Use proper record version in client hello after hello retry request
Closes #1053
See merge request gnutls/gnutls!1346
(cherry picked from commit c93fab21ab7abb805b4db22cd155996b3ce96361)
136b6a47 Use proper record version in client hello after hello retry request
nettle: port upstream hardening of EC point multiplication [3.6.x]
See merge request gnutls/gnutls!1407
Some internal functions used in point multiplications are known to
misbehave if the scalar is out-of-range. This performs canonical
reduction on scalars, before point multiplication.
This ports the fixes from Nettle upstream to the bundled EC code.
See the Nettle 3.7.2 release announcement for details:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This helps detect common mistakes [1] in realloc usage with valgrind,
where the caller assumes that the original ptr is always returned.
1. https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
The function shared the same logic as in _gnutls_buffer_resize.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
If the initial handshake is incomplete and the server sends a
no_renegotiation alert, the client should treat it as a fatal error
even if its level is warning. Otherwise the same handshake
state (e.g., DHE parameters) is reused in the next gnutls_handshake
call, if it is called in the loop idiom:
    do {
        ret = gnutls_handshake(session);
    } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
Signed-off-by: Daiki Ueno <ueno@gnu.org>
The server needs to take into account multiple factors when
determining the TLS protocol version actually being used:
- the legacy version
- "supported_versions" extension
- user_hello_func that may modify the server's priorities
Only after that can it check whether the TLS version is enabled in the
server's priorities.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
While the documentation of gnutls_aead_cipher_decrypt indicates that
the inout argument ptext_len initially holds the size that
sufficiently fits the expected output size, there was no runtime check
on that. This makes the interface more robust against misuses.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This aligns the behavior to the documentation.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Some compilers don't support -Wno-type-limits, while they support
-Wtype-limits.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Previously gnutls_fips140_mode_enabled() returned true, even after
selftests had failed and the library state had switched to error.
While later calls to crypto operations fail, it would be more
convenient to have a function to detect that state.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Spotted by codespell.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
When checking in _gnutls_pubkey_compatible_with_sig() whether a public
key is compatible with a signature algorithm, run first
pubkey_supports_sig() before performing weaker checks that can accept
the given algorithm but with an audit-log warning. This avoids an issue
when a weaker check would log an audit message for some signature
algorithm that would then be determined as incompatible by the
pubkey_supports_sig() check anyway.
For instance, a GnuTLS server might have a certificate with a SECP384R1
public key and a client can report that it supports
ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the
GnuTLS server will eventually find that it must use
ECDSA-SECP384R1-SHA384 with this public key. However, the code would
first run _gnutls_pubkey_compatible_with_sig() to check if SECP384R1 is
compatible with ECDSA-SECP256R1-SHA256. The function would report the
audit warning "The hash size used in signature (32) is less than the
expected (48)" but then reject the signature algorithm in
pubkey_supports_sig() as incompatible because it has a different curve.
Since the algorithm gets rejected it is not necessary to inform about
its hash size difference in the audit log.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
This implements full public key validation required in
SP800-56A rev3, section 5.6.2.3.3.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This implements full public key validation required in SP800-56A rev3,
section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This is necessary for full public key validation in
SP800-56A (revision 3), section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of
the calculated shared secret is verified before the data is returned
to the caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
On a very recent openSUSE build, libgnutls is getting built without
libpthread. This caused a thread related error when trying to load a
pkcs11 module that uses threading. The reason is rather convoluted:
glibc actually controls all the pthread_ function calls, but it
returns success without doing anything unless -lpthread is in the link
list. What's happening is that gnutls_system_mutex_init() is being
called on _gnutls_pkcs11_mutex before library pthreading is
initialized, so the pthread_mutex_init ends up being a nop. Then, when
the pkcs11 module is loaded, pthreads get initialized and the call to
pthread_mutex_lock is real, but errors out on the uninitialized mutex.
The problem seems to be that nothing in the gnulib macros gnutls
relies on for threading support detection actually sets LTLIBPTHREAD,
they only set LIBPTHREAD. The fix is to use LIBPTHREAD in
lib/Makefile.in
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Fixes this compilation error:
system/fastopen.c:134:9: error: 'connectx' is only available on macOS 10.11 or newer [-Werror,-Wunguarded-availability]
ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);
^~~~~~~~
/Applications/Xcode9.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/socket.h:713:5: note: 'connectx' has been marked as being introduced in macOS 10.11 here, but the deployment target is macOS 10.7.0
The detection is the same as found in curl [1].
If HAVE_BUILTIN_AVAILABLE is not available we fall back to the code without
TCP_FASTOPEN_OSX.
The OS values match exactly the values found in
https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/sys/socket.h
[1] https://github.com/curl/curl/commit/870d849d48a26b8eeb0d4bb1f4655367a4a191ca
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
SP800-56A rev. 3 restricts the FIPS compliant clients to use only
approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
check in the handling of ServerKeyExchange if DHE is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This includes both a copy of the master key and one or two derived
keys, all of which could be used to decrypt session tickets if
stolen. The derived keys could only be used for tickets issued within
a certain time frame (by default several hours).
The documentation for gnutls_session_ticket_enable_server() already
states that the master key should be wiped before releasing it, and
the same should apply to internal copies.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Upon failure this function returns without freeing memory allocated
internally. This makes sure that it is released and does not touch the
output handle argument.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
When _gnutls_aead_cipher_init() fails, the function returns without
freeing the allocated handle. This was once fixed in commit
502be130493e8ce802cdf60fffdbb5f1885352a5 but regressed after a code
reorganization in commit 2eef509ce5f2d250f8dcaeffa46444dd2b694e91.
Reported by Miroslav Lichvar.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
The AEAD iov interface falls back to serializing the input buffers if
the low-level cipher doesn't support scatter/gather encryption.
However, there was a bug in the functions used for the serialization,
which causes memory leaks under a certain condition (i.e. the number
of input buffers is 1).
This patch makes the logic of the functions simpler, by removing a
micro-optimization that tries to minimize the number of calls to
malloc/free.
The original problem was reported by Marius Steffen in:
https://bugzilla.samba.org/show_bug.cgi?id=14399
and the cause was investigated by Alexander Haase in:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This should fix #1020 where bcrypt is missing from thirdparty_libadd.
Ultimately it would be good to add libraries that always need to be linked in
one variable that is shared between the Makefile and the pkg-config file.
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
This adds a valgrind client request for
session->key.session_ticket_key to make sure that it is not used
without initialization.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
There was a confusion in the TOTP implementation in stek.c. When the
mechanism is initialized for the first time, it records the timestamp
but doesn't initialize the key. This removes the timestamp recording
at the initialization phase, so the key is properly set later.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
_gnutls_pkcs11_verify_crt_status: check validity against system cert
See merge request gnutls/gnutls!1271
gnutls_x509_trust_list_verify_crt2 uses the macro SIGNER_OLD_OR_UNKNOWN
to trigger the fallback verification path if the signer of the last
certificate is not in the trust store. Previously, it didn't take
into account the condition where the certificate is expired.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.
However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store. That reveals a problem in a scenario where (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificates has
expired and is included in the input chain.
This patch makes it a little more robust by actually retrieving the
certificate from the trust store and performing the check against it.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
use bcrypt for the windows random generator instead of wincrypt
See merge request gnutls/gnutls!1255
CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.
Rewrite the CryptoAPI calls in bcrypt.
bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
lib: add support for AES-192-GCM
See merge request gnutls/gnutls!1267
Add support for AES-192 in GCM mode.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
lib: improve external file loading
See merge request gnutls/gnutls!1261
This makes it clear that "fd" is not a file descriptor but a FILE
pointer. Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes use of the RF_SENSITIVE flag newly added to the read_file
function when reading potentially sensitive information from a file.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes use of the "e" flag of fopen, provided by Gnulib's
fopen-gnu module.
Reported by Remi Denis-Courmont in:
https://gitlab.com/gnutls/gnutls/-/issues/985
and the fix suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file. This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file are adjusted for the FLAGS
  argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <ueno@gnu.org>