From ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 12 May 2022 10:56:47 +0200
Subject: [PATCH] cipher: Allow verification of small RSA signatures in FIPS
 mode

* cipher/rsa.c (rsa_check_keysize): Formatting.
  (rsa_check_verify_keysize): New function.
  (rsa_verify): Allow using smaller keys for verification.
--

GnuPG-bug-id: 5975
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 cipher/rsa.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index c6319b67..9f2b36e8 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -352,13 +352,35 @@ generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
 static gpg_err_code_t
 rsa_check_keysize (unsigned int nbits)
 {
-  if (fips_mode() && nbits < 2048)
+  if (fips_mode () && nbits < 2048)
     return GPG_ERR_INV_VALUE;
 
   return GPG_ERR_NO_ERROR;
 }
 
 
+/* Check the RSA key length is acceptable for signature verification
+ *
+ * FIPS allows signature verification with RSA keys of size
+ * 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the
+ * calling application to decide if the signature is legacy and
+ * should be accepted.
+ */
+static gpg_err_code_t
+rsa_check_verify_keysize (unsigned int nbits)
+{
+  if (fips_mode ())
+    {
+      if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048)
+        return GPG_ERR_NO_ERROR;
+
+      return GPG_ERR_INV_VALUE;
+    }
+
+  return GPG_ERR_NO_ERROR;
+}
+
+
 /****************
  * Generate a key pair with a key of size NBITS.
  * USE_E = 0 let Libcgrypt decide what exponent to use.
@@ -1602,7 +1624,7 @@ rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   gcry_mpi_t result = NULL;
   unsigned int nbits = rsa_get_nbits (keyparms);
 
-  rc = rsa_check_keysize (nbits);
+  rc = rsa_check_verify_keysize (nbits);
   if (rc)
     return rc;
 
-- 
2.37.1