diff --git a/gnutls-3.7.8-fips-pct-dh.patch b/gnutls-3.7.8-fips-pct-dh.patch index 4d94d94..c38132e 100644 --- a/gnutls-3.7.8-fips-pct-dh.patch +++ b/gnutls-3.7.8-fips-pct-dh.patch @@ -1,54 +1,58 @@ -From 8879cd62b327874cdcc9b960ff34d320025f07c2 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 10 Feb 2023 12:35:22 +0900 +From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001 +From: Pedro Monreal +Date: Thu, 16 Feb 2023 17:02:38 +0100 Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise Consistency check, even if we only support ephemeral DH, as it is required by FIPS 140-3 IG 10.3.A. -Signed-off-by: Daiki Ueno -Co-authored-by: Pedro Monreal +Signed-off-by: Pedro Monreal +Co-authored-by: Daiki Ueno --- - lib/nettle/pk.c | 25 ++++++++++++++++++++++++- - 1 file changed, 24 insertions(+), 1 deletion(-) + lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index f38016b19a..607a39ccd8 100644 +index d30bca594f..bd9c1b4c74 100644 --- a/lib/nettle/pk.c 
+++ b/lib/nettle/pk.c -@@ -2497,7 +2497,30 @@ static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* param - goto cleanup; +@@ -2642,6 +2642,35 @@ static int pct_test(gnutls_pk_algorithm_t algo, } break; -- case GNUTLS_PK_DH: -+ case GNUTLS_PK_DH: { -+ mpz_t y; + case GNUTLS_PK_DH: ++ { ++ mpz_t y; + -+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance -+ * of Pair-wise Consistency check, even if we only -+ * support ephemeral DH, as it is required by FIPS -+ * 140-3 IG 10.3.A. -+ * -+ * Use the private key, x, along with the generator g -+ * and prime modulus p included in the domain -+ * parameters associated with the key pair to compute -+ * g^x mod p. Compare the result to the public key, y. -+ */ -+ mpz_init(y); -+ mpz_powm(y, -+ TOMPZ(params->params[DSA_G]), -+ TOMPZ(params->params[DSA_X]), -+ TOMPZ(params->params[DSA_P])); -+ if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) { -+ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); ++ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance ++ * of Pair-wise Consistency check, even if we only ++ * support ephemeral DH, as it is required by FIPS ++ * 140-3 IG 10.3.A. ++ * ++ * Use the private key, x, along with the generator g ++ * and prime modulus p included in the domain ++ * parameters associated with the key pair to compute ++ * g^x mod p. Compare the result to the public key, y. ++ */ ++ mpz_init(y); ++ mpz_powm(y, ++ TOMPZ(params->params[DSA_G]), ++ TOMPZ(params->params[DSA_X]), ++ TOMPZ(params->params[DSA_P])); ++ if (unlikely ++ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) { ++ ret = ++ gnutls_assert_val ++ (GNUTLS_E_PK_GENERATION_ERROR); ++ mpz_clear(y); ++ goto cleanup; ++ } ++ mpz_clear(y); ++ break; + } -+ mpz_clear(y); -+ break; -+ } case GNUTLS_PK_ECDH_X25519: case GNUTLS_PK_ECDH_X448: ret = 0; -- -2.39.1 +2.39.2 diff --git a/gnutls.spec b/gnutls.spec index d4586a4..4ec9226 100644 --- a/gnutls.spec +++ b/gnutls.spec 
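Review bot: The new pair-wise consistency check raises the private exponent with plain `mpz_powm`, which GMP does not make side-channel resistant, so the running time of this self-test depends on the bits of x on every DH key generation; GMP provides `mpz_powm_sec` for exactly this situation (secret exponent, odd modulus, which a DH prime p satisfies), and the DH derive path in this file presumably already uses it — worth confirming. Switching the call to `mpz_powm_sec(y, TOMPZ(params->params[DSA_G]), TOMPZ(params->params[DSA_X]), TOMPZ(params->params[DSA_P]));` leaves the check's result identical while avoiding a new data-dependent exponentiation of the private key. The failure branch clears y before `goto cleanup`, which is correct; the enclosing `pct_test` switch starts and ends outside this hunk.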
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 Version: 3.7.6
-Release: 17%{?dist}
+Release: 18%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@@ -39,6 +39,7 @@ Patch: gnutls-3.7.6-fips-ccm-taglen.patch
 Patch: gnutls-3.7.6-fips-rsa-pss-saltlen.patch
 Patch: gnutls-3.7.8-revert-hmac-name.patch
 Patch: gnutls-3.7.8-rsa-kx-timing.patch
+Patch: gnutls-3.7.8-fips-pct-dh.patch
 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@@ -46,7 +47,6 @@ Patch: gnutls-3.7.3-fips-dsa-post.patch
 Patch: gnutls-3.7.6-drbg-reseed.patch
 Patch: gnutls-3.7.6-cpuid-fixes.patch
 Patch: gnutls-3.7.6-gmp-static.patch
-Patch: gnutls-3.7.8-fips-pct-dh.patch
 %bcond_without bootstrap
 %bcond_without dane
@@ -406,6 +406,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 %changelog
+* Tue Feb 28 2023 Daiki Ueno - 3.7.6-18
+- Update gnutls-3.7.8-fips-pct-dh.patch to the upstream version (#2168143)
+
 * Fri Feb 10 2023 Daiki Ueno - 3.7.6-17
 - Fix timing side-channel in TLS RSA key exchange (#2162601)