Daiki Ueno [Fri, 12 Jan 2024 08:56:58 +0000 (17:56 +0900)]
nettle: avoid normalization of mpz_t in deterministic ECDSA
This removes function calls that potentially leak the bit-length of a
private key used to calculate a nonce in deterministic ECDSA. Namely:
- _gnutls_dsa_compute_k has been rewritten to work on always
zero-padded mp_limb_t arrays instead of mpz_t
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
by a byte array instead of an mpz_t value
Daiki Ueno [Mon, 29 Jan 2024 04:52:46 +0000 (13:52 +0900)]
gnutls_x509_trust_list_verify_crt2: remove length limit of input
Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
chain verification logic crashed with an assertion failure. This patch
removes the restriction while keeping the maximum number of
retrieved certificates at DEFAULT_MAX_VERIFY_DEPTH.
Daiki Ueno [Sat, 9 Mar 2024 21:58:46 +0000 (06:58 +0900)]
x509: fix reading of MGF-1 OID
asn1_read_value may return an error code as a positive integer, thus the
previous code could lead to an access to an uninitialized value. This is
a regression in the RSA-OAEP support. Spotted by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67300
Daiki Ueno [Fri, 23 Feb 2024 00:03:46 +0000 (09:03 +0900)]
tests: support KAT in (EC)DH tests
While the logic existed, known answer tests were omitted in
tests/dh-compute, tests/dh-compute2, tests/ecdh-compute, and
tests/ecdh-compute2. This enables support for them and fixes
a couple of issues in the logic: avoid using the `success` variable as it
shadows the helper function with the same name defined in
tests/utils.h, invert the memcmp condition, and properly use peer_x
and peer_y in place of x and y in ecdh-compute2.
Daiki Ueno [Thu, 8 Feb 2024 06:32:37 +0000 (15:32 +0900)]
spki: support RSA-OAEP parameters
This adds a new API gnutls_x509_spki_{get,set}_rsa_oaep_params to
retrieve and store RSA-OAEP parameters embedded in
SubjectPublicKeyInfo.
As RSA-OAEP labels are allocated, this also adds copy and clear methods
on the gnutls_x509_spki_st struct and uses them extensively instead of
memcpy and memset.
Daiki Ueno [Fri, 19 Aug 2022 03:32:27 +0000 (12:32 +0900)]
build: allow GMP to be statically linked
Even though we set the custom allocator[1] to zeroize sensitive data,
it can be easily invalidated if the application sets its own custom
allocator. An approach to prevent that is to link against a static
library of GMP, so the use of GMP is privatized and the custom
allocator configuration is not shared with other applications.
This patch allows libgnutls to be linked with the static library of
GMP. Note that, for this to work, libgmp.a needs to be compiled with -fPIC
and libhogweed in Nettle is also linked to the static library of GMP.
Xin Long [Thu, 1 Feb 2024 22:21:05 +0000 (17:21 -0500)]
lib: fix a potential segfault in _gnutls13_recv_finished
In _gnutls13_recv_finished(), 'buf' is not initialized or set when
_gnutls13_compute_finished() returns an error, and goto cleanup may
cause a segfault crash as it frees the uninitialized buf.allocd in
_gnutls_buffer_clear().
So fix it by returning if _gnutls13_compute_finished() returns an error
in _gnutls13_recv_finished().
The root cause is that _gnutls_buffer_clear() was trying to free
'buf' that is not initialized or set if the GNUTLS_NO_END_OF_EARLY_DATA
flag is set on the server side.
This patch fixes it by simply initializing buf at the beginning of
_gnutls13_recv_end_of_early_data().
Daiki Ueno [Wed, 10 Jan 2024 10:13:17 +0000 (19:13 +0900)]
rsa-psk: minimize branching after decryption
This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption. This also avoids an extra memcpy to session->key.key.
Daiki Ueno [Thu, 11 Jan 2024 06:45:11 +0000 (15:45 +0900)]
x509: detect loop in certificate chain
There can be a loop in a certificate chain, when multiple CA
certificates are cross-signed with each other, such as A → B, B → C,
and C → A. Previously, the verification logic was not capable of
handling this scenario while sorting the certificates in the chain in
_gnutls_sort_clist, resulting in an assertion failure. This patch
properly detects such a loop and aborts further processing in a graceful
manner.
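A minimal illustration of the loop detection this commit describes, added here as an example and not GnuTLS code: _gnutls_sort_clist works on real X.509 objects, whereas this walks constructed subject/issuer names and returns -1 instead of asserting when the issuer links revisit a certificate.

```c
#include <string.h>

#define MAX_CHAIN 16

/* Constructed toy certificate: only names matter for ordering; a cert whose
 * issuer equals its subject is self-signed and terminates the walk. */
struct cert { const char *subject, *issuer; };

/* Order an unsorted list into issuance order starting from in[0], writing
 * pointers into out[]. Returns the number of certificates placed, or -1 when
 * following issuer links revisits a certificate already placed: the cross-
 * signing loop (A -> B -> C -> A) the fix describes. Without the 'used'
 * check the walk would never reach a root and would overrun out[]. */
int sort_chain(const struct cert *in, int n, const struct cert *out[MAX_CHAIN])
{
    int used[MAX_CHAIN] = {0};
    int count = 0;
    const struct cert *cur = &in[0];
    if (n <= 0 || n > MAX_CHAIN)
        return -1;
    used[0] = 1;
    out[count++] = cur;
    while (strcmp(cur->subject, cur->issuer) != 0) {
        int next = -1;
        for (int i = 0; i < n; i++)
            if (strcmp(in[i].subject, cur->issuer) == 0) { next = i; break; }
        if (next < 0)
            break;          /* issuer not supplied: partial chain, order still valid */
        if (used[next])
            return -1;      /* loop detected: abort gracefully instead of asserting */
        used[next] = 1;
        out[count++] = &in[next];
        cur = &in[next];
    }
    return count;
}

/* Constructed inputs: 0 selects a leaf -> inter -> root chain given out of
 * order (returns 3), 1 selects a three-way cross-signing loop (returns -1). */
int demo(int loop)
{
    static const struct cert chain[] = {{"leaf", "inter"}, {"root", "root"}, {"inter", "root"}};
    static const struct cert cycle[] = {{"A", "B"}, {"B", "C"}, {"C", "A"}};
    const struct cert *out[MAX_CHAIN];
    return sort_chain(loop ? cycle : chain, 3, out);
}
```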
Clemens Lang [Fri, 12 Jan 2024 10:12:14 +0000 (11:12 +0100)]
fips: Zeroize temporary values
The standard says "temporary value(s) generated during the integrity
test of the module's software […] shall be zeroised from the module upon
completion of the integrity test".
That includes the computed HMAC value, which is currently not zeroized
after the test. Add explicit calls to gnutls_memset() to fix that.
Clemens Lang [Fri, 12 Jan 2024 10:32:22 +0000 (11:32 +0100)]
.gitlab-ci.yml: Adjust to Alpine Linux' clang-format path change
According to Alpine Linux' package database search functionality, the
clang16-extra-tools package now installs clang-format in
/usr/lib/llvm16/bin/clang-format.
/usr/bin/clang-format is provided by clang17-extra-tools instead, but
requires changes in formatting. Add /usr/lib/llvm16/bin to PATH for the
formatting script to continue using the previous version.
Daiki Ueno [Mon, 1 Jan 2024 05:26:08 +0000 (14:26 +0900)]
tests/pkcs11-tool.sh: skip if neither p11tool nor certtool is built
When compiled with --disable-tools, we can't assume p11tool and
certtool are available. This also switches to using create_testdir and
locates any intermediate files under a temporary directory which is
cleaned up at exit.
Daiki Ueno [Fri, 10 Nov 2023 06:49:53 +0000 (15:49 +0900)]
ktls: check Linux kernel version at run time
When a GnuTLS application runs in a container guest and the host
kernel is older than expected, it fails at initializing KTLS. This
adds a check at run time, using uname.
Daiki Ueno [Thu, 9 Nov 2023 08:17:36 +0000 (17:17 +0900)]
x509: clarify the calling convention of AIA callbacks
This updates the documentation of
gnutls_x509_trust_list_set_getissuer_function to explicitly mention
that the callback shall initialize the output arguments upon
successful call, even if the result is empty.
Daiki Ueno [Thu, 9 Nov 2023 04:33:13 +0000 (13:33 +0900)]
cli: fix --ca-auto-retrieve crash when no caIssuer is present in AIA
Previously, when the caIssuer URI is not present in the certificate's AIA
extension, the callback successfully returned 0, but didn't initialize
the output arguments, resulting in a segmentation fault in the caller.
Daiki Ueno [Fri, 13 Oct 2023 08:36:57 +0000 (17:36 +0900)]
cli: add --starttls-name option
Some deployments of application protocols, such as XMPP, require a
different hostname than the host being connected to. This adds a new
option, --starttls-name, to gnutls-cli to specify it separately.
Daiki Ueno [Sat, 7 Oct 2023 08:17:39 +0000 (17:17 +0900)]
devel: add script to fix header inclusion
This adds check-headers.sh script which scans .c files and checks that
local header files under lib/ are consistently included with #include
"foo.h" instead of #include <foo.h>.
This adds support for Ed448 keys backed by PKCS#11. To differentiate
Ed448 keys from Ed25519 keys, this requires extra logic to check
CKA_EC_PARAMS when reading public keys.