fips: extend PCT to DH key generation

Resolves: #2168143 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2023-02-10 13:31:17 +09:00 · 2023-02-10 13:31:17 +09:00 · bb8f9067ee
parent 0efdf6a30a
commit bb8f9067ee
2 changed files with 59 additions and 1 deletions
--- a/gnutls-3.7.8-fips-pct-dh.patch
+++ b/gnutls-3.7.8-fips-pct-dh.patch
@ -0,0 +1,54 @@
+From 8879cd62b327874cdcc9b960ff34d320025f07c2 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 10 Feb 2023 12:35:22 +0900
+Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation
+
+Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
+Consistency check, even if we only support ephemeral DH, as it is
+required by FIPS 140-3 IG 10.3.A.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Co-authored-by: Pedro Monreal <pmonreal@suse.com>
+---
+ lib/nettle/pk.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index f38016b19a..607a39ccd8 100644
+--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
+@@ -2497,7 +2497,30 @@ static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* param
+ 			goto cleanup;
+ 		}
+ 		break;
+-	case GNUTLS_PK_DH:
+	case GNUTLS_PK_DH: {
+		mpz_t y;
+
+		/* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+		 * of Pair-wise Consistency check, even if we only
+		 * support ephemeral DH, as it is required by FIPS
+		 * 140-3 IG 10.3.A.
+		 *
+		 * Use the private key, x, along with the generator g
+		 * and prime modulus p included in the domain
+		 * parameters associated with the key pair to compute
+		 * g^x mod p. Compare the result to the public key, y.
+		 */
+		mpz_init(y);
+		mpz_powm(y,
+			 TOMPZ(params->params[DSA_G]),
+			 TOMPZ(params->params[DSA_X]),
+			 TOMPZ(params->params[DSA_P]));
+		if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+		}
+		mpz_clear(y);
+		break;
+	}
+ 	case GNUTLS_PK_ECDH_X25519:
+ 	case GNUTLS_PK_ECDH_X448:
+ 		ret = 0;
+-- 
+2.39.1
+
--- a/gnutls.spec
+++ b/gnutls.spec
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }

 Version: 3.7.6
-Release: 15%{?dist}
+Release: 16%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@ -45,6 +45,7 @@ Patch: gnutls-3.7.3-fips-dsa-post.patch
 Patch: gnutls-3.7.6-drbg-reseed.patch
 Patch: gnutls-3.7.6-cpuid-fixes.patch
 Patch: gnutls-3.7.6-gmp-static.patch
+Patch: gnutls-3.7.8-fips-pct-dh.patch

 %bcond_without bootstrap
 %bcond_without dane
@ -404,6 +405,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif

 %changelog
+* Fri Feb 10 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-16
+- fips: extend PCT to DH key generation (#2168143)
+
 * Thu Dec 15 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.6-15
 - fips: rename hmac file to its previous name (#2148269)