From 06ea5b5332ffdb44a0a394d766be8989bcb6a95c Mon Sep 17 00:00:00 2001

From: Jakub Jelen <jjelen@redhat.com>

Date: Tue, 6 Dec 2022 10:03:47 +0900

Subject: [PATCH] fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.

* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms

in FIPS mode.

* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.

(check_run): Skip checking X9.31 keys in FIPS mode.

* doc/gcrypt.texi: Document "test-parms" and clarify some cases around

the X9.31 keygen.

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---

 cipher/rsa.c    |  5 +++++

 doc/gcrypt.texi | 41 ++++++++++++++++++++++++++++++++++++-----

 tests/pubkey.c  | 15 +++++++++++++--

 3 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/cipher/rsa.c b/cipher/rsa.c

index df4af94b..45523e6b 100644

--- a/cipher/rsa.c

+++ b/cipher/rsa.c

@@ -1256,6 +1256,11 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)

   if (deriveparms || (flags & PUBKEY_FLAG_USE_X931))

     {

       int swapped;

+      if (fips_mode ())

+        {

+          sexp_release (deriveparms);

+          return GPG_ERR_INV_SEXP;

+        }

       ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);

       sexp_release (deriveparms);

       if (!ec && swapped)

diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi

index d0372f3e..e845a4dd 100644

--- a/doc/gcrypt.texi

+++ b/doc/gcrypt.texi

@@ -2699,8 +2699,7 @@ achieve fastest ECC key generation.

 Force the use of the ANSI X9.31 key generation algorithm instead of

 the default algorithm. This flag is only meaningful for RSA key

 generation and usually not required.  Note that this algorithm is

-implicitly used if either @code{derive-parms} is given or Libgcrypt is

-in FIPS mode.

+implicitly used if either @code{derive-parms} is given.

 @item use-fips186

 @cindex FIPS 186

@@ -3310,9 +3309,9 @@ This is currently only implemented for RSA and DSA keys.  It is not

 allowed to use this together with a @code{domain} specification.  If

 given, it is used to derive the keys using the given parameters.

-If given for an RSA key the X9.31 key generation algorithm is used

-even if libgcrypt is not in FIPS mode.  If given for a DSA key, the

-FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.

+If given for an RSA key, the X9.31 key generation algorithm is used.

+If given for a DSA key, the FIPS 186 algorithm is used even if

+libgcrypt is not in FIPS mode.

 @example

 (genkey

@@ -3342,6 +3341,38 @@ FIPS 186 algorithm is used even if libgcrypt is not in FIPS mode.

       (seed @var{seed-mpi}))))

 @end example

+@item test-parms @var{list}

+This is currently only implemented for RSA keys. If given, the

+libgcrypt will not generate parameter, but tests whether the p,q is

+probably prime. Returns key with zeroes.

+

+The FIPS key generation algorithm is used even if libgcrypt is not

+in FIPS mode.

+

+@example

+(genkey

+  (rsa

+    (nbits 4:1024)

+    (rsa-use-e 1:3)

+    (test-parms

+      (e "65537")

+      (p #00bbccabcee15d343944a47e492d4b1f4de79633e2

+          0cbb46f7d2d6813392a807ad048cf77528edd19f77

+          e7453f25173b9dcb70423afa2037aae147b81a33d5

+          41fc58f875eff1e852ab55e2e09a3debfbc151b3b0

+          d17fef6f74d81fca14fbae531418e211ef818592af

+          70de5cec3b92795cc3578572bf456099cd8727150e

+          523261#)

+      (q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc

+          34ecc563d587f166b52d42bfbe22bbc095b0b8426a

+          2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b

+          63481322911ebbd7014db83aa051e0ca2dbf302b75

+          cd37f2ae8df90e134226e92f6353a284b28bb30af0

+          bbf925b345b955328379866ebac11d55bc80fe84f1

+          05d415#)

+

+@end example

+

 @item flags @var{flaglist}

 This is preferred way to define flags.  @var{flaglist} may contain any

diff --git a/tests/pubkey.c b/tests/pubkey.c

index bc44f3a5..2669b41a 100644

--- a/tests/pubkey.c

+++ b/tests/pubkey.c

@@ -430,7 +430,17 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey)

   rc = gcry_pk_genkey (&key, key_spec);

   gcry_sexp_release (key_spec);

   if (rc)

-    die ("error generating RSA key: %s\n", gcry_strerror (rc));

+    {

+      if (in_fips_mode)

+        {

+          if (verbose)

+            fprintf (stderr, "The X9.31 RSA keygen is not available in FIPS modee.\n");

+          return;

+        }

+      die ("error generating RSA key: %s\n", gcry_strerror (rc));

+    }

+  else if (in_fips_mode)

+    die ("generating X9.31 RSA key unexpected worked in FIPS mode\n");

   if (verbose > 1)

     show_sexp ("generated RSA (X9.31) key:\n", key);

@@ -777,7 +787,8 @@ check_run (void)

   if (verbose)

     fprintf (stderr, "Checking generated RSA key (X9.31).\n");

   get_keys_x931_new (&pkey, &skey);

-  check_keys (pkey, skey, 800, 0);

+  if (!in_fips_mode)

+    check_keys (pkey, skey, 800, 0);

   gcry_sexp_release (pkey);

   gcry_sexp_release (skey);

   pkey = skey = NULL;

-- 

2.39.0