Daiki Ueno [Mon, 31 Oct 2022 11:15:48 +0000 (20:15 +0900)]
handshake: clear server's session ticket indication at rehandshake
While OpenSSL server doesn't indicate a session ticket in the second
handshake of TLS 1.2 rehandshake, GnuTLS client previously waited for
it as it didn't clear the internal flag (session_ticket_renew) thus
the effect remained. This patch clears the flag properly at the end
of each handshake.
Eric Blake [Fri, 14 Oct 2022 19:02:14 +0000 (14:02 -0500)]
priority: Use gnutls_free consistently
The whole point of gnutls_calloc() is to allow an alternative to
malloc() where that alternative takes over all aspects of heap
management; as such, it is never safe to pair bare free() with memory
managed by gnutls. Not to mention that it looks bad to mix calls to
gnutls_free() and free() to the same variable within the same
function.
Eric Blake [Wed, 2 Nov 2022 13:48:19 +0000 (08:48 -0500)]
privkey: Allow deinit after failed export
The documentation for gnutls_privkey_export_* states that the caller
must use gnutls_*_deinit on key, without mentioning whether this
requirement is still present when the function fails. But the
implementation has a code path where key is left uninitialized.
Similar to the recent fix for *_init, guarantee that *key is set to a
sane value on all exit paths.
Eric Blake [Fri, 14 Oct 2022 18:40:50 +0000 (13:40 -0500)]
lib: Consistenly return sane results for all *_init()
After looking at gnutls_init(), I went and audited all other
*_init(gnutls_*_t) functions, to see if Bug #1414 applies in more
situations. We had an inconsistent mix: some functions that went out
of their way to leave the parameter uninitialized on failure (such as
gnutls_x509_crt_init()); many that always left the parameter
initialized on failure (such as gnutls_x509_ext_ct_scts_init()), often
by relying on the gnutls_free() macro that assigns the pointer to NULL
after using the gnutls_free_function() callback pointer (such as
gnutls_pkcs11_obj_init()); but a few others that left stale pointers
on certain failures (such as gnutls_priority_init2()) or even which
used the wrong deallocation function (such as
gnutls_pkcs11_privkey_init()).
As with gnutls_init(), portable programs should either pre-initialize
memory to zero before calling _init() if they plan to unconditionally
call _deinit() (safe for all but gnutls_pkcs11_privkey_init()), or
they should avoid calling _deinit() if _init() failed. But since we
can't force all existing clients to change, it is safest if we
unconditionally and consistently initialize the client's memory before
ALL failure paths.
Rather than try to adjust documentation of each *_init() function
(including those not needing a change), I instead generalized
documentation into the manual.
Eric Blake [Thu, 13 Oct 2022 19:07:29 +0000 (14:07 -0500)]
gnutls_init: Always initialize *session
We provide gnutls_session_t as an opaque type, therefore, unless we
document otherwise, client code should not assume that there is a safe
initialization value to assign to such storage, leaving the only way
to properly initialize the type as a call to gnutls_init(). Likewise,
the documentation was clear that gnutls_deinit(session) must be used
after success, but ambiguous as to whether that was necessary after
failure.
Our implementation has always been such that the opaque types are
pointers under the hood, where gnutls_deinit(NULL) is a no-op, and
that (for gnutls_init at least) it is safe to omit a call to
gnutls_deinit(session) on failure. But without documentation, clients
cannot rely on either of those facts; and our code base was
inconsistent on whether all other *_init/*_deinit function pairs
behave in the same manner (see the next commit).
A search of existing code in the wild shows that some clients
pre-initialize the memory to 0 (which happens to be safe although
currently undocumented), often by passing in a pointer to a
gnutls_session_t residing in a larger struct that was reserved with
calloc(), cleared with memset(), or similar; but this is not
universal, and there are other clients in the wild that pass in
uninitialized memory. It's too late to change the documentation to
mandate that users should pre-initialize their memory to 0 prior to
gnutls_init(), although it doesn't hurt to recommend it for
portability when building for older versions of gnutls.
In most cases, using gnutls_deinit(session) after failure was a no-op
- most of our error exit paths use the gnutls_free() macro which has
the side effect of forcing the caller's pointer to NULL on failure
(since gnutls is built with GNUTLS_INTERNAL_BUILD defined). We also
happen to be lucky for a user that pre-initializes their memory to 0
before calling gnutls_init() - any error exit path where we did not
touch the user's pointer leaves the client with gnutls_deinit(session)
being a no-op. But if the client passes in an uninitialized pointer,
and FAIL_IF_LIB_ERROR triggers, then we fail the function while
leaving the pointer uninitialized, at which point the caller using
gnutls_deinit(session) attempts to free uninitialized memory, which
has potential security implications - yet we did not warn the client
to avoid gnutls_deinit() in that scenario.
The most robust fix is thus along two fronts: improving the
documentation to inform the user what they can expect, but also
tweaking our code to avoid undefined behavior with existing client
code bases by guaranteeing that whether or not the client
pre-initializes memory to 0 and/or calls gnutls_deinit() on failure,
they can't mess up.
Fixes: bug #1414. Signed-off-by: Eric Blake <eblake@redhat.com>
Eric Blake [Wed, 2 Nov 2022 13:40:08 +0000 (08:40 -0500)]
build: Silence cppcheck false positive
An upcoming patch will touch gnutls_pkcs11_privkey_init(), which is
sufficient to make the cppcheck portion of CI choke on a false
positive in the unrelated gnutls_pkcs11_privkey_import_url() because
the file becomes interesting again. cppcheck is not smart enough to
realize that an out-of-scope memory reference stored in a[1] is not
going to be utilized by the later pkcs11_get_attribute_value(..., a,
1) outside the if block; but the solution is as simple as expanding
the scope of tval.
Tim Kosse [Fri, 14 Oct 2022 13:51:28 +0000 (15:51 +0200)]
Handle private keys with lowercase hex digits in DEK-Info
Some tools, for example win-acme, create encrypted private keys in OpenSSL's
traditional format containing lowercase hex digits in the IV part of the
DEK-Info PEM header. These key files are accepted by OpenSSL. Prior to this
patch, GnuTLS did reject these keys with GNUTLS_E_INVALID_REQUEST.
Signed-off-by: Tim Kosse <tim.kosse@filezilla-project.org> Co-authored-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 21 Oct 2022 06:48:39 +0000 (15:48 +0900)]
cipher: add restriction on CCM tag length under FIPS mode
This change prohibits any use of tag length other than 4, 6, 8, 10,
12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with
SP800-38C A.1. While use of tag lengths smaller than 8 bytes is not
recommended, we simply allow 4 and 6 bytes tags for now.
This makes the FIPS service indicator to transit to not-approved when
gnutls_privkey_sign_hash* is used. In FIPS, single-shot
API (gnutls_privkey_sign_data*) is preferred over composite API.
accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s
If the LD doesn't have support for version scripts,
_gnutls_x86_cpuid_s is exported through libtool's
--export-symbols-regex and that causes link error with clang:
compress-cert: support compression of client certificates
Previously the compress_certificate extension was sent by the server
as part of ServerHello, which violates RFC 8879. This patch instead
send it as an extension of CertificateRequest.
Daiki Ueno [Sun, 28 Aug 2022 21:41:46 +0000 (06:41 +0900)]
gnutls_session_channel_binding: perform check on "tls-exporter"
According to RFC9622 4.2, the "tls-exporter" channel binding is only
usable when the handshake is bound to a unique master secret. This
adds a check whether either TLS 1.3 or extended master secret
extension is negotiated.
Daiki Ueno [Mon, 15 Aug 2022 00:39:18 +0000 (09:39 +0900)]
accelerated: clear AVX bits if it cannot be queried through XSAVE
The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
Architectures Software Developer’s Manual".
GnuTLS previously only followed that algorithm when registering the
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
that the extension bits are propagated to _gnutls_x86_cpuid_s.
Daiki Ueno [Thu, 18 Aug 2022 00:01:20 +0000 (09:01 +0900)]
srptool: resurrect default value for -i
The default option value for -i (--index) was dropped during the
cligen conversion. This adds it back for compatibility with the
existing command line usage.
Daiki Ueno [Wed, 3 Aug 2022 07:39:47 +0000 (16:39 +0900)]
nettle: mark RSA SigVer operation approved for known modulus sizes
SP800-131A rev2 suggests certain RSA modulus sizes under 2048
bits (1024, 1280, 1536, and 1792) may continue to be used for
signature verification but not for signature generation. This loosen
the current service indicator report to approve them.
Daiki Ueno [Tue, 9 Aug 2022 03:55:04 +0000 (12:55 +0900)]
nettle: check RSA modulus size in bits rather than bytes
Previously we checked RSA modulus size clamped to byte unit instead of
bits. This makes the check stricter by explicitly calculating the
modulus size in bits.
Stanislav Zidek [Thu, 11 Feb 2021 12:57:27 +0000 (13:57 +0100)]
interoperability testing with openssl
GitLab CI extended to run 2way interoperability tests with openssl on
Fedora. Also prepared for adding further interoperability tests once
they are in better shape.
Signed-off-by: Stanislav Zidek <szidek@redhat.com>
Daiki Ueno [Thu, 4 Aug 2022 07:37:51 +0000 (16:37 +0900)]
_gnutls_decrypt_pbes1_des_md5_data: use public crypto API
This is a follow-up of e7f9267342bc2231149a640163c82b63c86f1dfd. In
the decryption code path with PBES1, algorithm checks for FIPS was not
applied, because it used internal functions that bypass those checks.
projects / thirdparty / gnutls.git / log
