rpms/libgcrypt
7
0
Fork 0
Code Issues Pull Requests Releases Activity
cec0bff092
libgcrypt/libgcrypt-1.10.0-fips-selftest.patch
Jakub Jelen f42be9ce3d Address FIPS review comments around selftests 
Resolves: rhbz#2118695
2022-08-16 20:07:25 +02:00

924 lines
28 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From e62829a907a7179ec6b0d9f47258185860f0a6c0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 2 Aug 2022 20:53:31 +0200
Subject: [PATCH 1/6] Run digest&sign self tests for RSA and ECC in FIPS mode
* cipher/ecc.c (selftest_hash_sign): Implement digest & sign KAT
(selftests_ecdsa): Run the original basic test only with extended tests
(run_selftests): Pass-through the extended argument
* cipher/rsa.c (selftest_hash_sign_2048): Implement digest & sign KAT
(selftests_rsa): Run the original basic test only with extended tests
(run_selftests): Pass-through the extended argument
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++---
cipher/rsa.c | 108 +++++++++++++++++++++++++++++++++++++---
2 files changed, 234 insertions(+), 12 deletions(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 9f0e7b11..63b0d05e 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1678,6 +1678,126 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec)
Self-test section.
*/
+static const char *
+selftest_hash_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
+{
+ int md_algo = GCRY_MD_SHA256;
+ gcry_md_hd_t hd = NULL;
+ const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
+ /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
+ static const char sample_data[] = "sample";
+ static const char sample_data_bad[] = "sbmple";
+ static const char signature_r[] =
+ "efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716";
+ static const char signature_s[] =
+ "f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8";
+
+ const char *errtxt = NULL;
+ gcry_error_t err;
+ gcry_sexp_t sig = NULL;
+ gcry_sexp_t l1 = NULL;
+ gcry_sexp_t l2 = NULL;
+ gcry_mpi_t r = NULL;
+ gcry_mpi_t s = NULL;
+ gcry_mpi_t calculated_r = NULL;
+ gcry_mpi_t calculated_s = NULL;
+ int cmp;
+
+ err = _gcry_md_open (&hd, md_algo, 0);
+ if (err)
+ {
+ errtxt = "gcry_md_open failed";
+ goto leave;
+ }
+
+ _gcry_md_write (hd, sample_data, strlen(sample_data));
+
+ err = _gcry_mpi_scan (&r, GCRYMPI_FMT_HEX, signature_r, 0, NULL);
+ if (!err)
+ err = _gcry_mpi_scan (&s, GCRYMPI_FMT_HEX, signature_s, 0, NULL);
+
+ if (err)
+ {
+ errtxt = "converting data failed";
+ goto leave;
+ }
+
+ err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
+ if (err)
+ {
+ errtxt = "signing failed";
+ goto leave;
+ }
+
+ /* check against known signature */
+ errtxt = "signature validity failed";
+ l1 = _gcry_sexp_find_token (sig, "sig-val", 0);
+ if (!l1)
+ goto leave;
+ l2 = _gcry_sexp_find_token (l1, "ecdsa", 0);
+ if (!l2)
+ goto leave;
+
+ sexp_release (l1);
+ l1 = l2;
+
+ l2 = _gcry_sexp_find_token (l1, "r", 0);
+ if (!l2)
+ goto leave;
+ calculated_r = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
+ if (!calculated_r)
+ goto leave;
+
+ sexp_release (l2);
+ l2 = _gcry_sexp_find_token (l1, "s", 0);
+ if (!l2)
+ goto leave;
+ calculated_s = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
+ if (!calculated_s)
+ goto leave;
+
+ errtxt = "known sig check failed";
+
+ cmp = _gcry_mpi_cmp (r, calculated_r);
+ if (cmp)
+ goto leave;
+ cmp = _gcry_mpi_cmp (s, calculated_s);
+ if (cmp)
+ goto leave;
+
+ errtxt = NULL;
+
+ /* verify generated signature */
+ err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (err)
+ {
+ errtxt = "verify failed";
+ goto leave;
+ }
+
+ _gcry_md_reset(hd);
+ _gcry_md_write (hd, sample_data_bad, strlen(sample_data_bad));
+ err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
+ {
+ errtxt = "bad signature not detected";
+ goto leave;
+ }
+
+
+ leave:
+ _gcry_md_close (hd);
+ sexp_release (sig);
+ sexp_release (l1);
+ sexp_release (l2);
+ mpi_release (r);
+ mpi_release (s);
+ mpi_release (calculated_r);
+ mpi_release (calculated_s);
+ return errtxt;
+}
+
+
static const char *
selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
{
@@ -1798,7 +1918,7 @@ selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
static gpg_err_code_t
-selftests_ecdsa (selftest_report_func_t report)
+selftests_ecdsa (selftest_report_func_t report, int extended)
{
const char *what;
const char *errtxt;
@@ -1826,8 +1946,16 @@ selftests_ecdsa (selftest_report_func_t report)
goto failed;
}
- what = "sign";
- errtxt = selftest_sign (pkey, skey);
+ if (extended)
+ {
+ what = "sign";
+ errtxt = selftest_sign (pkey, skey);
+ if (errtxt)
+ goto failed;
+ }
+
+ what = "digest sign";
+ errtxt = selftest_hash_sign (pkey, skey);
if (errtxt)
goto failed;
@@ -1848,12 +1976,10 @@ selftests_ecdsa (selftest_report_func_t report)
static gpg_err_code_t
run_selftests (int algo, int extended, selftest_report_func_t report)
{
- (void)extended;
-
if (algo != GCRY_PK_ECC)
return GPG_ERR_PUBKEY_ALGO;
- return selftests_ecdsa (report);
+ return selftests_ecdsa (report, extended);
}
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 9f2b36e8..34c8e490 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1760,6 +1760,96 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam)
Self-test section.
*/
+static const char *
+selftest_hash_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
+{
+ int md_algo = GCRY_MD_SHA256;
+ gcry_md_hd_t hd = NULL;
+ const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
+ static const char sample_data[] =
+ "11223344556677889900aabbccddeeff"
+ "102030405060708090a0b0c0d0f01121";
+ static const char sample_data_bad[] =
+ "11223344556677889900aabbccddeeff"
+ "802030405060708090a0b0c0d0f01121";
+
+ const char *errtxt = NULL;
+ gcry_error_t err;
+ gcry_sexp_t sig = NULL;
+ /* raw signature data reference */
+ const char ref_data[] =
+ "518f41dea3ad884e93eefff8d7ca68a6f4c30d923632e35673651d675cebd652"
+ "a44ed66f6879b18f3d48b2d235b1dd78f6189be1440352cc94231a55c1f93109"
+ "84616b2841c42fe9a6e37be34cd188207209bd028e2fa93e721fbac40c31a068"
+ "1253b312d4e07addb9c7f3d508fa89f218ea7c7f7b9f6a9b1e522c19fa1cd839"
+ "93f9d4ca2f16c3d0b9abafe5e63e848152afc72ce7ee19ea45353116f85209ea"
+ "b9de42129dbccdac8faa461e8e8cc2ae801101cc6add4ba76ccb752030b0e827"
+ "7352b11cdecebae9cdc9a626c4701cd9c85cd287618888c5fae8b4d0ba48915d"
+ "e5cc64e3aee2ba2862d04348ea71f65454f74f9fd1e3108005cc367ca41585a4";
+ gcry_mpi_t ref_mpi = NULL;
+ gcry_mpi_t sig_mpi = NULL;
+
+ err = _gcry_md_open (&hd, md_algo, 0);
+ if (err)
+ {
+ errtxt = "gcry_md_open failed";
+ goto leave;
+ }
+
+ _gcry_md_write (hd, sample_data, sizeof(sample_data));
+
+ err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
+ if (err)
+ {
+ errtxt = "signing failed";
+ goto leave;
+ }
+
+ err = _gcry_mpi_scan(&ref_mpi, GCRYMPI_FMT_HEX, ref_data, 0, NULL);
+ if (err)
+ {
+ errtxt = "converting ref_data to mpi failed";
+ goto leave;
+ }
+
+ err = _gcry_sexp_extract_param(sig, "sig-val!rsa", "s", &sig_mpi, NULL);
+ if (err)
+ {
+ errtxt = "extracting signature data failed";
+ goto leave;
+ }
+
+ if (mpi_cmp (sig_mpi, ref_mpi))
+ {
+ errtxt = "signature does not match reference data";
+ goto leave;
+ }
+
+ err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (err)
+ {
+ errtxt = "verify failed";
+ goto leave;
+ }
+
+ _gcry_md_reset(hd);
+ _gcry_md_write (hd, sample_data_bad, sizeof(sample_data_bad));
+ err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
+ {
+ errtxt = "bad signature not detected";
+ goto leave;
+ }
+
+
+ leave:
+ sexp_release (sig);
+ _gcry_md_close (hd);
+ _gcry_mpi_release (ref_mpi);
+ _gcry_mpi_release (sig_mpi);
+ return errtxt;
+}
+
static const char *
selftest_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
{
@@ -1996,7 +2086,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
static gpg_err_code_t
-selftests_rsa (selftest_report_func_t report)
+selftests_rsa (selftest_report_func_t report, int extended)
{
const char *what;
const char *errtxt;
@@ -2024,8 +2114,16 @@ selftests_rsa (selftest_report_func_t report)
goto failed;
}
- what = "sign";
- errtxt = selftest_sign_2048 (pkey, skey);
+ if (extended)
+ {
+ what = "sign";
+ errtxt = selftest_sign_2048 (pkey, skey);
+ if (errtxt)
+ goto failed;
+ }
+
+ what = "digest sign";
+ errtxt = selftest_hash_sign_2048 (pkey, skey);
if (errtxt)
goto failed;
@@ -2053,12 +2151,10 @@ run_selftests (int algo, int extended, selftest_report_func_t report)
{
gpg_err_code_t ec;
- (void)extended;
-
switch (algo)
{
case GCRY_PK_RSA:
- ec = selftests_rsa (report);
+ ec = selftests_rsa (report, extended);
break;
default:
ec = GPG_ERR_PUBKEY_ALGO;
--
2.37.1
From b386e9862e7c3c0f6623fb1c43b0cf0481bbebc7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 8 Aug 2022 13:50:15 +0200
Subject: [PATCH 2/6] fips: Add function-name based FIPS indicator
* doc/gcrypt.texi: Document the new function-based fips indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/fips.c (_gcry_fips_indicator_function): New function indicating
non-approved functions.
* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
doc/gcrypt.texi | 7 +++++++
src/fips.c | 12 ++++++++++++
src/g10lib.h | 1 +
src/gcrypt.h.in | 3 ++-
src/global.c | 7 +++++++
5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index f2c1cc94..b608dba2 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -995,6 +995,13 @@ certification. If the KDF is approved, this function returns
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
is returned.
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
+
+Check if the given function is approved under the current FIPS 140-3
+certification. If the function is approved, this function returns
+@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+
@end table
@end deftypefun
diff --git a/src/fips.c b/src/fips.c
index a1958b14..9a524ea4 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -390,6 +390,18 @@ _gcry_fips_indicator_kdf (va_list arg_ptr)
}
}
+int
+_gcry_fips_indicator_function (va_list arg_ptr)
+{
+ const char *function = va_arg (arg_ptr, const char *);
+
+ if (strcmp (function, "gcry_sign") == 0 ||
+ strcmp (function, "gcry_verify") == 0)
+ return GPG_ERR_NOT_SUPPORTED;
+
+ return GPG_ERR_NO_ERROR;
+}
+
/* This is a test on whether the library is in the error or
operational state. */
diff --git a/src/g10lib.h b/src/g10lib.h
index 8ba0a5c2..eff6295f 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -468,6 +468,7 @@ void _gcry_fips_signal_error (const char *srcfile,
int _gcry_fips_indicator_cipher (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
+int _gcry_fips_indicator_function (va_list arg_ptr);
int _gcry_fips_is_operational (void);
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 299261db..d6a1d516 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -329,7 +329,8 @@ enum gcry_ctl_cmds
GCRYCTL_SET_DECRYPTION_TAG = 80,
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
- GCRYCTL_NO_FIPS_MODE = 83
+ GCRYCTL_NO_FIPS_MODE = 83,
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index 258ea4d1..debf6194 100644
--- a/src/global.c
+++ b/src/global.c
@@ -797,6 +797,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
rc = _gcry_fips_indicator_kdf (arg_ptr);
break;
+ case GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION:
+ /* Get FIPS Service Indicator for a given function from the API.
+ * Returns GPG_ERR_NO_ERROR if the function is allowed or
+ * GPG_ERR_NOT_SUPPORTED otherwise */
+ rc = _gcry_fips_indicator_function (arg_ptr);
+ break;
+
case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */
rc = GPG_ERR_NOT_SUPPORTED;
break;
--
2.37.1
From 756cdfaf30c2b12d2b2a931591089b1de22444f4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 8 Aug 2022 15:58:16 +0200
Subject: [PATCH 4/6] rsa: Run PCT in FIPS mode also with digest step
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/rsa.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 6e7be8e8..78c26f2f 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -177,6 +177,73 @@ test_keys (RSA_secret_key *sk, unsigned int nbits)
return result;
}
+static int
+test_keys_fips (RSA_secret_key *sk)
+{
+ int result = -1; /* Default to failure. */
+ char plaintext[128];
+ gcry_sexp_t sig = NULL;
+ gcry_sexp_t skey = NULL, pkey = NULL;
+ const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
+ gcry_md_hd_t hd = NULL;
+ int ec;
+
+ /* Put the relevant parameters into a public key structure. */
+ ec = sexp_build (&pkey, NULL,
+ "(key-data"
+ " (public-key"
+ " (rsa(n%m)(e%m))))",
+ sk->n, sk->e);
+ if (ec)
+ goto leave;
+
+ /* Put the relevant parameters into a secret key structure. */
+ ec = sexp_build (&skey, NULL,
+ "(key-data"
+ " (public-key"
+ " (rsa(n%m)(e%m)))"
+ " (private-key"
+ " (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
+ sk->n, sk->e,
+ sk->n, sk->e, sk->d, sk->p, sk->q, sk->u);
+ if (ec)
+ goto leave;
+
+ /* Create a random plaintext. */
+ _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
+
+ /* Open MD context and feed the random data in */
+ ec = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
+ if (ec)
+ goto leave;
+ _gcry_md_write (hd, plaintext, sizeof(plaintext));
+
+ /* Use the RSA secret function to create a signature of the plaintext. */
+ ec = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
+ if (ec)
+ goto leave;
+
+ /* Use the RSA public function to verify this signature. */
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (ec)
+ goto leave;
+
+ /* Modify the data and check that the signing fails. */
+ _gcry_md_reset(hd);
+ plaintext[sizeof plaintext / 2] ^= 1;
+ _gcry_md_write (hd, plaintext, sizeof(plaintext));
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (ec != GPG_ERR_BAD_SIGNATURE)
+ goto leave; /* Signature verification worked on modified data */
+
+ result = 0; /* All tests succeeded. */
+ leave:
+ sexp_release (sig);
+ _gcry_md_close (hd);
+ sexp_release (pkey);
+ sexp_release (skey);
+ return result;
+}
/* Callback used by the prime generation to test whether the exponent
is suitable. Returns 0 if the test has been passed. */
@@ -648,7 +715,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
sk->u = u;
/* Now we can test our keys. */
- if (ec || (!testparms && test_keys (sk, nbits - 64)))
+ if (ec || (!testparms && test_keys_fips (sk)))
{
_gcry_mpi_release (sk->n); sk->n = NULL;
_gcry_mpi_release (sk->e); sk->e = NULL;
--
2.37.1
From de7ad6375be11a0cef45c6e9aa8119c4ce7a3258 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 15 Aug 2022 19:55:33 +0200
Subject: [PATCH 5/6] ecc: Run PCT also with the digest step
* cipher/ecc.c (test_keys_fips): New function
(nist_generate_key): In FIPS mode, execute new PCT test
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 63b0d05e..783e249d 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -101,6 +101,7 @@ static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
+static void test_keys_fips (mpi_ec_t ec, gcry_mpi_t x, gcry_mpi_t y);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -255,6 +256,8 @@ nist_generate_key (mpi_ec_t ec, int flags,
; /* User requested to skip the test. */
else if (ec->model == MPI_EC_MONTGOMERY)
test_ecdh_only_keys (ec, ec->nbits - 63, flags);
+ else if (fips_mode ())
+ test_keys_fips (ec, x, y);
else
test_keys (ec, ec->nbits - 64);
@@ -304,6 +307,84 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
mpi_free (test);
}
+/* We should get here only with the NIST curves as they are the only ones
+ * having the fips bit set in ecc_domain_parms_t struct so this is slightly
+ * simpler than the whole ecc_generate function */
+static void
+test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
+{
+ gcry_md_hd_t hd = NULL;
+ const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
+ gcry_sexp_t skey = NULL, pkey = NULL;
+ gcry_sexp_t curve_info = NULL;
+ gcry_sexp_t sig = NULL;
+ gcry_mpi_t public = NULL;
+ char plaintext[128];
+ int rc;
+
+ /* Build keys structures */
+ if (ec->name)
+ {
+ rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
+ if (rc)
+ log_fatal ("ECDSA operation: failed to build curve_info\n");
+ }
+
+ public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
+ rc = sexp_build (&pkey, NULL,
+ "(key-data"
+ " (public-key"
+ " (ecc%S(q%m)))"
+ " )",
+ curve_info,
+ public);
+ if (rc)
+ log_fatal ("ECDSA operation: failed to build public key: %s\n", gpg_strerror (rc));
+ rc = sexp_build (&skey, NULL,
+ "(key-data"
+ " (private-key"
+ " (ecc%S(q%m)(d%m)))"
+ " )",
+ curve_info,
+ public, ec->d);
+ if (rc)
+ log_fatal ("ECDSA operation: failed to build private key: %s\n", gpg_strerror (rc));
+
+ /* Create a random plaintext. */
+ _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
+
+ /* Open MD context and feed the random data in */
+ rc = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
+ if (rc)
+ log_fatal ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
+ _gcry_md_write (hd, plaintext, sizeof(plaintext));
+
+ /* Sign the data */
+ rc = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
+ if (rc)
+ log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+
+ /* Verify this signature. */
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (rc)
+ log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+
+ /* Modify the data and check that the signing fails. */
+ _gcry_md_reset(hd);
+ plaintext[sizeof plaintext / 2] ^= 1;
+ _gcry_md_write (hd, plaintext, sizeof(plaintext));
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ if (rc != GPG_ERR_BAD_SIGNATURE)
+ log_fatal ("ECDSA operation: signature verification worked on modified data\n");
+
+ mpi_free (public);
+ sexp_release (curve_info);
+ _gcry_md_close (hd);
+ sexp_release (pkey);
+ sexp_release (skey);
+ sexp_release (sig);
+}
+
static void
test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags)
--
2.37.1
From 2cca95e488d58ae79975dd867e7782504b155212 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 16 Aug 2022 10:27:46 +0200
Subject: [PATCH 6/6] Simplify the PCT for RSA and ECDSA
Could be squashed.
* cipher/ecc.c (test_keys_fips): Simplify to accept key in SEXP format
(nist_generate_key): Skip call to test keys
(ecc_generate): Call test keys in FIPS mode later, when we have
complete SEXP key structure.
* cipher/rsa.c (test_keys_fips): Simplify to accept key in SEXP format
(generate_fips): Skip selftest at this stage
(rsa_generate): Test the keys later when we already have key in SEXP
format
---
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
cipher/ecc.c | 50 ++++++++------------------------------------------
cipher/rsa.c | 47 ++++++++++++-----------------------------------
2 files changed, 20 insertions(+), 77 deletions(-)
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 783e249d..1e80200e 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -101,7 +101,7 @@ static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
-static void test_keys_fips (mpi_ec_t ec, gcry_mpi_t x, gcry_mpi_t y);
+static void test_keys_fips (gcry_sexp_t skey);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -256,9 +256,7 @@ nist_generate_key (mpi_ec_t ec, int flags,
; /* User requested to skip the test. */
else if (ec->model == MPI_EC_MONTGOMERY)
test_ecdh_only_keys (ec, ec->nbits - 63, flags);
- else if (fips_mode ())
- test_keys_fips (ec, x, y);
- else
+ else if (!fips_mode ())
test_keys (ec, ec->nbits - 64);
return 0;
@@ -311,45 +309,14 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
* having the fips bit set in ecc_domain_parms_t struct so this is slightly
* simpler than the whole ecc_generate function */
static void
-test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
+test_keys_fips (gcry_sexp_t skey)
{
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
- gcry_sexp_t skey = NULL, pkey = NULL;
- gcry_sexp_t curve_info = NULL;
gcry_sexp_t sig = NULL;
- gcry_mpi_t public = NULL;
char plaintext[128];
int rc;
- /* Build keys structures */
- if (ec->name)
- {
- rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
- if (rc)
- log_fatal ("ECDSA operation: failed to build curve_info\n");
- }
-
- public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
- rc = sexp_build (&pkey, NULL,
- "(key-data"
- " (public-key"
- " (ecc%S(q%m)))"
- " )",
- curve_info,
- public);
- if (rc)
- log_fatal ("ECDSA operation: failed to build public key: %s\n", gpg_strerror (rc));
- rc = sexp_build (&skey, NULL,
- "(key-data"
- " (private-key"
- " (ecc%S(q%m)(d%m)))"
- " )",
- curve_info,
- public, ec->d);
- if (rc)
- log_fatal ("ECDSA operation: failed to build private key: %s\n", gpg_strerror (rc));
-
/* Create a random plaintext. */
_gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
@@ -365,7 +332,7 @@ test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
/* Verify this signature. */
- rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc)
log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
@@ -373,15 +340,11 @@ test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
_gcry_md_reset(hd);
plaintext[sizeof plaintext / 2] ^= 1;
_gcry_md_write (hd, plaintext, sizeof(plaintext));
- rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc != GPG_ERR_BAD_SIGNATURE)
log_fatal ("ECDSA operation: signature verification worked on modified data\n");
- mpi_free (public);
- sexp_release (curve_info);
_gcry_md_close (hd);
- sexp_release (pkey);
- sexp_release (skey);
sexp_release (sig);
}
@@ -714,6 +677,9 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
+ if (!(flags & PUBKEY_FLAG_NO_KEYTEST) && fips_mode ())
+ test_keys_fips (*r_skey);
+
leave:
mpi_free (public);
mpi_free (base);
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 78c26f2f..9d14a474 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -178,37 +178,15 @@ test_keys (RSA_secret_key *sk, unsigned int nbits)
}
static int
-test_keys_fips (RSA_secret_key *sk)
+test_keys_fips (gcry_sexp_t skey)
{
int result = -1; /* Default to failure. */
char plaintext[128];
gcry_sexp_t sig = NULL;
- gcry_sexp_t skey = NULL, pkey = NULL;
const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
gcry_md_hd_t hd = NULL;
int ec;
- /* Put the relevant parameters into a public key structure. */
- ec = sexp_build (&pkey, NULL,
- "(key-data"
- " (public-key"
- " (rsa(n%m)(e%m))))",
- sk->n, sk->e);
- if (ec)
- goto leave;
-
- /* Put the relevant parameters into a secret key structure. */
- ec = sexp_build (&skey, NULL,
- "(key-data"
- " (public-key"
- " (rsa(n%m)(e%m)))"
- " (private-key"
- " (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
- sk->n, sk->e,
- sk->n, sk->e, sk->d, sk->p, sk->q, sk->u);
- if (ec)
- goto leave;
-
/* Create a random plaintext. */
_gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
@@ -224,7 +202,7 @@ test_keys_fips (RSA_secret_key *sk)
goto leave;
/* Use the RSA public function to verify this signature. */
- ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (ec)
goto leave;
@@ -232,7 +210,7 @@ test_keys_fips (RSA_secret_key *sk)
_gcry_md_reset(hd);
plaintext[sizeof plaintext / 2] ^= 1;
_gcry_md_write (hd, plaintext, sizeof(plaintext));
- ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (ec != GPG_ERR_BAD_SIGNATURE)
goto leave; /* Signature verification worked on modified data */
@@ -240,8 +218,6 @@ test_keys_fips (RSA_secret_key *sk)
leave:
sexp_release (sig);
_gcry_md_close (hd);
- sexp_release (pkey);
- sexp_release (skey);
return result;
}
@@ -714,8 +690,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
sk->d = d;
sk->u = u;
- /* Now we can test our keys. */
- if (ec || (!testparms && test_keys_fips (sk)))
+ if (ec)
{
_gcry_mpi_release (sk->n); sk->n = NULL;
_gcry_mpi_release (sk->e); sk->e = NULL;
@@ -723,11 +698,6 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
_gcry_mpi_release (sk->q); sk->q = NULL;
_gcry_mpi_release (sk->d); sk->d = NULL;
_gcry_mpi_release (sk->u); sk->u = NULL;
- if (!ec)
- {
- fips_signal_error ("self-test after key generation failed");
- return GPG_ERR_SELFTEST_FAILED;
- }
}
return ec;
@@ -1306,7 +1276,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
/**/ : NULL);
/* Generate. */
- if (deriveparms || fips_mode())
+ if (deriveparms || fips_mode ())
{
ec = generate_fips (&sk, nbits, evalue, deriveparms,
!!(flags & PUBKEY_FLAG_TRANSIENT_KEY));
@@ -1341,6 +1311,13 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
mpi_free (sk.u);
sexp_release (swap_info);
+ if (!ec && fips_mode () && test_keys_fips (*r_skey))
+ {
+ sexp_release (*r_skey); *r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+ return GPG_ERR_SELFTEST_FAILED;
+ }
+
return ec;
}
--
2.37.1
Reference in New Issue View Git Blame Copy Permalink