gnutls/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch

From e94ab6b703ee50ea020565e1b8729a9b1d524d84 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 29 Jul 2019 14:00:30 +0200
Subject: [PATCH 1/6] nettle: add functions for deterministic ECDSA/DSA

This adds functions to perform deterministic ECDSA/DSA, namely
_gnutls_{ecdsa,dsa}_compute_k(), which computes the k value according
to RFC 6979.  The retrieved k value can be given to
nettle_{ecdsa,dsa}_sign() through a wrapper random function.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/nettle/Makefile.am           |   5 +-
 lib/nettle/int/dsa-compute-k.c   | 209 +++++++++++++++++++++++++++++++
 lib/nettle/int/dsa-compute-k.h   |  37 ++++++
 lib/nettle/int/ecdsa-compute-k.c |  95 ++++++++++++++
 lib/nettle/int/ecdsa-compute-k.h |  37 ++++++
 lib/nettle/int/mpn-base256.c     |  97 ++++++++++++++
 lib/nettle/int/mpn-base256.h     |  48 +++++++
 7 files changed, 527 insertions(+), 1 deletion(-)
 create mode 100644 lib/nettle/int/dsa-compute-k.c
 create mode 100644 lib/nettle/int/dsa-compute-k.h
 create mode 100644 lib/nettle/int/ecdsa-compute-k.c
 create mode 100644 lib/nettle/int/ecdsa-compute-k.h
 create mode 100644 lib/nettle/int/mpn-base256.c
 create mode 100644 lib/nettle/int/mpn-base256.h

diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
index 1c60d3244..bd9dd753a 100644
--- a/lib/nettle/Makefile.am
+++ b/lib/nettle/Makefile.am
@@ -45,7 +45,10 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \
 	backport/xts.c backport/xts.h \
 	rnd.c int/rsa-fips.h int/rsa-keygen-fips186.c int/provable-prime.c \
 	int/dsa-fips.h int/dsa-keygen-fips186.c int/dsa-validate.c \
-	int/tls1-prf.c int/tls1-prf.h
+	int/tls1-prf.c int/tls1-prf.h \
+	int/dsa-compute-k.c int/dsa-compute-k.h \
+	int/ecdsa-compute-k.c int/ecdsa-compute-k.h \
+	int/mpn-base256.c int/mpn-base256.h
 
 if WINDOWS
 libcrypto_la_SOURCES += sysrng-windows.c
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
new file mode 100644
index 000000000..17d63318c
--- /dev/null
+++ b/lib/nettle/int/dsa-compute-k.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "dsa-compute-k.h"
+
+#include "gnutls_int.h"
+#include "mem.h"
+#include "mpn-base256.h"
+#include <string.h>
+
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+
+/* The maximum size of q, choosen from the fact that we support
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+ * maximum. */
+#define MAX_Q_BITS 521
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+
+int
+_gnutls_dsa_compute_k(mpz_t k,
+		      const mpz_t q,
+		      const mpz_t x,
+		      gnutls_mac_algorithm_t mac,
+		      const uint8_t *digest,
+		      size_t length)
+{
+	uint8_t V[MAX_HASH_SIZE];
+	uint8_t K[MAX_HASH_SIZE];
+	uint8_t xp[MAX_Q_SIZE];
+	uint8_t tp[MAX_Q_SIZE];
+	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+	mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
+	mp_size_t qn = mpz_size(q);
+	mp_bitcnt_t h_bits = length * 8;
+	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+	size_t nbytes = (q_bits + 7) / 8;
+	const uint8_t c0 = 0x00;
+	const uint8_t c1 = 0x01;
+	mp_limb_t cy;
+	gnutls_hmac_hd_t hd;
+	int ret = 0;
+
+	if (unlikely(q_bits > MAX_Q_BITS))
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	if (unlikely(length > MAX_HASH_SIZE))
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+	/* int2octets(x) */
+	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
+
+	/* bits2octets(h) */
+	mpn_set_base256(h, hn, digest, length);
+
+	if (hn < qn)
+		/* qlen > blen: add zero bits to the left */
+		mpn_zero(&h[hn], qn - hn);
+	else if (h_bits > q_bits) {
+		/* qlen < blen: keep the leftmost qlen bits.  We do this in 2
+		 * steps because mpn_rshift only accepts shift count in the
+		 * range 1 to mp_bits_per_limb-1.
+		 */
+		mp_bitcnt_t shift = h_bits - q_bits;
+
+		if (shift / GMP_NUMB_BITS > 0) {
+			mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn);
+			hn -= shift / GMP_NUMB_BITS;
+		}
+
+		if (shift % GMP_NUMB_BITS > 0)
+			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+	}
+
+	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
+	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+#ifdef mpn_cnd_add_n
+	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
+#else
+	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
+#endif
+	mpn_get_base256(tp, nbytes, h, qn);
+
+	/* Step b */
+	memset(V, c1, length);
+
+	/* Step c */
+	memset(K, c0, length);
+
+	/* Step d */
+	ret = gnutls_hmac_init(&hd, mac, K, length);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, V, length);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, &c0, 1);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, xp, nbytes);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, tp, nbytes);
+	if (ret < 0)
+		goto out;
+	gnutls_hmac_deinit(hd, K);
+
+	/* Step e */
+	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
+	if (ret < 0)
+		goto out;
+
+	/* Step f */
+	ret = gnutls_hmac_init(&hd, mac, K, length);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, V, length);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, &c1, 1);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, xp, nbytes);
+	if (ret < 0)
+		goto out;
+	ret = gnutls_hmac(hd, tp, nbytes);
+	if (ret < 0)
+		goto out;
+	gnutls_hmac_deinit(hd, K);
+
+	/* Step g */
+	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
+	if (ret < 0)
+		goto out;
+
+	/* Step h */
+	for (;;) {
+		/* Step 1 */
+		size_t tlen = 0;
+
+		/* Step 2 */
+		while (tlen < nbytes) {
+			size_t remaining = MIN(nbytes - tlen, length);
+			ret = gnutls_hmac_fast(mac, K, length, V, length, V);
+			if (ret < 0)
+				goto out;
+			memcpy (&tp[tlen], V, remaining);
+			tlen += remaining;
+		}
+
+		/* Step 3 */
+		mpn_set_base256 (h, qn, tp, tlen);
+		if (tlen * 8 > q_bits)
+			mpn_rshift (h, h, qn, tlen * 8 - q_bits);
+		/* Check if k is in [1,q-1] */
+		if (!mpn_zero_p (h, qn) &&
+		    mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
+			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+			mpz_limbs_finish(k, qn);
+			break;
+		}
+
+		ret = gnutls_hmac_init(&hd, mac, K, length);
+		if (ret < 0)
+			goto out;
+		ret = gnutls_hmac(hd, V, length);
+		if (ret < 0)
+			goto out;
+		ret = gnutls_hmac(hd, &c0, 1);
+		if (ret < 0)
+			goto out;
+		gnutls_hmac_deinit(hd, K);
+
+		ret = gnutls_hmac_fast(mac, K, length, V, length, V);
+		if (ret < 0)
+			goto out;
+	}
+
+ out:
+	zeroize_key(xp, sizeof(xp));
+	zeroize_key(tp, sizeof(tp));
+
+	return ret;
+}
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
new file mode 100644
index 000000000..64e90e0ca
--- /dev/null
+++ b/lib/nettle/int/dsa-compute-k.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
+#define GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
+
+#include <gnutls/gnutls.h>
+#include <nettle/bignum.h> /* includes gmp.h */
+
+int
+_gnutls_dsa_compute_k(mpz_t k,
+		      const mpz_t q,
+		      const mpz_t x,
+		      gnutls_mac_algorithm_t mac,
+		      const uint8_t *digest,
+		      size_t length);
+
+#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
new file mode 100644
index 000000000..94914ebdf
--- /dev/null
+++ b/lib/nettle/int/ecdsa-compute-k.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "ecdsa-compute-k.h"
+
+#include "dsa-compute-k.h"
+#include "gnutls_int.h"
+
+static inline int
+_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+{
+	switch (curve) {
+#ifdef ENABLE_NON_SUITEB_CURVES
+	case GNUTLS_ECC_CURVE_SECP192R1:
+		mpz_init_set_str(*q,
+				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+				 "146BC9B1B4D22831",
+				 16);
+		return 0;
+	case GNUTLS_ECC_CURVE_SECP224R1:
+		mpz_init_set_str(*q,
+				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+				 "E0B8F03E13DD29455C5C2A3D",
+				 16);
+		return 0;
+#endif
+	case GNUTLS_ECC_CURVE_SECP256R1:
+		mpz_init_set_str(*q,
+				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+				 16);
+		return 0;
+	case GNUTLS_ECC_CURVE_SECP384R1:
+		mpz_init_set_str(*q,
+				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+				 "581A0DB248B0A77AECEC196ACCC52973",
+				 16);
+		return 0;
+	case GNUTLS_ECC_CURVE_SECP521R1:
+		mpz_init_set_str(*q,
+				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+				 "FFA51868783BF2F966B7FCC0148F709A"
+				 "5D03BB5C9B8899C47AEBB6FB71E91386"
+				 "409",
+				 16);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+	}
+}
+
+int
+_gnutls_ecdsa_compute_k (mpz_t k,
+			 gnutls_ecc_curve_t curve,
+			 const mpz_t x,
+			 gnutls_mac_algorithm_t mac,
+			 const uint8_t *digest,
+			 size_t length)
+{
+	mpz_t q;
+	int ret;
+
+	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
+	mpz_clear(q);
+	return ret;
+}
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
new file mode 100644
index 000000000..7ca401d6e
--- /dev/null
+++ b/lib/nettle/int/ecdsa-compute-k.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
+#define GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
+
+#include <gnutls/gnutls.h>
+#include <nettle/bignum.h> /* includes gmp.h */
+
+int
+_gnutls_ecdsa_compute_k (mpz_t k,
+			 gnutls_ecc_curve_t curve,
+			 const mpz_t x,
+			 gnutls_mac_algorithm_t mac,
+			 const uint8_t *digest,
+			 size_t length);
+
+#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
diff --git a/lib/nettle/int/mpn-base256.c b/lib/nettle/int/mpn-base256.c
new file mode 100644
index 000000000..88dd00bd2
--- /dev/null
+++ b/lib/nettle/int/mpn-base256.c
@@ -0,0 +1,97 @@
+/* gmp-glue.c
+
+   Copyright (C) 2013 Niels Möller
+   Copyright (C) 2013 Red Hat
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "mpn-base256.h"
+
+void
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
+		 const uint8_t *xp, size_t xn)
+{
+  size_t xi;
+  mp_limb_t out;
+  unsigned bits;
+  for (xi = xn, out = bits = 0; xi > 0 && rn > 0; )
+    {
+      mp_limb_t in = xp[--xi];
+      out |= (in << bits) & GMP_NUMB_MASK;
+      bits += 8;
+      if (bits >= GMP_NUMB_BITS)
+	{
+	  *rp++ = out;
+	  rn--;
+
+	  bits -= GMP_NUMB_BITS;
+	  out = in >> (8 - bits);
+	}
+    }
+  if (rn > 0)
+    {
+      *rp++ = out;
+      if (--rn > 0)
+	mpn_zero (rp, rn);
+    }
+}
+
+void
+mpn_get_base256 (uint8_t *rp, size_t rn,
+		 const mp_limb_t *xp, mp_size_t xn)
+{
+  unsigned bits;
+  mp_limb_t in;
+  for (bits = in = 0; xn > 0 && rn > 0; )
+    {
+      if (bits >= 8)
+	{
+	  rp[--rn] = in;
+	  in >>= 8;
+	  bits -= 8;
+	}
+      else
+	{
+	  uint8_t old = in;
+	  in = *xp++;
+	  xn--;
+	  rp[--rn] = old | (in << bits);
+	  in >>= (8 - bits);
+	  bits += GMP_NUMB_BITS - 8;
+	}
+    }
+  while (rn > 0)
+    {
+      rp[--rn] = in;
+      in >>= 8;
+    }
+}
diff --git a/lib/nettle/int/mpn-base256.h b/lib/nettle/int/mpn-base256.h
new file mode 100644
index 000000000..b5ca4af03
--- /dev/null
+++ b/lib/nettle/int/mpn-base256.h
@@ -0,0 +1,48 @@
+/* gmp-glue.h
+
+   Copyright (C) 2013 Niels Möller
+   Copyright (C) 2013 Red Hat
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GMP_GLUE_H_INCLUDED
+#define NETTLE_GMP_GLUE_H_INCLUDED
+
+#include <nettle/bignum.h>
+
+/* Like mpn_set_str, but always writes rn limbs. If input is larger,
+   higher bits are ignored. */
+void
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
+		 const uint8_t *xp, size_t xn);
+
+void
+mpn_get_base256 (uint8_t *rp, size_t rn,
+	         const mp_limb_t *xp, mp_size_t xn);
+
+#endif /* NETTLE_GMP_GLUE_H_INCLUDED */
-- 
2.21.0


From f42d96451a654ccc3523b0a0086e18f19ba3fecc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 29 Jul 2019 15:10:51 +0200
Subject: [PATCH 2/6] privkey_sign_raw_data: remove unnecessary local variable

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/privkey.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/privkey.c b/lib/privkey.c
index 8e353c5e5..2fee8777a 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1492,8 +1492,6 @@ privkey_sign_raw_data(gnutls_privkey_t key,
 							   0,
 							   data, signature);
 		} else if (key->key.ext.sign_hash_func) {
-			unsigned int flags = 0;
-
 			if (se->pk == GNUTLS_PK_RSA) {
 				se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW);
 				assert(se != NULL);
@@ -1502,7 +1500,7 @@ privkey_sign_raw_data(gnutls_privkey_t key,
 			/* se may not be set here if we are doing legacy RSA */
 			return key->key.ext.sign_hash_func(key, se->id,
 							   key->key.ext.userdata,
-							   flags,
+							   0,
 							   data, signature);
 		} else {
 			if (!PK_IS_OK_FOR_EXT2(se->pk))
-- 
2.21.0


From 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 7 Aug 2019 14:37:00 +0200
Subject: [PATCH 3/6] privkey_sign_prehashed: remove unused argument

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/privkey.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/privkey.c b/lib/privkey.c
index 2fee8777a..8683b4e20 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -43,7 +43,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
 		       const gnutls_sign_entry_st *se,
 		       const gnutls_datum_t * hash_data,
 		       gnutls_datum_t * signature,
-		       gnutls_x509_spki_st * params, unsigned flags);
+		       gnutls_x509_spki_st * params);
 
 /**
  * gnutls_privkey_get_type:
@@ -1253,7 +1253,7 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
 		return ret;
 	}
 
-	return privkey_sign_prehashed(signer, se, hash_data, signature, &params, flags);
+	return privkey_sign_prehashed(signer, se, hash_data, signature, &params);
 }
 
 int
@@ -1377,7 +1377,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
 	return privkey_sign_prehashed(signer, se,
-				      hash_data, signature, &params, flags);
+				      hash_data, signature, &params);
 }
 
 static int
@@ -1385,8 +1385,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
 		       const gnutls_sign_entry_st *se,
 		       const gnutls_datum_t * hash_data,
 		       gnutls_datum_t * signature,
-		       gnutls_x509_spki_st * params,
-		       unsigned flags)
+		       gnutls_x509_spki_st * params)
 {
 	int ret;
 	gnutls_datum_t digest;
-- 
2.21.0


From 8eb3a29336ea11f6b417ce7e25d53513509bdd87 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 29 Jul 2019 14:01:11 +0200
Subject: [PATCH 4/6] pk: implement deterministic ECDSA/DSA

This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 .gitignore                        |   1 +
 NEWS                              |   7 ++
 lib/crypto-backend.h              |  16 ++-
 lib/includes/gnutls/abstract.h    |   5 +-
 lib/nettle/pk.c                   |  54 +++++++-
 lib/privkey.c                     |   8 ++
 lib/x509/crq.c                    |   2 +
 lib/x509/pkcs7.c                  |   2 +
 lib/x509/sign.c                   |   2 +
 tests/Makefile.am                 |   2 +-
 tests/sign-verify-deterministic.c | 196 ++++++++++++++++++++++++++++++
 11 files changed, 290 insertions(+), 5 deletions(-)
 create mode 100644 tests/sign-verify-deterministic.c

diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 43124abaf..33eca6031 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st {
 	/* if non-zero, the legacy value for PKCS#7 signatures will be
 	 * written for RSA signatures. */
 	unsigned int legacy;
+
+	/* the digest used by ECDSA/DSA */
+	gnutls_digest_algorithm_t dsa_dig;
+
+	/* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
+	 * deterministic ECDSA/DSA */
+	unsigned int flags;
 } gnutls_x509_spki_st;
 
 #define GNUTLS_MAX_PK_PARAMS 16
@@ -219,9 +226,16 @@ typedef struct {
  */
 typedef enum {
 	GNUTLS_PK_FLAG_NONE = 0,
-	GNUTLS_PK_FLAG_PROVABLE = 1
+	GNUTLS_PK_FLAG_PROVABLE = 1,
+	GNUTLS_PK_FLAG_REPRODUCIBLE = 2
 } gnutls_pk_flag_t;
 
+#define FIX_SIGN_PARAMS(params, flags, dig) do {		\
+	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
+		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
+		(params).dsa_dig = (dig);			\
+	}							\
+} while (0)
 
 void gnutls_pk_params_release(gnutls_pk_params_st * p);
 void gnutls_pk_params_clear(gnutls_pk_params_st * p);
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index d4b7da68b..d8805681a 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key);
  * gnutls_privkey_flags:
  * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
  * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
+ *   For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
+ *   construction of random parameter according to RFC 6979. Note that
+ *   this only supports the NIST curves and DSA subgroup bits up to 512.
  * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
  *   release it when the structure it was imported is released.
  * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 08117c2d8..ebd6481cf 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -54,6 +54,8 @@
 #include "gost/gostdsa.h"
 #include "gost/ecc-gost-curve.h"
 #endif
+#include "int/ecdsa-compute-k.h"
+#include "int/dsa-compute-k.h"
 #include <gnettle.h>
 #include <fips.h>
 
@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
 	}
 }
 
+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+{
+	mpz_t *k = _ctx;
+	nettle_mpz_get_str_256 (length, data, *k);
+}
+
 static void
 ecc_scalar_zclear (struct ecc_scalar *s)
 {
@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_signature sig;
 			int curve_id = pk_params->curve;
 			const struct ecc_curve *curve;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			curve = get_supported_nist_curve(curve_id);
 			if (curve == NULL)
@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
-			ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len,
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_ecdsa_compute_k(k,
+							      curve_id,
+							      pk_params->params[ECC_K],
+							      sign_params->dsa_dig,
+							      vdata->data,
+							      vdata->size);
+				if (ret < 0)
+					goto ecdsa_cleanup;
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
+			ecdsa_sign(&priv, random_ctx, random_func, hash_len,
 				   vdata->data, &sig);
 
 			/* prevent memory leaks */
@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
  ecdsa_cleanup:
 			dsa_signature_clear(&sig);
 			ecc_scalar_zclear(&priv);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_params pub;
 			bigint_t priv;
 			struct dsa_signature sig;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			memset(&priv, 0, sizeof(priv));
 			memset(&pub, 0, sizeof(pub));
@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_dsa_compute_k(k,
+							    pub.q,
+							    TOMPZ(priv),
+							    sign_params->dsa_dig,
+							    vdata->data,
+							    vdata->size);
+				if (ret < 0)
+					goto dsa_fail;
+				/* cancel-out dsa_sign's addition of 1 to random data */
+				mpz_sub_ui (k, k, 1);
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
 			ret =
-			    dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func,
+			    dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
 				     hash_len, vdata->data, &sig);
 			if (ret == 0 || HAVE_LIB_ERROR()) {
 				gnutls_assert();
@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
  dsa_fail:
 			dsa_signature_clear(&sig);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
diff --git a/lib/privkey.c b/lib/privkey.c
index 8683b4e20..4ef07c8b0 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, hash);
+
 	return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, &params);
 }
 
@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_and_hash_data(signer, se, data, signature, &params);
 }
 
@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_prehashed(signer, se, hash_data, signature, &params);
 }
 
@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
 	if (unlikely(se == NULL))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, hash_algo);
+
 	return privkey_sign_prehashed(signer, se,
 				      hash_data, signature, &params);
 }
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index c8899f81a..4ca67535d 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key,
 	if (se == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	result = privkey_sign_and_hash_data(key, se,
 					    &tbs, &signature, &params);
 	gnutls_free(tbs.data);
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 21fff7b07..98669e887 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
 		goto cleanup;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	ret = privkey_sign_and_hash_data(signer_key, se,
 					 &sigdata, &signature, &params);
 	if (ret < 0) {
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 8f7a96f21..461524f5b 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
 		return result;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	if (_gnutls_pk_is_not_prehashed(params.pk)) {
 		result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, &params);
 	} else {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7970ad6b3..a8c2d152e 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -211,7 +211,8 @@ ctests += mini-record-2 simple gnutls_hm
 	 tls13-server-kx-neg gnutls_ext_raw_parse_dtls key-export-pkcs8 \
 	 null_retrieve_function tls-record-size-limit tls-crt_type-neg \
 	 resume-with-stek-expiration resume-with-previous-stek rawpk-api \
-	 tls-record-size-limit-asym dh-compute ecdh-compute
+	 tls-record-size-limit-asym dh-compute ecdh-compute \
+	 sign-verify-deterministic
 
 if HAVE_SECCOMP_TESTS
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
new file mode 100644
index 000000000..fe4873fc8
--- /dev/null
+++ b/tests/sign-verify-deterministic.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2017-2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#ifndef _WIN32
+# include <netinet/in.h>
+# include <sys/socket.h>
+# include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include "utils.h"
+
+/* verifies whether the sign-data and verify-data APIs
+ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "<%d> %s", level, str);
+}
+
+struct _key_tests_st {
+	const char *name;
+	gnutls_datum_t key;
+	gnutls_datum_t msg;
+	gnutls_datum_t sig;
+	gnutls_pk_algorithm_t pk;
+	gnutls_digest_algorithm_t digest;
+	gnutls_sign_algorithm_t sigalgo;
+	unsigned int sign_flags;
+};
+
+/* Test vectors from RFC 6979 */
+static const char dsa_privkey_rfc6979[] =
+    "-----BEGIN DSA PRIVATE KEY-----\n"
+    "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n"
+    "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n"
+    "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n"
+    "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n"
+    "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n"
+    "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n"
+    "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n"
+    "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n"
+    "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n"
+    "zMNElNedmO8eftWvJfc=\n"
+    "-----END DSA PRIVATE KEY-----\n";
+
+static const char ecdsa_secp256r1_privkey_rfc6979[] =
+    "-----BEGIN EC PRIVATE KEY-----\n"
+    "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n"
+    "PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n"
+    "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n"
+    "-----END EC PRIVATE KEY-----\n";
+
+static const char sample[] = "sample";
+
+static const
+struct _key_tests_st tests[] = {
+	{
+		.name = "dsa key",
+		.key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47},
+		.pk = GNUTLS_PK_DSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_DSA_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key (q bits < h bits)",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA384,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA384,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key (q bits > h bits)",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA224,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA224,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	}
+};
+
+#define testfail(fmt, ...) \
+	fail("%s: "fmt, tests[i].name, ##__VA_ARGS__)
+
+void doit(void)
+{
+	gnutls_pubkey_t pubkey;
+	gnutls_privkey_t privkey;
+	gnutls_datum_t signature;
+	int ret;
+	size_t i;
+
+	global_init();
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
+
+		ret = gnutls_privkey_init(&privkey);
+		if (ret < 0)
+			testfail("gnutls_privkey_init\n");
+
+		ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
+		if (ret < 0)
+			testfail("gnutls_privkey_import_x509_raw\n");
+
+		ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
+					       &tests[i].msg, &signature);
+		if (ret < 0)
+			testfail("gnutls_privkey_sign_data\n");
+
+		if (signature.size != tests[i].sig.size ||
+		    memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
+			testfail("signature does not match");
+
+		ret = gnutls_pubkey_init(&pubkey);
+		if (ret < 0)
+			testfail("gnutls_pubkey_init\n");
+
+		ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
+		if (ret < 0)
+			testfail("gnutls_pubkey_import_privkey\n");
+
+		ret =
+		    gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg,
+					      &signature);
+		if (ret < 0)
+			testfail("gnutls_pubkey_verify_data2\n");
+
+		gnutls_free(signature.data);
+		gnutls_privkey_deinit(privkey);
+		gnutls_pubkey_deinit(pubkey);
+	}
+
+	gnutls_global_deinit();
+}
-- 
2.21.0


From 1adee9e136176a8fe26bae036ebb275fe4c26f64 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 5 Aug 2019 15:21:55 +0200
Subject: [PATCH 5/6] nettle: enable deterministic ECDSA/DSA during FIPS
 selftests

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/nettle/pk.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index ebd6481cf..1f8e7f931 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -820,7 +820,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			}
 
 			mpz_init(k);
-			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
 				ret = _gnutls_ecdsa_compute_k(k,
 							      curve_id,
 							      pk_params->params[ECC_K],
@@ -888,7 +889,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			}
 
 			mpz_init(k);
-			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
 				ret = _gnutls_dsa_compute_k(k,
 							    pub.q,
 							    TOMPZ(priv),
-- 
2.21.0


From 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 7 Aug 2019 15:55:44 +0200
Subject: [PATCH 6/6] nettle: prohibit deterministic ECDSA/DSA under FIPS
 except selftests

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/nettle/pk.c                   |  8 ++++++++
 tests/sign-verify-deterministic.c | 27 ++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 1f8e7f931..b2d27cf74 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -703,6 +703,14 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 	}
 
+	/* deterministic ECDSA/DSA is prohibited under FIPS except in
+	 * the selftests */
+	if (_gnutls_fips_mode_enabled() &&
+	    _gnutls_get_lib_state() != LIB_STATE_SELFTEST &&
+	    (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) &&
+	    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE))
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
 	switch (algo) {
 	case GNUTLS_PK_EDDSA_ED25519:	/* we do EdDSA */
 		{
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
index fe4873fc8..6e907288e 100644
--- a/tests/sign-verify-deterministic.c
+++ b/tests/sign-verify-deterministic.c
@@ -154,29 +154,40 @@ void doit(void)
 		gnutls_global_set_log_level(6);
 
 	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
-		success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
+		success("testing: %s - %s", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
+
+		ret = gnutls_pubkey_init(&pubkey);
+		if (ret < 0)
+			testfail("gnutls_pubkey_init\n");
 
 		ret = gnutls_privkey_init(&privkey);
 		if (ret < 0)
 			testfail("gnutls_privkey_init\n");
 
+		signature.data = NULL;
+		signature.size = 0;
+
 		ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
 		if (ret < 0)
 			testfail("gnutls_privkey_import_x509_raw\n");
 
 		ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
 					       &tests[i].msg, &signature);
-		if (ret < 0)
-			testfail("gnutls_privkey_sign_data\n");
+		if (gnutls_fips140_mode_enabled()) {
+			/* deterministic ECDSA/DSA is prohibited under FIPS */
+			if (ret != GNUTLS_E_INVALID_REQUEST)
+				testfail("gnutls_privkey_sign_data unexpectedly succeeds\n");
+			success(" - skipping\n");
+			goto next;
+		} else {
+			if (ret < 0)
+				testfail("gnutls_privkey_sign_data\n");
+		}
 
 		if (signature.size != tests[i].sig.size ||
 		    memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
 			testfail("signature does not match");
 
-		ret = gnutls_pubkey_init(&pubkey);
-		if (ret < 0)
-			testfail("gnutls_pubkey_init\n");
-
 		ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
 		if (ret < 0)
 			testfail("gnutls_pubkey_import_privkey\n");
@@ -186,7 +197,9 @@ void doit(void)
 					      &signature);
 		if (ret < 0)
 			testfail("gnutls_pubkey_verify_data2\n");
+		success(" - pass");
 
+	next:
 		gnutls_free(signature.data);
 		gnutls_privkey_deinit(privkey);
 		gnutls_pubkey_deinit(pubkey);
-- 
2.21.0

From 6cb58f18280bedfec9d7c8ac411574b868b3d758 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 16 Aug 2019 14:59:03 +0200
Subject: [PATCH] crypto-backend: always set sign_params.dsa_sig when ECDSA/DSA

In FIPS selftests we create deterministic signature and the
information about the digest algorithm is necessary.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/crypto-backend.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 33eca6031..664ba4377 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -233,6 +233,9 @@ typedef enum {
 #define FIX_SIGN_PARAMS(params, flags, dig) do {		\
 	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
 		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
+	}							\
+	if ((params).pk == GNUTLS_PK_DSA ||			\
+	    (params).pk == GNUTLS_PK_ECDSA) {			\
 		(params).dsa_dig = (dig);			\
 	}							\
 } while (0)
-- 
2.21.0