From bf1e62e59200b2046680d1d3d1599facc88cfe63 Mon Sep 17 00:00:00 2001

From: Jakub Jelen <jjelen@redhat.com>

Date: Tue, 29 Nov 2022 14:04:59 +0100

Subject: [PATCH] rsa: Prevent usage of long salt in FIPS mode

* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large

  salt lengths

  (_gcry_rsa_pss_verify): Ditto.

* tests/basic.c (check_pubkey_sign): Check longer salt length fails in

  FIPS mode

* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message

---

 cipher/rsa-common.c | 14 ++++++++++++++

 tests/basic.c       | 19 ++++++++++++++++++-

 tests/t-rsa-pss.c   |  2 +-

 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c

index 233ddb2d..61cd60a4 100644

--- a/cipher/rsa-common.c

+++ b/cipher/rsa-common.c

@@ -809,6 +809,13 @@ _gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,

   hlen = _gcry_md_get_algo_dlen (algo);

   gcry_assert (hlen);  /* We expect a valid ALGO here.  */

+  /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */

+  if (fips_mode () && saltlen > hlen)

+    {

+      rc = GPG_ERR_INV_ARG;

+      goto leave;

+    }

+

   /* Allocate a help buffer and setup some pointers.  */

   buflen = 8 + hlen + saltlen + (emlen - hlen - 1);

   buf = xtrymalloc (buflen);

@@ -950,6 +957,13 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, int hashed_already,

   hlen = _gcry_md_get_algo_dlen (algo);

   gcry_assert (hlen);  /* We expect a valid ALGO here.  */

+  /* The FIPS 186-4 Section 5.5 allows only 0 <= sLen <= hLen */

+  if (fips_mode () && saltlen > hlen)

+    {

+      rc = GPG_ERR_INV_ARG;

+      goto leave;

+    }

+

   /* Allocate a help buffer and setup some pointers.

      This buffer is used for two purposes:

         +------------------------------+-------+

diff --git a/tests/basic.c b/tests/basic.c

index 77e2fd93..429bd237 100644

--- a/tests/basic.c

+++ b/tests/basic.c

@@ -16602,6 +16602,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,

     const char *data;

     int algo;

     int expected_rc;

+    int flags;

   } datas[] =

     {

       { "(data\n (flags pkcs1)\n"

@@ -16672,6 +16673,22 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,

         " (random-override #4253647587980912233445566778899019283747#))\n",

 	GCRY_PK_RSA,

 	0 },

+      { "(data\n (flags pss)\n"

+	" (hash-algo sha256)\n"

+	" (value #11223344556677889900AABBCCDDEEFF#)\n"

+	" (salt-length 2:32)\n"

+        " (random-override #42536475879809122334455667788990192837465564738291"

+                           "00122334455667#))\n",

+	GCRY_PK_RSA,

+	0 },

+      { "(data\n (flags pss)\n"

+	" (hash-algo sha256)\n"

+	" (value #11223344556677889900AABBCCDDEEFF#)\n"

+	" (salt-length 2:33)\n"

+        " (random-override #42536475879809122334455667788990192837465564738291"

+                           "0012233445566778#))\n",

+	GCRY_PK_RSA,

+	0, FLAG_NOFIPS },

       { NULL }

     };

@@ -16695,7 +16712,7 @@ check_pubkey_sign (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,

 	die ("converting data failed: %s\n", gpg_strerror (rc));

       rc = gcry_pk_sign (&sig, hash, skey);

-      if (in_fips_mode && (flags & FLAG_NOFIPS))

+      if (in_fips_mode && (flags & FLAG_NOFIPS || datas[dataidx].flags & FLAG_NOFIPS))

         {

           if (!rc)

             fail ("gcry_pk_sign did not fail as expected in FIPS mode\n");

diff --git a/tests/t-rsa-pss.c b/tests/t-rsa-pss.c

index c5f90116..82dd54b3 100644

--- a/tests/t-rsa-pss.c

+++ b/tests/t-rsa-pss.c

@@ -340,7 +340,7 @@ one_test_sexp (const char *n, const char *e, const char *d,

     snprintf (p, 3, "%02x", out[i]);

   if (strcmp (sig_string, s))

     {

-      fail ("gcry_pkhash_sign failed: %s",

+      fail ("gcry_pk_hash_sign failed: %s",

             "wrong value returned");

       info ("  expected: '%s'", s);

       info ("       got: '%s'", sig_string);

-- 

2.39.0