Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gnutls for openSUSE:Factory checked
in at 2023-01-23 18:30:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
and /work/SRC/openSUSE:Factory/.gnutls.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls"
Mon Jan 23 18:30:24 2023 rev:144 rq:1060038 version:3.7.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2022-12-16
17:51:04.575827625 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.32243/gnutls.changes 2023-01-23
18:30:25.755493823 +0100
@@ -1,0 +2,13 @@
+Fri Jan 20 09:58:53 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
+ account for the new FIPS certification [bsc#1207346]
+ * Add gnutls-FIPS-140-3-references.patch
+
+-------------------------------------------------------------------
+Mon Jan 16 12:52:55 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
+ * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+
+-------------------------------------------------------------------
New:
----
gnutls-FIPS-140-3-references.patch
gnutls-FIPS-PCT-DH.patch
gnutls-FIPS-PCT-ECDH.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.pILUY2/_old 2023-01-23 18:30:26.831500464 +0100
+++ /var/tmp/diff_new_pack.pILUY2/_new 2023-01-23 18:30:26.839500514 +0100
@@ -1,7 +1,7 @@
#
# spec file for package gnutls
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -68,6 +68,11 @@
Patch8: gnutls-disable-flaky-test-dtls-resume.patch
#PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
Patch9: gnutls-verify-library-HMAC.patch
+#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
+Patch10: gnutls-FIPS-PCT-DH.patch
+Patch11: gnutls-FIPS-PCT-ECDH.patch
+#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
+Patch12: gnutls-FIPS-140-3-references.patch
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge
++++++ gnutls-FIPS-140-3-references.patch ++++++
++++ 1335 lines (skipped)
++++++ gnutls-FIPS-PCT-DH.patch ++++++
Index: gnutls-3.7.8/lib/nettle/pk.c
===================================================================
--- gnutls-3.7.8.orig/lib/nettle/pk.c
+++ gnutls-3.7.8/lib/nettle/pk.c
@@ -2498,6 +2498,48 @@ static int pct_test(gnutls_pk_algorithm_
}
break;
case GNUTLS_PK_DH:
+ if (_gnutls_fips_mode_enabled()) {
+ /* Perform Owner Assurance of Pair-wise Consistency
+ * according to SP800-56A (revision 3), 5.6.2.1.4.
+ *
+ * DH params (see lib/crypto-backend.h)
+ * [DSA_P] [0] is p (prime number)
+ * [DSA_Q] [1] is q (prime order)
+ * [DSA_G] [2] is g (generator)
+ * [DSA_Y] [3] is y (public key)
+ * [DSA_X] [4] is x (private key only)
+ *
+ * Regenerate the public key from the private key with
+ * y = g^x mod p and compare it with the previous one.
+ */
+
+ mpz_t p, g, y, x;
+
+ mpz_init(p);
+ mpz_init(g);
+ mpz_init(y);
+ mpz_init(x);
+
+ mpz_set(p, params->params[DSA_P]);
+ mpz_set(g, params->params[DSA_G]);
+ mpz_set(x, params->params[DSA_X]);
+
+ mpz_powm(y, g, x, p);
+
+ ret = mpz_cmp(y, params->params[DSA_Y]);
+ if (unlikely(ret != 0)) {
+ ret =
gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+ }
+
+ mpz_clear(p);
+ mpz_clear(g);
+ mpz_clear(y);
+ mpz_clear(x);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+ break;
case GNUTLS_PK_ECDH_X25519:
case GNUTLS_PK_ECDH_X448:
ret = 0;
@@ -2780,8 +2822,17 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
}
}
#endif
-
- ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y],
¶ms->params[DSA_X], NULL);
+ if (_gnutls_fips_mode_enabled()) {
+ ret =
_gnutls_mpi_init_multi(¶ms->params[DSA_P],
+
¶ms->params[DSA_G],
+
¶ms->params[DSA_Y],
+
¶ms->params[DSA_X],
+ NULL);
+ } else {
+ ret =
_gnutls_mpi_init_multi(¶ms->params[DSA_Y],
+
¶ms->params[DSA_X],
+ NULL);
+ }
if (ret < 0) {
gnutls_assert();
goto dh_fail;
@@ -2790,6 +2841,11 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
mpz_set(TOMPZ(params->params[DSA_Y]), y);
mpz_set(TOMPZ(params->params[DSA_X]), x);
params->params_nr += 2;
+ if (_gnutls_fips_mode_enabled()) {
+ mpz_set(TOMPZ(params->params[DSA_P]), pub.p);
+ mpz_set(TOMPZ(params->params[DSA_G]), pub.g);
+ params->params_nr += 2;
+ }
ret = 0;
++++++ gnutls-FIPS-PCT-ECDH.patch ++++++
Index: gnutls-3.7.3/lib/nettle/pk.c
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/pk.c
+++ gnutls-3.7.3/lib/nettle/pk.c
@@ -71,6 +71,9 @@
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
+static inline const char *get_supported_nist_curve_order(int curve);
+static inline const char *get_supported_nist_curve_modulus(int curve);
+
/* When these callbacks are used for a nettle operation, the
* caller must check the macro HAVE_LIB_ERROR() after the operation
* is complete. If the macro is true, the operation is to be considered
@@ -406,6 +409,10 @@ dh_cleanup:
struct ecc_scalar ecc_priv;
struct ecc_point ecc_pub;
const struct ecc_curve *curve;
+ struct ecc_scalar n;
+ struct ecc_scalar m;
+ struct ecc_point r;
+ mpz_t x, y, xx, yy, nn, mm;
out->data = NULL;
@@ -425,10 +432,21 @@ dh_cleanup:
not_approved = true;
}
+ mpz_init(x);
+ mpz_init(y);
+ mpz_init(xx);
+ mpz_init(yy);
+ mpz_init(nn);
+ mpz_init(mm);
+
+ ecc_scalar_init(&n, curve);
+ ecc_scalar_init(&m, curve);
+ ecc_point_init(&r, curve);
+
ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
if (ret < 0) {
gnutls_assert();
- goto cleanup;
+ goto ecc_pub_cleanup;
}
ret =
@@ -436,7 +454,7 @@ dh_cleanup:
if (ret < 0) {
ecc_point_clear(&ecc_pub);
gnutls_assert();
- goto cleanup;
+ goto ecc_priv_cleanup;
}
out->size = gnutls_ecc_curve_get_size(priv->curve);
@@ -449,16 +467,111 @@ dh_cleanup:
goto ecc_cleanup;
}
+ /* Perform ECC Full Public-Key Validation Routine
+ * according to SP800-56A (revision 3), 5.6.2.3.3.
+ */
+
+ /* Step 1: verify that Q is not an identity
+ * element (an infinity point). Note that this
+ * cannot happen in the nettle implementation,
+ * because it cannot represent an infinity point
+ * on curves. */
ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
out->size);
- if (ret < 0)
+ if (ret < 0) {
gnutls_free(out->data);
+ goto ecc_cleanup;
+ }
+
+#ifdef ENABLE_FIPS140
+ if (_gnutls_fips_mode_enabled()) {
+ const char *order, *modulus;
+
+ ecc_point_mul(&r, &ecc_priv, &ecc_pub);
+ ecc_point_get(&r, x, y);
+
+ /* Step 2: verify that both coordinates of Q are
+ * in the range [0, p - 1].
+ *
+ * Step 3: verify that Q lie on the curve
+ *
+ * Both checks are performed in nettle. */
+ if (!ecc_point_set(&r, x, y)) {
+ ret =
gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
+ /* Step 4: verify that n * Q, where n is the
+ * curve order, result in an identity element
+ *
+ * Since nettle internally cannot represent an
+ * identity element on curves, we validate this
+ * instead:
+ *
+ * (n - 1) * Q = -Q
+ *
+ * That effectively means: n * Q = -Q + Q = O
+ */
+ order =
get_supported_nist_curve_order(priv->curve);
+ if (unlikely(order == NULL)) {
+ ret =
gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(nn, order, 16);
+ if (unlikely(ret < 0)) {
+ ret =
gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ modulus =
get_supported_nist_curve_modulus(priv->curve);
+ if (unlikely(modulus == NULL)) {
+ ret =
gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(mm, modulus, 16);
+ if (unlikely(ret < 0)) {
+ ret =
gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ /* (n - 1) * Q = -Q */
+ mpz_sub_ui (nn, nn, 1);
+ ecc_scalar_set(&n, nn);
+ ecc_point_mul(&r, &n, &r);
+ ecc_point_get(&r, xx, yy);
+ mpz_sub (mm, mm, y);
+
+ if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) !=
0) {
+ ret =
gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+ } else {
+ not_approved = true;
+ }
+#endif
+
+ ret = 0;
ecc_cleanup:
- ecc_point_clear(&ecc_pub);
ecc_scalar_zclear(&ecc_priv);
+ ecc_priv_cleanup:
+ ecc_point_clear(&ecc_pub);
+ ecc_pub_cleanup:
+ mpz_clear(x);
+ mpz_clear(y);
+ mpz_clear(xx);
+ mpz_clear(yy);
+ mpz_clear(nn);
+ mpz_clear(mm);
+ ecc_point_clear(&r);
+ ecc_scalar_clear(&n);
+ ecc_scalar_clear(&m);
+
if (ret < 0)
goto cleanup;
+
break;
}
case GNUTLS_PK_ECDH_X25519:
