gnutls/gnutls-FIPS-PCT-DH.patch

From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001
From: Pedro Monreal <pmgdeb@gmail.com>
Date: Thu, 16 Feb 2023 17:02:38 +0100
Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation

Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
Consistency check, even if we only support ephemeral DH, as it is
required by FIPS 140-3 IG 10.3.A.

Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
---
 lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

Index: gnutls-3.8.0/lib/nettle/pk.c
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/pk.c
+++ gnutls-3.8.0/lib/nettle/pk.c
@@ -2520,6 +2520,35 @@ static int pct_test(gnutls_pk_algorithm_
 		}
 		break;
 	case GNUTLS_PK_DH:
+		{
+			mpz_t y;
+
+			/* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+			 * of Pair-wise Consistency check, even if we only
+			 * support ephemeral DH, as it is required by FIPS
+			 * 140-3 IG 10.3.A.
+			 *
+			 * Use the private key, x, along with the generator g
+			 * and prime modulus p included in the domain
+			 * parameters associated with the key pair to compute
+			 * g^x mod p. Compare the result to the public key, y.
+			 */
+			mpz_init(y);
+			mpz_powm(y,
+				 TOMPZ(params->params[DSA_G]),
+				 TOMPZ(params->params[DSA_X]),
+				 TOMPZ(params->params[DSA_P]));
+			if (unlikely
+			    (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+				ret =
+				    gnutls_assert_val
+				    (GNUTLS_E_PK_GENERATION_ERROR);
+				mpz_clear(y);
+				goto cleanup;
+			}
+			mpz_clear(y);
+			break;
+		}
 	case GNUTLS_PK_ECDH_X25519:
 	case GNUTLS_PK_ECDH_X448:
 		ret = 0;
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001`
			`From: Pedro Monreal <pmgdeb@gmail.com>`
			`Date: Thu, 16 Feb 2023 17:02:38 +0100`
			`Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation`

			`Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise`
			`Consistency check, even if we only support ephemeral DH, as it is`
			`required by FIPS 140-3 IG 10.3.A.`

			`Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>`
			`Co-authored-by: Daiki Ueno <ueno@gnu.org>`
			`---`
			`lib/nettle/pk.c \| 29 +++++++++++++++++++++++++++++`
			`1 file changed, 29 insertions(+)`

			`Index: gnutls-3.8.0/lib/nettle/pk.c`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`===================================================================`
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`--- gnutls-3.8.0.orig/lib/nettle/pk.c`
			`+++ gnutls-3.8.0/lib/nettle/pk.c`
			`@@ -2520,6 +2520,35 @@ static int pct_test(gnutls_pk_algorithm_`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`}`
			`break;`
			`case GNUTLS_PK_DH:`
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`+ {`
			`+ mpz_t y;`
			`+`
			`+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance`
			`+ * of Pair-wise Consistency check, even if we only`
			`+ * support ephemeral DH, as it is required by FIPS`
			`+ * 140-3 IG 10.3.A.`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`+ *`
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`+ * Use the private key, x, along with the generator g`
			`+ * and prime modulus p included in the domain`
			`+ * parameters associated with the key pair to compute`
			`+ * g^x mod p. Compare the result to the public key, y.`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`+ */`
			`+ mpz_init(y);`
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`+ mpz_powm(y,`
			`+ TOMPZ(params->params[DSA_G]),`
			`+ TOMPZ(params->params[DSA_X]),`
			`+ TOMPZ(params->params[DSA_P]));`
			`+ if (unlikely`
			`+ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {`
			`+ ret =`
			`+ gnutls_assert_val`
			`+ (GNUTLS_E_PK_GENERATION_ERROR);`
			`+ mpz_clear(y);`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`+ goto cleanup;`
			`+ }`
Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.0: [bsc#1205763, bsc#1209627] * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] * libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. * libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. * libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. * libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any OBS-URL: https://build.opensuse.org/request/show/1074130 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88 2023-03-24 12:22:34 +00:00			`+ mpz_clear(y);`
			`+ break;`
Accepting request 1059996 from home:pmonrealgonzalez:branches:security:tls - FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346] * Add gnutls-FIPS-140-3-references.patch - FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183] * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch OBS-URL: https://build.opensuse.org/request/show/1059996 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=84 2023-01-20 20:17:13 +00:00			`+ }`
			`case GNUTLS_PK_ECDH_X25519:`
			`case GNUTLS_PK_ECDH_X448:`
			`ret = 0;`