chenjianhu [Fri, 1 Aug 2025 09:18:23 +0000 (17:18 +0800)]
x509: fix incorrect handling in name constraints merging
As mentioned in commit ca573d65 ("x509: Fix asymmetry in name
constraints intersection", 2016-07-29), the
_gnutls_name_constraints_intersect function exhibited an
asymmetry in name constraints intersection behavior, specifically
manifested as:
1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were
preserved
2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were
discarded
A 'used' flag was introduced, where if a node from PERMITTED2 was
not used for the intersection, it would be copied to PERMITTED.
However, an unresolved edge case persisted:
- When 'removed.size > 0', the 'used' flag was unconditionally set
to 1
- This prevented copying of PERMITTED2 nodes with unique types
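As an added Python illustration of the merge this commit describes (it is not GnuTLS code and does not model the internals of `_gnutls_name_constraints_intersect`): two permittedSubtrees lists are intersected symmetrically, so a GeneralName type that appears in only one input survives even when other nodes were removed. The point a verifier cares about is the last one: a type with no permitted subtree at all is unconstrained, so silently dropping PERMITTED2's unique-type nodes widens the policy. Only dNSName and rfc822Name are modelled; `contains`, `intersect_permitted`, `name_permitted` and the sample lists are names and data constructed for this example.

```python
"""Symmetric intersection of X.509 permittedSubtrees (added illustration, not GnuTLS code)."""
from collections import defaultdict

DNS, EMAIL = "dNSName", "rfc822Name"  # the only GeneralName types modelled here


def contains(typ, outer, inner):
    """True if GeneralName 'inner' (a subtree or a leaf name) lies inside the
    permitted subtree 'outer' of the same type (RFC 5280 4.2.1.10 rules)."""
    outer, inner = outer.lower(), inner.lower()
    if typ == DNS:
        # adding labels on the left keeps a dNSName inside the subtree
        return inner == outer or inner.endswith("." + outer)
    if typ == EMAIL:
        if "@" in outer:                      # constraint names one mailbox
            return inner == outer
        host = inner.rsplit("@", 1)[-1]       # constraint names a host: all its mailboxes
        return host == outer
    raise ValueError(f"unsupported GeneralName type {typ}")


def intersect_type(names, names2, typ):
    """Intersect two subtree lists of one type: keep the narrower subtree of each
    pair where one contains the other.  An empty result means nothing of this
    type is permitted at all."""
    out = []
    for x in names:
        for y in names2:
            if contains(typ, y, x):
                out.append(x)
            elif contains(typ, x, y):
                out.append(y)
    return sorted(set(out))


def intersect_permitted(permitted, permitted2):
    """Merge two lists of (type, name) pairs into a dict type -> subtrees.
    Symmetric: a type present in only one input is copied unchanged, whether
    or not nodes of other types were removed."""
    by_type, by_type2 = defaultdict(list), defaultdict(list)
    for typ, name in permitted:
        by_type[typ].append(name)
    for typ, name in permitted2:
        by_type2[typ].append(name)
    merged = {}
    for typ in sorted(set(by_type) | set(by_type2)):
        if typ in by_type and typ in by_type2:
            merged[typ] = intersect_type(by_type[typ], by_type2[typ], typ)
        else:
            merged[typ] = sorted(set(by_type[typ] or by_type2[typ]))
    return merged


def name_permitted(merged, typ, name):
    """Check a leaf name from a certificate against the merged constraints.
    No entry for the type means that type is unconstrained."""
    if typ not in merged:
        return True
    return any(contains(typ, subtree, name) for subtree in merged[typ])


# Constructed input: PERMITTED loses 'other.org' (a node is removed) while
# PERMITTED2 carries an rfc822Name subtree that PERMITTED does not have.
PERMITTED = [(DNS, "example.com"), (DNS, "other.org")]
PERMITTED2 = [(DNS, "sub.example.com"), (EMAIL, "example.com")]

if __name__ == "__main__":
    merged = intersect_permitted(PERMITTED, PERMITTED2)
    print(merged)
    for typ, name in [(DNS, "www.sub.example.com"), (DNS, "www.example.com"),
                      (EMAIL, "alice@example.com"), (EMAIL, "alice@evil.example")]:
        verdict = "permitted" if name_permitted(merged, typ, name) else "rejected"
        print(typ, name, verdict)
```

With the sample input the rfc822Name subtree from PERMITTED2 survives alongside the narrowed dNSName subtree; run `name_permitted` against a merge that lacks the rfc822Name entry to see how the asymmetric result would have accepted any mailbox.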
Adds a new function to the max_record library to extract the endpoint's
maximum record send size, which may have been negotiated through the
record_size_limit or the max_fragment_length extensions.
Jiasheng Jiang [Mon, 4 Aug 2025 00:17:10 +0000 (00:17 +0000)]
src/pkcs11.c: Add check for gnutls_malloc and gnutls_strdup
Add check for the return value of gnutls_malloc() and gnutls_strdup() to avoid potential NULL pointer dereference.
Fixes: 44541d17 ("p11tool: copy vendor query attributes when listing privkeys")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Jiasheng Jiang [Sat, 2 Aug 2025 16:07:59 +0000 (16:07 +0000)]
lib/pkcs11_privkey.c: Add check for gnutls_malloc
Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
Fixes: be560a813 ("Added gnutls_pkcs11_privkey_t and gnutls_privkey_t types. Those are an abstract private key type that can be used to sign/encrypt any private key of pkcs11,x509 or openpgp types. Added support for PKCS11 in gnutls-cli/gnutls-serv.")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Jiasheng Jiang [Sat, 2 Aug 2025 15:38:40 +0000 (15:38 +0000)]
lib/anon_cred.c: Add check for gnutls_calloc
According to the comment above, add check for the return value of gnutls_calloc() and return an error code if it fails.
Fixes: 23efd9990 ("The Diffie Hellman parameters are now stored in the credentials structures. This will allow precomputation of signatures (for DHE cipher suites).")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
While RFC 8446 4.6.3 says that the sender of a KeyUpdate message
should only update its sending key, the previous implementation
updated both the sending and receiving keys, preventing any interleaved
application data from being decrypted.
This splits the key update logic into 2 phases: when sending a
KeyUpdate, only update the sending key, and when receiving a
KeyUpdate, only update the receiving key. In both cases, KeyUpdate
messages are encrypted/decrypted with the old keys.
The previous logic of epoch lookup was utilizing the fact that epoch
numbers are monotonically increasing and there are no gaps in between
after garbage collection. That is, however, no longer true when a TLS
1.3 key update is happening in only one direction.
This patch switches to using linear search instead, at the cost of
approx MAX_EPOCH_INDEX * 2 (= 8) comparisons.
Daiki Ueno [Mon, 27 Jan 2025 07:36:41 +0000 (16:36 +0900)]
fips: perform both PCTs for unrestricted RSA key
As PKCS#1 v1.5-padding is no longer allowed, exercise PCT with both
RSA-PSS and RSA-OAEP for unrestricted RSA keys. Note that it is no
longer possible to create a 512-bit RSA key under FIPS mode, because
there is a restriction of message size in RSA-OAEP based on the key
size, i.e., mLen > k - 2hLen - 2.
Daiki Ueno [Tue, 11 Feb 2025 22:23:59 +0000 (07:23 +0900)]
pk: sprinkle SPKI over encryption functions
Similarly to signing, the encrypt/decrypt/decrypt2 functions defined
in gnutls_crypto_pk_st now take SPKI as an additional parameter, so
the encryption/decryption behavior can be overridden.
Daiki Ueno [Tue, 17 Dec 2024 07:55:47 +0000 (16:55 +0900)]
fips: perform RSA self-tests using RSA-PSS instead of PKCS#1 v1.5
Previously the RSA self-tests were using PKCS#1 v1.5, for both
signature generation and encryption/decryption, which turned a bit
problematic as GnuTLS now has a run-time option to disable that
scheme.
According to FIPS 140-3 IG 10.3.A, for each FIPS 186-4 and FIPS 186-5
public key digital signature algorithm, a CAST shall be performed
using at least one of the schemes approved for use in the approved
mode. Similarly, the IG annex D.G mentions that if the RSA signature
generation algorithm and RSA un-encapsulation scheme use the same
implementation, only test for signature generation suffices.
Therefore, this switches to using RSA-PSS only and drops the
RSA encryption/decryption self-tests.
tests: Check softhsm2-util from PATH.
* tests/testpkcs11.softhsm (init_card): Use POSIX's 'command' to test
if softhsm2-util or softhsm is available from PATH.
* tests/pkcs11/softhsm.h (softhsm_bin): Check from PATH.
lib/ext/srp.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free priv->username if the allocation of priv->password fails to avoid memory leak.
Moreover, replace "return" with "goto" to avoid memory leak.
Fixes: a1a15422 ("Fixes and memory leak elimination in SRP authentication.")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Add new functions gnutls_psk_allocate_client_credentials2() and
gnutls_psk_allocate_server_credentials2() which allow specifying
the hash algorithm for the PSK. This fixes a bug in the current
implementation where the binder is always calculated with SHA256.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
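Two of the commit messages above describe TLS 1.3 key-schedule behaviour that is easier to see in code: the KeyUpdate one (only the sender's write key rolls, so the read and write epochs of a connection can diverge, which is why a contiguous-epoch lookup no longer works) and the PSK one (the binder must be computed with the hash associated with the PSK, not a fixed SHA-256). Both need HKDF-Expand-Label, so here is one added Python illustration covering both; it is not GnuTLS code. Record protection is a keyed-MAC stand-in for the real AEAD (integrity only, no confidentiality), the traffic secrets, PSK and truncated ClientHello bytes are constructed, and `Peer`, `BothKeysPeer`, `interleaved_key_update` and `psk_binder` are names of this example only.

```python
"""TLS 1.3 key-schedule pieces from RFC 8446 (added illustration, not GnuTLS code):
(1) a KeyUpdate rolls only the sender's write secret, so each direction keeps its
own epoch; (2) a PSK binder is computed with the hash associated with the PSK.
Record protection is a keyed-MAC stand-in for the real AEAD (integrity only)."""
import hashlib
import hmac
import struct

def hkdf_extract(salt, ikm, h):
    return hmac.new(salt, ikm, h).digest()

def hkdf_expand_label(secret, label, context, length, h):
    """RFC 8446 7.1: HKDF-Expand(secret, HkdfLabel, length), label "tls13 " + Label."""
    lbl = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(lbl)]) + lbl + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]

def next_traffic_secret(secret, h):
    """RFC 8446 7.2: secret_N+1 = HKDF-Expand-Label(secret_N, "traffic upd", "", Hash.length)."""
    return hkdf_expand_label(secret, b"traffic upd", b"", h().digest_size, h)

def protect(secret, plaintext, h):
    """Stand-in for AEAD record protection: payload plus a tag under this secret."""
    return plaintext + hmac.new(secret, plaintext, h).digest()

def unprotect(secret, record, h):
    """Raises ValueError if the record was not protected under 'secret'."""
    n = h().digest_size
    body, tag = record[:-n], record[-n:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, h).digest()):
        raise ValueError("record not protected under the current read secret")
    return body

class Peer:
    """An endpoint after the handshake: separate write/read secrets and epochs."""
    def __init__(self, write_secret, read_secret, h=hashlib.sha256):
        self.h, self.write, self.read = h, write_secret, read_secret
        self.write_epoch = self.read_epoch = 0
    def send(self, data):
        return protect(self.write, data, self.h)
    def send_key_update(self):
        # the KeyUpdate itself goes out under the old write secret; only then roll it
        rec = protect(self.write, b"KeyUpdate", self.h)
        self.write = next_traffic_secret(self.write, self.h)
        self.write_epoch += 1
        return rec
    def receive(self, record):
        msg = unprotect(self.read, record, self.h)  # a KeyUpdate arrives under the old read secret
        if msg == b"KeyUpdate":                     # request_update is ignored in this model
            self.read = next_traffic_secret(self.read, self.h)
            self.read_epoch += 1
        return msg

class BothKeysPeer(Peer):
    """Model of the pre-fix behaviour: sending a KeyUpdate also rolled the read secret."""
    def send_key_update(self):
        rec = super().send_key_update()
        self.read = next_traffic_secret(self.read, self.h)
        self.read_epoch += 1
        return rec

def interleaved_key_update(peer_cls=Peer):
    """Client sends KeyUpdate while server data is already in flight under the old
    keys.  Returns (in-flight data decrypted?, post-update data decrypted?,
    server write epoch, server read epoch)."""
    c2s, s2c = b"c" * 32, b"s" * 32  # constructed application traffic secrets
    client, server = peer_cls(c2s, s2c), peer_cls(s2c, c2s)
    key_update = client.send_key_update()
    in_flight = server.send(b"hello")  # crosses the KeyUpdate on the wire
    try:
        in_flight_ok = client.receive(in_flight) == b"hello"
    except ValueError:
        in_flight_ok = False
    server.receive(key_update)
    post_ok = server.receive(client.send(b"after update")) == b"after update"
    return in_flight_ok, post_ok, server.write_epoch, server.read_epoch

def psk_binder(psk, truncated_client_hello, h, external=True):
    """RFC 8446 4.2.11.2: binder = HMAC(finished_key, Transcript-Hash(ClientHello
    minus the binders)), every step using the hash the PSK is associated with."""
    n = h().digest_size
    early_secret = hkdf_extract(b"\x00" * n, psk, h)
    label = b"ext binder" if external else b"res binder"
    binder_key = hkdf_expand_label(early_secret, label, h(b"").digest(), n, h)  # Derive-Secret(..., "")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", n, h)
    return hmac.new(finished_key, h(truncated_client_hello).digest(), h).digest()
```

`interleaved_key_update()` with the fixed `Peer` decrypts the in-flight server record and ends with the server at write epoch 0 and read epoch 1, the one-directional gap the epoch-lookup change is about; with `BothKeysPeer` the in-flight record fails to authenticate. `psk_binder` with `hashlib.sha384` yields a 48-byte binder that a SHA-256-only server could never match.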
fastopen: check return value of connect before inspecting errno
Spotted by clang-analyzer from Clang 19:
system/fastopen.c:131:7: warning: An undefined value may be read from 'errno' [unix.Errno]
131 | if (errno == ENOTCONN || errno == EINPROGRESS) {
| ^~~~~
This also fixes the check at the end of tfo_writev for successful TFO
enablement, which previously checked the return value was 0, while it
should have been checking >= 0.
Now that we pin Nettle to the 3.10 branch, building Nettle from source
always results in the (almost) identical binaries. Skip them for now,
until GnuTLS supports the Nettle 4 API.
Use leancrypto from the container image instead of building from
source, as well as control the GNUTLS_FORCE_FIPS_MODE and
crypto-policies setting through parallel::matrix.
This splits UB+ASAN-Werror.Fedora.x86_64.gcc into build and test
phases and makes it simpler by:
- Stop doing 2 builds for trust store, given the same code path is
exercised when the trust store is enabled at build time
- Stop doing 2 builds for AGGRESSIVE_REALLOC, now that the buffer
allocation strategy can be tuned with the GNUTLS_BUFFER_RECLAIM
envvar
- Remove -Werror check from this pipeline, as it has nothing to do
with sanitizers
handshake: clear HSK_PSK_SELECTED when resetting binders
When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would run into a NULL
pointer dereference as the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set. This makes sure that
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear that the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.
certtool: avoid 1-byte write buffer overrun when parsing template
Previously, when parsing a template file with a number of key value
pairs, certtool could write a NUL byte after the heap buffer, causing
a memory corruption. This fixes the issue by allocating the NUL byte.
Reported by David Aitel.
x509: avoid double free when exporting othernames in SAN
Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller allocated ASN.1
structure upon error, resulting in a potential double-free.
Andrew Hamilton [Mon, 7 Jul 2025 01:35:54 +0000 (10:35 +0900)]
x509: reject zero-length version in certificate request
Ensure zero-size ASN.1 values are considered invalid in
gnutls_x509_crq_get_version; this ensures the crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Signed-off-by: Daiki Ueno <ueno@gnu.org>
Andrew Hamilton [Mon, 7 Jul 2025 01:31:55 +0000 (10:31 +0900)]
psk: fix read buffer overrun in the "pre_shared_key" extension
While processing the "pre_shared_key" extension in TLS 1.3, if there
are certain malformed data in the extension headers, then the code may
read uninitialized memory (2 bytes) beyond the received TLS extension
buffer. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42513990
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Signed-off-by: Daiki Ueno <ueno@gnu.org>
Andrew Hamilton [Mon, 7 Jul 2025 01:23:59 +0000 (10:23 +0900)]
x509: fix read buffer overrun in SCT timestamps
Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Signed-off-by: Daiki Ueno <ueno@gnu.org>
As libminitasn1.la is always built as a static library, linking it twice
makes linking fail because of duplicated symbols. This also stops
including <nettle/bignum.h> as it is unused and causing a compile error
on macOS homebrew:
In file included from p11_pk.c:32:
/opt/homebrew/Cellar/nettle/3.10.2/include/nettle/bignum.h:50:11: fatal error: 'gmp.h' file not found
# include <gmp.h>
^~~~~~~
1 error generated.