File 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch of Package gnutls.31638

From 30cd55456b574b2eadd0bea93ca12492441e0d5d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 20 May 2019 17:13:12 -0400
Subject: [PATCH 4/6] Always pass in and check Q in TLS 1.3

In FIPS mode do an extra check that we did have Q, but it is always
passed into the tls13 derive function from the callers.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 lib/algorithms/groups.c |  5 +++++
 lib/ext/key_share.c     | 14 ++++++++++++--
 lib/gnutls_int.h        |  1 +
 lib/nettle/pk.c         |  5 +++++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
index c5adb063ba..25195c121c 100644
--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
@@ -79,6 +79,7 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .id = GNUTLS_GROUP_FFDHE2048,
 	 .generator = &gnutls_ffdhe_2048_group_generator,
 	 .prime = &gnutls_ffdhe_2048_group_prime,
+	 .q = &gnutls_ffdhe_2048_group_q,
 	 .q_bits = &gnutls_ffdhe_2048_key_bits,
 	 .pk = GNUTLS_PK_DH,
 	 .tls_id = 0x100
@@ -88,6 +89,7 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .id = GNUTLS_GROUP_FFDHE3072,
 	 .generator = &gnutls_ffdhe_3072_group_generator,
 	 .prime = &gnutls_ffdhe_3072_group_prime,
+	 .q = &gnutls_ffdhe_3072_group_q,
 	 .q_bits = &gnutls_ffdhe_3072_key_bits,
 	 .pk = GNUTLS_PK_DH,
 	 .tls_id = 0x101
@@ -97,6 +99,7 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .id = GNUTLS_GROUP_FFDHE4096,
 	 .generator = &gnutls_ffdhe_4096_group_generator,
 	 .prime = &gnutls_ffdhe_4096_group_prime,
+	 .q = &gnutls_ffdhe_4096_group_q,
 	 .q_bits = &gnutls_ffdhe_4096_key_bits,
 	 .pk = GNUTLS_PK_DH,
 	 .tls_id = 0x102
@@ -106,6 +109,7 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .id = GNUTLS_GROUP_FFDHE6144,
 	 .generator = &gnutls_ffdhe_6144_group_generator,
 	 .prime = &gnutls_ffdhe_6144_group_prime,
+	 .q = &gnutls_ffdhe_6144_group_q,
 	 .q_bits = &gnutls_ffdhe_6144_key_bits,
 	 .pk = GNUTLS_PK_DH,
 	 .tls_id = 0x103
@@ -115,6 +119,7 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .id = GNUTLS_GROUP_FFDHE8192,
 	 .generator = &gnutls_ffdhe_8192_group_generator,
 	 .prime = &gnutls_ffdhe_8192_group_prime,
+	 .q = &gnutls_ffdhe_8192_group_q,
 	 .q_bits = &gnutls_ffdhe_8192_key_bits,
 	 .pk = GNUTLS_PK_DH,
 	 .tls_id = 0x104
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 3efc46a60c..599eff8fbc 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -152,10 +152,15 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
+		ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
+			group->q->data, group->q->size);
+		if (ret < 0)
+			return gnutls_assert_val(ret);
+
 		session->key.kshare.dh_params.algo = group->pk;
 		session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */
 		session->key.kshare.dh_params.qbits = *group->q_bits;
-		session->key.kshare.dh_params.params_nr = 3; /* empty q */
+		session->key.kshare.dh_params.params_nr = 3;
 
 		ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
 		if (ret < 0)
@@ -350,9 +355,14 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
+		ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
+			group->q->data, group->q->size);
+		if (ret < 0)
+			return gnutls_assert_val(ret);
+
 		session->key.kshare.dh_params.algo = GNUTLS_PK_DH;
 		session->key.kshare.dh_params.qbits = *group->q_bits;
-		session->key.kshare.dh_params.params_nr = 3; /* empty q */
+		session->key.kshare.dh_params.params_nr = 3;
 
 		/* generate our keys */
 		ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 177a8be018..da0a92ebcb 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -664,6 +664,7 @@ typedef struct gnutls_group_entry_st {
 	const char *name;
 	gnutls_group_t id;
 	const gnutls_datum_t *prime;
+	const gnutls_datum_t *q;
 	const gnutls_datum_t *generator;
 	const unsigned *q_bits;
 	gnutls_ecc_curve_t curve;
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 6bb2cef877..08117c2d82 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -282,6 +282,11 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
 				ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 				goto dh_cleanup;
 			}
+		} else if ((flags & PK_DERIVE_TLS13) &&
+			   _gnutls_fips_mode_enabled()) {
+			/* Mandatory in FIPS mode for TLS 1.3 */
+			ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+			goto dh_cleanup;
 		}
 
 		/* prevent denial of service */
-- 
2.27.0

openSUSE Build Service is sponsored by