From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 30 Oct 2021 08:56:07 +0200 Subject: x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2 This function previously used gnutls_x509_trust_list_get_issuer without GNUTLS_TL_GET_COPY flag, which is required when the function is called from multi-threaded application and PKCS #11 trust store is in use. Reported and the change suggested by Remi Gacogne in: https://gitlab.com/gnutls/gnutls/-/issues/1277 Signed-off-by: Daiki Ueno --- lib/x509/verify-high.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index ab8e006ca7..5698d4f372 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, * gnutls_x509_trust_list_get_issuer: * @list: The list * @cert: is the certificate to find issuer for - * @issuer: Will hold the issuer if any. Should be treated as constant. + * @issuer: Will hold the issuer if any. Should be treated as constant + * unless %GNUTLS_TL_GET_COPY is set in @flags. * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable) * * This function will find the issuer of the given certificate. @@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (gnutls_x509_trust_list_get_issuer(list, cert_list[i - 1], &issuer, - 0) == 0) { + GNUTLS_TL_GET_COPY) == 0) { + gnutls_x509_crt_deinit(issuer); cert_list_size = i; break; } -- cgit v1.2.1 From 34ae4f9074d6359c4360445dbe01c345d3237421 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 18 Jan 2022 06:43:07 +0100 Subject: tests: privkey-keygen: fix memory leak Signed-off-by: Daiki Ueno --- tests/privkey-keygen.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index cac530fc43..2766afee08 100644 --- a/tests/privkey-keygen.c 
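Review bot: In the `gnutls_x509_trust_list_verify_crt2` hunk of lib/x509/verify-high.c, the issuer copy obtained with `GNUTLS_TL_GET_COPY` is released on the very next line, so the flag reads like wasted work and nothing in the code says why it is there. Per the commit message, the flag is what makes the lookup safe when a PKCS #11 trust store is used from several threads, so a later cleanup that reverts it to `0` would bring the race back unnoticed. I would put a comment above the call, for example `/* GNUTLS_TL_GET_COPY is needed for thread-safety with a PKCS #11 trust store; only the issuer's existence matters here, so the copy is freed at once. */`. The enclosing function starts and ends outside the hunk, so the declaration of `issuer` and the other exits from the loop could not be checked from here.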
+++ b/tests/privkey-keygen.c @@ -251,5 +251,6 @@ void doit(void) } } + gnutls_fips140_context_deinit(fips_context); gnutls_global_deinit(); } -- cgit v1.2.1 From 68c744abfd4aad720a7ae93b31674ee7a267bad1 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 17 Jan 2022 16:48:10 +0100 Subject: Release 3.7.3 Signed-off-by: Daiki Ueno --- NEWS | 64 +++++++++++++++++++++++++++++++++++++++--------- configure.ac | 2 +- devel/abi-dump | 2 +- devel/libgnutls.abignore | 56 ------------------------------------------ m4/hooks.m4 | 4 +-- 5 files changed, 57 insertions(+), 71 deletions(-) diff --git a/NEWS b/NEWS index ae494e1e40..673d1c7e94 100644 --- a/NEWS +++ b/NEWS 
@@ -5,29 +5,69 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2019 Nikos Mavrogiannopoulos See the end for copying conditions. -* Version 3.7.3 (unreleased) +* Version 3.7.3 (released 2022-01-17) ** libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172). -** certtool: Certtool can now generate, manipulate, and evaluate x25519 and - x448 public keys, private keys, and certificates. +** The build infrastructure no longer depends on GNU AutoGen for generating + command-line option handling, template file parsing in certtool, and + documentation generation (#773, #774). This change also removes run-time or + bundled dependency on the libopts library, and requires Python 3.6 or later + to regenerate the distribution tarball. -** libgnutls: disabling a hashing algorithm through "insecure-hash" - configuration directive now also disables TLS ciphersuites that use it - as a PRF algorithm. + Note that this brings in known backward incompatibility in command-line + tools, such as long options are now case sensitive, while previously they + were treated in a case insensitive manner: for example --RSA is no longer a + valid option of certtool. The existing scripts using GnuTLS tools may need + adjustment for this change. ** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and - used as a gnutls_privkey_t. The code was originally written for the - OpenConnect VPN project by David Woodhouse. To generate such blobs, - use the tpm2tss-genkey tool from tpm2-tss-engine: + used as a gnutls_privkey_t (#594). The code was originally written for the + OpenConnect VPN project by David Woodhouse. 
To generate such blobs, use the + tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations + or the tpm2_encodeobject tool from unreleased tpm2-tools. + +** libgnutls: The library now transparently enables Linux KTLS + (kernel TLS) when the feature is compiled in with --enable-ktls configuration + option (#1113). If the KTLS initialization fails it automatically falls back + to the user space implementation. + +** certtool: The certtool command can now read the Certificate Transparency + (RFC 6962) SCT extension (#232). New API functions are also provided to + access and manipulate the extension values. + +** certtool: The certtool command can now generate, manipulate, and evaluate + x25519 and x448 public keys, private keys, and certificates. + +** libgnutls: Disabling a hashing algorithm through "insecure-hash" + configuration directive now also disables TLS ciphersuites that use it as a + PRF algorithm. + +** libgnutls: PKCS#12 files are now created with modern algorithms by default + (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and + HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with + PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the + default PBKDF2 iteration count has been increased to 600000. ** libgnutls: PKCS#12 keys derived using GOST algorithm now uses - HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for - integrity, to conform with the latest TC-26 requirements + HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to + conform with the latest TC-26 requirements (#1225). + +** libgnutls: The library now provides a means to report the status of approved + cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this + complements the existing mechanism to prohibit the use of unapproved + algorithms by making the library unusable state. 
+ +** gnutls-cli: The gnutls-cli command now provides a --list-config option to + print the library configuration (!1508). + +** libgnutls: Fixed possible race condition in + gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared + among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low] ** API and ABI modifications: GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t @@ -43,6 +83,8 @@ gnutls_fips140_push_context: New function gnutls_fips140_pop_context: New function gnutls_fips140_get_operation_state: New function gnutls_fips140_operation_state_t: New enum +gnutls_transport_is_ktls_enabled: New function +gnutls_get_library_configuration: New function * Version 3.7.2 (released 2021-05-29) diff --git a/configure.ac b/configure.ac index 895f845872..eed499ca94 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.64) dnl when updating version also update LT_REVISION in m4/hooks.m4 -AC_INIT([GnuTLS], [3.7.2], [bugs@gnutls.org]) +AC_INIT([GnuTLS], [3.7.3], [bugs@gnutls.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4]) AC_CANONICAL_HOST diff --git a/devel/abi-dump b/devel/abi-dump index e1d454e4f7..c0cd665948 160000 --- a/devel/abi-dump +++ b/devel/abi-dump @@ -1 +1 @@ -Subproject commit e1d454e4f76653ae786f882526fed74c094c9cf9 +Subproject commit c0cd665948fb958951280a6d40cd1072a430dfcb diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore index 8c7e7f2abe..c19dce38e1 100644 --- a/devel/libgnutls.abignore +++ b/devel/libgnutls.abignore 
@@ -70,59 +70,3 @@ name = drbg_aes_reseed # The following should be removed in the new release, after updating the # abi-dump repository: -[suppress_function] -name = gnutls_digest_set_secure - -[suppress_function] -name = gnutls_ecc_curve_set_enabled - -[suppress_function] -name = gnutls_protocol_set_enabled - -[suppress_function] -name = gnutls_sign_set_secure - -[suppress_function] -name = gnutls_sign_set_secure_for_certs - -[suppress_function] -name = gnutls_x509_ext_ct_scts_init - -[suppress_function] -name = gnutls_x509_ext_ct_scts_deinit - -[suppress_function] -name = gnutls_x509_ext_ct_import_scts - -[suppress_function] -name = gnutls_x509_ext_ct_export_scts - -[suppress_function] -name = gnutls_x509_ct_sct_get_version - -[suppress_function] -name = gnutls_x509_ct_sct_get - -[suppress_function] -name = gnutls_transport_is_ktls_enabled - -[suppress_function] -name = gnutls_fips140_context_init - -[suppress_function] -name = gnutls_fips140_context_deinit - -[suppress_function] -name = gnutls_fips140_push_context - -[suppress_function] -name = gnutls_fips140_pop_context - -[suppress_function] -name = gnutls_fips140_get_operation_state - -[suppress_type] -name = gnutls_fips140_operation_state_t - -[suppress_function] -name = gnutls_get_library_config diff --git a/m4/hooks.m4 b/m4/hooks.m4 index f0efe52cf6..d2e9a653de 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 @@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS], # in CONTRIBUTION.md for more info. # # Interfaces removed: AGE=0 (+bump all symbol versions in .map) - AC_SUBST(LT_CURRENT, 60) + AC_SUBST(LT_CURRENT, 61) AC_SUBST(LT_REVISION, 0) - AC_SUBST(LT_AGE, 30) + AC_SUBST(LT_AGE, 31) AC_SUBST(LT_SSL_CURRENT, 27) AC_SUBST(LT_SSL_REVISION, 2) -- cgit v1.2.1