
From 4ea7da1a6e745d91df627bc5aa9917ebe256a6a6 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 10 Feb 2023 12:35:22 +0900
Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation

Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
Consistency check, even if we only support ephemeral DH, as it is
required by FIPS 140-3 IG 10.3.A.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Monreal <pmonreal@suse.com>
---
 lib/nettle/pk.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

Index: gnutls-3.7.3/lib/nettle/pk.c
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/pk.c
+++ gnutls-3.7.3/lib/nettle/pk.c
@@ -2405,7 +2405,30 @@ static int pct_test(gnutls_pk_algorithm_
 			goto cleanup;
 		}
 		break;
-	case GNUTLS_PK_DH:
+	case GNUTLS_PK_DH: {
+		mpz_t y;
+
+		/* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+		 * of Pair-wise Consistency check, even if we only
+		 * support ephemeral DH, as it is required by FIPS
+		 * 140-3 IG 10.3.A.
+		 *
+		 * Use the private key, x, along with the generator g
+		 * and prime modulus p included in the domain
+		 * parameters associated with the key pair to compute
+		 * g^x mod p. Compare the result to the public key, y.
+		 */
+		mpz_init(y);
+		mpz_powm(y,
+			 TOMPZ(params->params[DSA_G]),
+			 TOMPZ(params->params[DSA_X]),
+			 TOMPZ(params->params[DSA_P]));
+		if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+			ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+		}
+		mpz_clear(y);
+		break;
+	}
 	case GNUTLS_PK_ECDH_X25519:
 	case GNUTLS_PK_ECDH_X448:
 		ret = 0;
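Review bot: On the success path the new `GNUTLS_PK_DH` case never assigns `ret`: when `mpz_cmp` finds the recomputed `g^x mod p` equal to `y` the block runs `mpz_clear(y); break;` and leaves `ret` at whatever it held before, whereas the neighbouring `GNUTLS_PK_ECDH_X25519`/`X448` case explicitly sets `ret = 0`. Whether this is correct depends on `ret` being initialized to 0 before the switch or set to 0 after it, which is outside this hunk and cannot be confirmed here; if neither is the case the function returns an indeterminate value for a valid DH key pair, which for a FIPS pair-wise consistency test would be a silent false pass or false fail. Making the result explicit removes that dependency, e.g. `} else { ret = 0; }` on the `mpz_cmp` branch, matching the style of the case below. The enclosing pct_test() begins and ends outside the hunk.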