path: root/lib/nettle
Commit message | Author | Age | Files | Lines
* nettle: use the nettle_get_secp API when available [tmp-new-nettle-abi] | Nikos Mavrogiannopoulos | 2018-02-07 | 1 | -5/+15
  Resolves #380
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd-fuzzer: use ifdef instead of conditional compilation | Nikos Mavrogiannopoulos | 2017-08-19 | 2 | -5/+3
  This allows compiling in fuzzing mode even when --enable-fuzzer-target is not specified on configure, but the definition is present.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* sign APIs: introduce RSA-RAW signing algorithm | Nikos Mavrogiannopoulos | 2017-08-17 | 1 | -1/+7
  This ensures that there is a signing algorithm for all the operations we support. Previously, we required GNUTLS_SIGN_UNKNOWN to be acceptable by signing functions to accommodate for raw RSA operations. Now we make that explicit and in the process clean up the API.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzzer: Suppress unsigned integer overflow in rnd-fuzzer.c | Tim Rühsen | 2017-08-16 | 1 | -0/+6
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* fuzzer: added a fuzzer target | Nikos Mavrogiannopoulos | 2017-08-16 | 2 | -0/+146
  This allows compiling the library with flags which will add predictable random generation and eliminate some crypto checks, in order for the library to be used for testing (fuzzing).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd: use time_t for prng_reseed_time | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -1/+1
  This ensures that all time comparisons are done under the same type.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_params_st: separate flags/qbits and curve | Nikos Mavrogiannopoulos | 2017-08-08 | 1 | -25/+25
  Previously we were using the field flags to store the size of q in case of GNUTLS_PK_DH, some key generation flags in case of GNUTLS_PK_RSA, and the curve in case of elliptic curve key. Separate this into multiple fields to reduce confusion on the field.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* wrap_nettle_pk_fixup: added sanity check in RSA-PSS param checking | Nikos Mavrogiannopoulos | 2017-08-06 | 1 | -1/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* introduced error code GNUTLS_E_PK_INVALID_PUBKEY_PARAMS | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+2
  This is being used to indicate errors in the public key parameters such as the RSA-PSS salt size or digest algorithm.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _rsa_pss_verify_digest: verify the validity of the salt_size length on verification | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* wrap_nettle_pk_fixup: check RSA PSS parameters for validity on import | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+14
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pct_test: use local SPKI structure to override parameters if not set | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -3/+9
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _wrap_nettle_pk_encrypt: return GNUTLS_E_INVALID_REQUEST on unsupported algorithms | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+2
  That is a more specific error code than internal error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in _dsa_q_to_hash | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -5/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_params_st: renamed sign field to spki | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -3/+3
  The name "sign" was ambiguous with regard to its intended use, as it could refer to digital signature parameters, which was not exactly the case. That field contains parameters present in the subject public key info (SPKI), which could be used in a digital signature, but not necessarily.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Clarified the purpose of the spki params related functions | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -3/+3
  _gnutls_privkey_get_sign_params was renamed to _gnutls_privkey_get_spki_params, _gnutls_privkey_update_sign_params to _gnutls_privkey_update_spki_params, and the dig entry of gnutls_x509_spki_st was renamed to rsa_pss_dig.

  The reason is that there could be a confusion on the purpose of the 'dig' entry, as it could be assumed to be the signature's hash algorithm in the general case. That could not be because the SPKI parameters do not contain it for any other algorithm than RSA-PSS. As such, make a logical separation from SPKI reading functions with the signature reading functions and try to use the gnutls_sign_entry_st when signature information is required.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Ensure that public key parameters are initialized on import | Nikos Mavrogiannopoulos | 2017-07-21 | 1 | -0/+3
  Previously we depended on initialization during the _init() call, however, there can be cases where this re-initialization is needed (e.g., on multiple tries to load a key).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle: wrap_nettle_pk_verify_priv_params: verify whether public key matches private | Nikos Mavrogiannopoulos | 2017-07-17 | 1 | -1/+15
  This enables gnutls_privkey_verify_params() for Ed25519 keys.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Renamed GNUTLS_PK_ECDHX to GNUTLS_PK_ECDH_X25519 | Nikos Mavrogiannopoulos | 2017-07-17 | 1 | -3/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added support for EdDSA (Ed25519) curve keys | Nikos Mavrogiannopoulos | 2017-07-17 | 1 | -12/+145
  This adds support for draft-ietf-curdle-pkix-04.
  Resolves #25
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed support for openpgp certificates and keys | Nikos Mavrogiannopoulos | 2017-06-16 | 1 | -35/+2
  Resolves #178
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle: ported fix for assertion failure in pss_verify_mgf1 | Daiki Ueno | 2017-06-16 | 1 | -4/+8
  Backport the upstream fix from: https://git.lysator.liu.se/nettle/nettle/commit/b1252fedf6ee1dbb8468d1d3f177711a16e83e52
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* nettle: use older GMP macros for mpz_mod_2exp and mpz_div_2exp | Nikos Mavrogiannopoulos | 2017-06-08 | 2 | -3/+3
  These ensure that compilation will succeed even when building with gmp-mini.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/cipher: document that ctx_ptr is 16-byte aligned, and use void* to avoid compiler assumptions | Nikos Mavrogiannopoulos | 2017-06-08 | 1 | -4/+6
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* prf: implement the TLS 1.0 and 1.2 PRFs using nettle | Nikos Mavrogiannopoulos | 2017-06-01 | 4 | -2/+322
  That simplifies the existing PRF code and moves it in the crypto-backend component.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: implement RSA-PSS signature scheme | Daiki Ueno | 2017-05-29 | 1 | -4/+215
  This patch enables RSA-PSS signature scheme in the X.509 functions and certtool.

  When creating RSA-PSS signature, there are 3 different scenarios:
  a. both a private key and a certificate are RSA-PSS
  b. the private key is RSA, while the certificate is RSA-PSS
  c. both the private key and the certificate are RSA

  For (a) and (b), the RSA-PSS parameters are read from the certificate. Any conflicts in parameters between the private key and the certificate are reported as an error.

  For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS signature. This can be done with the new flag GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.

  Verification is similar to signing, except for the case (c), use the flag GNUTLS_VERIFY_USE_RSA_PSS instead of GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.

  From the command line, certtool has a couple of new options: --rsa-pss and --rsa-pss-sign. The --rsa-pss option indicates that the generated private key or certificate is restricted to RSA-PSS, while the --rsa-pss-sign option indicates that the generated certificate is signed with RSA-PSS.

  For simplicity, there is no means of choosing arbitrary salt length. When it is not given by a private key or a certificate, it is automatically calculated from the underlying hash algorithm and the RSA modulus bits.

  [minor naming changes by nmav]
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* build: import files from Nettle for RSA-PSS | Daiki Ueno | 2017-05-29 | 11 | -0/+782
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* sysrng-linux: improved detection of getrandom() [tmp-remove-arcfour-from-benchmarks] | Nikos Mavrogiannopoulos | 2017-05-20 | 1 | -2/+2
  The getrandom() call is defined in sys/random.h.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Added explicit check for the bounds of the generated 'd'. | Nikos Mavrogiannopoulos | 2017-04-25 | 1 | -0/+6
  This is according to FIPS186-4 sec. B.3.1.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fips140-2: enhanced check of generated parameters | Nikos Mavrogiannopoulos | 2017-04-25 | 1 | -4/+12
  That is, replaced all assert() calls with if statements to allow graceful fail.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* dsa-fips.h: include nettle/bignum.h to allow compilation under nettle-mini | Nikos Mavrogiannopoulos | 2017-04-25 | 1 | -1/+1
  Relates #197
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* mpi: openpgp integer scanning was put into conditional | Nikos Mavrogiannopoulos | 2017-04-05 | 1 | -1/+8
  That is, no longer include that code when compiling without openpgp support.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Revert "nettle/rnd: use gettime() instead of gnutls_time()" | Nikos Mavrogiannopoulos | 2017-03-21 | 1 | -4/+4
  This reverts commit c4842a21f65c7fc9a27932eb1792b1fc9e65f722. The time() syscall is also implemented as syscall() and is in fact performing better than gettime().
* nettle/rnd: use gettime() instead of gnutls_time() | Nikos Mavrogiannopoulos | 2017-03-20 | 1 | -4/+4
  The gnulib gettime() maps to gettimeofday() or clock_gettime(), which are both implemented as fast system calls (see vdso(7)) and as such are available without a switch to kernel mode.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/rnd: re-seed both key and nonce levels based on time | Nikos Mavrogiannopoulos | 2017-03-20 | 1 | -12/+15
  The time(0) is quite cheap on modern operating systems, and thus we can rely on it to provide improved assurance in the output randomness.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/pk: use nonce level for RSA padding | Nikos Mavrogiannopoulos | 2017-03-20 | 1 | -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/rnd: introduced time limit for key generator | Nikos Mavrogiannopoulos | 2017-03-16 | 1 | -9/+34
  That is, force re-key of the KEY and RANDOM PRNG after 2 hours of operation, irrespective of the amount of data having been output. At the same time, increase limits for key and nonce generators, to prevent a large amount of system calls in busy servers.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_pk_generate_keys: separate between ephemeral and long-term keys | Nikos Mavrogiannopoulos | 2017-03-16 | 1 | -10/+21
  That allows using the faster generator for ephemeral keys.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/pk: use the nonce level for digital signatures | Nikos Mavrogiannopoulos | 2017-03-16 | 1 | -3/+3
  That is, we do not really require high quality secret data for the generation of signatures. A better approach would be to switch to predictable signatures (RFC6979).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* sysrng-linux: define _rnd_get_system_entropy unconditionally | Nikos Mavrogiannopoulos | 2017-03-09 | 1 | -1/+2
  This fixes compilation in systems without getrandom().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/rnd-fips: combined the FIPS-compliant generators to two | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -15/+5
  This brings the FIPS generators on par with the non-FIPS chacha-based ones.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/rnd: use two random generators instead of 3 | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -19/+26
  That combines the levels GNUTLS_RND_RANDOM and GNUTLS_RND_KEY, while at the same time makes sure that backtracking is impossible on the GNUTLS_RND_KEY level, by reinitializing the RNG after a call requesting data for the GNUTLS_RND_KEY level.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/pk: corrected call to gnutls_rnd() for rnd_nonce_func | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/rnd: specify different limits for rekey in PRNGs | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -6/+14
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* nettle/pk: use the GNUTLS_RND_RANDOM level for DH/DSA params | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -2/+2
  These are not long term keys and do not require the key level.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* rnd: reduce calls to _rnd_get_system_entropy | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -7/+7
  That is, no longer obtain the initial nonces for the RNG via _rnd_get_system_entropy() but instead use time-based ones which are typically faster kernel calls. This reduces the number of expensive system calls done during thread and process initialization.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd: when reseeding the generators use the next best generator | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -23/+24
  That is, use the RANDOM level to obtain keys to reseed the NONCE level, and the KEY level to reseed the RANDOM. The KEY level is reseeded using the system random generator.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pk: always use _gnutls_switch_lib_state | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -21/+31
  This avoids relying on abort() for RNG errors in PK wrappers. We use instead the library state originally added for FIPS140-2 support, and if the state indicates failure the operation will fail.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd: switched to 3 chacha-based PRNGs for all security levels | Nikos Mavrogiannopoulos | 2017-03-06 | 7 | -282/+67
  Chacha was selected because it is already present in TLS protocol as algorithm, meaning that re-using would improve CPU caching, and it is a comparable in performance algorithm to the existing PRNG used for nonces (salsa20).

  The yarrow generator was removed because we are primarily seeding from system devices which are sufficiently trustworthy to offload us from coping with the handling of multiple sources of input. As such it allows us to switch to a simpler PRNG such as a stream cipher like Chacha.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd: aligned type of data counter with input data type (size_t) | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>