From 755e6dce727915249cbb1a98f22832d940b99c24 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 6 Mar 2025 09:12:36 +0900
Subject: [PATCH 07/14] cipher,ecc: Fix for supplied K.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* cipher/ecc.c (ecc_sign): Check if it's under FIPS mode.
(ecc_verify): Supplied K does no sense for verification, but add
comment of clarification mark/reject-ing under FIPS mode.

--

GnuPG-bug-id: 7338
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Lucas Mülling <lucas.mulling@suse.com>
---
 cipher/ecc.c | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/cipher/ecc.c b/cipher/ecc.c
index 569e41f6..a165bb7a 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -962,17 +962,21 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 
   if (ctx.label)
     {
-      if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_ECC_K))
+      /* ECDSA signing can have supplied K (for testing, deterministic).  */
+      if (fips_mode ())
         {
-          rc = GPG_ERR_INV_DATA;
-          goto leave;
+          if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_ECC_K))
+            {
+              rc = GPG_ERR_INV_DATA;
+              goto leave;
+            }
+          else
+            fips_service_indicator_mark_non_compliant ();
         }
-      else
-        fips_service_indicator_mark_non_compliant ();
       rc = _gcry_mpi_scan (&k, GCRYMPI_FMT_USG, ctx.label, ctx.labellen, NULL);
+      if (rc)
+        goto leave;
     }
-  if (rc)
-    goto leave;
 
   if (fips_mode ()
       && ((ctx.flags & PUBKEY_FLAG_GOST) || (ctx.flags & PUBKEY_FLAG_SM2)))
@@ -1128,18 +1132,21 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms)
   if (rc)
     goto leave;
 
-  if (ctx.label)
+  /*
+   * ECDSA signing can have supplied K (for testing, deterministic),
+   * but it's non-compliant.  For ECDSA signature verification, having
+   * K is irrelevant, but an application may use same flags as the one
+   * for signing.
+   */
+  if (ctx.label && fips_mode ())
     {
-      if (fips_mode ())
+      if (fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_ECC_K))
         {
-          if(fips_check_rejection (GCRY_FIPS_FLAG_REJECT_PK_ECC_K))
-            {
-              rc = GPG_ERR_INV_DATA;
-              goto leave;
-            }
-          else
-            fips_service_indicator_mark_non_compliant ();
+          rc = GPG_ERR_INV_DATA;
+          goto leave;
         }
+      else
+        fips_service_indicator_mark_non_compliant ();
     }
 
   if (DBG_CIPHER)
-- 
2.49.0