Fix off-by-one exit condition in pkcs#11 priv keys lookup
In function find_privkeys(), the list-> array is allocated to be of size
lists->key_ids_size. "current" is the index where the next found key will
be written (starts at 0).
The current exit condition is thus incorrect:
    if (current > list->key_ids_size)
        break;
This will allow "current" to be equal to list->key_ids_size which will
potentially cause an overflow if more keys are returned by the loop than
was originally found when calculating that size.
This is very unlikely, but incorrect nonetheless.
Fix this by using the more classic construct of testing for the array bound
in the loop exit condition, as suggested by Daiki Ueno.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Retrieving the cert for the last key of a token fails due to an
off-by-one bug in find_privkeys():
In the loop that iterates the keys, "current" contains the index
of the "next" key slot, which is also the active "count" of populated
slots in the output struct find_pkey_list_st.
The current statement:
    list->key_ids_size = current - 1;
means we return a "key_ids_size" of the current count minus one, i.e. 0
for 1 key, etc. However, this isn't what the callers expect, for example:
find_multi_objs_cb() does:
    ret = find_privkeys(sinfo, tinfo, &plist);
    if (ret < 0) {
        gnutls_assert();
        return ret;
    }
    if (plist.key_ids_size == 0) {
        gnutls_assert();
        return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
    }
So a slot with a single key will fail when trying to find a certificate.
Subsequent uses of "plist" in that function also show that it's expected
to contain the real slot count:
    for (i = 0; i < plist.key_ids_size; i++) {
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
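The two off-by-one defects described in the commit messages above, reproduced in a simplified model. This is an added example, not GnuTLS source: the struct layout, the `CAP` guard slots, the helper names and the sample key ids are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define CAP 8 /* backing storage; zeroed slots past the allocated size act as guards */
/* Simplified stand-in for the key list (hypothetical, not the GnuTLS struct). */
struct key_list {
    int key_ids[CAP];
    size_t key_ids_size; /* in: allocated slots; out: count reported to callers */
};

/* Pre-fix logic as quoted in the two commit messages (needs n_found >= 1). */
static void fill_old(struct key_list *l, const int *found, size_t n_found)
{
    size_t current = 0;
    for (size_t i = 0; i < n_found; i++) {
        if (current > l->key_ids_size) /* lets current == size through */
            break;
        l->key_ids[current++] = found[i];
    }
    l->key_ids_size = current - 1; /* under-reports by one */
}

/* Bound tested in the loop condition; the real count is reported. */
static void fill_fixed(struct key_list *l, const int *found, size_t n_found)
{
    size_t current = 0;
    for (size_t i = 0; i < n_found && current < l->key_ids_size; i++)
        l->key_ids[current++] = found[i];
    l->key_ids_size = current;
}

/* Count guard slots at or past 'allocated' that were overwritten. */
static size_t guard_hits(const struct key_list *l, size_t allocated)
{
    size_t hits = 0;
    for (size_t i = allocated; i < CAP; i++)
        hits += (l->key_ids[i] != 0);
    return hits;
}

int main(void)
{
    int found[] = {10, 11, 12, 13, 14}; /* constructed: 5 keys returned, 3 counted */
    struct key_list a = {{0}, 3}, b = {{0}, 3};
    fill_old(&a, found, 5);
    fill_fixed(&b, found, 5);
    printf("writes past the end: old=%zu fixed=%zu\n", guard_hits(&a, 3), guard_hits(&b, 3));
    return 0;
}
```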
Sam James [Fri, 18 Mar 2022 05:51:29 +0000 (05:51 +0000)]
configure.ac: fix zstd detection
Fixes typo in zstd detection.
None of the used autoconf macros will define `has_zstd_h` so
configure will (AFAICT) always fail to find zstd, even if it succeeded
via pkg-config moments before.
Drop it and rely solely on pkg-config as that's the only search
we're actually doing.
Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1343
Signed-off-by: Sam James <sam@gentoo.org>
Daiki Ueno [Wed, 9 Mar 2022 07:07:58 +0000 (08:07 +0100)]
locks: define lock functions as a macro
When threads are not supported, glthread_* functions are defined as
no-op and thus dereferencing lock variables in inline functions will
cause compilation error. This change fixes it by redefining our lock
functions as a macro so it will also be compiled out.
Reported by Fabrice Fontaine in:
https://gitlab.com/gnutls/gnutls/-/issues/1330
Daiki Ueno [Wed, 23 Feb 2022 18:48:52 +0000 (19:48 +0100)]
tpm2: dynamically load tss2 libraries as needed
libtss2-esys links to OpenSSL or mbed TLS for cryptography, which may
cause packaging issues. This instead dlopen's tss2 libraries as
needed so non-TPM applications continue working without loading
multiple crypto libraries.
Craig Gallek [Sun, 27 Feb 2022 15:39:07 +0000 (10:39 -0500)]
x509: fix return error code for failed decryption without key
Decrypting an encrypted private key previously returned
GNUTLS_E_DECRYPTION_FAILED when no password was supplied. This changed when
decryption via pin callbacks was added in d31b89de.
That change should have included a check for callback existence in order to
preserve the error path of the no-password case.
This adds the check and a test for the previous behavior.
Resolves bug #1321
Daiki Ueno [Thu, 24 Feb 2022 08:55:01 +0000 (09:55 +0100)]
gnutls_record_send_file: make it work with non-blocking I/O
When either read() or gnutls_record_send() returns EAGAIN, just return
to the caller so it can call this function again, instead of retrying
internally.
Marvin Scholz [Wed, 23 Feb 2022 18:03:51 +0000 (19:03 +0100)]
configure.ac: add missing Libs.private for macOS
On macOS the CoreFoundation and Security frameworks are used by
GnuTLS, however those were missing in the Libs.private in the .pc
resulting in link failures with static builds when relying on the
output of pkg-config --static.
This aligns the behavior of _list() function for sign/pk to the one
for cipher/mac: the former previously returned all the algorithms
defined, while the latter returns only algorithms compiled in.
added API function: gnutls_record_send_file().
added: _gnutls_ktls_send_file() function which increases the performance
by offloading the file encryption to kernel, thus the data never goes
to userspace.
updated tests/gnutls_ktls to cover new API
Daiki Ueno [Mon, 21 Feb 2022 15:36:32 +0000 (16:36 +0100)]
algorithms: compile out GOST algorithm IDs if they are disabled
When compiled with --disable-gost, gnutls-cli --list still prints GOST
algorithms for public key systems and signatures. This change adds
compile time checks to suppress them.
Daiki Ueno [Mon, 21 Feb 2022 15:28:49 +0000 (16:28 +0100)]
priority: compile out GOST algorithms IDs if they are disabled
When compiled with --disable-gost, gnutls-cli --priority NORMAL --list
still prints GOST algorithms for ciphers, MACs, and signatures. This
change adds compile time checks to suppress them.
Fedora 36 LEGACY crypto-policy uses allowlisting format
and is long enough to blow past the 64 priority string
elements mark, causing, effectively, priority string truncation.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Daiki Ueno [Wed, 12 Jan 2022 09:37:53 +0000 (10:37 +0100)]
gnutls_ciphersuite_get: new function to get unique ciphersuite name
The existing method to obtain the name of the currently negotiated TLS
ciphersuite is as follows:
- call gnutls_cipher_get, gnutls_mac_get, gnutls_kx_get
- call gnutls_cipher_suite_get_name with the value from the above functions
This process is cumbersome and only works with TLS 1.2 or earlier;
moreover the returned names are GnuTLS specific.
This change adds a new function gnutls_ciphersuite_get to eliminate
those limitations. It returns the "canonical" name of the
ciphersuite, which is mostly identical to the ones registered in IANA,
with an exception for compatibility.
Daiki Ueno [Fri, 26 Nov 2021 08:37:58 +0000 (09:37 +0100)]
.gitlab-ci.yml: fix nettle installation path
.fedora-nettle/build clones the nettle into "nettle-git" and
temporarily changes the working directory while building it. After
moving back to the original working directory, the installation path
should be prefixed with "${PWD}/nettle-git/".
Daiki Ueno [Thu, 27 Jan 2022 17:17:43 +0000 (18:17 +0100)]
rsa_generate_fips186_4_keypair: accept a few more modulus sizes
While _rsa_generate_fips186_4_keypair was modified to accept modulus
sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which
calls that function, was not updated to accept such modulus sizes.