Always pass in and check Q in TLS 1.3
authorSimo Sorce <simo@redhat.com>
Mon, 20 May 2019 21:13:12 +0000 (17:13 -0400)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 23 May 2019 09:35:12 +0000 (11:35 +0200)
In FIPS mode do an extra check that Q was actually provided, although it is always
passed into the tls13 derive function by the callers.

Signed-off-by: Simo Sorce <simo@redhat.com>
lib/algorithms/groups.c
lib/ext/key_share.c
lib/gnutls_int.h
lib/nettle/pk.c

index c5adb063bae4479d99d50051fae2f18a3428f539..25195c121cf4a0d0c9edfe94fb9757dc25d93a7c 100644 (file)
@@ -79,6 +79,7 @@ static const gnutls_group_entry_st supported_groups[] = {
         .id = GNUTLS_GROUP_FFDHE2048,
         .generator = &gnutls_ffdhe_2048_group_generator,
         .prime = &gnutls_ffdhe_2048_group_prime,
+        .q = &gnutls_ffdhe_2048_group_q,
         .q_bits = &gnutls_ffdhe_2048_key_bits,
         .pk = GNUTLS_PK_DH,
         .tls_id = 0x100
@@ -88,6 +89,7 @@ static const gnutls_group_entry_st supported_groups[] = {
         .id = GNUTLS_GROUP_FFDHE3072,
         .generator = &gnutls_ffdhe_3072_group_generator,
         .prime = &gnutls_ffdhe_3072_group_prime,
+        .q = &gnutls_ffdhe_3072_group_q,
         .q_bits = &gnutls_ffdhe_3072_key_bits,
         .pk = GNUTLS_PK_DH,
         .tls_id = 0x101
@@ -97,6 +99,7 @@ static const gnutls_group_entry_st supported_groups[] = {
         .id = GNUTLS_GROUP_FFDHE4096,
         .generator = &gnutls_ffdhe_4096_group_generator,
         .prime = &gnutls_ffdhe_4096_group_prime,
+        .q = &gnutls_ffdhe_4096_group_q,
         .q_bits = &gnutls_ffdhe_4096_key_bits,
         .pk = GNUTLS_PK_DH,
         .tls_id = 0x102
@@ -106,6 +109,7 @@ static const gnutls_group_entry_st supported_groups[] = {
         .id = GNUTLS_GROUP_FFDHE6144,
         .generator = &gnutls_ffdhe_6144_group_generator,
         .prime = &gnutls_ffdhe_6144_group_prime,
+        .q = &gnutls_ffdhe_6144_group_q,
         .q_bits = &gnutls_ffdhe_6144_key_bits,
         .pk = GNUTLS_PK_DH,
         .tls_id = 0x103
@@ -115,6 +119,7 @@ static const gnutls_group_entry_st supported_groups[] = {
         .id = GNUTLS_GROUP_FFDHE8192,
         .generator = &gnutls_ffdhe_8192_group_generator,
         .prime = &gnutls_ffdhe_8192_group_prime,
+        .q = &gnutls_ffdhe_8192_group_q,
         .q_bits = &gnutls_ffdhe_8192_key_bits,
         .pk = GNUTLS_PK_DH,
         .tls_id = 0x104
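Review bot: The new `.q` member is populated only for the five FFDHE entries in this file, while the other entries of the same table are left with an implicit NULL; the key_share.c hunks in this commit read `group->q->data` without a NULL test, so that invariant should be stated where the table is defined. I would add above the first FFDHE entry `/* .q must be set for every GNUTLS_PK_DH entry: key_share.c dereferences it without a NULL check */`. The same applies to the four later hunks in this file. The supported_groups table starts before the first hunk and continues past the last one.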
index 3efc46a60c6968a5c2f2579c60ab29b1db67696c..599eff8fbca7201ee1164bca8f5d13a09599877d 100644 (file)
@@ -152,10 +152,15 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
                if (ret < 0)
                        return gnutls_assert_val(ret);
 
+               ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
+                       group->q->data, group->q->size);
+               if (ret < 0)
+                       return gnutls_assert_val(ret);
+
                session->key.kshare.dh_params.algo = group->pk;
                session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */
                session->key.kshare.dh_params.qbits = *group->q_bits;
-               session->key.kshare.dh_params.params_nr = 3; /* empty q */
+               session->key.kshare.dh_params.params_nr = 3;
 
                ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
                if (ret < 0)
@@ -350,9 +355,14 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
                if (ret < 0)
                        return gnutls_assert_val(ret);
 
+               ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
+                       group->q->data, group->q->size);
+               if (ret < 0)
+                       return gnutls_assert_val(ret);
+
                session->key.kshare.dh_params.algo = GNUTLS_PK_DH;
                session->key.kshare.dh_params.qbits = *group->q_bits;
-               session->key.kshare.dh_params.params_nr = 3; /* empty q */
+               session->key.kshare.dh_params.params_nr = 3;
 
                /* generate our keys */
                ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
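Review bot: The scan of Q into `params[DH_Q]` is now duplicated verbatim in client_gen_key_share and server_use_key_share, on top of the prime and generator scans that precede each hunk, so a small static helper that loads P, G and Q from the group entry would keep the two paths from drifting; a sketch follows, with the caller-specific `algo` and `dh_group` assignments left in the callers. Both functions begin before their hunks. As with the earlier scans, the `return gnutls_assert_val(ret)` after the new one leaves the already-initialised prime and generator in `session->key.kshare.dh_params`; presumably those are released with the session, but it is worth confirming since the error path now has one more partially-filled state. Dropping `/* empty q */` leaves the literal `3` unexplained; `/* P, G and Q loaded above; key generation presumably appends the public and private values */` would say what the count means.
```c
/* Load P, G and Q of a finite-field group into the session's key-share
 * DH parameters; shared by client_gen_key_share and server_use_key_share. */
static int dh_params_from_group(gnutls_session_t session,
				const gnutls_group_entry_st *group)
{
	int ret;

	/* … unchanged: scans of group->prime into DH_P and group->generator into DH_G … */

	ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q],
				       group->q->data, group->q->size);
	if (ret < 0)
		return gnutls_assert_val(ret);

	session->key.kshare.dh_params.qbits = *group->q_bits;
	session->key.kshare.dh_params.params_nr = 3; /* P, G and Q */
	return 0;
}
```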
index 177a8be01891b66862b6ba068fb3cfb687e5b39e..da0a92ebcba0458239158f59f2f1686ac0bd0893 100644 (file)
@@ -664,6 +664,7 @@ typedef struct gnutls_group_entry_st {
        const char *name;
        gnutls_group_t id;
        const gnutls_datum_t *prime;
+       const gnutls_datum_t *q;
        const gnutls_datum_t *generator;
        const unsigned *q_bits;
        gnutls_ecc_curve_t curve;
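Review bot: The new `q` member carries no comment, and unlike `prime` and `generator` it is not set for every group in this commit, which matters because the key_share.c hunks dereference it for DH groups without a NULL check. I would add above it `/* subgroup order; set for the FFDHE (GNUTLS_PK_DH) entries, NULL otherwise */`, with the "otherwise" part stated only as far as groups.c shows — in this commit only the FFDHE entries receive a `.q`. The struct definition starts and ends outside the hunk.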
index 6bb2cef87790dc99ce92c72efca16c92e11afc14..08117c2d82b5ac2a48257f5b93d83b8756965d65 100644 (file)
@@ -282,6 +282,11 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
                                ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
                                goto dh_cleanup;
                        }
+               } else if ((flags & PK_DERIVE_TLS13) &&
+                          _gnutls_fips_mode_enabled()) {
+                       /* Mandatory in FIPS mode for TLS 1.3 */
+                       ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+                       goto dh_cleanup;
                }
 
                /* prevent denial of service */
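Review bot: The new branch reports a missing Q under FIPS mode as GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, yet the commit message says Q is always supplied by the TLS 1.3 callers, so reaching this path indicates a local caller or configuration error rather than an illegal value from the peer; a distinct code such as GNUTLS_E_INTERNAL_ERROR would keep the two cases apart when debugging a failed handshake. The comment could also say what Q is needed for, e.g. `/* Q is needed to validate the peer's public value; mandatory in FIPS mode for TLS 1.3 */`, assuming the preceding if-block (which starts outside the hunk) is where Q is consumed. It is also worth confirming what `_gnutls_fips_mode_enabled()` returns in the non-strict FIPS modes, since this check turns a missing Q into a hard failure wherever that call is non-zero. The enclosing if-chain and _wrap_nettle_pk_derive begin before the hunk.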