fips: perform both PCTs for unrestricted RSA key
authorDaiki Ueno <ueno@gnu.org>
Mon, 27 Jan 2025 07:36:41 +0000 (16:36 +0900)
committerDaiki Ueno <ueno@gnu.org>
Tue, 29 Jul 2025 13:18:01 +0000 (22:18 +0900)
As PKCS#1 v1.5-padding is no longer allowed, exercise PCT with both
RSA-PSS and RSA-OAEP for unrestricted RSA keys. Note that it is no
longer possible to create a 512-bit RSA key under FIPS mode, because
RSA-OAEP restricts the message size based on the key size: encryption
fails when mLen > k - 2hLen - 2.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/nettle/pk.c
tests/fips-override-test.c
tests/fips-rsa-sizes.c

index ed52d6383e2dae15e18499220941edb707eef35b..3880baf0881f77f801949fe3c3bf8be78781923a 100644 (file)
@@ -3213,7 +3213,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
        gnutls_datum_t ddata, tmp = { NULL, 0 };
        char gen_data[MAX_HASH_SIZE];
        gnutls_x509_spki_st spki;
-       gnutls_fips140_context_t context;
 
        ret = _gnutls_x509_spki_copy(&spki, &params->spki);
        if (ret < 0) {
@@ -3270,25 +3269,23 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 
        switch (algo) {
        case GNUTLS_PK_RSA:
-       case GNUTLS_PK_RSA_OAEP:
-               if (algo == GNUTLS_PK_RSA) {
-                       /* Push a temporary FIPS context because _gnutls_pk_encrypt and
-                        * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation
-                        * non-approved */
-                       if (gnutls_fips140_context_init(&context) < 0) {
-                               ret = gnutls_assert_val(
-                                       GNUTLS_E_PK_GENERATION_ERROR);
-                               goto cleanup;
-                       }
-                       if (gnutls_fips140_push_context(context) < 0) {
-                               ret = gnutls_assert_val(
-                                       GNUTLS_E_PK_GENERATION_ERROR);
-                               gnutls_fips140_context_deinit(context);
-                               goto cleanup;
-                       }
+               /* To comply with FIPS 140-3 IG 10.3.A, additional comment 1,
+                * Perform both key transport and signature PCTs for
+                * unrestricted RSA key.  */
+               ret = pct_test(GNUTLS_PK_RSA_OAEP, params);
+               if (ret < 0) {
+                       gnutls_assert();
+                       break;
                }
-
-               ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params, &spki);
+               ret = pct_test(GNUTLS_PK_RSA_PSS, params);
+               if (ret < 0) {
+                       gnutls_assert();
+                       break;
+               }
+               break;
+       case GNUTLS_PK_RSA_OAEP:
+               ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA_OAEP, &sig, &ddata,
+                                        params, &spki);
                if (ret < 0) {
                        ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
                }
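Review bot: The new `GNUTLS_PK_RSA` case makes `pct_test` recursive, and each inner call re-runs the `_gnutls_x509_spki_copy` at the top of the function while the outer copy in `spki` goes unused on this path; the inner `GNUTLS_PK_RSA_PSS` call also relies on the PSS case (outside this hunk) to override whatever `params->spki` says about the algorithm, hash and salt, which is worth confirming there. On failure the case leaves `ret` negative and breaks out of the switch instead of `goto cleanup`, which is only correct if the code after the switch (outside the hunk) forwards a negative `ret` to cleanup. The comment reads oddly with a capitalised clause after a comma; I would write it as `/* FIPS 140-3 IG 10.3.A, additional comment 1: an unrestricted RSA key needs both a key-transport (OAEP) and a signature (PSS) PCT. */`. `pct_test` starts and ends outside this hunk.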
@@ -3316,14 +3313,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
                        ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
                }
 
-               if (algo == GNUTLS_PK_RSA) {
-                       if (unlikely(gnutls_fips140_pop_context() < 0)) {
-                               ret = gnutls_assert_val(
-                                       GNUTLS_E_PK_GENERATION_ERROR);
-                       }
-                       gnutls_fips140_context_deinit(context);
-               }
-
                if (ret < 0) {
                        goto cleanup;
                }
@@ -3331,12 +3320,7 @@ static int pct_test(gnutls_pk_algorithm_t algo,
                free(sig.data);
                sig.data = NULL;
 
-               /* RSA-OAEP can't be used for signing */
-               if (algo == GNUTLS_PK_RSA_OAEP) {
-                       break;
-               }
-
-               FALLTHROUGH;
+               break;
        case GNUTLS_PK_EC: /* we only do keys for ECDSA */
        case GNUTLS_PK_EDDSA_ED25519:
        case GNUTLS_PK_EDDSA_ED448:
index 82db3c0c7990f07e0cc091f8786044e034cb4849..6fbd444d47fd2f3d1a927634faacff8b01cdf528 100644 (file)
@@ -67,9 +67,9 @@ static void try_crypto(void)
        }
 
        assert(gnutls_x509_privkey_init(&privkey) == 0);
-       ret = gnutls_x509_privkey_generate(privkey, GNUTLS_PK_RSA, 512, 0);
+       ret = gnutls_x509_privkey_generate(privkey, GNUTLS_PK_RSA, 768, 0);
        if (ret < 0) {
-               fail("gnutls_x509_privkey_generate failed for 512-bit key\n");
+               fail("gnutls_x509_privkey_generate failed for 768-bit key\n");
        }
        gnutls_x509_privkey_deinit(privkey);
 }
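Review bot: The key size in the `gnutls_x509_privkey_generate` call and in the `fail` message are now two literals that have to move together, as this commit itself shows; a named constant such as `enum { RSA_TEST_BITS = 768 };` used in the call, and in the message if `fail` accepts a printf-style format, would keep them in sync. A one-line comment explaining why 768 replaces 512 (the smallest RSA size whose OAEP PCT can succeed under FIPS mode, per the commit message) would also save the next reader a trip through the history.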
index 61a76d3c09fd14fa2d4fae7db0c682c842134fa2..2963ccd531769c70316c863c1e2ae822f3176ec7 100644 (file)
@@ -250,12 +250,6 @@ void doit(void)
 
        assert(gnutls_fips140_context_init(&fips_context) == 0);
 
-       generate_unsuccessfully(&privkey, &pubkey, 512);
-       sign_verify_unsuccessfully(privkey, pubkey);
-       generate_unsuccessfully(&privkey, &pubkey, 512);
-       sign_verify_unsuccessfully(privkey, pubkey);
-       generate_unsuccessfully(&privkey, &pubkey, 600);
-       sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 768);
        sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 1024);