#include "gnettle.h"
#include "fips.h"
#include "dh.h"
+#include "crau/crau.h"
#ifdef HAVE_LEANCRYPTO
#include <leancrypto.h>
#endif
int ret;
bool not_approved = false;
+ crau_new_context_with_data("name", CRAU_STRING, "pk::derive",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
case GNUTLS_PK_DH: {
bigint_t f, x, q, prime;
goto dh_cleanup;
}
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
if (bits < 2048) {
not_approved = true;
}
goto cleanup;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(priv->curve), NULL);
+
/* P-192 is not supported in FIPS 140-3 */
if (priv->curve == GNUTLS_ECC_CURVE_SECP192R1) {
not_approved = true;
goto cleanup;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(priv->curve), NULL);
+
if (nonce == NULL) {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
}
+ crau_pop_context();
+
return ret;
}
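Review bot: `bits` passed as `CRAU_WORD` at L19 is a pre-existing DH-case variable whose declaration lies outside the hunk, so its width is not visible, while every site this commit adds declares `size_t bits`, which suggests crau reads a `size_t`-sized argument. If the DH `bits` is narrower (an `unsigned int`, say), a variadic read of a wider type is undefined behaviour rather than a silent widening. Casting at the call keeps it self-describing: `crau_data("pk::bits", CRAU_WORD, (size_t)bits, NULL);` — with the cast adjusted to whatever type crau actually consumes for `CRAU_WORD`. The derive wrapper's signature and the rest of the DH case are outside the hunk.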
gnutls_datum_t *shared_secret,
const gnutls_datum_t *pub)
{
+ int ret;
+
switch (algo) {
case GNUTLS_PK_MLKEM768:
case GNUTLS_PK_MLKEM1024:
- return ml_kem_encaps(algo, ciphertext, shared_secret, pub);
+ break;
default:
return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
}
+
+ crau_new_context_with_data("name", CRAU_STRING, "pk::encapsulate",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
+ ret = ml_kem_encaps(algo, ciphertext, shared_secret, pub);
+
+ crau_pop_context();
+
+ return ret;
}
static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo,
const gnutls_datum_t *ciphertext,
const gnutls_datum_t *priv)
{
+ int ret;
+
switch (algo) {
case GNUTLS_PK_MLKEM768:
case GNUTLS_PK_MLKEM1024:
- return ml_kem_decaps(algo, shared_secret, ciphertext, priv);
+ break;
default:
return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
}
+
+ crau_new_context_with_data("name", CRAU_STRING, "pk::decapsulate",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
+ ret = ml_kem_decaps(algo, shared_secret, ciphertext, priv);
+
+ crau_pop_context();
+
+ return ret;
}
/* This wraps nettle_rsa_encrypt so it returns ciphertext as a byte
algo = GNUTLS_PK_RSA_OAEP;
}
+ crau_new_context_with_data("name", CRAU_STRING, "pk::encrypt",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
case GNUTLS_PK_RSA: {
struct rsa_public_key pub;
nettle_random_func *random_func;
+ size_t bits;
if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
ret = gnutls_assert_val(
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
random_func = rnd_nonce_func_fallback;
else
case GNUTLS_PK_RSA_OAEP: {
struct rsa_public_key pub;
nettle_random_func *random_func;
+ size_t bits;
ret = _rsa_params_to_pubkey(pk_params, &pub);
if (ret < 0) {
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
+ crau_data("pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
+ gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
+ NULL);
+
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
random_func = rnd_nonce_func_fallback;
else
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
}
+ crau_pop_context();
+
FAIL_IF_LIB_ERROR;
return ret;
}
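Review bot: `gnutls_digest_get_name(encrypt_params->rsa_oaep_dig)` at L129 returns NULL for an unrecognised digest, and the hunk passes that result straight into `crau_data` as a `CRAU_STRING` value; whether crau accepts a NULL string value or treats it as the list terminator is not visible here. The same pattern recurs at L177, L211, L244, L304, L345 and L393. If NULL is not accepted, substitute a placeholder at each site, e.g. `const char *dig_name = gnutls_digest_get_name(encrypt_params->rsa_oaep_dig);` followed by `crau_data("pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING, dig_name ? dig_name : "unknown", NULL);`. Separately, `bits = mpz_sizeinbase(pub.n, 2)` at L111 relies on `pub` having been filled by `_rsa_params_to_pubkey` on lines the hunk does not show; the OAEP case at L122 shows that ordering, so presumably the PKCS#1 case matches, but it is worth confirming.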
algo = GNUTLS_PK_RSA_OAEP;
}
+ crau_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
case GNUTLS_PK_RSA: {
struct rsa_private_key priv;
struct rsa_public_key pub;
size_t length;
nettle_random_func *random_func;
+ size_t bits;
if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
ret = gnutls_assert_val(
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
if (ciphertext->size != pub.size) {
ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
goto cleanup;
struct rsa_public_key pub;
size_t length;
nettle_random_func *random_func;
+ size_t bits;
_rsa_params_to_privkey(pk_params, &priv);
ret = _rsa_params_to_pubkey(pk_params, &pub);
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
+ crau_data("pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
+ gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
+ NULL);
+
if (ciphertext->size != pub.size) {
ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
goto cleanup;
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
}
+ crau_pop_context();
+
FAIL_IF_LIB_ERROR;
return ret;
}
int ret;
nettle_random_func *random_func;
bool not_approved = false;
+ size_t bits;
FAIL_IF_LIB_ERROR;
goto fail;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
+ crau_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), "pk::bits",
+ CRAU_WORD, bits, NULL);
+
if (ciphertext->size != pub.size) {
ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
goto fail;
ciphertext->data);
break;
case GNUTLS_PK_RSA_OAEP:
+ crau_data("pk::hash", CRAU_STRING,
+ gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
+ NULL);
+
ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
&priv, NULL, random_func,
encrypt_params->rsa_oaep_label.size,
fail:
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ crau_pop_context();
+
return ret;
}
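Review bot: The `fail:` path pops a context that was never pushed when an early error is taken: the `goto fail` at L195 runs before `crau_new_context_with_data` at L199, yet `crau_pop_context()` at L219 sits under `fail:` on the shared exit. Unless crau tolerates an unbalanced pop, that would pop the caller's context on the invalid-request and key-conversion error paths. The sign hunk (`goto cleanup` at L223 before the push at L225, pop at L311) and the verify hunk (`goto cleanup` at L316 before the push at L318, pop at L402) appear to have the same shape, assuming those labels are the ones preceding the pops. The fix is to push the context right after `FAIL_IF_LIB_ERROR;`, before the first `goto`, with `crau_new_context_with_data("name", CRAU_STRING, "pk::decrypt", "pk::algorithm", CRAU_STRING, gnutls_pk_get_name(algo), NULL);` and to record the modulus size later with `crau_data("pk::bits", CRAU_WORD, bits, NULL);` once `bits` is known, as the encrypt and decrypt wrappers already do. The function's header and its remaining error checks are outside the hunk.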
goto cleanup;
}
+ crau_new_context_with_data("name", CRAU_STRING, "pk::sign",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
case GNUTLS_PK_EDDSA_ED448: {
goto cleanup;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(pk_params->curve), NULL);
+
ret = _ecc_params_to_privkey(pk_params, &priv, curve);
if (ret < 0) {
gnutls_assert();
not_approved = true;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(curve_id), "pk::hash",
+ CRAU_STRING, _gnutls_mac_get_name(me), NULL);
+
mpz_init(q);
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
gnutls_datum_t k = { NULL, 0 };
void *random_ctx;
nettle_random_func *random_func;
+ size_t bits;
/* DSA is currently being defined as sunset with the
* current draft of FIPS 186-5 */
hash_len = vdata->size;
}
+ bits = mpz_sizeinbase(pub.p, 2);
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
mp_limb_t h[DSA_COMPUTE_K_ITCH];
struct rsa_public_key pub;
nettle_random_func *random_func;
mpz_t s;
+ size_t bits;
_rsa_params_to_privkey(pk_params, &priv);
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
/* RSA modulus size should be 2048-bit or larger in FIPS
* 140-3. In addition to this, only SHA-2 is allowed
* for SigGen; it is checked in pk_prepare_hash lib/pk.c
*/
- if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+ if (unlikely(bits < 2048)) {
not_approved = true;
}
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
mpz_init(s);
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
struct rsa_public_key pub;
nettle_random_func *random_func;
mpz_t s;
+ size_t bits;
_rsa_params_to_privkey(pk_params, &priv);
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
/* RSA modulus size should be 2048-bit or larger in FIPS
* 140-3. In addition to this, only SHA-2 is allowed
* for SigGen; however, Nettle only support SHA256,
* SHA384, and SHA512 for RSA-PSS (see
* _rsa_pss_sign_digest_tr in this file for details).
*/
- if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+ if (unlikely(bits < 2048)) {
not_approved = true;
}
me = hash_to_entry(sign_params->rsa_pss_dig);
+ crau_data("pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
+ _gnutls_mac_get_name(me), NULL);
+
/* According to FIPS 186-5 5.4, the salt length must be
* in the range between 0 and the hash length inclusive.
*/
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
}
+ crau_pop_context();
+
FAIL_IF_LIB_ERROR;
return ret;
}
goto cleanup;
}
+ crau_new_context_with_data("name", CRAU_STRING, "pk::verify",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
case GNUTLS_PK_EDDSA_ED448: {
goto cleanup;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(pk_params->curve), NULL);
+
/* This call will return a valid MAC entry and
* getters will check that is not null anyway. */
me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
struct dsa_signature sig;
int curve_id = pk_params->curve;
const struct ecc_curve *curve;
+ const mac_entry_st *me;
curve = get_supported_nist_curve(curve_id);
if (curve == NULL) {
not_approved = true;
}
+ me = hash_to_entry(sign_params->dsa_dig);
+
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(curve_id), "pk::hash",
+ CRAU_STRING, _gnutls_mac_get_name(me), NULL);
+
ret = ecdsa_verify(&pub, hash_len, vdata->data, &sig);
if (ret == 0) {
gnutls_assert();
struct dsa_params pub;
struct dsa_signature sig;
bigint_t y;
+ size_t bits;
/* DSA is currently being defined as sunset with the
* current draft of FIPS 186-5 */
if (hash_len > vdata->size)
hash_len = vdata->size;
+ bits = mpz_sizeinbase(pub.p, 2);
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
ret = dsa_verify(&pub, TOMPZ(y), hash_len, vdata->data, &sig);
if (ret == 0) {
gnutls_assert();
bits = mpz_sizeinbase(pub.n, 2);
+ crau_data("pk::bits", CRAU_WORD, bits, NULL);
+
/* In FIPS 140-3, RSA key size should be larger than 2048-bit.
* In addition to this, only SHA-2 is allowed
* for SigVer; it is checked in _pkcs1_rsa_verify_sig in
}
case GNUTLS_PK_RSA_PSS: {
struct rsa_public_key pub;
+ size_t bits;
if ((sign_params->flags &
GNUTLS_PK_FLAG_RSA_PSS_FIXED_SALT_LENGTH) &&
goto cleanup;
}
+ bits = mpz_sizeinbase(pub.n, 2);
+
/* RSA modulus size should be 2048-bit or larger in FIPS
* 140-3. In addition to this, only SHA-2 are
* allowed for SigVer, while Nettle only supports
* SHA256, SHA384, and SHA512 for RSA-PSS (see
* _rsa_pss_verify_digest in this file for the details).
*/
- if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+ if (unlikely(bits < 2048)) {
not_approved = true;
}
goto cleanup;
}
+ crau_data("pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
+ gnutls_digest_get_name(sign_params->rsa_pss_dig),
+ NULL);
+
ret = _rsa_pss_verify_digest(sign_params->rsa_pss_dig, &pub,
sign_params->salt_size,
vdata->data, vdata->size,
_gnutls_mpi_release(&tmp[0]);
_gnutls_mpi_release(&tmp[1]);
+
+ crau_pop_context();
+
FAIL_IF_LIB_ERROR;
return ret;
}
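Review bot: `me = hash_to_entry(sign_params->dsa_dig)` at L341 is new state in the verify ECDSA case introduced only to label the audit record, and the verify wrapper receives `vdata` already hashed; if a caller of verify leaves `dsa_dig` unset, `me` is NULL and `pk::hash` at L345 records whatever `_gnutls_mac_get_name(NULL)` yields. The sign-side ECDSA case at L244 reuses an `me` the function already needed, so it does not raise this question. Please confirm every verify caller populates `sign_params->dsa_dig`, or record the hash name only when it is known: `if (me) crau_data("pk::hash", CRAU_STRING, _gnutls_mac_get_name(me), NULL);` after the curve entry. The enclosing switch continues past the hunk.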
rnd_level = GNUTLS_RND_KEY;
}
+ crau_new_context_with_data("name", CRAU_STRING, "pk::generate",
+ "pk::algorithm", CRAU_STRING,
+ gnutls_pk_get_name(algo), NULL);
+
switch (algo) {
#ifdef ENABLE_DSA
case GNUTLS_PK_DSA:
goto cleanup;
}
+ crau_data("pk::curve", CRAU_STRING,
+ gnutls_ecc_curve_get_name(level), NULL);
+
/* P-192 is not supported in FIPS 140-3 */
if (level == GNUTLS_ECC_CURVE_SECP192R1) {
not_approved = true;
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
}
+ crau_pop_context();
+
FAIL_IF_LIB_ERROR;
return ret;
}
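Review bot: The ECC case records `pk::curve` at L418 but no `pk::bits` entry is visible for the DSA, RSA or DH generate cases, whose bodies the hunk does not show; for those algorithms `level` is the requested key size rather than a curve id, judging from its use as a curve at L419 and L422 only under the ECC case. If those cases are not already instrumented on hidden lines, adding `crau_data("pk::bits", CRAU_WORD, (size_t)level, NULL);` in each would make generate records consistent with the sign and verify records elsewhere in this commit. The wrapper's signature and the non-ECC cases are outside the hunk.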