This allows the tests to set the current time to arbitrary point,
instead of the current time; useful for the tests checking the traces
such as tls13/prf-early.
gnutls_init: redefine GNUTLS_ENABLE_EARLY_DATA flag for client
The flag was only for the server, but it turned out to be useful for
client to explicitly indicate early data, when 0-RTT is handled
out-of-band as in QUIC.
Daiki Ueno [Tue, 11 May 2021 12:23:45 +0000 (14:23 +0200)]
gnutls-serv: use only async-signal-safe functions in signal handler
Spotted by gcc analyzer:
serv.c:1138:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
1138 | exit(1);
| ^~~~~~~
Daiki Ueno [Tue, 11 May 2021 12:13:45 +0000 (14:13 +0200)]
certtool: tighten allocation check
Spotted by gcc analyzer:
certtool-cfg.c:856:24: warning: use of possibly-NULL 'copy' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
856 | while (strcmp(pass, copy) != 0
| ^~~~~~~~~~~~~~~~~~
Daiki Ueno [Tue, 11 May 2021 12:08:33 +0000 (14:08 +0200)]
psktool: tighten allocation check
Spotted by gcc analyzer:
psk.c:275:21: warning: use of possibly-NULL '_username.data' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
275 | if (strncmp(p, (const char *) _username.data,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spelling: The possessive pronoun "its" has no apostrophe.
"it's" is for contractions like "it is" or "it has". "its" is a
possessive pronoun, like "his" or "hers" or "theirs", none of which
have an apostrophe in them either.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
certtool: Align warning about --provable with actual code
If I try to generate an ed25519 key, it is *not* an ECDSA key. But I
see this warning:
0 dkg@host:~$ certtool --generate-privkey --provable --key-type ed25519
Generating a 256 bit EdDSA (Ed25519) private key ...
The --provable parameter cannot be used with ECDSA keys.
1 dkg@host:~$
Looking at the code and documentation, it's clear that --provable only
works for RSA and DSA. This fix aligns the warning message with the
underlying mechanism.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daiki Ueno [Mon, 3 May 2021 14:35:43 +0000 (16:35 +0200)]
x509/verify: treat SHA-1 signed CA in the trusted set differently
Suppose there is a certificate chain ending with an intermediate CA:
EE → ICA1 → ICA2. If the system trust store contains a root CA
generated with the same key as ICA2 but signed with a prohibited
algorithm, such as SHA-1, the library previously reported a
verification failure, though the situation is not uncommon during a
transition period of root CA.
This changes the library behavior such that the check on signature
algorithm will be skipped when examining the trusted root CA.
Add server-end-point tls channel binding into gnutls_session_channel_binding
method. The implementation extracts session's certificate, its signature
algorithm, and calculates digest of the extracted certificate using
the function based on extracted algorithm, as per RFC5929.
Restructure gnutls_session_channel_binding and add tls-exporter
The restructure removes explicit pre-check for supported binding
type(s) and instead relies now on catch-all return which returns
UNIMPLEMENTED_FEATURE if no type was handled. In addition to that
it returns UNIMPLEMENTED_FEATURE for tls-unique request on TLSv1.3
session, since that is not supposed to work hence requires explicit
error. Finally new binding type tls-exporter implementation is
added.
It turned out that distro package building process might perform
post-processing (e.g., strip) of the shared libraries after install,
and that may cause inconsistency with the installed .hmac files.
Let's not try too hard on this but defer the final hmac calculation to
distributions. It is still useful to keep our own fipshmac as it
makes it easier to run FIPS tests.
Previously, the client was sending early data after receiving a Server
Hello message, which not only negates the benefit of 0-RTT, but also
was a logic error as it can only be decrypted by the server when the
initial handshake and the resuming handshake agree on the same
ciphersuites. This fixes that behavior in the following ways:
- extend the session data format to include the selected ciphersuites,
even in TLS 1.3
- setup the epoch for early data, right before the client sending
early data (also right after the server deciding to accept early
data).
- extend the test case to use different ciphersuites in the initial
and resuming handshakes
Ludovic Courtès [Tue, 22 Dec 2020 09:30:43 +0000 (10:30 +0100)]
guile: Avoid potentially missed reference.
There's one case where 'register_weak_reference' is called several times
on the same object, in 'set-certificate-credentials-x509-keys!', where
PRIVKEY could have been GC'd before CRED.
* guile/src/core.c (register_weak_reference): Add TO to the weak
references of FROM instead of overriding them.
crypto-selftests: tolerate errors of gnutls_{hash,hmac}_copy
Some hardware accelerated implementations, such as afalg, cannot
support the copy operation. This patch turns it a soft-error, as the
code below is already checking if the copy is non-NULL, before
performing any operation on it.
handshake: don't regenerate legacy_session_id in second CH after HRR
According to RFC 8446 4.1.2, the client must send the same Client
Hello after Hello Retry Request, except for the certain extensions,
and thus legacy_session_id must be preserved.
_gnutls_cipher_init: fallback if setiv is not implemented for AEAD
The _gnutls_cipher_init function currently assumes that all the cipher
implementations have .setiv method. This is not the case for
AEAD-only implementations such as afalg.
Stephan Mueller [Sat, 14 Oct 2017 18:46:09 +0000 (20:46 +0200)]
Add AF_ALG acceleration
The patch set adds the backend implementation to use the Linux kernel
crypto API via the AF_ALG interface. The GnuTLS AF_ALG extension uses
libkcapi [1] as the backend library which implements the actual kernel
communication.
[1] http://www.chronox.de/libkcapi.html
The symmetric cipher support, the hashing and the MAC support are
validated to work correctly using NIST CAVS test vectors.
The AEAD cipher support was tested by connecting to a remote host using
gnutls-cli (the following log strips out unrelated information):
Processed 143 CA certificate(s).
...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
...
- Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
- Session ID: 9E:5E:FC:09:2A:4E:2A:3D:22:44:68:42:C3:F6:2D:AB:F9:67:08:CE:6D:EE:E4:A2:EF:80:43:FE:3B:D9:1E:FE
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP384R1
- Curve size: 384 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Options: extended master secret, safe renegotiation,
- Handshake was completed
Daiki Ueno [Mon, 15 Mar 2021 08:55:20 +0000 (09:55 +0100)]
gnulib: update git submodule
This brings in the fix for parse-datetime test failures on NetBSD:
https://lists.gnu.org/archive/html/bug-gnulib/2021-03/msg00069.html
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=35f8ff2e1162bf3ee60d99b6812f2ae10f3f2898
Daiki Ueno [Tue, 9 Mar 2021 19:29:37 +0000 (20:29 +0100)]
x86: flip polarity of check_fast_pclmul
Otherwise GCC produces the following warnings as the stub
__get_cpuid() is defined as '#define __get_cpuid(...) 0':
x86-common.c: In function 'register_x86_crypto':
x86-common.c:314:15: warning: 'a' may be used uninitialized in this function [-Wmaybe-uninitialized]
314 | family = ((a >> 8) & 0x0F);
| ~~~^~~~~
x86-common.c:308:15: note: 'a' was declared here
308 | unsigned int a,b,c,d;
| ^
Prompted by the following comment of Daiki Ueno:
> I also wonder why we keep the fd open for such a long time in the first
> place. Both OpenSSL and NSS have a similar fallback to /dev/urandom
> if getrandom is not available, but opens the device in one-shot,
> when reseeding is needed (and that's pretty rare).
https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521749519
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
projects / thirdparty / gnutls.git / log
