From f8a8961cfa176fc74c153cb6e1e68aff5e2d42f2 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 27 Sep 2022 10:52:19 +0900
Subject: [PATCH] gnutls-3.7.6-fips-symkey-limit.patch

---
 lib/crypto-api.c  | 26 ++++++++++++++++++++++---
 tests/fips-test.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/kdf-api.c   |  9 ++++++++-
 3 files changed, 80 insertions(+), 4 deletions(-)

diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index b3e1eec..35200fb 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -896,6 +896,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls_hash_hd_t handle)
 int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
 {
 	int ret;
+	bool not_approved = false;
 
 	FAIL_IF_LIB_ERROR;
 
@@ -912,17 +913,31 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
 	key->data = gnutls_malloc(key->size);
 	if (!key->data) {
 		gnutls_assert();
-		return GNUTLS_E_MEMORY_ERROR;
+		ret = GNUTLS_E_MEMORY_ERROR;
+		goto error;
+	}
+
+	/* Key lengths of less than 112 bits are not approved */
+	if (key_size < 14) {
+		not_approved = true;
 	}
 
 	ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
 	if (ret < 0) {
 		gnutls_assert();
 		_gnutls_free_datum(key);
-		return ret;
+		goto error;
 	}
 
-	return 0;
+ error:
+	if (ret < 0) {
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+	} else if (not_approved) {
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+	} else {
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
+	}
+	return ret;
 }
 
 /* AEAD API */
@@ -2058,6 +2073,11 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
 		not_approved = true;
 	}
 
+	/* Key lengths and output sizes of less than 112 bits are not approved */
+	if (key->size < 14 || length < 14) {
+		not_approved = true;
+	}
+
 	ret = _gnutls_kdf_ops.pbkdf2(mac, key->data, key->size,
 				     salt->data, salt->size, iter_count,
 				     output, length);
diff --git a/tests/fips-test.c b/tests/fips-test.c
index 31a5e26..27da414 100644
--- a/tests/fips-test.c
+++ b/tests/fips-test.c
@@ -274,6 +274,8 @@ void doit(void)
 	gnutls_datum_t signature;
 	unsigned int bits;
 	uint8_t hmac[64];
+	uint8_t pbkdf2[64];
+	gnutls_datum_t temp_key = { NULL, 0 };
 
 	fprintf(stderr,
 		"Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
@@ -371,11 +373,58 @@ void doit(void)
 	}
 	FIPS_POP_CONTEXT(NOT_APPROVED);
 
+	/* PBKDF2 with key equal to or longer than 112 bits: approved */
+	FIPS_PUSH_CONTEXT();
+	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
+			    &pbkdf2, sizeof(pbkdf2));
+	if (ret < 0) {
+		fail("gnutls_pbkdf2 failed\n");
+	}
+	FIPS_POP_CONTEXT(APPROVED);
+
+	/* PBKDF2 with key shorter than 112 bits: not approved */
+	FIPS_PUSH_CONTEXT();
+	key.size = 13;
+	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
+			    &pbkdf2, sizeof(pbkdf2));
+	if (ret < 0) {
+		fail("gnutls_pbkdf2 failed\n");
+	}
+	key.size = sizeof(key16);
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
+	/* PBKDF2 with output shorter than 112 bits: not approved */
+	FIPS_PUSH_CONTEXT();
+	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
+			    &pbkdf2, 13);
+	if (ret < 0) {
+		fail("gnutls_pbkdf2 failed\n");
+	}
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
 	ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
 	if (ret < 0) {
 		fail("gnutls_rnd failed\n");
 	}
 
+	/* Symmetric key generation equal to or longer than 112 bits: approved */
+	FIPS_PUSH_CONTEXT();
+	ret = gnutls_key_generate(&temp_key, 14);
+	if (ret < 0) {
+		fail("gnutls_key_generate failed\n");
+	}
+	gnutls_free(temp_key.data);
+	FIPS_POP_CONTEXT(APPROVED);
+
+	/* Symmetric key generation shorter than 112 bits: not approved */
+	FIPS_PUSH_CONTEXT();
+	ret = gnutls_key_generate(&temp_key, 13);
+	if (ret < 0) {
+		fail("gnutls_key_generate failed\n");
+	}
+	gnutls_free(temp_key.data);
+	FIPS_POP_CONTEXT(NOT_APPROVED);
+
 	ret = gnutls_pubkey_init(&pubkey);
 	if (ret < 0) {
 		fail("gnutls_pubkey_init failed\n");
diff --git a/tests/kdf-api.c b/tests/kdf-api.c
index 25fbc6a..8a4677c 100644
--- a/tests/kdf-api.c
+++ b/tests/kdf-api.c
@@ -89,6 +89,7 @@ test_hkdf(gnutls_mac_algorithm_t mac,
 
 	FIPS_PUSH_CONTEXT();
 	assert(gnutls_hkdf_extract(mac, &ikm, &salt, buf) >= 0);
+	/* HKDF outside of TLS usage is not approved */
 	FIPS_POP_CONTEXT(NOT_APPROVED);
 	gnutls_free(ikm.data);
 	gnutls_free(salt.data);
@@ -110,6 +111,7 @@ test_hkdf(gnutls_mac_algorithm_t mac,
 
 	FIPS_PUSH_CONTEXT();
 	assert(gnutls_hkdf_expand(mac, &prk, &info, buf, length) >= 0);
+	/* HKDF outside of TLS usage is not approved */
 	FIPS_POP_CONTEXT(NOT_APPROVED);
 	gnutls_free(info.data);
 
@@ -151,7 +153,12 @@ test_pbkdf2(gnutls_mac_algorithm_t mac,
 
 	FIPS_PUSH_CONTEXT();
 	assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
-	FIPS_POP_CONTEXT(APPROVED);
+	/* Key sizes and output sizes less than 112-bit are not approved.  */
+	if (ikm.size < 14 || length < 14) {
+		FIPS_POP_CONTEXT(NOT_APPROVED);
+	} else {
+		FIPS_POP_CONTEXT(APPROVED);
+	}
 	gnutls_free(ikm.data);
 	gnutls_free(salt.data);
 
-- 
2.37.3

From 86eded166f77612c70201c0d85d3abe711edd77d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 29 Sep 2022 21:19:26 +0900
Subject: [PATCH] fips: only mark HMAC as approved in PBKDF2

As ACVP only allows HMAC used with PBKDF2[1], this change marks other
hash algorithms not-approved.

1. https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/crypto-api.c |  5 ++++-
 lib/fips.h       | 16 +++++++++++++++-
 tests/kdf-api.c  | 30 +++++++++++++++++++++++++++++-
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index d3e601ab3a..9f7e18db11 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -2229,7 +2229,10 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
 	if (!is_mac_algo_allowed(mac)) {
 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-	} else if (!is_mac_algo_approved_in_fips(mac)) {
+	} else if (!is_mac_algo_hmac_approved_in_fips(mac)) {
+		/* ACVP only allows HMAC used with PBKDF2:
+		 * https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html
+		 */
 		not_approved = true;
 	}
 
diff --git a/lib/fips.h b/lib/fips.h
index 3a74f254e7..bf61b36741 100644
--- a/lib/fips.h
+++ b/lib/fips.h
@@ -76,7 +76,7 @@ void _gnutls_lib_simulate_error(void);
 void _gnutls_lib_force_operational(void);
 
 inline static bool
-is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
 {
 	switch (algo) {
 	case GNUTLS_MAC_SHA1:
@@ -88,6 +88,20 @@ is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
 	case GNUTLS_MAC_SHA3_256:
 	case GNUTLS_MAC_SHA3_384:
 	case GNUTLS_MAC_SHA3_512:
+		return true;
+	default:
+		return false;
+	}
+}
+
+inline static bool
+is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
+{
+	if (is_mac_algo_hmac_approved_in_fips(algo)) {
+		return true;
+	}
+
+	switch (algo) {
 	case GNUTLS_MAC_AES_CMAC_128:
 	case GNUTLS_MAC_AES_CMAC_256:
 	case GNUTLS_MAC_AES_GMAC_128:
diff --git a/tests/kdf-api.c b/tests/kdf-api.c
index 577cbf7a17..4feb22688b 100644
--- a/tests/kdf-api.c
+++ b/tests/kdf-api.c
@@ -26,6 +26,7 @@
 #include <gnutls/crypto.h>
 
 #include <assert.h>
+#include <stdbool.h>
 #include <stdint.h>
 
 #include "utils.h"
@@ -133,6 +134,25 @@ test_hkdf(gnutls_mac_algorithm_t mac,
 	gnutls_free(hex.data);
 }
 
+inline static bool
+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
+{
+	switch (algo) {
+	case GNUTLS_MAC_SHA1:
+	case GNUTLS_MAC_SHA256:
+	case GNUTLS_MAC_SHA384:
+	case GNUTLS_MAC_SHA512:
+	case GNUTLS_MAC_SHA224:
+	case GNUTLS_MAC_SHA3_224:
+	case GNUTLS_MAC_SHA3_256:
+	case GNUTLS_MAC_SHA3_384:
+	case GNUTLS_MAC_SHA3_512:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static void
 test_pbkdf2(gnutls_mac_algorithm_t mac,
 	    const char *ikm_hex,
@@ -161,7 +181,8 @@ test_pbkdf2(gnutls_mac_algorithm_t mac,
 	FIPS_PUSH_CONTEXT();
 	assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
 	/* Key sizes and output sizes less than 112-bit are not approved.  */
-	if (ikm.size < 14 || length < 14) {
+	if (ikm.size < 14 || length < 14 ||
+	    !is_mac_algo_hmac_approved_in_fips(mac)) {
 		FIPS_POP_CONTEXT(NOT_APPROVED);
 	} else {
 		FIPS_POP_CONTEXT(APPROVED);
@@ -208,5 +229,12 @@ doit(void)
 		    20,
 		    "4b007901b765489abead49d926f721d065a429c1");
 
+	test_pbkdf2(GNUTLS_MAC_AES_CMAC_128,
+		    "70617373776f726470617373776f7264", /* "passwordpassword" */
+		    "73616c74",		/* "salt" */
+		    4096,
+		    20,
+		    "c4c112c6e1e3b8757640603dec78825ff87605a7");
+
 	gnutls_fips140_context_deinit(fips_context);
 }
-- 
2.37.3