forked from pool/libgcrypt
9a7cde5372
- FIPS: libgcrypt: Double free in test_keys() on failed signature
verification [bsc#1169944]
* Use safer gcry_mpi_release() instead of mpi_free()
- Update patches:
* libgcrypt-PCT-DSA.patch
* libgcrypt-PCT-RSA.patch
* libgcrypt-PCT-ECC.patch
- Ship the FIPS checksum file in the shared library package and
create a separate trigger file for the FIPS selftests (bsc#1169569)
* add libgcrypt-fips_selftest_trigger_file.patch
* refresh libgcrypt-global_init-constructor.patch
- Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted
by libgcrypt-global_init-constructor.patch
- FIPS: Verify that the generated signature and the original input
differ in test_keys function for RSA, DSA and ECC: [bsc#1165539]
- Add zero-padding when qx and qy have different lengths when
assembling the Q point from affine coordinates.
- Refreshed patches:
* libgcrypt-PCT-DSA.patch
* libgcrypt-PCT-RSA.patch
* libgcrypt-PCT-ECC.patch
- FIPS: Switch the PCT to use the new signature operation [bsc#1165539]
* Patches for DSA, RSA and ECDSA test_keys functions:
- libgcrypt-PCT-DSA.patch
- libgcrypt-PCT-RSA.patch
- libgcrypt-PCT-ECC.patch
- Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch
OBS-URL: https://build.opensuse.org/request/show/805624
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=134
120 lines
3.8 KiB
Diff
120 lines
3.8 KiB
Diff
Index: libgcrypt-1.8.2/cipher/rsa.c
|
|
===================================================================
|
|
--- libgcrypt-1.8.2.orig/cipher/rsa.c
|
|
+++ libgcrypt-1.8.2/cipher/rsa.c
|
|
@@ -159,27 +159,93 @@ test_keys (RSA_secret_key *sk, unsigned
|
|
/* Create another random plaintext as data for signature checking. */
|
|
_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
|
|
|
|
- /* Use the RSA secret function to create a signature of the plaintext. */
|
|
- secret (signature, plaintext, sk);
|
|
+ /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,
|
|
+ * which requires full signature operation for PCT (hashing +
|
|
+ * asymmetric operation */
|
|
+ gcry_sexp_t s_skey = NULL;
|
|
+ gcry_sexp_t s_pkey = NULL;
|
|
+ gcry_sexp_t r_sig = NULL;
|
|
+ gcry_sexp_t s_hash = NULL;
|
|
+ gcry_md_hd_t hd = NULL;
|
|
+ gcry_mpi_t r_sig_mpi = NULL;
|
|
+ unsigned char *buf = NULL;
|
|
+ size_t buflen;
|
|
|
|
- /* Use the RSA public function to verify this signature. */
|
|
- public (decr_plaintext, signature, &pk);
|
|
- if (mpi_cmp (decr_plaintext, plaintext))
|
|
- goto leave; /* Signature does not match. */
|
|
-
|
|
- /* Modify the signature and check that the signing fails. */
|
|
- mpi_add_ui (signature, signature, 1);
|
|
- public (decr_plaintext, signature, &pk);
|
|
- if (!mpi_cmp (decr_plaintext, plaintext))
|
|
- goto leave; /* Signature matches but should not. */
|
|
+ if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
|
|
+ {
|
|
+ log_debug ("gcry_pk_sign failed\n");
|
|
+ goto leave_hash;
|
|
+ }
|
|
+
|
|
+ _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);
|
|
+ _gcry_md_write (hd, buf, buflen);
|
|
+
|
|
+ xfree (buf);
|
|
+
|
|
+ /* build RSA private key sexp in s_skey */
|
|
+ sexp_build (&s_skey, NULL,
|
|
+ "(private-key (rsa(n %m)(e %m)(d %m)(p %m)(q %m)))",
|
|
+ sk->n, sk->e, sk->d, sk->p, sk->q);
|
|
+ sexp_build (&s_hash, NULL,
|
|
+ "(data (flags pkcs1)(hash-algo sha256))");
|
|
+
|
|
+ if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey))
|
|
+ {
|
|
+ log_debug ("gcry_pk_sign failed\n");
|
|
+ goto leave_hash;
|
|
+ }
|
|
+
|
|
+ /* Check that the signature and the original plaintext differ. */
|
|
+ if (_gcry_sexp_extract_param (r_sig, "sig-val!rsa", "s", &r_sig_mpi, NULL))
|
|
+ {
|
|
+ log_debug ("extracting signature data failed\n");
|
|
+ goto leave_hash;
|
|
+ }
|
|
+
|
|
+ if (!mpi_cmp (r_sig_mpi, plaintext))
|
|
+ {
|
|
+ log_debug ("Signature failed\n");
|
|
+ goto leave_hash; /* Signature and plaintext match but should not. */
|
|
+ }
|
|
+
|
|
+ _gcry_sexp_release (s_hash);
|
|
+ _gcry_md_close (hd);
|
|
+
|
|
+ /* build RSA public key sexp in s_pkey */
|
|
+ sexp_build (&s_pkey, NULL, "(public-key (rsa(n %m)(e %m)))", pk.n, pk.e);
|
|
+ sexp_build (&s_hash, NULL, "(data (flags pkcs1)(hash-algo sha256))");
|
|
+
|
|
+ if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
|
|
+ log_debug ("gcry_md_open failed\n");
|
|
+
|
|
+ _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext);
|
|
+ _gcry_md_write (hd, buf, buflen);
|
|
+
|
|
+ xfree (buf);
|
|
+
|
|
+ /* verify the signature */
|
|
+ if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))
|
|
+ {
|
|
+ log_debug ("gcry_pk_verify failed\n");
|
|
+ goto leave_hash; /* Signature does not match. */
|
|
+ }
|
|
|
|
result = 0; /* All tests succeeded. */
|
|
|
|
+ leave_hash:
|
|
+ _gcry_sexp_release (s_skey);
|
|
+ _gcry_sexp_release (s_pkey);
|
|
+ _gcry_sexp_release (s_hash);
|
|
+ _gcry_sexp_release (r_sig);
|
|
+ _gcry_md_close (hd);
|
|
+ _gcry_mpi_release (r_sig_mpi);
|
|
+
|
|
leave:
|
|
_gcry_mpi_release (signature);
|
|
_gcry_mpi_release (decr_plaintext);
|
|
_gcry_mpi_release (ciphertext);
|
|
_gcry_mpi_release (plaintext);
|
|
+
|
|
return result;
|
|
}
|
|
|
|
@@ -1903,7 +1969,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc
|
|
/* This sexp trickery is to prevent the use of blinding.
|
|
* The flag doesn't get inherited by encr, so we have to
|
|
* derive a new sexp from the ciphertext */
|
|
- char buf[1024];
|
|
+ unsigned char buf[1024];
|
|
memset(buf, 0, sizeof(buf));
|
|
err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext);
|
|
if (err)
|