Blob Blame History Raw
From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 10 Feb 2022 16:43:08 +0100
Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS
 non-approved

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/x509/pkcs12.c     | 39 +++++++++++++++++++++++++---
 tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 4 deletions(-)

diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index a8f7d8f956..11b9da3ac9 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
 		     gnutls_x509_crt_fmt_t format, void *output_data,
 		     size_t * output_data_size)
 {
+	int ret;
+
 	if (pkcs12 == NULL) {
 		gnutls_assert();
 		return GNUTLS_E_INVALID_REQUEST;
 	}
 
-	return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
-				       output_data, output_data_size);
+	ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
+				      output_data, output_data_size);
+
+	if (ret < 0) {
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+	} else {
+		/* PKCS#12 export is always non-approved, because the MAC
+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
+		 * without MAC the protection is insufficient.
+		 */
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+	}
+	return ret;
 }
 
 /**
@@ -317,13 +330,25 @@ int
 gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
 		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
 {
+	int ret;
+
 	if (pkcs12 == NULL) {
 		gnutls_assert();
 		return GNUTLS_E_INVALID_REQUEST;
 	}
 
-	return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
-					out);
+	ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
+				       out);
+	if (ret < 0) {
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+	} else {
+		/* PKCS#12 export is always non-approved, because the MAC
+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
+		 * without MAC the protection is insufficient.
+		 */
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+	}
+	return ret;
 }
 
 static int oid2bag(const char *oid)
@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
 		goto cleanup;
 	}
 
+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
 	return 0;
 
       cleanup:
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
 	_gnutls_free_datum(&tmp);
 	return result;
 }
@@ -1203,8 +1231,11 @@ pkcs12_try_gost:
 		goto cleanup;
 	}
 
+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
 	result = 0;
  cleanup:
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
 	_gnutls_free_datum(&tmp);
 	_gnutls_free_datum(&salt);
 	return result;
diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
index 3b0e84ef13..b8f7d17267 100644
--- a/tests/pkcs12_encode.c
+++ b/tests/pkcs12_encode.c
@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str)
 	fprintf(stderr, "|<%d>| %s", level, str);
 }
 
+#define FIPS_PUSH_CONTEXT() do {					\
+	if (gnutls_fips140_mode_enabled()) {				\
+		ret = gnutls_fips140_push_context(fips_context);	\
+		if (ret < 0) {						\
+			fail("gnutls_fips140_push_context failed\n");	\
+		}							\
+	}								\
+} while (0)
+
+#define FIPS_POP_CONTEXT(state) do {					\
+	if (gnutls_fips140_mode_enabled()) {				\
+		ret = gnutls_fips140_pop_context();			\
+		if (ret < 0) {						\
+			fail("gnutls_fips140_context_pop failed\n");	\
+		}							\
+		fips_state = gnutls_fips140_get_operation_state(fips_context); \
+		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
+			fail("operation state is not " # state " (%d)\n", \
+			     fips_state);				\
+		}							\
+	}								\
+} while (0)
+
 void doit(void)
 {
 	gnutls_pkcs12_t pkcs12;
@@ -82,6 +105,8 @@ void doit(void)
 	char outbuf[10240];
 	size_t size;
 	unsigned tests, i;
+	gnutls_fips140_context_t fips_context;
+	gnutls_fips140_operation_state_t fips_state;
 
 	ret = global_init();
 	if (ret < 0) {
@@ -93,6 +118,11 @@ void doit(void)
 	if (debug)
 		gnutls_global_set_log_level(4711);
 
+	ret = gnutls_fips140_context_init(&fips_context);
+	if (ret < 0) {
+		fail("Cannot initialize FIPS context\n");
+	}
+
 	/* Read certs. */
 	ret = gnutls_x509_crt_init(&client);
 	if (ret < 0) {
@@ -196,6 +226,8 @@ void doit(void)
 		gnutls_pkcs12_bag_deinit(bag);
 	}
 
+	FIPS_PUSH_CONTEXT();
+
 	/* MAC the structure, export and print. */
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
 	if (ret < 0) {
@@ -203,36 +235,60 @@ void doit(void)
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
 	if (ret < 0) {
 		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
 	if (ret < 0) {
 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
 	if (ret < 0) {
 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
 	if (ret < 0) {
 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
 	if (ret < 0) {
 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	FIPS_PUSH_CONTEXT();
+
 	size = sizeof(outbuf);
 	ret =
 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
@@ -242,10 +298,13 @@ void doit(void)
 		exit(1);
 	}
 
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
 	if (debug)
 		fwrite(outbuf, size, 1, stdout);
 
 	/* Cleanup. */
+	gnutls_fips140_context_deinit(fips_context);
 	gnutls_pkcs12_deinit(pkcs12);
 	gnutls_x509_crt_deinit(client);
 	gnutls_x509_crt_deinit(ca);
-- 
2.34.1


From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 10 Feb 2022 17:35:13 +0100
Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public
 crypto API

These functions previously used the internal crypto
API (_gnutls_cipher_*) which does not have algorithm checks for FIPS.

This change switches the code to use the public crypto
API (gnutls_cipher_*) to trigger proper state transitions under FIPS
mode.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/x509/pkcs7-crypt.c | 36 +++++++++++-----------------
 tests/pkcs12_encode.c  | 54 +++++++++++++++++++++++++++---------------
 2 files changed, 49 insertions(+), 41 deletions(-)

diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 4cce52ecf0..2dc5bc4df0 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
 	gnutls_datum_t enc = { NULL, 0 };
 	uint8_t *key = NULL;
 	gnutls_datum_t dkey, d_iv;
-	cipher_hd_st ch;
-	int ch_init = 0;
+	gnutls_cipher_hd_t ch = NULL;
 	int key_size, ret;
 	unsigned int pass_len = 0;
 	const struct pkcs_cipher_schema_st *p;
@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
 	d_iv.data = (uint8_t *) enc_params->iv;
 	d_iv.size = enc_params->iv_size;
 
-	ret =
-	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
+	ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv);
 
 	gnutls_free(key);
 
@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
 		goto error;
 	}
 
-	ch_init = 1;
-
-	ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size);
+	ret = gnutls_cipher_decrypt(ch, enc.data, enc.size);
 	if (ret < 0) {
 		gnutls_assert();
 		ret = GNUTLS_E_DECRYPTION_FAILED;
@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
 		decrypted_data->size = enc.size;
 	}
 
-	_gnutls_cipher_deinit(&ch);
+	gnutls_cipher_deinit(ch);
 
 	ret = 0;
 
@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
 	gnutls_free(password);
 	gnutls_free(enc.data);
 	gnutls_free(key);
-	if (ch_init != 0)
-		_gnutls_cipher_deinit(&ch);
+	if (ch) {
+		gnutls_cipher_deinit(ch);
+	}
 	return ret;
 }
 
@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
 	int data_size;
 	uint8_t *data = NULL;
 	gnutls_datum_t d_iv;
-	cipher_hd_st ch;
-	int ch_init = 0;
+	gnutls_cipher_hd_t ch = NULL;
 	uint8_t pad, pad_size;
 	const cipher_entry_st *ce;
 
@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
 
 	d_iv.data = (uint8_t *) enc_params->iv;
 	d_iv.size = enc_params->iv_size;
-	result =
-	    _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
-				key, &d_iv, 1);
-
+	result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv);
 	if (result < 0) {
 		gnutls_assert();
 		goto error;
 	}
 
-	ch_init = 1;
-
-	result = _gnutls_cipher_encrypt(&ch, data, data_size);
+	result = gnutls_cipher_encrypt(ch, data, data_size);
 	if (result < 0) {
 		gnutls_assert();
 		goto error;
@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
 	encrypted->data = data;
 	encrypted->size = data_size;
 
-	_gnutls_cipher_deinit(&ch);
+	gnutls_cipher_deinit(ch);
 
 	return 0;
 
  error:
 	gnutls_free(data);
-	if (ch_init != 0)
-		_gnutls_cipher_deinit(&ch);
+	if (ch) {
+		gnutls_cipher_deinit(ch);
+	}
 	return result;
 }
diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
index b8f7d17267..78f6f41b48 100644
--- a/tests/pkcs12_encode.c
+++ b/tests/pkcs12_encode.c
@@ -104,9 +104,17 @@ void doit(void)
 	int ret, indx;
 	char outbuf[10240];
 	size_t size;
-	unsigned tests, i;
+	unsigned i;
 	gnutls_fips140_context_t fips_context;
 	gnutls_fips140_operation_state_t fips_state;
+	size_t n_tests = 0;
+	struct tests {
+		const char *name;
+		gnutls_x509_crt_t crt;
+		const char *friendly_name;
+		unsigned bag_encrypt_flags;
+		int bag_encrypt_expected;
+	} tests[2];
 
 	ret = global_init();
 	if (ret < 0) {
@@ -157,21 +165,34 @@ void doit(void)
 		exit(1);
 	}
 
-	/* Generate and add PKCS#12 cert bags. */
-	if (!gnutls_fips140_mode_enabled()) {
-		tests = 2; /* include RC2 */
+	tests[n_tests].name = "3DES";
+	tests[n_tests].crt = client;
+	tests[n_tests].friendly_name = "client";
+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
+	tests[n_tests].bag_encrypt_expected = 0;
+	n_tests++;
+
+	tests[n_tests].name = "RC2-40";
+	tests[n_tests].crt = ca;
+	tests[n_tests].friendly_name = "ca";
+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
+	if (gnutls_fips140_mode_enabled()) {
+		tests[n_tests].bag_encrypt_expected =
+			GNUTLS_E_UNWANTED_ALGORITHM;
 	} else {
-		tests = 1;
+		tests[n_tests].bag_encrypt_expected = 0;
 	}
+	n_tests++;
 
-	for (i = 0; i < tests; i++) {
+	/* Generate and add PKCS#12 cert bags. */
+	for (i = 0; i < n_tests; i++) {
 		ret = gnutls_pkcs12_bag_init(&bag);
 		if (ret < 0) {
 			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
 			exit(1);
 		}
 
-		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
+		ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt);
 		if (ret < 0) {
 			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
 			exit(1);
@@ -180,16 +201,14 @@ void doit(void)
 		indx = ret;
 
 		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
-							  i ==
-							  0 ? "client" :
-							  "ca");
+							  tests[i].friendly_name);
 		if (ret < 0) {
 			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
 			exit(1);
 		}
 
 		size = sizeof(key_id_buf);
-		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
+		ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0,
 						 key_id_buf, &size);
 		if (ret < 0) {
 			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
@@ -206,14 +225,11 @@ void doit(void)
 		}
 
 		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
-						i ==
-						0 ?
-						GNUTLS_PKCS8_USE_PKCS12_3DES
-						:
-						GNUTLS_PKCS_USE_PKCS12_RC2_40);
-		if (ret < 0) {
-			fprintf(stderr, "bag_encrypt: %d: %s", ret,
-				i == 0 ? "3DES" : "RC2-40");
+						tests[i].bag_encrypt_flags);
+		if (ret != tests[i].bag_encrypt_expected) {
+			fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret,
+				tests[i].bag_encrypt_expected,
+				tests[i].name);
 			exit(1);
 		}
 
-- 
2.34.1