From bb8f9067ee53d72432c7547f32cbd2284de7402c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 10 Feb 2023 13:31:17 +0900 Subject: [PATCH] fips: extend PCT to DH key generation Resolves: #2168143 Signed-off-by: Daiki Ueno --- gnutls-3.7.8-fips-pct-dh.patch | 54 ++++++++++++++++++++++++++++++++++ gnutls.spec | 6 +++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.7.8-fips-pct-dh.patch diff --git a/gnutls-3.7.8-fips-pct-dh.patch b/gnutls-3.7.8-fips-pct-dh.patch new file mode 100644 index 0000000..4d94d94 --- /dev/null +++ b/gnutls-3.7.8-fips-pct-dh.patch 
@@ -0,0 +1,54 @@ +From 8879cd62b327874cdcc9b960ff34d320025f07c2 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 10 Feb 2023 12:35:22 +0900 +Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation + +Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise +Consistency check, even if we only support ephemeral DH, as it is +required by FIPS 140-3 IG 10.3.A. + +Signed-off-by: Daiki Ueno +Co-authored-by: Pedro Monreal +--- + lib/nettle/pk.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index f38016b19a..607a39ccd8 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -2497,7 +2497,30 @@ static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* param + goto cleanup; + } + break; +- case GNUTLS_PK_DH: ++ case GNUTLS_PK_DH: { ++ mpz_t y; ++ ++ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance ++ * of Pair-wise Consistency check, even if we only ++ * support ephemeral DH, as it is required by FIPS ++ * 140-3 IG 10.3.A. ++ * ++ * Use the private key, x, along with the generator g ++ * and prime modulus p included in the domain ++ * parameters associated with the key pair to compute ++ * g^x mod p. Compare the result to the public key, y. ++ */ ++ mpz_init(y); ++ mpz_powm(y, ++ TOMPZ(params->params[DSA_G]), ++ TOMPZ(params->params[DSA_X]), ++ TOMPZ(params->params[DSA_P])); ++ if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) { ++ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR); ++ } ++ mpz_clear(y); ++ break; ++ } + case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: + ret = 0; +-- +2.39.1 + diff --git a/gnutls.spec b/gnutls.spec index f1dbf3a..55ae020 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16)) } Version: 3.7.6 -Release: 15%{?dist} +Release: 16%{?dist} # not upstreamed Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch 
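Review bot: In the new `GNUTLS_PK_DH` case the success path never assigns `ret`, so when `g^x mod p` matches `params->params[DSA_Y]` the case falls out of the `switch` with whatever `ret` held on entry; the neighbouring `GNUTLS_PK_ECDH_X25519`/`X448` case ends with an explicit `ret = 0;`, and the head of `pct_test` is outside the hunk, so I cannot confirm `ret` is guaranteed zero at that point. Making the case self-contained is one line, `ret = 0;` right after `mpz_init(y);` (the mismatch branch still overrides it with `GNUTLS_E_PK_GENERATION_ERROR`). Separately, `mpz_powm` is called with the private value `x` as the exponent, and GMP documents `mpz_powm` as not side-channel resistant while offering `mpz_powm_sec` for secret exponents; this is a one-off check at key generation, but if the DH generate/derive paths elsewhere in pk.c use `mpz_powm_sec`, this check should match them, and a short comment recording the choice would help either way. `pct_test` begins before and ends after this hunk.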
@@ -45,6 +45,7 @@ Patch: gnutls-3.7.3-fips-dsa-post.patch Patch: gnutls-3.7.6-drbg-reseed.patch Patch: gnutls-3.7.6-cpuid-fixes.patch Patch: gnutls-3.7.6-gmp-static.patch +Patch: gnutls-3.7.8-fips-pct-dh.patch %bcond_without bootstrap %bcond_without dane @@ -404,6 +405,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Feb 10 2023 Daiki Ueno - 3.7.6-16 +- fips: extend PCT to DH key generation (#2168143) + * Thu Dec 15 2022 Zoltan Fridrich - 3.7.6-15 - fips: rename hmac file to its previous name (#2148269)