The documentation for gnutls_privkey_export_* states that the caller
must use gnutls_*_deinit on key, without mentioning whether this
requirement is still present when the function fails. But the
implementation has a code path where key is left uninitialized.
Similar to the recent fix for *_init, guarantee that *key is set to a
sane value on all exit paths.
Signed-off-by: Eric Blake <eblake@redhat.com>
After looking at gnutls_init(), I went and audited all other
*_init(gnutls_*_t) functions, to see if Bug #1414 applies in more
situations. We had an inconsistent mix: some functions that went out
of their way to leave the parameter uninitialized on failure (such as
gnutls_x509_crt_init()); many that always left the parameter
initialized on failure (such as gnutls_x509_ext_ct_scts_init()), often
by relying on the gnutls_free() macro that assigns the pointer to NULL
after using the gnutls_free_function() callback pointer (such as
gnutls_pkcs11_obj_init()); but a few others that left stale pointers
on certain failures (such as gnutls_priority_init2()) or even which
used the wrong deallocation function (such as
gnutls_pkcs11_privkey_init()).
As with gnutls_init(), portable programs should either pre-initialize
memory to zero before calling _init() if they plan to unconditionally
call _deinit() (safe for all but gnutls_pkcs11_privkey_init()), or
they should avoid calling _deinit() if _init() failed. But since we
can't force all existing clients to change, it is safest if we
unconditionally and consistently initialize the client's memory before
ALL failure paths.
Rather than try to adjust documentation of each *_init() function
(including those not needing a change), I instead generalized
documentation into the manual.
Signed-off-by: Eric Blake <eblake@redhat.com>
We provide gnutls_session_t as an opaque type, therefore, unless we
document otherwise, client code should not assume that there is a safe
initialization value to assign to such storage, leaving the only way
to properly initialize the type as a call to gnutls_init(). Likewise,
the documentation was clear that gnutls_deinit(session) must be used
after success, but ambiguous as to whether that was necessary after
failure.
Our implementation has always been such that the opaque types are
pointers under the hood, where gnutls_deinit(NULL) is a no-op, and
that (for gnutls_init at least) it is safe to omit a call to
gnutls_deinit(session) on failure. But without documentation, clients
cannot rely on either of those facts; and our code base was
inconsistent on whether all other *_init/*_deinit function pairs
behave in the same manner (see the next commit).
A search of existing code in the wild shows that some clients
pre-initialize the memory to 0 (which happens to be safe although
currently undocumented), often by passing in a pointer to a
gnutls_session_t residing in a larger struct that was reserved with
calloc(), cleared with memset(), or similar; but this is not
universal, and there are other clients in the wild that pass in
uninitialized memory. It's too late to change the documentation to
mandate that users should pre-initialize their memory to 0 prior to
gnutls_init(), although it doesn't hurt to recommend it for
portability when building for older versions of gnutls.
In most cases, using gnutls_deinit(session) after failure was a no-op
- most of our error exit paths use the gnutls_free() macro which has
the side effect of forcing the caller's pointer to NULL on failure
(since gnutls is built with GNUTLS_INTERNAL_BUILD defined). We also
happen to be lucky for a user that pre-initializes their memory to 0
before calling gnutls_init() - any error exit path where we did not
touch the user's pointer leaves the client with gnutls_deinit(session)
being a no-op. But if the client passes in an uninitialized pointer,
and FAIL_IF_LIB_ERROR triggers, then we fail the function while
leaving the pointer uninitialized, at which point the caller using
gnutls_deinit(session) attempts to free uninitialized memory, which
has potential security implications - yet we did not warn the client
to avoid gnutls_deinit() in that scenario.
The most robust fix is thus along two fronts: improving the
documentation to inform the user what they can expect, but also
tweaking our code to avoid undefined behavior with existing client
code bases by guaranteeing that whether or not the client
pre-initializes memory to 0 and/or calls gnutls_deinit() on failure,
they can't mess up.
Fixes: bug #1414.
Signed-off-by: Eric Blake <eblake@redhat.com>
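Illustration added here, not code from the GnuTLS tree or from the commits above: a constructed opaque-handle `*_init`/`*_deinit` pair that reproduces the failure mode described in the gnutls_init, `*_init` audit and gnutls_privkey_export_* messages. `handle_init_before` has an early-return path that never assigns `*out`, so a caller who passed stale storage and unconditionally calls deinit operates on garbage; `handle_init_after` assigns `*out = NULL` on entry so every exit path leaves either a valid handle or NULL, and `handle_deinit(NULL)` is a no-op. The type, flag names and `free_and_null` macro are all constructed stand-ins (the macro mirrors the gnutls_free() behaviour the commit describes).

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an opaque library handle; not GnuTLS's own type. */
typedef struct handle_st *handle_t;
struct handle_st {
    unsigned flags;
    unsigned char *buf;
};

enum { OK = 0, E_INVALID_FLAGS = -1, E_MEMORY = -2 };
#define FLAG_FAIL_EARLY 0x1u  /* constructed: force the early-return path */
#define FLAG_FAIL_LATE  0x2u  /* constructed: force a failure after allocation */

/* Mirrors the gnutls_free() macro behaviour described in the commit:
 * free, then force the caller's pointer to NULL. */
#define free_and_null(p) do { free(p); (p) = NULL; } while (0)

void handle_deinit(handle_t h)
{
    if (h == NULL)          /* deinit(NULL) is a no-op */
        return;
    free(h->buf);
    free(h);
}

/* "Before": the early-return path never touches *out, so a caller who passed
 * uninitialized storage and then calls handle_deinit(*out) frees garbage. */
int handle_init_before(handle_t *out, unsigned flags)
{
    if (flags & FLAG_FAIL_EARLY)
        return E_INVALID_FLAGS;          /* *out is left as the caller had it */
    *out = calloc(1, sizeof(**out));
    if (*out == NULL)
        return E_MEMORY;
    (*out)->flags = flags;
    (*out)->buf = (flags & FLAG_FAIL_LATE) ? NULL : calloc(64, 1);
    if ((*out)->buf == NULL) {
        free_and_null(*out);             /* this later path happens to be safe */
        return E_MEMORY;
    }
    return OK;
}

/* "After": *out is assigned before any check can fail, so on every exit
 * path the caller holds either a valid handle or NULL. */
int handle_init_after(handle_t *out, unsigned flags)
{
    *out = NULL;
    if (flags & FLAG_FAIL_EARLY)
        return E_INVALID_FLAGS;
    *out = calloc(1, sizeof(**out));
    if (*out == NULL)
        return E_MEMORY;
    (*out)->flags = flags;
    (*out)->buf = (flags & FLAG_FAIL_LATE) ? NULL : calloc(64, 1);
    if ((*out)->buf == NULL) {
        free_and_null(*out);
        return E_MEMORY;
    }
    return OK;
}

/* Caller whose handle storage holds stale, non-NULL garbage. Returns 1 if a
 * failed init left that garbage in place (a following deinit would act on
 * it), 0 if init set the handle to NULL. */
int leaves_stale_pointer_on_early_failure(int (*init)(handle_t *, unsigned))
{
    static struct handle_st stale;       /* constructed stand-in for uninitialized memory */
    handle_t h = &stale;
    int rc = init(&h, FLAG_FAIL_EARLY);
    return rc != OK && h != NULL;
}

/* Late failure: both variants clean up and NULL the handle, so deinit is safe. */
int late_failure_leaves_null(int (*init)(handle_t *, unsigned))
{
    static struct handle_st stale;
    handle_t h = &stale;
    int rc = init(&h, FLAG_FAIL_LATE);
    handle_deinit(h);                    /* safe only because h is NULL here */
    return rc == E_MEMORY && h == NULL;
}

/* Success path: a usable handle comes back and deinit releases it. */
int success_path_ok(int (*init)(handle_t *, unsigned))
{
    handle_t h = NULL;
    int rc = init(&h, 0);
    int ok = (rc == OK && h != NULL && h->buf != NULL);
    handle_deinit(h);
    return ok;
}

int main(void)
{
    printf("before: stale pointer after early failure = %d\n",
           leaves_stale_pointer_on_early_failure(handle_init_before));
    printf("after:  stale pointer after early failure = %d\n",
           leaves_stale_pointer_on_early_failure(handle_init_after));
    return 0;
}
```

The stale sentinel is a static object rather than a random pointer value so the demonstration itself stays well-defined; in a real caller the equivalent storage is whatever happened to be on the stack, which is exactly why the commit forces the pointer on all exit paths instead of relying on callers to pre-zero it.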
An upcoming patch will touch gnutls_pkcs11_privkey_init(), which is
sufficient to make the cppcheck portion of CI choke on a false
positive in the unrelated gnutls_pkcs11_privkey_import_url() because
the file becomes interesting again. cppcheck is not smart enough to
realize that an out-of-scope memory reference stored in a[1] is not
going to be utilized by the later pkcs11_get_attribute_value(..., a,
1) outside the if block; but the solution is as simple as expanding
the scope of tval.
Signed-off-by: Eric Blake <eblake@redhat.com>
Some tools, for example win-acme, create encrypted private keys in OpenSSL's
traditional format containing lowercase hex digits in the IV part of the
DEK-Info PEM header. These key files are accepted by OpenSSL. Prior to this
patch, GnuTLS did reject these keys with GNUTLS_E_INVALID_REQUEST.
Signed-off-by: Tim Kosse <tim.kosse@filezilla-project.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
Fix removal of duplicate certs during verification
Closes #1335
See merge request gnutls/gnutls!1653
Co-authored-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Fix handshake segfault if no privkey is supplied
Closes #1412
See merge request gnutls/gnutls!1657
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Ignore unknown algorithms received in compress_certificate extension
Closes #1416
See merge request gnutls/gnutls!1660
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
cipher: add restriction on CCM tag length under FIPS mode
See merge request gnutls/gnutls!1658
This change prohibits any use of tag length other than 4, 6, 8, 10,
12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with
SP800-38C A.1. While use of tag lengths smaller than 8 bytes is not
recommended, we simply allow 4 and 6 bytes tags for now.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Marzo <marzo.pedro@gmail.com>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Add NO_STATUS_REQUEST priority string modifier
Closes #1378
See merge request gnutls/gnutls!1650
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
As ACVP only allows HMAC used with PBKDF2[1], this change marks other
hash algorithms not-approved.
1. https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
fips: fix checking on hash algorithm used in ECDSA
See merge request gnutls/gnutls!1644
This makes the FIPS service indicator transition to not-approved when
gnutls_privkey_sign_hash* is used. In FIPS, the single-shot
API (gnutls_privkey_sign_data*) is preferred over the composite API.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Previously we checked against the "preferred" hash algorithm based on
the curve, instead of the one actually used.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
If an error occurs during setting of keys, either initial or key update,
then fall back to the default mode of operation (disable ktls) and let the
user know.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Use callback for sending alerts.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
handle received GNUTLS_HANDSHAKE_KEY_UPDATE; set keys accordingly
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Set handshake send function after interface initialization
TODO: handle setting function differently
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
set new keys during gnutls_session_key_update()
setting keys
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
It is now possible to set a key on a specific interface.
If the interface given is not ktls enabled then it will be ignored.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Reduce sensitive language
See merge request gnutls/gnutls!1640
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s
Closes #1370
See merge request gnutls/gnutls!1642
If the LD doesn't have support for version scripts,
_gnutls_x86_cpuid_s is exported through libtool's
--export-symbols-regex and that causes a link error with clang:
libtool: link: nmedit -s .libs/libgnutls-symbols.expsym .libs/libgnutls.30.dylib
/Library/Developer/CommandLineTools/usr/bin/nmedit: error: symbols names listed in: .libs/libgnutls-symbols.expsym not in: /opt/local/var/macports/build/_Users_marius_Development_MacPorts_ports_devel_gnutls/gnutls-devel/work/gnutls-3.7.5/lib/.libs/libgnutls.30.dylib
__gnutls_x86_cpuid_s
make[4]: *** [libgnutls.la] Error 1
This patch renames _gnutls_x86_cpuid_s to GNUTLS_x86_cpuid_s to avoid
the issue.
Problem investigated and fix suggested by Clemens Lang in:
https://gitlab.com/gnutls/gnutls/-/issues/1370#note_967832583
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Previously the compress_certificate extension was sent by the server
as part of ServerHello, which violates RFC 8879. This patch instead
sends it as an extension of CertificateRequest.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
cipher: Ensure correct alignment
See merge request gnutls/gnutls!1633
Unsigned math is required to calculate the current alignment.
Signed-off-by: Doug Nazar <nazard@nazar.ca>
According to RFC9622 4.2, the "tls-exporter" channel binding is only
usable when the handshake is bound to a unique master secret. This
adds a check whether either TLS 1.3 or extended master secret
extension is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
accelerated: clear AVX bits if it cannot be queried through XSAVE
Closes #1282
See merge request gnutls/gnutls!1631
The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
Architectures Software Developer’s Manual".
GnuTLS previously only followed that algorithm when registering the
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
that the extension bits are propagated to _gnutls_x86_cpuid_s.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Closes #1398
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
restrict allowlisting api to before priority string initialization
See merge request gnutls/gnutls!1533
(in a separate commit so that it's easier to compare)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
fips: mark RSA SigVer operation approved for known modulus sizes
See merge request gnutls/gnutls!1630
SP800-131A rev2 suggests certain RSA modulus sizes under 2048
bits (1024, 1280, 1536, and 1792) may continue to be used for
signature verification but not for signature generation. This loosens
the current service indicator report to approve them.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Previously we checked RSA modulus size clamped to byte unit instead of
bits. This makes the check stricter by explicitly calculating the
modulus size in bits.
Signed-off-by: Daiki Ueno <ueno@gnu.org>