|
 |
8dd812 |
From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Fri, 16 Aug 2019 17:01:05 +0200
|
|
|
8dd812 |
Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
|
|
|
8dd812 |
|
|
|
8dd812 |
Nettle's RSA signing, encryption and decryption functions still
|
|
|
8dd812 |
require randomness for blinding, so fallback to use a fixed buffer in
|
|
|
8dd812 |
selftests where entropy might not be available.
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----
|
|
|
8dd812 |
1 file changed, 33 insertions(+), 4 deletions(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
|
8dd812 |
index b2d27cf74..772fcdc21 100644
|
|
|
8dd812 |
--- a/lib/nettle/pk.c
|
|
|
8dd812 |
+++ b/lib/nettle/pk.c
|
|
|
8dd812 |
@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
|
|
|
8dd812 |
nettle_mpz_get_str_256 (length, data, *k);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
|
|
|
8dd812 |
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ memset(data, 0xAA, length);
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
+
|
|
|
8dd812 |
static void
|
|
|
8dd812 |
ecc_scalar_zclear (struct ecc_scalar *s)
|
|
|
8dd812 |
{
|
|
|
8dd812 |
@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
case GNUTLS_PK_RSA:
|
|
|
8dd812 |
{
|
|
|
8dd812 |
struct rsa_public_key pub;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
|
|
|
8dd812 |
ret = _rsa_params_to_pubkey(pk_params, &pub;;
|
|
|
8dd812 |
if (ret < 0) {
|
|
|
8dd812 |
@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
goto cleanup;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
|
|
|
8dd812 |
+ random_func = rnd_nonce_func_fallback;
|
|
|
8dd812 |
+ else
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
ret =
|
|
|
8dd812 |
- rsa_encrypt(&pub, NULL, rnd_nonce_func,
|
|
|
8dd812 |
+ rsa_encrypt(&pub, NULL, random_func,
|
|
|
8dd812 |
plaintext->size, plaintext->data,
|
|
|
8dd812 |
p);
|
|
|
8dd812 |
if (ret == 0 || HAVE_LIB_ERROR()) {
|
|
|
8dd812 |
@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
struct rsa_public_key pub;
|
|
|
8dd812 |
size_t length;
|
|
|
8dd812 |
bigint_t c;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
|
|
|
8dd812 |
_rsa_params_to_privkey(pk_params, &priv;;
|
|
|
8dd812 |
ret = _rsa_params_to_pubkey(pk_params, &pub;;
|
|
|
8dd812 |
@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
goto cleanup;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
|
|
|
8dd812 |
+ random_func = rnd_nonce_func_fallback;
|
|
|
8dd812 |
+ else
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
ret =
|
|
|
8dd812 |
- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
|
|
|
8dd812 |
+ rsa_decrypt_tr(&pub, &priv, NULL, random_func,
|
|
|
8dd812 |
&length, plaintext->data,
|
|
|
8dd812 |
TOMPZ(c));
|
|
|
8dd812 |
_gnutls_mpi_release(&c);
|
|
|
8dd812 |
@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
bigint_t c;
|
|
|
8dd812 |
uint32_t is_err;
|
|
|
8dd812 |
int ret;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
|
|
|
8dd812 |
if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
|
|
|
8dd812 |
gnutls_assert();
|
|
|
8dd812 |
@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
|
|
|
8dd812 |
+ random_func = rnd_nonce_func_fallback;
|
|
|
8dd812 |
+ else
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
|
|
|
8dd812 |
plaintext_size, plaintext, TOMPZ(c));
|
|
|
8dd812 |
/* after this point, any conditional on failure that cause differences
|
|
|
8dd812 |
* in execution may create a timing or cache access pattern side
|
|
|
8dd812 |
@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
{
|
|
|
8dd812 |
struct rsa_private_key priv;
|
|
|
8dd812 |
struct rsa_public_key pub;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
mpz_t s;
|
|
|
8dd812 |
|
|
|
8dd812 |
_rsa_params_to_privkey(pk_params, &priv;;
|
|
|
8dd812 |
@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
|
|
|
8dd812 |
mpz_init(s);
|
|
|
8dd812 |
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
|
|
|
8dd812 |
+ random_func = rnd_nonce_func_fallback;
|
|
|
8dd812 |
+ else
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
ret =
|
|
|
8dd812 |
- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
|
|
|
8dd812 |
+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
|
|
|
8dd812 |
vdata->size, vdata->data, s);
|
|
|
8dd812 |
if (ret == 0 || HAVE_LIB_ERROR()) {
|
|
|
8dd812 |
gnutls_assert();
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|