From 31703ea704d2dd4d1b590b150472d8b2a0c9cc77 Mon Sep 17 00:00:00 2001
From: Lucas Mulling <lucas.mulling@suse.com>
Date: Wed, 12 Feb 2025 15:22:52 -0300
Subject: [PATCH] cipher: Add KAT for non-rfc6979 ECDSA with fixed k
* cipher/ecc.c (run_selftests): Implement KAT for non-deterministic
ECDSA.
* cipher/ecc.c (rfc6979_ecdsa_sample_data, rfc6979_ecdsa_sample_data_bad,
rfc6979_ecdsa_data_tmpl): New.
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
cipher/ecc.c | 43 ++++++++++++++++++++++++++++++++++++++-----
1 file changed, 38 insertions(+), 5 deletions(-)
Index: libgcrypt-1.10.3/cipher/ecc.c
===================================================================
--- libgcrypt-1.10.3.orig/cipher/ecc.c
+++ libgcrypt-1.10.3/cipher/ecc.c
@@ -73,7 +73,6 @@ static const char *ecc_names[] =
NULL,
};
-
/* Sample NIST P-256 key from RFC 6979 A.2.5 */
static const char sample_public_key_secp256[] =
"(public-key"
@@ -101,7 +100,7 @@ static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
-static int test_keys_fips (gcry_sexp_t skey);
+static int test_keys_fips (gcry_sexp_t skey, const char* data_tmpl);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
@@ -309,11 +308,10 @@ test_keys (mpi_ec_t ec, unsigned int nbi
* having the fips bit set in ecc_domain_parms_t struct so this is slightly
* simpler than the whole ecc_generate function */
static int
-test_keys_fips (gcry_sexp_t skey)
+test_keys_fips (gcry_sexp_t skey, const char* data_tmpl)
{
int result = -1; /* Default to failure */
gcry_md_hd_t hd = NULL;
- const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
gcry_sexp_t sig = NULL;
char plaintext[128];
int rc;
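Review bot: The new `data_tmpl` parameter of test_keys_fips is not described anywhere: the comment above the signature still only explains why this is simpler than ecc_generate, and the contract that the template must carry a `%s` (hash algorithm name) followed by a `%b` (digest) — which is what the removed default `"(data (flags rfc6979) (hash %s %b))"` and both ecc_generate callers supply — is now only implied by the call sites. I would add to the header comment: `/* DATA_TMPL is the data s-expression template used for the sign/verify round-trip; it must contain "%s" (hash algorithm name) followed by "%b" (digest), e.g. "(data (flags rfc6979) (hash %s %b))". */`. The declaration also writes `const char* data_tmpl` (here and in the prototype hunk above) while the rest of the file, including the new selftest_hash_sign signature, binds the star to the name as `const char *data_tmpl`. The body of test_keys_fips continues past the hunk.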
@@ -693,7 +691,15 @@ ecc_generate (const gcry_sexp_t genparms
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
- if (fips_mode () && test_keys_fips (*r_skey))
+ if (fips_mode () && test_keys_fips (*r_skey, "(data (flags rfc6979) (hash %s %b))"))
+ {
+ sexp_release (*r_skey);
+ *r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+ rc = GPG_ERR_SELFTEST_FAILED;
+ }
+
+ if (fips_mode () && test_keys_fips (*r_skey, "(data (flags raw) (hash %s %b))"))
{
sexp_release (*r_skey);
*r_skey = NULL;
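Review bot: The second self-test still runs after the first one has failed: the first block releases `*r_skey` and sets it to NULL, and the following `if` then hands that NULL key to test_keys_fips, whose handling of a NULL skey is not visible here, and on failure signals the FIPS error a second time and releases the key again. Chaining the two checks makes the raw-flag KAT run only on a key that is still valid: `else if (fips_mode () && test_keys_fips (*r_skey, "(data (flags raw) (hash %s %b))"))`. Since the two cleanup blocks are identical, iterating over the two templates in a small loop would also remove the duplicated release/signal/rc sequence. ecc_generate continues beyond the hunk on both sides, so the second block's closing brace is not visible here.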
@@ -1845,11 +1851,11 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_se
*/
static const char *
-selftest_hash_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
+selftest_hash_sign (gcry_sexp_t pkey, gcry_sexp_t skey,
+ const char *data_tmpl)
{
int md_algo = GCRY_MD_SHA256;
gcry_md_hd_t hd = NULL;
- const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
/* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
static const char sample_data[] = "sample";
static const char sample_data_bad[] = "sbmple";
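Review bot: selftest_hash_sign gains a `data_tmpl` parameter but the function's doc comment, which closes at the `*/` just above the hunk, does not say what the caller must pass; the removed local default and the two callers in selftests_ecdsa show the template needs a `%s` placeholder for the hash algorithm name followed by a `%b` placeholder for the digest, and any extra fields (flags, label) are the caller's responsibility. I would append to that comment: `/* DATA_TMPL: data s-expression template with "%s" (hash algo name) and "%b" (digest) in that order; flags and an optional label are supplied by the caller. */`. The rest of the function, including whatever it compares the signature against, is outside the hunk.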
@@ -1965,17 +1971,10 @@ selftest_hash_sign (gcry_sexp_t pkey, gc
static const char *
-selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
+selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey,
+ const char* sample_data, const char* sample_data_bad)
{
/* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
- static const char sample_data[] =
- "(data (flags rfc6979 prehash)"
- " (hash-algo sha256)"
- " (value 6:sample))";
- static const char sample_data_bad[] =
- "(data (flags rfc6979)"
- " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
- /**/ "62113d8a62add1bf#))";
static const char signature_r[] =
"efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716";
static const char signature_s[] =
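Review bot: The expected `signature_r`/`signature_s` stay hard-coded inside selftest_sign while the input data is now caller-supplied, and the comment "Sample data from RFC 6979 section A.2.5 ..." now sits above parameters it no longer describes. The contract should be stated on the parameters, since a caller using `(flags raw)` only passes when its fixed k is the one from that same test vector: `/* SAMPLE_DATA and SAMPLE_DATA_BAD are caller-supplied data s-expressions; signing SAMPLE_DATA must yield exactly the RFC 6979 A.2.5 P-256/SHA-256 signature below, so a "raw" caller has to pin k to that vector's nonce. */`. The new parameters are also written `const char* sample_data` rather than the file's `const char *` form. The function body continues past the hunk.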
@@ -2114,14 +2113,44 @@ selftests_ecdsa (selftest_report_func_t
if (extended)
{
+ what = "sign rfc6979";
+ errtxt = selftest_sign (pkey, skey,
+ "(data (flags rfc6979 prehash)"
+ " (hash-algo sha256)"
+ " (value 6:sample))",
+ "(data (flags rfc6979)"
+ " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
+ /**/ "62113d8a62add1bf#))");
+ if (errtxt)
+ goto failed;
+
what = "sign";
- errtxt = selftest_sign (pkey, skey);
+ errtxt = selftest_sign (pkey, skey,
+ "(data (flags raw prehash)"
+ " (label #A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129"
+ /**/ "493D8AAD60#)"
+ " (hash-algo sha256)"
+ " (value 6:sample))",
+ "(data (flags raw)"
+ " (label #A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129"
+ /**/ "493D8AAD60#)"
+ " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
+ /**/ "62113d8a62add1bf#))");
if (errtxt)
goto failed;
}
+ what = "digest sign rfc6979";
+ errtxt = selftest_hash_sign (pkey, skey, "(data (flags rfc6979) (hash %s %b))");
+ if (errtxt)
+ goto failed;
+
what = "digest sign";
- errtxt = selftest_hash_sign (pkey, skey);
+ errtxt = selftest_hash_sign (pkey, skey,
+ "(data "
+ " (flags raw)"
+ " (label #A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60#)"
+ " (hash %s %b))");
if (errtxt)
goto failed;
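Review bot: The 64-digit label literal is repeated three times in this hunk (both selftest_sign data strings and the selftest_hash_sign template) without a comment saying what it is; its value is the k from RFC 6979 A.2.5 for P-256/SHA-256/"sample", which is why the raw-flag path can be checked against the same `signature_r`/`signature_s` as the rfc6979 path, and presumably the signer consumes the label as the fixed nonce. Hoisting it into one named macro next to the sample keys documents that and keeps the three copies from drifting. Separately, the rfc6979 cases received the new `what` strings ("sign rfc6979", "digest sign rfc6979") while the new raw cases kept the old "sign" / "digest sign", so a failure report from the new KAT reads exactly like the old deterministic test; "sign raw" / "digest sign raw" would make the report unambiguous. selftests_ecdsa continues past the hunk.
```c
/* Nonce for the non-deterministic ("raw") ECDSA KAT: the k of RFC 6979
   A.2.5 (P-256, SHA-256, message "sample"), so the resulting signature
   equals the RFC 6979 vector that selftest_sign checks against.  */
#define ECDSA_KAT_K_LABEL \
  " (label #A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60#)"

      what = "sign raw";
      errtxt = selftest_sign (pkey, skey,
                              "(data (flags raw prehash)"
                              ECDSA_KAT_K_LABEL
                              " (hash-algo sha256)"
                              " (value 6:sample))",
                              "(data (flags raw)"
                              ECDSA_KAT_K_LABEL
                              " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
                              /**/ "62113d8a62add1bf#))");
  /* … unchanged: error check, rfc6979 digest-sign case … */
  what = "digest sign raw";
  errtxt = selftest_hash_sign (pkey, skey,
                               "(data (flags raw)"
                               ECDSA_KAT_K_LABEL
                               " (hash %s %b))");
```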