fips: Allow SigVer only with RSA keys with modulus >= 2048 bits
authorAngel Yankov <angel.yankov@suse.com>
Thu, 24 Oct 2024 12:00:28 +0000 (15:00 +0300)
committerAngel Yankov <angel.yankov@suse.com>
Wed, 6 Nov 2024 08:49:32 +0000 (10:49 +0200)
This is for easier compliance with FIPS 186-5,
otherwise it would be necessary to justify how
the timestamp is provided to prove that only
pre-existing signatures can be verified in compliance
with FIPS 186-5.

Signed-off-by: Angel Yankov <angel.yankov@suse.com>
lib/nettle/pk.c
tests/fips-rsa-sizes.c

index cccad6f7d41708a24823a14aba25d53c9b0ed308..f26eaa57fba1562666931221e6af468c7d8ec804 100644 (file)
@@ -2115,16 +2115,12 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 
                bits = mpz_sizeinbase(pub.n, 2);
 
-               /* In FIPS 140-3, RSA key size should be larger than
-                        * 2048-bit or one of the known lengths (1024, 1280,
-                        * 1536, 1792; i.e., multiple of 256-bits).
-                        *
+               /* In FIPS 140-3, RSA key size should be larger than 2048-bit.
                         * In addition to this, only SHA-1 and SHA-2 are allowed
                         * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
                         * lib/pubkey.c.
                         */
-               if (unlikely(bits < 2048 && bits != 1024 && bits != 1280 &&
-                            bits != 1536 && bits != 1792)) {
+               if (unlikely(bits < 2048)) {
                        not_approved = true;
                }
 
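Review bot: The rewritten comment above the size check says the RSA key size should be "larger than 2048-bit", but the condition `bits < 2048` treats a 2048-bit modulus as approved, which is what the commit title (>= 2048 bits) intends. The first comment line would be unambiguous as `/* In FIPS 140-3, the RSA modulus must be at least 2048 bits for SigVer.`. The branch only sets `not_approved`; whether that leads to a rejected verification or only a non-approved service-indicator state is decided outside this hunk, since the body of _wrap_nettle_pk_verify starts and ends outside it.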
index d134a35f8c2234218174cf0b3609a542589972e8..61a76d3c09fd14fa2d4fae7db0c682c842134fa2 100644 (file)
@@ -250,35 +250,24 @@ void doit(void)
 
        assert(gnutls_fips140_context_init(&fips_context) == 0);
 
-       /* 512-bit RSA: no generate, no sign, no verify */
        generate_unsuccessfully(&privkey, &pubkey, 512);
        sign_verify_unsuccessfully(privkey, pubkey);
-       /* 512-bit RSA again (to be safer about going in and out of FIPS) */
        generate_unsuccessfully(&privkey, &pubkey, 512);
        sign_verify_unsuccessfully(privkey, pubkey);
-       /* 600-bit RSA: no generate, no sign, no verify */
        generate_unsuccessfully(&privkey, &pubkey, 600);
        sign_verify_unsuccessfully(privkey, pubkey);
-
-       /* 768-bit RSA not-an-exception: nogenerate, nosign, verify */
        generate_unsuccessfully(&privkey, &pubkey, 768);
        sign_verify_unsuccessfully(privkey, pubkey);
-       /* 1024-bit RSA exception: nogenerate, nosign, verify */
        generate_unsuccessfully(&privkey, &pubkey, 1024);
-       nosign_verify(privkey, pubkey);
-       /* 1280-bit RSA exception: nogenerate, nosign, verify */
+       sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 1280);
-       nosign_verify(privkey, pubkey);
-       /* 1500-bit RSA not-an-exception: nogenerate, nosign, noverify */
+       sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 1500);
        sign_verify_unsuccessfully(privkey, pubkey);
-       /* 1536-bit RSA exception: nogenerate, nosign, verify */
        generate_unsuccessfully(&privkey, &pubkey, 1536);
-       nosign_verify(privkey, pubkey);
-       /* 1792-bit RSA exception: nogenerate, nosign, verify */
+       sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 1792);
-       nosign_verify(privkey, pubkey);
-       /* 2000-bit RSA not-an-exception: nogenerate, nosign, noverify */
+       sign_verify_unsuccessfully(privkey, pubkey);
        generate_unsuccessfully(&privkey, &pubkey, 2000);
        sign_verify_unsuccessfully(privkey, pubkey);