-rw-r--r--NEWS34
-rw-r--r--configure.ac2
-rw-r--r--lib/state.c5
-rw-r--r--lib/stek.c25
-rw-r--r--m4/hooks.m44
-rw-r--r--tests/resume-with-previous-stek.c4
-rw-r--r--tests/tls13/prf-early.c8
7 files changed, 59 insertions, 23 deletions
diff --git a/NEWS b/NEWS
index 8f81bd3dc4..755a67c88c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,39 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
-* Version 3.6.14 (unreleased)
+* Version 3.6.14 (released 2020-06-03)
+
+** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+ The TLS server would not bind the session ticket encryption key with a
+ value supplied by the application until the initial key rotation, allowing
+ attacker to bypass authentication in TLS 1.3 and recover previous
+ conversations in TLS 1.2 (#1011).
+ [GNUTLS-SA-2020-06-03, CVSS: high]
+
+** libgnutls: Fixed handling of certificate chain with cross-signed
+ intermediate CA certificates (#1008).
+
+** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
+
+** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
+ (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
+ Key Identifier (AKI) properly (#989, #991).
+
+** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
+
+** libgnutls: Added several improvements on Windows Vista and later releases
+ (!1257, !1254, !1256). Most notably the system random number generator now
+ uses Windows BCrypt* API if available (!1255).
+
+** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
+ Also both accelerated and non-accelerated implementations check key block
+ according to FIPS-140-2 IG A.9 (!1233).
+
+** libgnutls: Added support for AES-SIV ciphers (#463).
+
+** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
+
+** libgnutls: No longer use internal symbols exported from Nettle (!1235)
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
diff --git a/configure.ac b/configure.ac
index a09cbfd92d..d59553b6a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.63)
dnl when updating version also update LT_REVISION in m4/hooks.m4
-AC_INIT([GnuTLS], [3.6.13], [bugs@gnutls.org])
+AC_INIT([GnuTLS], [3.6.14], [bugs@gnutls.org])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 src/libopts/m4 lib/unistring/m4])
AC_CANONICAL_HOST
diff --git a/lib/state.c b/lib/state.c
index 8ba2cc4a32..7d0a77dc95 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -578,9 +578,12 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
if (flags & GNUTLS_CLIENT)
VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
- if (flags & GNUTLS_SERVER)
+ if (flags & GNUTLS_SERVER) {
VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
GNUTLS_RANDOM_SIZE);
+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->key.session_ticket_key,
+ TICKET_MASTER_KEY_SIZE);
+ }
}
#endif
handshake_internal_state_clear1(*session);
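Review bot: The new VALGRIND_MAKE_MEM_UNDEFINED on `(*session)->key.session_ticket_key` carries no comment saying why a field that was just zero-initialised is being marked undefined, and the reason is not obvious from gnutls_init alone. Given the stek.c change in the same commit, which marks the key defined only after rotate() derives it, this presumably exists so valgrind reports any use of the STEK before the first rotation; I would add above the call `/* the STEK is unusable until rotate() derives it; let valgrind flag any earlier read */`, hedged if the intent differs. Note that the counterpart in rotate() is wrapped in `if (RUNNING_ON_VALGRIND)` while this call is not, which matches the adjacent server_random call but is worth keeping consistent in one direction. The `#ifdef` block closed by the `#endif` here, and gnutls_init itself, both start outside the hunk.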
diff --git a/lib/stek.c b/lib/stek.c
index 2f885cee37..316555b49a 100644
--- a/lib/stek.c
+++ b/lib/stek.c
@@ -21,6 +21,9 @@
*/
#include "gnutls_int.h"
#include "stek.h"
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+#include <valgrind/memcheck.h>
+#endif
#define NAME_POS (0)
#define KEY_POS (TICKET_KEY_NAME_SIZE)
@@ -143,6 +146,11 @@ static int rotate(gnutls_session_t session)
call_rotation_callback(session, key, t);
session->key.totp.last_result = t;
memcpy(session->key.session_ticket_key, key, sizeof(key));
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+ if (RUNNING_ON_VALGRIND)
+ VALGRIND_MAKE_MEM_DEFINED(session->key.session_ticket_key,
+ TICKET_MASTER_KEY_SIZE);
+#endif
session->key.totp.was_rotated = 1;
} else if (t < 0) {
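Review bot: The added VALGRIND_MAKE_MEM_DEFINED uses `TICKET_MASTER_KEY_SIZE` as its length while the memcpy immediately above it copies `sizeof(key)`; the two expressions should be the same one so the defined range cannot drift from the bytes actually written. I would change the length to `sizeof(session->key.session_ticket_key)` (or `sizeof(key)` to mirror the memcpy), e.g. `VALGRIND_MAKE_MEM_DEFINED(session->key.session_ticket_key, sizeof(key));`. The `if (RUNNING_ON_VALGRIND)` guard is harmless but not needed, as the client-request macro is already a no-op when not running under valgrind. rotate() begins and continues outside this hunk.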
@@ -323,20 +331,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con
if (unlikely(session == NULL || key == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- if (session->key.totp.last_result == 0) {
- int64_t t;
- memcpy(session->key.initial_stek, key->data, key->size);
- t = totp_next(session);
- if (t < 0)
- return gnutls_assert_val(t);
-
- session->key.totp.last_result = t;
- session->key.totp.was_rotated = 0;
+ if (unlikely(session->key.totp.last_result != 0))
+ return GNUTLS_E_INVALID_REQUEST;
- return GNUTLS_E_SUCCESS;
- }
+ memcpy(session->key.initial_stek, key->data, key->size);
- return GNUTLS_E_INVALID_REQUEST;
+ session->key.totp.was_rotated = 0;
+ return 0;
}
/*
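Review bot: The rewritten body copies `key->size` bytes into `session->key.initial_stek` with no bound check in the hunk; the old code had the same memcpy, but since this function is being reworked, an explicit guard would stop a caller-supplied size from overrunning the field if it is a fixed-size array, e.g. `if (unlikely(key->size != sizeof(session->key.initial_stek))) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` placed before the memcpy (if the size is already validated by the public entry point, a comment saying so would do). The success path now returns a bare `0` where the removed code returned `GNUTLS_E_SUCCESS`; keeping the symbolic constant would match the file's style and the `GNUTLS_E_INVALID_REQUEST` return two lines above. The function's signature and the start of its body are outside the hunk.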
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index d0963f35cd..1f83d35f68 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
# in CONTRIBUTION.md for more info.
#
# Interfaces removed: AGE=0 (+bump all symbol versions in .map)
- AC_SUBST(LT_CURRENT, 57)
+ AC_SUBST(LT_CURRENT, 58)
AC_SUBST(LT_REVISION, 0)
- AC_SUBST(LT_AGE, 27)
+ AC_SUBST(LT_AGE, 28)
AC_SUBST(LT_SSL_CURRENT, 27)
AC_SUBST(LT_SSL_REVISION, 2)
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
index f212b188b9..05c1c90868 100644
--- a/tests/resume-with-previous-stek.c
+++ b/tests/resume-with-previous-stek.c
@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio)
serverx509cred = NULL;
}
- if (num_stek_rotations != 2)
- fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations);
+ if (num_stek_rotations != 3)
+ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations);
if (serverx509cred)
gnutls_certificate_free_credentials(serverx509cred);
diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
index 414b1db5ea..bc3196248f 100644
--- a/tests/tls13/prf-early.c
+++ b/tests/tls13/prf-early.c
@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
} \
}
-#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68"
-#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b"
-#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62"
-#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b"
+#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
+#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
+#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
+#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
static int handshake_callback_called;