Markus Theil [Tue, 13 Jan 2026 11:05:13 +0000 (12:05 +0100)]
rnd: always clear internal RNG state and confidential temporary data
Internal RNG state should not be left in memory after deallocating
the RNG or exiting a process using GnuTLS. Fix this for the ChaCha20
based RNG implementation. The FIPS RNG impl. already does this, due
to FIPS requirements.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
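The point of the commit above is that a plain memset of state that is never read again can be dropped by the compiler, so the wipe has to be done in a way the optimiser cannot remove. The following is an added example, not GnuTLS code: it routes memset through a volatile function pointer (the same idea explicit_bzero relies on), wipes a toy ChaCha20-shaped state before freeing it, and checks that the bytes are really gone. The names secure_zero, rng_state and demo_wipe, and the struct layout, are assumptions for this illustration.

```c
/* Added example, not GnuTLS code: wiping RNG state on deallocation so the
 * compiler cannot drop the clear as a dead store. The names secure_zero,
 * rng_state and demo_wipe are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset through a volatile function pointer: the compiler cannot
 * prove what is called, so it must keep the store even though the object
 * is never read again (the same idea explicit_bzero/memset_s rely on). */
static void *(*const volatile secure_memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    secure_memset_fn(p, 0, n);
}

/* Toy shape of a ChaCha20-based generator's state (constructed, not the
 * library's layout): key, nonce, block counter and buffered keystream. */
struct rng_state {
    uint8_t key[32];
    uint8_t nonce[12];
    uint32_t counter;
    uint8_t buf[64];
    size_t buf_used;
};

/* Deallocate: clear the whole object first, then release it. */
void rng_state_free(struct rng_state *st)
{
    if (st == NULL)
        return;
    secure_zero(st, sizeof *st);
    free(st);
}

/* 1 if all n bytes at p are zero, else 0 (used to check that a wipe happened). */
int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Fill a stack-allocated state with non-zero bytes, wipe it and report
 * whether every byte is now zero. Returns 1 on a successful wipe. */
int demo_wipe(void)
{
    struct rng_state st;
    memset(&st, 0xA5, sizeof st);
    st.counter = 42;
    st.buf_used = 7;
    secure_zero(&st, sizeof st);
    return all_zero((const uint8_t *)&st, sizeof st) && st.counter == 0;
}

int main(void)
{
    struct rng_state *st = calloc(1, sizeof *st);
    if (st == NULL)
        return 1;
    memset(st->key, 0x11, sizeof st->key);
    rng_state_free(st); /* key is cleared before the memory is returned */
    return demo_wipe() ? 0 : 1;
}
```

The same secure_zero should be applied to stack temporaries (expanded keys, intermediate keystream blocks) before the function that holds them returns; the heap case is only the most visible one.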
srptool: fix stack buffer overflow with large SRP groups
The static buffer result in _srp_crypt() was only 1024 bytes, while the
8192-bit SRP group code produces base64-encoded verifier of 1366
characters.
Using sprintf() with the old buffer caused a stack buffer overflow
(undefined behaviour) when --index=6 or --index=7 was used.
This commit:
- increases the static buffer size to 2048 bytes (sufficient for all
currently supported groups),
- replaces sprintf() with snprintf() to prevent overflow even if the
buffer were accidentally too small.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
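To make the sizes in the commit message concrete, here is an added example (not srptool's code) that computes the unpadded base64 length of a verifier for a given group size, measures how many bytes a formatted entry needs, and shows the bounded snprintf pattern with truncation reported instead of silently cut output. The entry layout "user:verifier:salt:index", the names format_entry/entry_needed/demo_* and the sample values are assumptions for this illustration.

```c
/* Added example (not srptool's code): bounded formatting of an SRP
 * verifier entry. The entry layout, the names format_entry/entry_needed
 * and the sample values are assumptions for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OLD_RESULT_SIZE 1024 /* the size that overflowed */
#define RESULT_SIZE 2048     /* enough for every currently supported group */

static char result[RESULT_SIZE];

/* Unpadded base64 length of an nbits-bit value: ceil(nbits/8) bytes,
 * then 4 characters per 3 bytes, rounded up. 8192 bits -> 1366. */
size_t b64_len_unpadded(size_t nbits)
{
    size_t nbytes = (nbits + 7) / 8;
    return (nbytes * 4 + 2) / 3;
}

/* Bytes (including the NUL) that the entry needs; snprintf with a NULL
 * destination only measures. */
size_t entry_needed(const char *user, const char *verifier, const char *salt, int index)
{
    int n = snprintf(NULL, 0, "%s:%s:%s:%d", user, verifier, salt, index);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The unsafe shape was: sprintf(result, "%s:%s:%s:%d", ...) with no
 * bound. snprintf never writes past sizeof result and returns the length
 * it wanted, so a return value >= the size means the output was cut. */
const char *format_entry(const char *user, const char *verifier, const char *salt, int index)
{
    int n = snprintf(result, sizeof result, "%s:%s:%s:%d", user, verifier, salt, index);
    if (n < 0 || (size_t)n >= sizeof result)
        return NULL; /* truncated: refuse rather than emit a damaged entry */
    return result;
}

/* Constructed case: a verifier as long as the 8192-bit group's (1366
 * characters of 'A'), user "alice", salt "c2FsdA", index 7. */
static const char *demo_verifier(void)
{
    static char v[1367];
    memset(v, 'A', sizeof v - 1);
    v[sizeof v - 1] = '\0';
    return v;
}

size_t demo_needed(void)
{
    return entry_needed("alice", demo_verifier(), "c2FsdA", 7);
}

/* 1 if the entry fits the new buffer, 0 if format_entry refused it. */
int demo_fits_new_buffer(void)
{
    return format_entry("alice", demo_verifier(), "c2FsdA", 7) != NULL;
}

int main(void)
{
    size_t need = demo_needed();
    printf("8192-bit verifier: %zu base64 chars, entry needs %zu bytes\n",
           b64_len_unpadded(8192), need);
    printf("fits in old %d-byte buffer: %s; in new buffer: %s\n",
           OLD_RESULT_SIZE, need <= OLD_RESULT_SIZE ? "yes" : "no",
           demo_fits_new_buffer() ? "yes" : "no");
    return 0;
}
```

The measuring call (snprintf with a NULL destination) is also a cheap way to size a heap buffer exactly when a fixed static buffer is not wanted at all.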
xinpeng.wang [Wed, 14 Jan 2026 05:19:46 +0000 (13:19 +0800)]
lib: add support for Hygon Genuine CPUs in x86 acceleration
Hygon CPUs (HygonGenuine) share the same AES-NI and other crypto
instruction sets with AMD Zen architecture. However, they were previously
falling back to the generic software provider because the vendor check
only recognized Intel and AMD.
This fallback to the software provider (Nettle wrapper) could lead to
numerical issues or crashes (e.g., divide-by-zero) in certain
environments like Photoshop.
This patch:
1. Adds X86_CPU_VENDOR_HYGON to x86_cpu_vendor enum.
2. Updates check_x86_cpu_vendor() to recognize Hygon CPUs.
3. Enables hardware acceleration for Hygon CPUs.
Daiki Ueno [Mon, 22 Dec 2025 06:29:06 +0000 (15:29 +0900)]
pkcs11: properly fall back to thread-unsafe module init
The PKCS#11 module initialization logic introduced in aa5f15a872e62e54abe58624ee393e68d1faf689 first attempts to initialize
the module with CKR_NEED_TO_CREATE_THREADS|CKF_OS_LOCKING_OK, which
may return either CKR_CANT_LOCK or CKR_NEED_TO_CREATE_THREADS, where
the latter was previously treated as a hard error. This fixes it and
also makes the second attempt to not supply any flags.
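The two-step initialization described above, as an added example that is not the library's code: C_Initialize is first called with CKF_OS_LOCKING_OK and no mutex callbacks, and only CKR_CANT_LOCK or CKR_NEED_TO_CREATE_THREADS trigger a second call with no arguments; anything else stays a hard error. The CKR_/CKF_ constants are the PKCS#11 values; init_module, init_outcome and the stub modules are constructed for this illustration.

```c
/* Added example, not the library's code: the two-step C_Initialize
 * strategy. The constants are the PKCS#11 values; init_module,
 * init_outcome and the stub modules are constructed for this illustration. */
#include <stddef.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;

#define CKR_OK                     0x00UL
#define CKR_GENERAL_ERROR          0x05UL
#define CKR_NEED_TO_CREATE_THREADS 0x09UL
#define CKR_CANT_LOCK              0x0AUL
#define CKF_OS_LOCKING_OK          0x02UL

/* Layout of CK_C_INITIALIZE_ARGS; mutex callbacks stay NULL, so
 * CKF_OS_LOCKING_OK asks the module to use OS locking itself. */
struct init_args {
    void *create_mutex, *destroy_mutex, *lock_mutex, *unlock_mutex;
    CK_FLAGS flags;
    void *reserved;
};

typedef CK_RV (*c_initialize_fn)(struct init_args *args);

/* First ask for module-side locking; if the module answers CKR_CANT_LOCK
 * or CKR_NEED_TO_CREATE_THREADS it cannot honour that, so retry with no
 * arguments at all. Any other failure is a hard error. *thread_safe
 * records which mode succeeded. */
CK_RV init_module(c_initialize_fn c_init, int *thread_safe)
{
    struct init_args args = { 0 };
    args.flags = CKF_OS_LOCKING_OK;

    CK_RV rv = c_init(&args);
    if (rv == CKR_OK) {
        *thread_safe = 1;
        return CKR_OK;
    }
    if (rv != CKR_CANT_LOCK && rv != CKR_NEED_TO_CREATE_THREADS)
        return rv;

    *thread_safe = 0; /* caller must serialise access to this module */
    return c_init(NULL);
}

/* Stub modules (constructed) showing the answers a real one can give. */
CK_RV mod_os_locking(struct init_args *a)    { (void)a; return CKR_OK; }
CK_RV mod_cant_lock(struct init_args *a)     { return a ? CKR_CANT_LOCK : CKR_OK; }
CK_RV mod_needs_threads(struct init_args *a) { return a ? CKR_NEED_TO_CREATE_THREADS : CKR_OK; }
CK_RV mod_broken(struct init_args *a)        { (void)a; return CKR_GENERAL_ERROR; }

/* 2: initialised thread-safe, 1: initialised after fallback, 0: failed. */
int init_outcome(c_initialize_fn c_init)
{
    int thread_safe = 0;
    if (init_module(c_init, &thread_safe) != CKR_OK)
        return 0;
    return thread_safe ? 2 : 1;
}
```

The thread_safe flag is what matters to the caller: after a fallback the module has been told nothing about locking, so the application must serialise its own calls into that module.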
This moves the test introduced in commit 7a7d3e44c0f769eb7bae6c6ee21a0a8a3f9e5144, from tests/slow/hash-large.c
to the library selftests, because the former is tailored for
excessively large input, ignoring SIGSEGV.
Daiki Ueno [Tue, 2 Dec 2025 06:10:37 +0000 (15:10 +0900)]
accelerated: accept NULL as digest argument for gnutls_hash_output
As a follow-up of commit eced4c0c2b3d3ee6a35dab99616a25910b623f79 this
also extends the accelerated version of gnutls_hash_output to be able
to reset the context by passing NULL as the digest argument.
Julien Olivain [Sun, 23 Nov 2025 17:17:19 +0000 (18:17 +0100)]
audit: crau: fix compilation with gcc < 11
If the CRAU_MAYBE_UNUSED macro is unset, the crau.h file tries to
automatically detect an appropriate value for it.
This autodetection is using the cpp special operator
`__has_c_attribute` [1], introduced in gcc 11 [2].
When compiling with a gcc older than version 11, the compilation fails
with the error:
In file included from audit.h:22,
from audit.c:26:
crau/crau.h:255:23: error: missing binary operator before token "("
__has_c_attribute (__maybe_unused__)
^
This has been observed, for example, in Rocky Linux 8.10, which
contains a gcc v8.5.0.
The issue happens because the test for the `__has_c_attribute`
availability and the test for the `__maybe_unused__` attribute
are in the same directive. Those tests should be separated in
two different directives, following the same logic described in
the `__has_builtin` documentation [3].
This issue was found in Buildroot, after updating gnutls to
version 3.8.11 in [4].
This commit fixes the issue by splitting the test in two.
Daiki Ueno [Tue, 18 Nov 2025 04:17:55 +0000 (13:17 +0900)]
pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.
Daiki Ueno [Tue, 18 Nov 2025 00:28:26 +0000 (09:28 +0900)]
build: bump Nettle version requirement from 3.6 to 3.10
Given Nettle 3.10 is ABI compatible with 3.6 and includes several
security relevant fixes, this updates the library's minimum
requirement of Nettle to 3.10. The bundled code will stay for the
next couple of release cycles in case any downstream issues are found,
as suggested in:
https://lists.gnupg.org/pipermail/gnutls-help/2025-November/004905.html
Make it explicit that only a single credentials object of a given
type may be set against a session. Any further attempts to set
credentials for a type will replace previously set credentials.
The act of replacement also allows the previously set credentials
to be freed by the caller.
lib/kx: Only report file open error if there is an error
Previously all attempts to open a `SSLKEYLOGFILE` would result in a
"unable to open keylog file" regardless of if the file was opened or
not. Instead let's only report the issue if the file fails to open.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Daiki Ueno [Mon, 17 Nov 2025 23:57:43 +0000 (08:57 +0900)]
tests/pkcs11-provider: match token with --provider when initializing
Even if the "module-path" query attribute is given in the PKCS#11 URI,
p11tool does not filter tokens based on that when called with
--initialize. As this is not part of the pkcs11-provider
functionality, use --provider option to specify the token.
Also defer the settings of GNUTLS_SYSTEM_PRIORITY_FILE and
GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID after the token initialization.
Daiki Ueno [Thu, 30 Oct 2025 05:12:54 +0000 (14:12 +0900)]
build: derive the location of default config file from $sysconfdir
Previously we hard-coded "/etc" as part of the path of the default
configuration file. It is more palatable to respect the --sysconfdir
configure option and locate the file there.
Per recommendation at [1], the path is expanded at "make" time, not at
"configure" time.
Daiki Ueno [Mon, 20 Oct 2025 07:42:36 +0000 (16:42 +0900)]
x509: encode ECDSA private key in fixed length
RFC 5915 section 3 says that the privateKey field of ECPrivateKey
structure should be fixed length, though the library encoded it in
variable length, depending on the leading byte. This patch enforces
that the field is always encoded in fixed length, as well as
consolidates the code paths for EdDSA and X25519/X448 keys.
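RFC 5915 section 3 fixes the privateKey octet string at ceil(log2(n)/8) bytes, n being the curve order, so a scalar whose top byte happens to be zero must be left-padded rather than shortened. The following is an added example, not the library's code: field_octets computes the required length, encode_fixed pads or strips leading zero bytes to exactly that length and rejects a value that truly does not fit, and demo_p256 runs the three shapes for a 32-byte field. The function names and the test bytes are constructed for this illustration.

```c
/* Added example, not the library's code: fixed-length encoding of the
 * ECPrivateKey privateKey field as RFC 5915 section 3 requires. The
 * functions and test bytes are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 5915: the field is ceil(log2(n)/8) octets, n the curve order. */
size_t field_octets(size_t order_bits)
{
    return (order_bits + 7) / 8;
}

/* Copy a big-endian scalar into exactly field_len bytes: leading zero
 * bytes are added or dropped as needed. Returns 0, or -1 if the value
 * does not fit (a non-zero byte would have to be dropped). */
int encode_fixed(const uint8_t *in, size_t inlen, uint8_t *out, size_t field_len)
{
    while (inlen > field_len) {
        if (*in != 0)
            return -1;
        in++;
        inlen--;
    }
    memset(out, 0, field_len - inlen);
    memcpy(out + (field_len - inlen), in, inlen);
    return 0;
}

/* Exercise the three variable-length shapes for a P-256 sized field:
 * a short scalar (high byte was zero), a scalar with a surplus zero byte
 * (e.g. from a DER INTEGER), and one that is genuinely too large.
 * Returns 1 when every case encodes as expected. */
int demo_p256(void)
{
    uint8_t out[32];
    uint8_t short_scalar[31];
    uint8_t long_scalar[33];
    const size_t len = field_octets(256); /* 32 */

    memset(short_scalar, 0x5A, sizeof short_scalar);
    if (encode_fixed(short_scalar, sizeof short_scalar, out, len) != 0)
        return 0;
    if (out[0] != 0x00 || out[1] != 0x5A || out[31] != 0x5A)
        return 0;

    long_scalar[0] = 0x00;
    memset(long_scalar + 1, 0xC3, 32);
    if (encode_fixed(long_scalar, sizeof long_scalar, out, len) != 0)
        return 0;
    if (out[0] != 0xC3 || out[31] != 0xC3)
        return 0;

    long_scalar[0] = 0x01; /* 33 significant bytes: must be rejected */
    if (encode_fixed(long_scalar, sizeof long_scalar, out, len) != -1)
        return 0;

    return 1;
}
```

Besides interoperability, the fixed length avoids leaking the number of leading zero bits of the private scalar through the encoded key's size.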
Daiki Ueno [Tue, 14 Oct 2025 05:32:33 +0000 (14:32 +0900)]
audit: wrap crau interface and expose it partly as public API
This adds 3 new functions: gnutls_audit_push_context,
gnutls_audit_pop_context, and gnutls_audit_current_context, which
would be useful when the applications define their own crypto-auditing
probe points.
Alistair Francis [Mon, 26 May 2025 04:41:46 +0000 (14:41 +1000)]
tls13/key_update: Expose a manual KeyUpdate function
As part of supporting KeyUpdate in ktls-utils and NVMe-OF we need to
trigger an update of the local keys after the kernel has received a
KeyUpdate message.
This patch creates a new gnutls_handshake_update_receiving_key() function
that allows updating the local keys without sending any KeyUpdate
requests.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Modified-by: Daiki Ueno <ueno@gnu.org>
pkcs11: use the same initialization code for provider
This makes the pkcs11-provider code use the thread-safe module
initialization code introduced in commit aa5f15a872e62e54abe58624ee393e68d1faf689. As the mechanism works over
p11-kit managed modules, this switches the "path" config option to
using PKCS#11 URI, through the "url" keyword.
pkcs11: use CRYPTOKI_GNU interface in the provider code
This mass-rewrites the pkcs11-provider code to match the rest of
PKCS#11 support in the library, to be able to share the same module
initialization code everywhere.
pkcs11: try to initialize modules in thread-safe mode
When modules are initialized without CKF_OS_LOCKING_OK nor custom
locking functions, they may skip their internal locking assuming that
the applications will take care of thread-safety, which is costly and
GnuTLS currently doesn't do that.
To mitigate this, this patch changes the module initialization code to
tell the modules to guarantee thread-safety by themselves. If they are
unable to do that, this falls back to the normal initialization
without C_Initialize parameters. This also omits the custom_init flag,
which indicated whether the module is initialized with
p11_kit_module_initialize or a direct call to C_Initialize, now that
modules are always initialized with C_Initialize.
build: unconditionally use zeroize_key/zrelease_mpi_key
Since 39aaa63a1a4cb8432e090887f38241afb2b264a6, zeroize_temp_key is an
alias to zeroize_key, and zrelease_temp_mpi_key is an alias to
zrelease_mpi_key. Use the latter directly and also remove
_gnutls_free_temp_key_datum.
Wilfred Mallawa [Mon, 18 Aug 2025 02:40:57 +0000 (12:40 +1000)]
lib/psk: add null check for binder algo
Currently, `pskcred->binder_algo` is used without checking first if it
is valid. This can lead to a NULL pointer dereference in cases such as
[1]. This patch adds NULL check `pskcred->binder_algo` before using it.
This also makes it more explicit in
gnutls_psk_allocate_server_credentials2() that `pskcred->binder_algo
== NULL` indicates auto-detection, while avoiding the linear lookup
for a NULL entry.
Daiki Ueno [Tue, 17 Dec 2024 01:03:26 +0000 (10:03 +0900)]
fips: only run the first test vector for each symmetric algorithm
FIPS 140-3 doesn't require to run multiple test vectors for a single
algorithm, and one of the test vector for PBKDF2, with an 80000
iteration count is known to be too costly. Therefore, this patch
changes gnutls_*_self_test to pick only the first test from the test
vectors, unless GNUTLS_SELF_TEST_FLAG_ALL is specified. The existing
test vectors have been reviewed and modified for the first element to
use the sane parameters, namely: aes128_gcm_vectors to use non-zero
key and non-empty AAD, aes256_gcm_vectors to use non-empty AAD, and
pbkdf2_sha256_vectors to use iteration count greater than 1.
Daiki Ueno [Fri, 13 Dec 2024 09:42:03 +0000 (18:42 +0900)]
fips: run AES-256 self-tests with only a single mode
Previously we ran FIPS power-on self-tests for AES-256-CBC,
AES-256-GCM, AES-256-XTS, and AES-256-CFB8, though only one mode per
key size suffices according to FIPS 140-3 IG. This omits AES-256-CBC,
AES-256-XTS, and AES-256-CFB8, keeping AES-256-GCM for performance.