From fbd0de3a3635fb0fb617625e9ce5002b70dc0130 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 27 Apr 2026 18:00:00 +0900
Subject: [PATCH] Use full hash+sign operations in pct_test
Resolves: RHEL-172270
Signed-off-by: Daiki Ueno
---
 gnutls-3.8.10-fips-pct-hash-sign.patch | 172 +++++++++++++++++++++++++
 gnutls.spec | 7 +-
 2 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.8.10-fips-pct-hash-sign.patch
diff --git a/gnutls-3.8.10-fips-pct-hash-sign.patch b/gnutls-3.8.10-fips-pct-hash-sign.patch
new file mode 100644
index 0000000..900f591
--- /dev/null
+++ b/gnutls-3.8.10-fips-pct-hash-sign.patch 
@@ -0,0 +1,172 @@
+From 3272be27967c42c96b9f9eeab5b0fe886269fb5b Mon Sep 17 00:00:00 2001
+From: Angel Yankov
+Date: Fri, 8 Nov 2024 17:07:27 +0200
+Subject: [PATCH] Use full hash+sign operations in pct_test
+
+pct_test inside fips uses low-level, separate primitves
+for some hasing and signing. Replace them with high-level,
+more specific APIs.
+
+Signed-off-by: Angel Yankov
+Modified-by: Daiki Ueno
+---
+ lib/nettle/pk.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 135 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 5986a410c2..c665ded6e6 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -3195,6 +3195,128 @@ cleanup:
+ return ret;
+ }
+
++static gnutls_sign_algorithm_t pct_pk_to_sign(gnutls_pk_algorithm_t algo,
++ const gnutls_x509_spki_st *spki)
++{
++ switch (algo) {
++ case GNUTLS_PK_RSA:
++ return gnutls_pk_to_sign(algo, GNUTLS_DIG_SHA256);
++ case GNUTLS_PK_RSA_PSS:
++ return gnutls_pk_to_sign(algo, spki->rsa_pss_dig);
++#ifdef ENABLE_DSA
++ case GNUTLS_PK_DSA:
++#endif
++ case GNUTLS_PK_ECDSA:
++ return gnutls_pk_to_sign(algo, spki->dsa_dig);
++ case GNUTLS_PK_EDDSA_ED25519:
++ return GNUTLS_SIGN_EDDSA_ED25519;
++ case GNUTLS_PK_EDDSA_ED448:
++ return GNUTLS_SIGN_EDDSA_ED448;
++#if ENABLE_GOST
++ case GNUTLS_PK_GOST_01:
++ return GNUTLS_SIGN_GOST_94;
++ case GNUTLS_PK_GOST_12_256:
++ return GNUTLS_SIGN_GOST_256;
++ case GNUTLS_PK_GOST_12_512:
++ return GNUTLS_SIGN_GOST_512;
++#endif
++ case GNUTLS_PK_MLDSA44:
++ return GNUTLS_SIGN_MLDSA44;
++ case GNUTLS_PK_MLDSA65:
++ return GNUTLS_SIGN_MLDSA65;
++ case GNUTLS_PK_MLDSA87:
++ return GNUTLS_SIGN_MLDSA87;
++ default:
++ return GNUTLS_SIGN_UNKNOWN;
++ }
++}
++
++static int pct_hash_sign_test(gnutls_pk_algorithm_t algo,
++ const gnutls_pk_params_st *params,
++ const gnutls_x509_spki_st *spki,
++ const gnutls_datum_t *data)
++{
++ gnutls_privkey_t privkey = NULL;
++ gnutls_pubkey_t pubkey = NULL;
++ gnutls_x509_privkey_t xprivkey = NULL;
++ 
gnutls_datum_t sig = { NULL, 0 };
++ gnutls_sign_algorithm_t sign_algo;
++ int ret;
++
++ sign_algo = pct_pk_to_sign(algo, spki);
++ if (sign_algo == GNUTLS_SIGN_UNKNOWN)
++ return gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
++
++ ret = gnutls_x509_privkey_init(&xprivkey);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ ret = _gnutls_pk_params_copy(&xprivkey->params, params);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ ret = gnutls_privkey_init(&privkey);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ ret = gnutls_privkey_import_x509(privkey, xprivkey,
++ GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++ xprivkey = NULL;
++
++ ret = gnutls_pubkey_init(&pubkey);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ ret = gnutls_privkey_sign_data2(privkey, sign_algo, 0, data, &sig);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++ /* Ignore algorithm disablement through configuration during PCT. 
*/
++ ret = gnutls_pubkey_verify_data2(
++ pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_BROKEN, data, &sig);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++
++cleanup:
++ if (ret < 0) {
++ _gnutls_debug_log("PCT: %s hash+sign self-test failed: %s\n",
++ gnutls_sign_get_name(sign_algo),
++ gnutls_strerror(ret));
++ } else {
++ _gnutls_debug_log("PCT: %s hash+sign self-test succeeded\n",
++ gnutls_sign_get_name(sign_algo));
++ }
++
++ gnutls_x509_privkey_deinit(xprivkey);
++ gnutls_privkey_deinit(privkey);
++ gnutls_pubkey_deinit(pubkey);
++ _gnutls_free_datum(&sig);
++
++ return ret;
++}
++
+ static int pct_test(gnutls_pk_algorithm_t algo,
+ const gnutls_pk_params_st *params)
+ {
+@@ -3341,7 +3463,19 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ ret = _gnutls_pk_verify(algo, &ddata, &sig, params, &spki);
+ if (ret < 0) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+- gnutls_assert();
++ goto cleanup;
++ }
++
++ /* Exercise the combined hash+sign operation, using
++ * the abstract key interface.
++ *
++ * FIXME: rework this once the crypto-backend
++ * interface natively supports hash+sign operation, see:
++ * https://gitlab.com/gnutls/gnutls/-/merge_requests/2066
++ */
++ ret = pct_hash_sign_test(algo, params, &spki, &ddata);
++ if (ret < 0) {
++ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+ goto cleanup;
+ }
+ break;
+-- 
+2.54.0
+
diff --git a/gnutls.spec b/gnutls.spec
index 6e20745..1d06941 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 Version: 3.8.10
-Release: 4%{?dist}
+Release: 5%{?dist}
 # not upstreamed
 Patch: gnutls-3.2.7-rpath.patch
 Patch: gnutls-3.7.2-enable-intel-cet.patch 
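Review bot: The early `return gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR)` in pct_hash_sign_test for GNUTLS_SIGN_UNKNOWN bypasses the `cleanup:` debug log, so a PCT that fails only because pct_pk_to_sign could not map the key (for ECDSA/DSA this depends on the caller having populated spki->dsa_dig, which is not visible in this hunk) surfaces as a generic key-generation error with no "PCT:" log line; I would add `_gnutls_debug_log("PCT: no hash+sign algorithm for %s\n", gnutls_pk_get_name(algo));` before that return. The function also lacks a header comment: it should state that it signs `data` with a private key built from a copy of `params`, verifies with the public key derived from it, and that after gnutls_privkey_import_x509() with GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE the privkey owns xprivkey, which is why `xprivkey = NULL` follows the import. The comment on the GNUTLS_VERIFY_ALLOW_BROKEN call should, as far as I recall the flag's semantics, also say that it relaxes the verifier's algorithm-strength checks in general rather than only configuration-based disablement, so it is not copied outside a self-test. The caller pct_test in the second inner hunk starts and ends outside the hunk.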
@@ -69,6 +69,8 @@ Patch: gnutls-3.8.10-1841-hybrid-kx-zeroize.patch
 Patch: gnutls-3.8.10-1823-cfg-clear-options.patch
 Patch: gnutls-3.8.10-1817-security-parameters.patch
 Patch: gnutls-3.8.10-1820-p11p-kdf.patch
+# https://gitlab.com/gnutls/gnutls/-/merge_requests/2100
+Patch: gnutls-3.8.10-fips-pct-hash-sign.patch
 %bcond_without bootstrap
 %bcond_without dane
@@ -514,6 +516,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$x
 %endif
 %changelog
+* Mon Apr 27 2026 Daiki Ueno - 3.8.10-5
+- Use full hash+sign operations in pct_test (RHEL-172270)
+
 * Thu Apr 30 2026 Alexander Sosedkin - 3.8.10-4
 - Fix CVE-2026-33846 (DTLS fragment reassembly, High, heap overwrite)
 - Fix CVE-2026-42009 (DTLS fragment reassembly, High, undefined behaviour)