Daiki Ueno [Wed, 15 May 2024 01:17:41 +0000 (10:17 +0900)]
nettle: utilize nettle_cbc_aes*_encrypt for performance
While CBC encryption is inherently slow for lack of parallelism,
Nettle >= 3.8 provides specialized AES-CBC encryption functions to
improve performance by avoiding multiple calls to block cipher
initialization. This patch makes GnuTLS use those functions if
available.
Here are the results of the benchmark:
* GNUTLS_CPUID_OVERRIDE=0x1, without nettle_cbc_aes*_encrypt:
This allows usage of PBMAC1 as the MAC to verify a PKCS#12 structure,
following draft-ietf-lamps-pkcs12-pbmac1[1]. While the MAC
verification is transparent, the generation requires a new API
gnutls_pkcs12_generate_mac3 to be used with the
GNUTLS_PKCS12_USE_PBMAC1 flag.
certtool has also been extended with the --pbmac1 option, which can be
used in combination with --to-p12.
Daiki Ueno [Tue, 14 May 2024 01:24:03 +0000 (10:24 +0900)]
_gnutls_x509_read_uint: accept values greater than 0x7FFFFFFF
_gnutls_x509_read_uint previously only accepted integer values encoded
in 4 bytes without checking if the first byte indicates a negative
integer in 2's complement format. This adds the check and also avoids
unnecessary memory allocation.
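The check the commit describes, as an added example that is not GnuTLS's _gnutls_x509_read_uint: a hypothetical der_read_uint32 reads the content octets of a DER INTEGER as an unsigned 32-bit value, rejecting a leading byte with the sign bit set (a negative two's complement value) while still accepting the five-byte, zero-padded encodings that values above 0x7FFFFFFF require.

```c
/* Added example, not GnuTLS code: decode the content octets of a DER
 * INTEGER as an unsigned 32-bit value.  DER integers are two's complement,
 * so 0x80000000..0xFFFFFFFF arrive as five bytes with a leading 0x00, while
 * a four-byte value whose first byte has the high bit set is negative and
 * must be rejected rather than read as a large unsigned number. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { DER_OK = 0, DER_NEGATIVE = -1, DER_OVERFLOW = -2,
       DER_EMPTY = -3, DER_NOT_MINIMAL = -4 };

int der_read_uint32(const uint8_t *val, size_t len, uint32_t *out)
{
    if (len == 0)
        return DER_EMPTY;
    if (val[0] & 0x80)            /* sign bit set: negative integer */
        return DER_NEGATIVE;
    if (val[0] == 0x00 && len > 1) {
        /* DER permits a leading zero only when it is needed to keep the
         * sign bit clear; anything else is a non-minimal encoding. */
        if (!(val[1] & 0x80))
            return DER_NOT_MINIMAL;
        val++;
        len--;
    }
    if (len > 4)                  /* does not fit in 32 bits */
        return DER_OVERFLOW;
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | val[i];
    *out = v;
    return DER_OK;
}

int main(void)
{
    /* Constructed inputs: 0x80000000 (zero-padded) and -2^31 (4 bytes). */
    const uint8_t big[] = { 0x00, 0x80, 0x00, 0x00, 0x00 };
    const uint8_t neg[] = { 0x80, 0x00, 0x00, 0x00 };
    uint32_t v = 0;
    int rc = der_read_uint32(big, sizeof big, &v);
    printf("padded 0x80000000: rc=%d v=0x%08x\n", rc, (unsigned)v);
    rc = der_read_uint32(neg, sizeof neg, &v);
    printf("negative input: rc=%d (DER_NEGATIVE is %d)\n", rc, DER_NEGATIVE);
    return 0;
}
```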
Daiki Ueno [Thu, 9 May 2024 14:29:30 +0000 (23:29 +0900)]
.gitlab-ci.yml: use correct tag for GitLab 1.70 deployment
The "shared", "linux", and "docker" tags we use to select shared CI
runners are consolidated into "saas-linux-small-amd64" in GitLab 1.70:
https://docs.gitlab.com/ee/update/deprecations.html#removal-of-tags-from-small-saas-runners-on-linux
Zoltan Fridrich [Tue, 26 Mar 2024 10:48:58 +0000 (11:48 +0100)]
Add option to disable RSAES-PKCS1-v1_5
A new option `allow-rsa-pkcs1-encrypt` has been added into the
system-wide library configuration which allows enabling/disabling
RSAES-PKCS1-v1_5. Currently, RSAES-PKCS1-v1_5 is enabled
by default.
Since bfb326f6e ("nettle: plumb RSA-OAEP in the Nettle crypto backend"),
building gnutls statically fails due to a duplicate definition of
nettle_rsa_compute_root_tr (which comes from "rsa_compute_root_tr" being
replaced by a preprocessor macro).
This patch fixes this by renaming the GNUTLS version by redefining the
value of the rsa_compute_root_tr macro.
Daiki Ueno [Fri, 12 Jan 2024 08:56:58 +0000 (17:56 +0900)]
nettle: avoid normalization of mpz_t in deterministic ECDSA
This removes function calls that potentially leak bit-length of a
private key used to calculate a nonce in deterministic ECDSA. Namely:
- _gnutls_dsa_compute_k has been rewritten to work on always
zero-padded mp_limb_t arrays instead of mpz_t
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
by a byte array instead of an mpz_t value
Daiki Ueno [Mon, 29 Jan 2024 04:52:46 +0000 (13:52 +0900)]
gnutls_x509_trust_list_verify_crt2: remove length limit of input
Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
chain verification logic crashed with an assertion failure. This patch
removes the restriction while keeping the maximum number of
retrieved certificates at DEFAULT_MAX_VERIFY_DEPTH.
Daiki Ueno [Sat, 9 Mar 2024 21:58:46 +0000 (06:58 +0900)]
x509: fix reading of MGF-1 OID
asn1_read_value may return an error code as a positive integer, thus the
previous code could lead to an access to an uninitialized value. This is
a regression in the RSA-OAEP support. Spotted by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67300
Daiki Ueno [Fri, 23 Feb 2024 00:03:46 +0000 (09:03 +0900)]
tests: support KAT in (EC)DH tests
While the logic existed, known answer tests were omitted in
tests/dh-compute, tests/dh-compute2, tests/ecdh-compute, and
tests/ecdh-compute2. This enables support for it and fixes
a couple of issues in the logic: avoid using the `success` variable as it
shadows the helper function with the same name defined in
tests/utils.h, invert the memcmp condition, and properly use peer_x
and peer_y in place of x and y in ecdh-compute2.
Daiki Ueno [Thu, 8 Feb 2024 06:32:37 +0000 (15:32 +0900)]
spki: support RSA-OAEP parameters
This adds a new API gnutls_x509_spki_{get,set}_rsa_oaep_params to
retrieve and store RSA-OAEP parameters embedded in
SubjectPublicKeyInfo.
As RSA-OAEP labels are allocated, this also adds copy and clear methods
on the gnutls_x509_spki_st struct and uses them extensively instead of
memcpy and memset.
Daiki Ueno [Fri, 19 Aug 2022 03:32:27 +0000 (12:32 +0900)]
build: allow GMP to be statically linked
Even though we set the custom allocator[1] to zeroize sensitive data,
it can be easily invalidated if the application sets its own custom
allocator. An approach to prevent that is to link against a static
library of GMP, so the use of GMP is privatized and the custom
allocator configuration is not shared with other applications.
This patch allows libgnutls to be linked with the static library of
GMP. Note that, for this to work, libgmp.a needs to be compiled with -fPIC
and libhogweed in Nettle also needs to be linked to the static library of GMP.
Xin Long [Thu, 1 Feb 2024 22:21:05 +0000 (17:21 -0500)]
lib: fix a potential segfault in _gnutls13_recv_finished
In _gnutls13_recv_finished(), 'buf' is not initialized or set when
_gnutls13_compute_finished() returns an err, and goto cleanup may
cause a segfault crash as it frees the uninitialized buf.allocd in
_gnutls_buffer_clear().
So fix it by returning if _gnutls13_compute_finished() returns an err
in _gnutls13_recv_finished().
The root cause is that _gnutls_buffer_clear() was trying to free
'buf' that is not initialized or set if GNUTLS_NO_END_OF_EARLY_DATA
flag is set on server side.
This patch fixes it by simply initializing buf at the beginning of
_gnutls13_recv_end_of_early_data().
Daiki Ueno [Wed, 10 Jan 2024 10:13:17 +0000 (19:13 +0900)]
rsa-psk: minimize branching after decryption
This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption. This also avoids an extra memcpy to session->key.key.
Daiki Ueno [Thu, 11 Jan 2024 06:45:11 +0000 (15:45 +0900)]
x509: detect loop in certificate chain
There can be a loop in a certificate chain, when multiple CA
certificates are cross-signed with each other, such as A → B, B → C,
and C → A. Previously, the verification logic was not capable of
handling this scenario while sorting the certificates in the chain in
_gnutls_sort_clist, resulting in an assertion failure. This patch
properly detects such a loop and aborts further processing in a graceful
manner.
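The loop case described above, as an added example that is not GnuTLS's _gnutls_sort_clist: a hypothetical sort_chain orders a list leaf-first by following each certificate's issuer to the certificate carrying that subject, and returns an error instead of asserting when the links form a cycle such as A → B, B → C, C → A. Certificates are modelled as plain subject/issuer name pairs, an assumption made for the example.

```c
/* Added example, not GnuTLS code: sort a certificate list leaf-first by
 * issuer -> subject links and detect cross-signing loops gracefully.  A
 * 'used' bitmap marks certificates already placed in the output; finding
 * one again means the chain loops back on itself. */
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 16

struct cert { const char *subject; const char *issuer; };

/* Returns the number of certificates written to 'out' (leaf first),
 * -1 if a loop was detected, or -2 if the input size is unsupported. */
int sort_chain(const struct cert *in, int n, const struct cert *out[])
{
    int used[MAX_CHAIN] = { 0 };
    int count = 0, cur = 0;
    if (n <= 0 || n > MAX_CHAIN)
        return -2;
    out[count++] = &in[0];        /* in[0] is the end-entity certificate */
    used[0] = 1;
    for (;;) {
        int next = -1;
        /* A self-signed certificate terminates the chain. */
        if (strcmp(in[cur].subject, in[cur].issuer) == 0)
            break;
        for (int i = 0; i < n && next < 0; i++)
            if (strcmp(in[i].subject, in[cur].issuer) == 0)
                next = i;
        if (next < 0)             /* issuer not supplied: chain ends here */
            break;
        if (used[next])           /* already placed: the chain loops */
            return -1;
        used[next] = 1;
        out[count++] = &in[next];
        cur = next;
    }
    return count;
}

int main(void)
{
    /* Constructed cross-signed loop: A issued by B, B by C, C by A. */
    const struct cert loop[] = { { "A", "B" }, { "B", "C" }, { "C", "A" } };
    const struct cert *out[MAX_CHAIN];
    printf("looping chain: rc=%d (-1 means loop detected)\n",
           sort_chain(loop, 3, out));
    return 0;
}
```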
Clemens Lang [Fri, 12 Jan 2024 10:12:14 +0000 (11:12 +0100)]
fips: Zeroize temporary values
The standard says "temporary value(s) generated during the integrity
test of the module's software […] shall be zeroised from the module upon
completion of the integrity test".
That includes the computed HMAC value, which is currently not zeroized
after the test. Add explicit calls to gnutls_memset() to fix that.
Clemens Lang [Fri, 12 Jan 2024 10:32:22 +0000 (11:32 +0100)]
.gitlab-ci.yml: Adjust to Alpine Linux' clang-format path change
According to Alpine Linux' package database search functionality, the
clang16-extra-tools package now installs clang-format in
/usr/lib/llvm16/bin/clang-format.
/usr/bin/clang-format is provided by clang17-extra-tools instead, but
requires changes in formatting. Add /usr/lib/llvm16/bin to PATH for the
formatting script to continue using the previous version.
Daiki Ueno [Mon, 1 Jan 2024 05:26:08 +0000 (14:26 +0900)]
tests/pkcs11-tool.sh: skip if neither p11tool nor certtool is built
When compiled with --disable-tools, we can't assume p11tool and
certtool are available. This also switches to using create_testdir and
locates any intermediate files under a temporary directory which is
cleaned up at exit.