From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001
From: Pedro Monreal
Date: Thu, 16 Feb 2023 17:02:38 +0100
Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation

Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise Consistency check, even if we only support ephemeral DH, as it is required by FIPS 140-3 IG 10.3.A.

Signed-off-by: Pedro Monreal
Co-authored-by: Daiki Ueno
---
 lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index d30bca594f..bd9c1b4c74 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -2642,6 +2642,35 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 }
 break;
 case GNUTLS_PK_DH:
+ {
+ mpz_t y;
+
+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+ * of Pair-wise Consistency check, even if we only
+ * support ephemeral DH, as it is required by FIPS
+ * 140-3 IG 10.3.A.
+ *
+ * Use the private key, x, along with the generator g
+ * and prime modulus p included in the domain
+ * parameters associated with the key pair to compute
+ * g^x mod p. Compare the result to the public key, y.
+ */
+ mpz_init(y);
+ mpz_powm(y,
+ TOMPZ(params->params[DSA_G]),
+ TOMPZ(params->params[DSA_X]),
+ TOMPZ(params->params[DSA_P]));
+ if (unlikely
+ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_PK_GENERATION_ERROR);
+ mpz_clear(y);
+ goto cleanup;
+ }
+ mpz_clear(y);
+ break;
+ }
 case GNUTLS_PK_ECDH_X25519:
 case GNUTLS_PK_ECDH_X448:
 ret = 0;
-- 
2.39.2
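Review bot: The recomputation of g^x mod p in the new GNUTLS_PK_DH case feeds the freshly generated private exponent x into plain `mpz_powm`, whose running time is data-dependent, so the consistency check itself becomes a timing side channel on the key it is meant to validate. GMP documents `mpz_powm_sec` as the variant to use when the exponent is secret, and its preconditions (odd modulus, positive exponent) hold for a valid DH key pair, so the call could read `mpz_powm_sec(y, TOMPZ(params->params[DSA_G]), TOMPZ(params->params[DSA_X]), TOMPZ(params->params[DSA_P]));` — worth confirming this matches how the rest of pk.c exponentiates with private values. A short comment on why the _sec variant is chosen, e.g. `/* x is secret: use the side-channel-hardened exponentiation */`, would keep a later cleanup from reverting it. The enclosing pct_test() starts and ends outside this hunk.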