crypto-selftests-pk.c: Use deterministic signatures in test_known_sig()
Use deterministic signatures for ECDSA and DSA in test_known_sig(). Do
not call test_known_sig() for non-deterministic algorithms. Do not run
PK_TEST() for algorithms tested with PK_KNOWN_TEST().
The deterministic algorithms are used if in FIPS-140 POST or if FIPS-140
mode is disabled. When called explicitly with FIPS-140 mode enabled,
the pairwise-consistency test (PK_TEST()) is used instead.
test_known_sig() was modified to support only deterministic algorithms.
The "deterministic" parameter was replaced with the "flags" parameter
through which the flags to be used in gnutls_privkey_sign_data() are
passed.
The hard-coded values for the ECDSA and DSA signatures were replaced
with the values corresponding to the deterministic signatures to be used
in known answer tests. The unused values for GOST signatures were
removed.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
crypto-selftests-pk.c: Use specified key in test_sig()
Previously, test_sig() would use the same key regardless of the value
provided in the bits parameter. The changes introduced make test_sig()
choose the key according to the value provided in bits.
For RSA, only a 2048-bit key is available for testing. The calls were
adjusted accordingly.
Introduced a 2048-bit DSA key in test_sig(). Removed the unused 512-bit
key, leaving only the 2048-bit key available.
For GOST, use the same keys for test_sig() and test_known_sig(). Remove
the unused keys.
Reorder constant values and change variable names for better
readability.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Daiki Ueno [Mon, 16 Mar 2020 10:03:41 +0000 (11:03 +0100)]
algorithms: properly calculate hash strength for Ed448
The Ed448 signature scheme internally uses XOF (SHAKE256) as the hash
function with 114-octet output. According to FIPS-202, the strength
against collisions is calculated as:
min(114*8/2, 256) = 256
Reported by Peter Dettman in:
https://gitlab.com/gnutls/gnutls/-/issues/128#note_304892538
Dmitry Baryshkov [Thu, 12 Mar 2020 09:56:37 +0000 (12:56 +0300)]
lib/x509: use common routine for parsing data version
OSS Fuzzer noted an issue in parsing (incorrect) CRL files with a
zero-length version field. The certificate parser does not have this
issue, while the CRL and OCSP Request and Response parsers show this
problem. To remove code duplication, extract a common function and use
it from all four parsers.
crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
Previously, when multiple tests were declared in sequence using one of
the macros, only the first test would be executed. This happened
because a check for the GNUTLS_SELF_TEST_FLAG_ALL was embedded in the
macro. To allow more than one test to be executed in sequence, the
check for the flag was removed from both macros.
To keep the previous behaviour (execute only the first test) the check
for the flag was moved to be after the first test, except for RSA since
the RSA encryption test must be executed in FIPS mode.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Dmitry Baryshkov [Tue, 10 Mar 2020 09:12:36 +0000 (12:12 +0300)]
x509: drop endless loop in print_extensions
If crq is malformed in the extensions part, print_extensions() might loop
endlessly because gnutls_x509_crq_get_extension_info would return an
unhandled GNUTLS_ASN1_DER_ERROR while looping over the extension index,
rather than bailing out. Fix this by handling this error code properly. Found
thanks to oss-fuzz.
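The loop shape that the commit describes, reproduced as an added example that is not GnuTLS source: demo_get_extension_info() is a constructed stand-in for gnutls_x509_crq_get_extension_info() that fails with a persistent DER error once it reaches a malformed element, and the E_* codes are hypothetical names with the same meaning as the GnuTLS ones. The "fragile" loop only terminates on the "no more extensions" code and skips every other error, so it never ends; the "fixed" loop bails out on any error and hands it to the caller.

```c
/* Added example, not GnuTLS code: why print_extensions() looped forever on a
 * malformed CRQ, and the bail-out that fixes it. */
#include <stdio.h>

/* Hypothetical stand-ins for GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE and
 * GNUTLS_ASN1_DER_ERROR. */
#define E_REQUESTED_DATA_NOT_AVAILABLE (-1) /* no extension at this index */
#define E_ASN1_DER_ERROR               (-2) /* extension is malformed     */

/* Constructed input standing in for gnutls_x509_crq_get_extension_info():
 * two well-formed extensions, then a malformed one. Once the DER walk hits
 * the bad element, every index at or past it fails the same way, so the
 * "not available" code that ends a normal walk is never returned. */
static int demo_get_extension_info(unsigned idx, const char **oid)
{
	static const char *oids[] = { "2.5.29.17", "2.5.29.19" };
	if (idx < 2) {
		*oid = oids[idx];
		return 0;
	}
	return E_ASN1_DER_ERROR;
}

/* Before the fix (the pattern, not the exact GnuTLS source): only
 * "not available" ends the loop; any other error is skipped and the index
 * keeps growing. 'cap' is a demo safety net standing in for "endless". */
static int count_extensions_fragile(unsigned cap, int *stopped_by_cap)
{
	unsigned i, printed = 0;
	const char *oid;
	*stopped_by_cap = 0;
	for (i = 0;; i++) {
		int ret;
		if (i == cap) {
			*stopped_by_cap = 1;
			break;
		}
		ret = demo_get_extension_info(i, &oid);
		if (ret == E_REQUESTED_DATA_NOT_AVAILABLE)
			break;
		if (ret < 0)
			continue; /* bug: error swallowed, loop never ends */
		printed++;
	}
	return printed;
}

/* After the fix: "not available" is the only benign stop; every other
 * negative code aborts the walk and is reported through err_out. */
static int count_extensions_fixed(int *err_out)
{
	unsigned i, printed = 0;
	const char *oid;
	*err_out = 0;
	for (i = 0;; i++) {
		int ret = demo_get_extension_info(i, &oid);
		if (ret == E_REQUESTED_DATA_NOT_AVAILABLE)
			break;
		if (ret < 0) {
			*err_out = ret; /* bail out instead of continuing */
			break;
		}
		printed++;
	}
	return printed;
}

int main(void)
{
	int capped, err;
	int n1 = count_extensions_fragile(1000, &capped);
	int n2 = count_extensions_fixed(&err);
	printf("fragile: printed %d, hit cap: %d\n", n1, capped);
	printf("fixed:   printed %d, error %d\n", n2, err);
	return 0;
}
```

The fuzzer-relevant property is the second one: the fixed walk stops after the two good extensions and surfaces the DER error, whereas the fragile walk only stops because the demo caps it.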
Daiki Ueno [Sat, 29 Feb 2020 16:01:10 +0000 (17:01 +0100)]
lib: use static assertion to check enum values
We previously had checks of enum values with '#if', such as below:
#define GNUTLS_EXTENSION_MAX_VALUE 31
typedef enum extensions_t {
...
GNUTLS_EXTENSION_MAX /* not real extension - used for iterators */
} extensions_t;
/* we must provide at least 16 extensions for users to register */
#if GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX < 16
# error not enough extension types
#endif
This doesn't work as expected; because GNUTLS_EXTENSION_MAX is not
defined as a preprocessor macro, it always expands to 0. To properly
do this check, we need to use static assert as provided as the
'verify' macro in gnulib.
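The pitfall from the commit message, as an added example rather than GnuTLS code: an enumerator is not a macro, so inside `#if` it silently becomes 0, and the check passes no matter how full the enum is. The enum below is a shortened stand-in (five entries, a maximum value of 7 and a required spare of 4 instead of 31 and 16), and the names EXTENSION_MAX_VALUE, EXT_MAX and REQUIRED_SPARE are this example's own. The correct check uses C11 `_Static_assert`, which does see the enumerator; gnulib's `verify` macro is a portable wrapper around the same mechanism.

```c
/* Added example, not GnuTLS code: "#if" cannot see an enum value, a static
 * assertion can. */
#include <stdio.h>

#define EXTENSION_MAX_VALUE 7 /* stand-in for GNUTLS_EXTENSION_MAX_VALUE */
#define REQUIRED_SPARE      4 /* stand-in for "at least 16 for users"     */

typedef enum extensions_t {
	EXT_SERVER_NAME,
	EXT_MAX_RECORD_SIZE,
	EXT_STATUS_REQUEST,
	EXT_SUPPORTED_GROUPS,
	EXT_ALPN,
	EXT_MAX /* not a real extension - used for iterators; value 5 */
} extensions_t;

/* The broken check from the commit message. EXT_MAX is an enumerator, not a
 * macro, so the preprocessor substitutes 0 and evaluates 7 - 0 < 4: false.
 * The real slack is 7 - 5 = 2, which should have failed the build. */
#if EXTENSION_MAX_VALUE - EXT_MAX < REQUIRED_SPARE
#define PREPROCESSOR_CHECK_FIRED 1
#else
#define PREPROCESSOR_CHECK_FIRED 0
#endif

/* Proof that the identifier is invisible at preprocessing time. */
#if defined(EXT_MAX)
#define EXT_MAX_IS_MACRO 1
#else
#define EXT_MAX_IS_MACRO 0
#endif

/* A real compile-time check: _Static_assert runs after preprocessing and
 * sees EXT_MAX == 5. This one holds (2 >= 2); asserting ">= REQUIRED_SPARE"
 * here would correctly refuse to compile, which is exactly the behaviour the
 * "#if" version was supposed to give. */
_Static_assert(EXTENSION_MAX_VALUE - EXT_MAX >= 2,
	       "not enough extension types");

int preprocessor_check_fired(void) { return PREPROCESSOR_CHECK_FIRED; }
int ext_max_is_macro(void) { return EXT_MAX_IS_MACRO; }
int spare_extension_slots(void) { return EXTENSION_MAX_VALUE - EXT_MAX; }
/* What the check was meant to verify, evaluated on the real enum value. */
int spare_slots_are_enough(void)
{
	return spare_extension_slots() >= REQUIRED_SPARE;
}

int main(void)
{
	printf("spare slots: %d (need %d)\n", spare_extension_slots(),
	       REQUIRED_SPARE);
	printf("#if check fired: %d, EXT_MAX is a macro: %d, enough: %d\n",
	       preprocessor_check_fired(), ext_max_is_macro(),
	       spare_slots_are_enough());
	return 0;
}
```

Compiling with `-Wundef` makes GCC and Clang warn about the undefined identifier in `#if`, which is a cheap way to catch this class of check in an existing tree.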
Daiki Ueno [Sun, 1 Mar 2020 09:16:08 +0000 (10:16 +0100)]
hello_ext: use 64-bit integer to track extensions
We currently have 26 predefined extensions, allowing the user to
define 5 extra as tested in tests/handshake-large-packet.c. However,
if we introduce one more, session->internals.used_exts exceeds.
Daiki Ueno [Fri, 21 Feb 2020 15:38:29 +0000 (16:38 +0100)]
keylogfile: simplify the callback mechanism
This partially reverts commit 97117556 with a simpler interface. The
original intention of having the callback mechanism was to reuse it
for monitoring QUIC encryption changes. However, it turned out to be
insufficient because such changes must be emitted after a new epoch is
ready.
Fiona Klute [Sat, 8 Feb 2020 22:47:17 +0000 (23:47 +0100)]
gnutls-cli: Add option to store all stapled OCSP responses
Note that there's a small modification to the behavior of the existing
--ocsp-save option: If there is no stapled OCSP response the output
file is still created and will be empty.
Daiki Ueno [Sun, 2 Feb 2020 07:13:50 +0000 (08:13 +0100)]
keylogfile: generalize with a callback
This refactors the keylogfile mechanism by adding a callback to get
notified when a new secret is derived and installed. That way,
consumers can implement custom logging feature per session, which is
particularly useful in QUIC implementation.
testcompat-openssl: improve testing against secured OpenSSL versions.
In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
thus enabling the testing of more compatibility combinations.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Daiki Ueno [Sun, 2 Feb 2020 13:44:05 +0000 (14:44 +0100)]
crypto-api: add generic crypto functions for KDF
This exposes HKDF and PBKDF2 functions from the library. Instead of
defining a single KDF interface as in PKCS #11, this patch defines 3
distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2
derivation, so that we can take advantage of compile time checking of
necessary parameters.
This test requires a TLS-1.3-only server as its tests clash with
extensions supported by a TLS-1.2 server. Ensure that the extensions
that overlap with TLS-1.2 are not manipulated as we don't have
a pure TLS-1.3-only implementation.
GOSTR341194: mark as insecure for digital signatures
Although there are no practical attacks known on the algorithm, the practical
strength of the algorithm is weaker than the theoretical. In addition, this algorithm
is already considered legacy, and as such mark it as insecure for digital
signatures to reduce the attack surface.
This adds new tests, reduces running time, and removes test-tls13-obsolete-curves.py.
The latter introduced too pedantic tests on curves we don't implement,
and requires significant changes to pass with limited benefit. For example
it requires the server to error on mismatching entries (and we simply ignore
them). As its value is low (we do not target to be a reference implementation
for testing broken clients), it was removed.
The fuzzer files for ed448 were the reverse for client and server.
Enhanced the fuzzer tools to run a single fuzzer, and added more
clear documentation on how to generate and manually test the fuzzer
outputs.