Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls

- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
  account for the new FIPS certification [bsc#1207346]
  * Add gnutls-FIPS-140-3-references.patch

- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch

OBS-URL: https://build.opensuse.org/request/show/1059996
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84

gnutls-FIPS-PCT-DH.patch

@@ -0,0 +1,85 @@
+Index: gnutls-3.7.8/lib/nettle/pk.c
+===================================================================
+--- gnutls-3.7.8.orig/lib/nettle/pk.c
++++ gnutls-3.7.8/lib/nettle/pk.c
+@@ -2498,6 +2498,48 @@ static int pct_test(gnutls_pk_algorithm_
+ 		}
+ 		break;
+ 	case GNUTLS_PK_DH:
++		if (_gnutls_fips_mode_enabled()) {
++			/* Perform Owner Assurance of Pair-wise Consistency
++			 * according to SP800-56A (revision 3), 5.6.2.1.4.
++			 *
++			 * DH params (see lib/crypto-backend.h)
++			 *  [DSA_P] [0] is p (prime number)
++			 *  [DSA_Q] [1] is q (prime order)
++			 *  [DSA_G] [2] is g (generator)
++			 *  [DSA_Y] [3] is y (public key)
++			 *  [DSA_X] [4] is x (private key only)
++			 *
++			 * Regenerate the public key from the private key with
++			 * y = g^x mod p and compare it with the previous one.
++			 */
++
++			mpz_t p, g, y, x;
++
++			mpz_init(p);
++			mpz_init(g);
++			mpz_init(y);
++			mpz_init(x);
++
++			mpz_set(p, params->params[DSA_P]);
++			mpz_set(g, params->params[DSA_G]);
++			mpz_set(x, params->params[DSA_X]);
++
++			mpz_powm(y, g, x, p);
++
++			ret = mpz_cmp(y, params->params[DSA_Y]);
++			if (unlikely(ret != 0)) {
++				ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
++			}
++
++			mpz_clear(p);
++			mpz_clear(g);
++			mpz_clear(y);
++			mpz_clear(x);
++			if (ret < 0) {
++				goto cleanup;
++			}
++		}
++		break;
+ 	case GNUTLS_PK_ECDH_X25519:
+ 	case GNUTLS_PK_ECDH_X448:
+ 		ret = 0;
+@@ -2780,8 +2822,17 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
+ 				}
+ 			}
+ #endif
+-
+-			ret = _gnutls_mpi_init_multi(&params->params[DSA_Y], &params->params[DSA_X], NULL);
++			if (_gnutls_fips_mode_enabled()) {
++				ret = _gnutls_mpi_init_multi(&params->params[DSA_P],
++							     &params->params[DSA_G],
++							     &params->params[DSA_Y],
++							     &params->params[DSA_X],
++							     NULL);
++			} else {
++				ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
++							     &params->params[DSA_X],
++							     NULL);
++			}
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto dh_fail;
+@@ -2790,6 +2841,11 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
+ 			mpz_set(TOMPZ(params->params[DSA_Y]), y);
+ 			mpz_set(TOMPZ(params->params[DSA_X]), x);
+ 			params->params_nr += 2;
++			if (_gnutls_fips_mode_enabled()) {
++				mpz_set(TOMPZ(params->params[DSA_P]), pub.p);
++				mpz_set(TOMPZ(params->params[DSA_G]), pub.g);
++				params->params_nr += 2;
++			}
+ 
+ 			ret = 0;
+ 

gnutls-FIPS-PCT-ECDH.patch

@@ -0,0 +1,171 @@
+Index: gnutls-3.7.3/lib/nettle/pk.c
+===================================================================
+--- gnutls-3.7.3.orig/lib/nettle/pk.c
++++ gnutls-3.7.3/lib/nettle/pk.c
+@@ -71,6 +71,9 @@
+ static inline const struct ecc_curve *get_supported_nist_curve(int curve);
+ static inline const struct ecc_curve *get_supported_gost_curve(int curve);
+ 
++static inline const char *get_supported_nist_curve_order(int curve);
++static inline const char *get_supported_nist_curve_modulus(int curve);
++
+ /* When these callbacks are used for a nettle operation, the
+  * caller must check the macro HAVE_LIB_ERROR() after the operation
+  * is complete. If the macro is true, the operation is to be considered
+@@ -406,6 +409,10 @@ dh_cleanup:
+ 			struct ecc_scalar ecc_priv;
+ 			struct ecc_point ecc_pub;
+ 			const struct ecc_curve *curve;
++			struct ecc_scalar n;
++			struct ecc_scalar m;
++			struct ecc_point r;
++			mpz_t x, y, xx, yy, nn, mm;
+ 
+ 			out->data = NULL;
+ 
+@@ -425,10 +432,21 @@ dh_cleanup:
+ 				not_approved = true;
+ 			}
+ 
++			mpz_init(x);
++			mpz_init(y);
++			mpz_init(xx);
++			mpz_init(yy);
++			mpz_init(nn);
++			mpz_init(mm);
++
++			ecc_scalar_init(&n, curve);
++			ecc_scalar_init(&m, curve);
++			ecc_point_init(&r, curve);
++
+ 			ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+-				goto cleanup;
++				goto ecc_pub_cleanup;
+ 			}
+ 
+ 			ret =
+@@ -436,7 +454,7 @@ dh_cleanup:
+ 			if (ret < 0) {
+ 				ecc_point_clear(&ecc_pub);
+ 				gnutls_assert();
+-				goto cleanup;
++				goto ecc_priv_cleanup;
+ 			}
+ 
+ 			out->size = gnutls_ecc_curve_get_size(priv->curve);
+@@ -449,16 +467,111 @@ dh_cleanup:
+ 				goto ecc_cleanup;
+ 			}
+ 
++			/* Perform ECC Full Public-Key Validation Routine
++			 * according to SP800-56A (revision 3), 5.6.2.3.3.
++			 */
++
++			/* Step 1: verify that Q is not an identity
++			 * element (an infinity point).  Note that this
++			 * cannot happen in the nettle implementation,
++			 * because it cannot represent an infinity point
++			 * on curves. */
+ 			ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
+ 						out->size);
+-			if (ret < 0)
++			if (ret < 0) {
+ 				gnutls_free(out->data);
++				goto ecc_cleanup;
++			}
++
++#ifdef ENABLE_FIPS140
++			if (_gnutls_fips_mode_enabled()) {
++				const char *order, *modulus;
++
++				ecc_point_mul(&r, &ecc_priv, &ecc_pub);
++				ecc_point_get(&r, x, y);
++
++				/* Step 2: verify that both coordinates of Q are
++				 * in the range [0, p - 1].
++				 *
++				 * Step 3: verify that Q lie on the curve
++				 *
++				 * Both checks are performed in nettle.  */
++				if (!ecc_point_set(&r, x, y)) {
++					ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++					goto ecc_cleanup;
++				}
++
++				/* Step 4: verify that n * Q, where n is the
++				 * curve order, result in an identity element
++				 *
++				 * Since nettle internally cannot represent an
++				 * identity element on curves, we validate this
++				 * instead:
++				 *
++				 *   (n - 1) * Q = -Q
++				 *
++				 * That effectively means: n * Q = -Q + Q = O
++				 */
++				order = get_supported_nist_curve_order(priv->curve);
++				if (unlikely(order == NULL)) {
++					ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++					goto ecc_cleanup;
++				}
++
++				ret = mpz_set_str(nn, order, 16);
++				if (unlikely(ret < 0)) {
++					ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
++					goto ecc_cleanup;
++				}
++
++				modulus = get_supported_nist_curve_modulus(priv->curve);
++				if (unlikely(modulus == NULL)) {
++					ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++					goto ecc_cleanup;
++				}
++
++				ret = mpz_set_str(mm, modulus, 16);
++				if (unlikely(ret < 0)) {
++					ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
++					goto ecc_cleanup;
++				}
++
++				/* (n - 1) * Q = -Q */
++				mpz_sub_ui (nn, nn, 1);
++				ecc_scalar_set(&n, nn);
++				ecc_point_mul(&r, &n, &r);
++				ecc_point_get(&r, xx, yy);
++				mpz_sub (mm, mm, y);
++
++				if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
++					ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++					goto ecc_cleanup;
++				}
++			} else {
++				not_approved = true;
++			}
++#endif
++
++			ret = 0;
+ 
+ 		      ecc_cleanup:
+-			ecc_point_clear(&ecc_pub);
+ 			ecc_scalar_zclear(&ecc_priv);
++		      ecc_priv_cleanup:
++			ecc_point_clear(&ecc_pub);
++		      ecc_pub_cleanup:
++			mpz_clear(x);
++			mpz_clear(y);
++			mpz_clear(xx);
++			mpz_clear(yy);
++			mpz_clear(nn);
++			mpz_clear(mm);
++			ecc_point_clear(&r);
++			ecc_scalar_clear(&n);
++			ecc_scalar_clear(&m);
++
+ 			if (ret < 0)
+ 				goto cleanup;
++
+ 			break;
+ 		}
+ 	case GNUTLS_PK_ECDH_X25519:

gnutls.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Jan 20 09:58:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
+  account for the new FIPS certification [bsc#1207346]
+  * Add gnutls-FIPS-140-3-references.patch
+
+-------------------------------------------------------------------
+Mon Jan 16 12:52:55 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
+  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+
 -------------------------------------------------------------------
 Mon Dec 12 08:58:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
 

gnutls.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -68,6 +68,11 @@ Patch7:         gnutls-Make-XTS-key-check-failure-not-fatal.patch
 Patch8:         gnutls-disable-flaky-test-dtls-resume.patch
 #PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
 Patch9:         gnutls-verify-library-HMAC.patch
+#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
+Patch10:        gnutls-FIPS-PCT-DH.patch
+Patch11:        gnutls-FIPS-PCT-ECDH.patch
+#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
+Patch12:        gnutls-FIPS-140-3-references.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge