RSA,
|
|
+ 0, FLAG_NOFIPS },
|
|
{ NULL }
|
|
};
|
|
|
|
@@ -16695,7 +16712,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
|
|
die ("converting data failed: %s\n", gpg_strerror (rc));
|
|
|
|
rc = gcry_pk_sign (&sig, hash, skey);
|
|
- if (in_fips_mode && (flags & FLAG_NOFIPS))
|
|
+ if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & FLAG_NOFIPS))
|
|
{
|
|
if (!rc)
|
|
fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");
|
|
diff --git a/tests/t-rsa-pss.c b/tests/t-rsa-pss.c
|
|
index c5f90116..82dd54b3 100644
|
|
--- a/tests/t-rsa-pss.c
|
|
+++ b/tests/t-rsa-pss.c
|
|
@@ -340,7 +340,7 @@ one_test_sexp (const char *n, const char *e, const char *d,
|
|
snprintf (p, 3, "%02x", out[i]);
|
|
if (strcmp (sig_string, s))
|
|
{
|
|
- fail ("gcry_pkhash_sign failed: %s",
|
|
+ fail ("gcry_pk_hash_sign failed: %s",
|
|
"wrong value returned");
|
|
info (" expected: '%s'", s);
|
|
info (" got: '%s'", sig_string);
|
|
--
|
|
2.39.0
|
|
|