libgcrypt/libgcrypt-PCT-RSA.patch

Index: libgcrypt-1.8.2/cipher/rsa.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/rsa.c
+++ libgcrypt-1.8.2/cipher/rsa.c
@@ -159,27 +159,93 @@ test_keys (RSA_secret_key *sk, unsigned
   /* Create another random plaintext as data for signature checking.  */
   _gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
 
-  /* Use the RSA secret function to create a signature of the plaintext.  */
-  secret (signature, plaintext, sk);
+  /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,
+   * which requires full signature operation for PCT (hashing +
+   * asymmetric operation */
+  gcry_sexp_t s_skey = NULL;
+  gcry_sexp_t s_pkey = NULL;
+  gcry_sexp_t r_sig = NULL;
+  gcry_sexp_t s_hash = NULL;
+  gcry_md_hd_t hd = NULL;
+  gcry_mpi_t r_sig_mpi = NULL;
+  unsigned char *buf = NULL;
+  size_t buflen;
 
-  /* Use the RSA public function to verify this signature.  */
-  public (decr_plaintext, signature, &pk);
-  if (mpi_cmp (decr_plaintext, plaintext))
-    goto leave; /* Signature does not match.  */
-
-  /* Modify the signature and check that the signing fails.  */
-  mpi_add_ui (signature, signature, 1);
-  public (decr_plaintext, signature, &pk);
-  if (!mpi_cmp (decr_plaintext, plaintext))
-    goto leave; /* Signature matches but should not.  */
+  if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
+    {
+      log_debug ("gcry_pk_sign failed\n");
+      goto leave_hash;
+    }
+
+  _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);
+  _gcry_md_write (hd, buf, buflen);
+
+  xfree (buf);
+
+  /* build RSA private key sexp in s_skey */
+  sexp_build (&s_skey, NULL,
+              "(private-key (rsa(n %m)(e %m)(d %m)(p %m)(q %m)))",
+              sk->n, sk->e, sk->d, sk->p, sk->q);
+  sexp_build (&s_hash, NULL,
+              "(data (flags pkcs1)(hash-algo sha256))");
+
+  if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey))
+    {
+      log_debug ("gcry_pk_sign failed\n");
+      goto leave_hash;
+    }
+
+  /* Check that the signature and the original plaintext differ. */
+  if (_gcry_sexp_extract_param (r_sig, "sig-val!rsa", "s", &r_sig_mpi, NULL))
+    {
+      log_debug ("extracting signature data failed\n");
+      goto leave_hash;
+    }
+
+  if (!mpi_cmp (r_sig_mpi, plaintext))
+    {
+      log_debug ("Signature failed\n");
+      goto leave_hash; /* Signature and plaintext match but should not. */
+    }
+
+  _gcry_sexp_release (s_hash);
+  _gcry_md_close (hd);
+
+  /* build RSA public key sexp in s_pkey */
+  sexp_build (&s_pkey, NULL, "(public-key (rsa(n %m)(e %m)))", pk.n, pk.e);
+  sexp_build (&s_hash, NULL, "(data (flags pkcs1)(hash-algo sha256))");
+
+  if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
+    log_debug ("gcry_md_open failed\n");
+
+  _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);
+  _gcry_md_write (hd, buf, buflen);
+
+  xfree (buf);
+
+  /* verify the signature */
+  if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))
+    {
+      log_debug ("gcry_pk_verify failed\n");
+      goto leave_hash; /* Signature does not match. */
+    }
 
   result = 0; /* All tests succeeded.  */
 
+ leave_hash:
+  _gcry_sexp_release (s_skey);
+  _gcry_sexp_release (s_pkey);
+  _gcry_sexp_release (s_hash);
+  _gcry_sexp_release (r_sig);
+  _gcry_md_close (hd);
+  _gcry_mpi_release (r_sig_mpi);
+
  leave:
   _gcry_mpi_release (signature);
   _gcry_mpi_release (decr_plaintext);
   _gcry_mpi_release (ciphertext);
   _gcry_mpi_release (plaintext);
+
   return result;
 }
 
@@ -1903,7 +1969,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc
   /* This sexp trickery is to prevent the use of blinding.
    * The flag doesn't get inherited by encr, so we have to
    * derive a new sexp from the ciphertext */
-  char buf[1024];
+  unsigned char buf[1024];
   memset(buf, 0, sizeof(buf));
   err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext);
   if (err)
Accepting request 805624 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - FIPS: libgcrypt: Double free in test_keys() on failed signature verification [bsc#1169944] * Use safer gcry_mpi_release() instead of mpi_free() - Update patches: * libgcrypt-PCT-DSA.patch * libgcrypt-PCT-RSA.patch * libgcrypt-PCT-ECC.patch - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) * add libgcrypt-fips_selftest_trigger_file.patch * refresh libgcrypt-global_init-constructor.patch - Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted by libgcrypt-global_init-constructor.patch - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC: [bsc#1165539] - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Refreshed patches: * libgcrypt-PCT-DSA.patch * libgcrypt-PCT-RSA.patch * libgcrypt-PCT-ECC.patch - FIPS: Switch the PCT to use the new signature operation [bsc#1165539] * Patches for DSA, RSA and ECDSA test_keys functions: - libgcrypt-PCT-DSA.patch - libgcrypt-PCT-RSA.patch - libgcrypt-PCT-ECC.patch - Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch OBS-URL: https://build.opensuse.org/request/show/805624 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=134 2020-05-14 17:39:34 +02:00			`Index: libgcrypt-1.8.2/cipher/rsa.c`
			`===================================================================`
			`--- libgcrypt-1.8.2.orig/cipher/rsa.c`
			`+++ libgcrypt-1.8.2/cipher/rsa.c`
			`@@ -159,27 +159,93 @@ test_keys (RSA_secret_key *sk, unsigned`
			`/* Create another random plaintext as data for signature checking. */`
			`_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);`

			`- /* Use the RSA secret function to create a signature of the plaintext. */`
			`- secret (signature, plaintext, sk);`
			`+ /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,`
			`+ * which requires full signature operation for PCT (hashing +`
			`+ * asymmetric operation */`
			`+ gcry_sexp_t s_skey = NULL;`
			`+ gcry_sexp_t s_pkey = NULL;`
			`+ gcry_sexp_t r_sig = NULL;`
			`+ gcry_sexp_t s_hash = NULL;`
			`+ gcry_md_hd_t hd = NULL;`
			`+ gcry_mpi_t r_sig_mpi = NULL;`
			`+ unsigned char *buf = NULL;`
			`+ size_t buflen;`

			`- /* Use the RSA public function to verify this signature. */`
			`- public (decr_plaintext, signature, &pk);`
			`- if (mpi_cmp (decr_plaintext, plaintext))`
			`- goto leave; /* Signature does not match. */`
			`-`
			`- /* Modify the signature and check that the signing fails. */`
			`- mpi_add_ui (signature, signature, 1);`
			`- public (decr_plaintext, signature, &pk);`
			`- if (!mpi_cmp (decr_plaintext, plaintext))`
			`- goto leave; /* Signature matches but should not. */`
			`+ if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))`
			`+ {`
			`+ log_debug ("gcry_pk_sign failed\n");`
			`+ goto leave_hash;`
			`+ }`
			`+`
			`+ _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);`
			`+ _gcry_md_write (hd, buf, buflen);`
			`+`
			`+ xfree (buf);`
			`+`
			`+ /* build RSA private key sexp in s_skey */`
			`+ sexp_build (&s_skey, NULL,`
			`+ "(private-key (rsa(n %m)(e %m)(d %m)(p %m)(q %m)))",`
			`+ sk->n, sk->e, sk->d, sk->p, sk->q);`
			`+ sexp_build (&s_hash, NULL,`
			`+ "(data (flags pkcs1)(hash-algo sha256))");`
			`+`
			`+ if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey))`
			`+ {`
			`+ log_debug ("gcry_pk_sign failed\n");`
			`+ goto leave_hash;`
			`+ }`
			`+`
			`+ /* Check that the signature and the original plaintext differ. */`
			`+ if (_gcry_sexp_extract_param (r_sig, "sig-val!rsa", "s", &r_sig_mpi, NULL))`
			`+ {`
			`+ log_debug ("extracting signature data failed\n");`
			`+ goto leave_hash;`
			`+ }`
			`+`
			`+ if (!mpi_cmp (r_sig_mpi, plaintext))`
			`+ {`
			`+ log_debug ("Signature failed\n");`
			`+ goto leave_hash; /* Signature and plaintext match but should not. */`
			`+ }`
			`+`
			`+ _gcry_sexp_release (s_hash);`
			`+ _gcry_md_close (hd);`
			`+`
			`+ /* build RSA public key sexp in s_pkey */`
			`+ sexp_build (&s_pkey, NULL, "(public-key (rsa(n %m)(e %m)))", pk.n, pk.e);`
			`+ sexp_build (&s_hash, NULL, "(data (flags pkcs1)(hash-algo sha256))");`
			`+`
			`+ if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))`
			`+ log_debug ("gcry_md_open failed\n");`
			`+`
			`+ _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);`
			`+ _gcry_md_write (hd, buf, buflen);`
			`+`
			`+ xfree (buf);`
			`+`
			`+ /* verify the signature */`
			`+ if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))`
			`+ {`
			`+ log_debug ("gcry_pk_verify failed\n");`
			`+ goto leave_hash; /* Signature does not match. */`
			`+ }`

			`result = 0; /* All tests succeeded. */`

			`+ leave_hash:`
			`+ _gcry_sexp_release (s_skey);`
			`+ _gcry_sexp_release (s_pkey);`
			`+ _gcry_sexp_release (s_hash);`
			`+ _gcry_sexp_release (r_sig);`
			`+ _gcry_md_close (hd);`
			`+ _gcry_mpi_release (r_sig_mpi);`
			`+`
			`leave:`
			`_gcry_mpi_release (signature);`
			`_gcry_mpi_release (decr_plaintext);`
			`_gcry_mpi_release (ciphertext);`
			`_gcry_mpi_release (plaintext);`
			`+`
			`return result;`
			`}`

			`@@ -1903,7 +1969,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc`
			`/* This sexp trickery is to prevent the use of blinding.`
			`* The flag doesn't get inherited by encr, so we have to`
			`* derive a new sexp from the ciphertext */`
			`- char buf[1024];`
			`+ unsigned char buf[1024];`
			`memset(buf, 0, sizeof(buf));`
			`err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext);`
			`if (err)`