From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001

From: Daiki Ueno <dueno@redhat.com>

Date: Fri, 16 Aug 2019 17:01:05 +0200

Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests

Nettle's RSA signing, encryption and decryption functions still

require randomness for blinding, so fallback to use a fixed buffer in

selftests where entropy might not be available.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

---

 lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----

 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c

index b2d27cf74..772fcdc21 100644

--- a/lib/nettle/pk.c

+++ b/lib/nettle/pk.c

@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)

 	nettle_mpz_get_str_256 (length, data, *k);

 }

+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)

+{

+	if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {

+		_gnutls_switch_lib_state(LIB_STATE_ERROR);

+	}

+

+	memset(data, 0xAA, length);

+}

+

 static void

 ecc_scalar_zclear (struct ecc_scalar *s)

 {

@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,

 	case GNUTLS_PK_RSA:

 		{

 			struct rsa_public_key pub;

+			nettle_random_func *random_func;

 			ret = _rsa_params_to_pubkey(pk_params, &pub;;

 			if (ret < 0) {

@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,

 				goto cleanup;

 			}

+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)

+				random_func = rnd_nonce_func_fallback;

+			else

+				random_func = rnd_nonce_func;

 			ret =

-			    rsa_encrypt(&pub, NULL, rnd_nonce_func,

+			    rsa_encrypt(&pub, NULL, random_func,

 					plaintext->size, plaintext->data,

 					p);

 			if (ret == 0 || HAVE_LIB_ERROR()) {

@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,

 			struct rsa_public_key pub;

 			size_t length;

 			bigint_t c;

+			nettle_random_func *random_func;

 			_rsa_params_to_privkey(pk_params, &priv;;

 			ret = _rsa_params_to_pubkey(pk_params, &pub;;

@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,

 				goto cleanup;

 			}

+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)

+				random_func = rnd_nonce_func_fallback;

+			else

+				random_func = rnd_nonce_func;

 			ret =

-			    rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,

+			    rsa_decrypt_tr(&pub, &priv, NULL, random_func,

 					   &length, plaintext->data,

 					   TOMPZ(c));

 			_gnutls_mpi_release(&c);

@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,

 	bigint_t c;

 	uint32_t is_err;

 	int ret;

+	nettle_random_func *random_func;

 	if (algo != GNUTLS_PK_RSA || plaintext == NULL) {

 		gnutls_assert();

@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,

 		return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);

 	}

-	ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,

+	if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)

+		random_func = rnd_nonce_func_fallback;

+	else

+		random_func = rnd_nonce_func;

+	ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,

 			     plaintext_size, plaintext, TOMPZ(c));

 	/* after this point, any conditional on failure that cause differences

 	 * in execution may create a timing or cache access pattern side

@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,

 		{

 			struct rsa_private_key priv;

 			struct rsa_public_key pub;

+			nettle_random_func *random_func;

 			mpz_t s;

 			_rsa_params_to_privkey(pk_params, &priv;;

@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,

 			mpz_init(s);

+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)

+				random_func = rnd_nonce_func_fallback;

+			else

+				random_func = rnd_nonce_func;

 			ret =

-			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,

+			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,

 					      vdata->size, vdata->data, s);

 			if (ret == 0 || HAVE_LIB_ERROR()) {

 				gnutls_assert();

-- 

2.21.0