From ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667 Mon Sep 17 00:00:00 2001

From: Jakub Jelen <jjelen@redhat.com>

Date: Thu, 12 May 2022 10:56:47 +0200

Subject: [PATCH] cipher: Allow verification of small RSA signatures in FIPS

 mode

* cipher/rsa.c (rsa_check_keysize): Formatting.

  (rsa_check_verify_keysize): New function.

  (rsa_verify): Allow using smaller keys for verification.

--

GnuPG-bug-id: 5975

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---

 cipher/rsa.c | 26 ++++++++++++++++++++++++--

 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/cipher/rsa.c b/cipher/rsa.c

index c6319b67..9f2b36e8 100644

--- a/cipher/rsa.c

+++ b/cipher/rsa.c

@@ -352,13 +352,35 @@ generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,

 static gpg_err_code_t

 rsa_check_keysize (unsigned int nbits)

 {

-  if (fips_mode() && nbits < 2048)

+  if (fips_mode () && nbits < 2048)

     return GPG_ERR_INV_VALUE;

   return GPG_ERR_NO_ERROR;

 }

+/* Check the RSA key length is acceptable for signature verification

+ *

+ * FIPS allows signature verification with RSA keys of size

+ * 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the

+ * calling application to decide if the signature is legacy and

+ * should be accepted.

+ */

+static gpg_err_code_t

+rsa_check_verify_keysize (unsigned int nbits)

+{

+  if (fips_mode ())

+    {

+      if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048)

+        return GPG_ERR_NO_ERROR;

+

+      return GPG_ERR_INV_VALUE;

+    }

+

+  return GPG_ERR_NO_ERROR;

+}

+

+

 /****************

  * Generate a key pair with a key of size NBITS.

  * USE_E = 0 let Libcgrypt decide what exponent to use.

@@ -1602,7 +1624,7 @@ rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)

   gcry_mpi_t result = NULL;

   unsigned int nbits = rsa_get_nbits (keyparms);

-  rc = rsa_check_keysize (nbits);

+  rc = rsa_check_verify_keysize (nbits);

   if (rc)

     return rc;

-- 

2.37.1