openSUSE Commits

Download

commit@lists.opensuse.org

December 2020

1 participants
2154 discussions

commit gnutls.15170 for openSUSE:Leap:15.2:Update
by User for buildservice source handling 01 Dec '20

01 Dec '20

Hello community, here is the log from the commit of package gnutls.15170 for openSUSE:Leap:15.2:Update checked in at 2020-12-01 06:25:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/gnutls.15170 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.gnutls.15170.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnutls.15170" Tue Dec 1 06:25:41 2020 rev:1 rq:851414 version:3.6.7 Changes: -------- New Changes file: --- /dev/null 2020-11-18 17:46:03.679371574 +0100 +++ /work/SRC/openSUSE:Leap:15.2:Update/.gnutls.15170.new.5913/gnutls.changes 2020-12-01 06:25:43.793683645 +0100 @@ -0,0 +1,3744 @@ +------------------------------------------------------------------- +Fri Nov 20 10:26:04 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Avoid spurious audit messages about incompatible signature algorithms + (bsc#1172695) + * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch + +------------------------------------------------------------------- +Fri Sep 18 13:11:08 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) + * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch + +------------------------------------------------------------------- +Thu Sep 17 11:55:10 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- FIPS: Add TLS KDF selftest (bsc#1176671) + * add gnutls-FIPS-TLS_KDF_selftest.patch + +------------------------------------------------------------------- +Mon Sep 14 14:09:00 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Fix heap buffer overflow in handshake with no_renegotiation alert sent + * CVE-2020-24659 (bsc#1176181) +- add gnutls-CVE-2020-24659.patch + +------------------------------------------------------------------- +Mon Sep 14 13:48:23 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) +- add patches + * 0001-Add-Full-Public-Key-Check-for-DH.patch + * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch + * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch + * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch + * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch + * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch + * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch + * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch + * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch + * 0001-dh-check-validity-of-Z-before-export.patch + * 0002-ecdh-check-validity-of-P-before-export.patch + * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch + * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch + * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch +- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch + +------------------------------------------------------------------- +Thu Jun 4 12:11:08 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) + The TLS server would not bind the session ticket encryption key with a + value supplied by the application until the initial key rotation, allowing + attacker to bypass authentication in TLS 1.3 and recover previous + conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) + * add patches: + + gnutls-CVE-2020-13777.patch +- Fixed handling of certificate chain with cross-signed intermediate + CA certificates (#1008). (bsc#1172461) + * add patches: + + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch + + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch + + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch + + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch + +------------------------------------------------------------------- +Mon May 11 06:38:58 UTC 2020 - Alexander Bergmann <abergmann(a)suse.com> + +- Add RSA 4096 key generation support in FIPS mode (bsc#1171422) + * add gnutls-3.6.7-fips-rsa-4096.patch + +------------------------------------------------------------------- +Tue Apr 21 13:52:11 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Don't check for /etc/system-fips which we don't have (bsc#1169992) + * add gnutls-fips_mode_enabled.patch + +------------------------------------------------------------------- +Tue Apr 7 09:02:49 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Backport AES XTS support (bsc#1168835) + * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch + * add gnutls-fips_XTS_key_check.patch + +------------------------------------------------------------------- +Thu Apr 2 08:38:40 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Fix zero random value in DTLS client hello + (CVE-2020-11501, bsc#1168345) + * add gnutls-CVE-2020-11501.patch + +------------------------------------------------------------------- +Mon Mar 30 12:43:33 UTC 2020 - Vítězslav Čížek <vcizek(a)suse.com> + +- Split off FIPS checksums into a separate libgnutls30-hmac + subpackage (bsc#1152692) + * update baselibs.conf + +------------------------------------------------------------------- +Mon Mar 23 22:36:59 UTC 2020 - Jason Sikes <jsikes(a)suse.com> + +- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue + * No longer truncate output IV if input is shorter than block size. + * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch + +------------------------------------------------------------------- +Mon Mar 23 14:30:07 UTC 2020 - Jason Sikes <jsikes(a)suse.com> + +- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test + * Added Diffie Hellman public key verification test. + * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch + +------------------------------------------------------------------- +Tue Sep 24 13:16:02 UTC 2019 - Vítězslav Čížek <vcizek(a)suse.com> + +- Install checksums for binary integrity verification which are + required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) + +------------------------------------------------------------------- +Thu May 16 12:34:30 UTC 2019 - Vítězslav Čížek <vcizek(a)suse.com> + +- Explicitly require libnettle 3.4.1 (bsc#1134856) + * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order + to fix CVE-2018-16868, the new implementation makes use of a new + rsa_sec_decrypt() function introduced in libnettle 3.4.1 + * libnettle was recently updated to the 3.4.1 version but we need + to add explicit dependency on it to prevent missing symbol errors + with the older versions + +------------------------------------------------------------------- +Tue Apr 16 23:47:37 UTC 2019 - Jason Sikes <jsikes(a)suse.de> + +- Restored autoreconf in build. +- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch + since the version requirements of required libraries are once again + automatically determined. +- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a + better patch name for handling the '--with-guile-site-dir=' problem in + 3.6.7. + +------------------------------------------------------------------- +Tue Apr 2 03:21:28 UTC 2019 - Jason Sikes <jsikes(a)suse.de> + +- Update gnutls to 3.6.7 + ** libgnutls, gnutls tools: Every gnutls_free() will automatically set + the free'd pointer to NULL. This prevents possible use-after-free and + double free issues. Use-after-free will be turned into NULL dereference. + The counter-measure does not extend to applications using gnutls_free(). + + ** libgnutls: Fixed a memory corruption (double free) vulnerability in the + certificate verification API. Reported by Tavis Ormandy; addressed with + the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) + + ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; + Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) + + ** libgnutls: enforce key usage limitations on certificates more actively. + Previously we would enforce it for TLS1.2 protocol, now we enforce it + even when TLS1.3 is negotiated, or on client certificates as well. When + an inappropriate for TLS1.3 certificate is seen on the credentials structure + GnuTLS will disable TLS1.3 support for that session (#690). + + ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to + two. This makes it easier for clients which perform multiple connections + to the server to use the tickets sent by a default server. + + ** libgnutls: enforce the equality of the two signature parameters fields in + a certificate. We were already enforcing the signature algorithm, but there + was a bug in parameter checking code. + + ** libgnutls: fixed issue preventing sending and receiving from different + threads when false start was enabled (#713). + + ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable + session, as non-writeable security officer sessions are undefined in PKCS#11 + (#721). + + ** libgnutls: no longer send downgrade sentinel in TLS 1.3. + Previously the sentinel value was embedded to early in version + negotiation and was sent even on TLS 1.3. It is now sent only when + TLS 1.2 or earlier is negotiated (#689). + + ** gnutls-cli: Added option --logfile to redirect informational messages output. + +- Disabled dane support since dane is not shipped with SLE-15 + +- Changed configure script to hardware guile site directory since command-line + option '--with-guile-site-dir=' was removed from the configure script in 3.6.7. + + ** Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch + +- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix + compilation issues on PPC + +- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification + and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868) + ++++ 3547 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.gnutls.15170.new.5913/gnutls.changes New: ---- 0001-Add-Full-Public-Key-Check-for-DH.patch 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch 0001-Vendor-in-XTS-functionality-from-Nettle.patch 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch 0001-dh-check-validity-of-Z-before-export.patch 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch 0002-ecdh-check-validity-of-P-before-export.patch 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch 0003-x509-trigger-fallback-verification-path-when-cert-is.patch 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch 0004-tests-add-test-case-for-certificate-chain-supersedin.patch 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch baselibs.conf disable-psk-file-test.patch gnutls-3.5.11-skip-trust-store-tests.patch gnutls-3.6.0-disable-flaky-dtls_resume-test.patch gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch gnutls-3.6.7-fips-rsa-4096.patch gnutls-3.6.7.tar.xz gnutls-3.6.7.tar.xz.sig gnutls-CVE-2020-11501.patch gnutls-CVE-2020-13777.patch gnutls-CVE-2020-24659.patch gnutls-FIPS-TLS_KDF_selftest.patch gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch gnutls-fips_XTS_key_check.patch gnutls-fips_mode_enabled.patch gnutls.changes gnutls.keyring gnutls.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ # # spec file for package gnutls # # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define gnutls_sover 30 %define gnutlsxx_sover 28 %define gnutls_dane_sover 0 # unbound isn't in SLE (bsc#1086428) %if 0%{?is_opensuse} %bcond_without dane %else %bcond_with dane %endif %bcond_with tpm %bcond_without guile Name: gnutls Version: 3.6.7 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later Group: Productivity/Networking/Security URL: https://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig Source2: %{name}.keyring Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch Patch3: disable-psk-file-test.patch Patch4: gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch Patch6: gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch Patch7: gnutls-CVE-2020-11501.patch Patch8: 0001-Vendor-in-XTS-functionality-from-Nettle.patch Patch9: gnutls-fips_XTS_key_check.patch Patch10: gnutls-fips_mode_enabled.patch Patch11: gnutls-3.6.7-fips-rsa-4096.patch Patch12: gnutls-CVE-2020-13777.patch # PATCH-FIX-UPSTREAM bsc#1172461 Patch13: 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch Patch14: 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch Patch15: 0003-x509-trigger-fallback-verification-path-when-cert-is.patch Patch16: 0004-tests-add-test-case-for-certificate-chain-supersedin.patch # (EC)DH changes required by SP800-56A rev 3 (bsc#1176086) Patch17: 0001-Add-Full-Public-Key-Check-for-DH.patch Patch18: 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch Patch19: 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch Patch20: 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch Patch21: 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch Patch22: 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch Patch23: 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch Patch24: 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch Patch25: 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch Patch26: 0001-dh-check-validity-of-Z-before-export.patch Patch27: 0002-ecdh-check-validity-of-P-before-export.patch Patch28: 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch Patch29: 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch Patch30: 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch # TLS KDF selftest Patch31: gnutls-FIPS-TLS_KDF_selftest.patch Patch32: gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch Patch33: gnutls-CVE-2020-24659.patch Patch34: 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge BuildRequires: fdupes BuildRequires: fipscheck BuildRequires: gcc-c++ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel BuildRequires: libnettle-devel >= 3.4.1 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: makeinfo BuildRequires: p11-kit-devel >= 0.23.1 BuildRequires: pkgconfig BuildRequires: xz BuildRequires: zlib-devel BuildRequires: pkgconfig(autoopts) # CVE-2018-16868 (bsc#1118087) fix requires rsa_sec_decrypt which was added in 3.4.1 (bsc#1134856) Requires: libnettle6 >= 3.4.1 %if 0%{?suse_version} <= 1320 BuildRequires: net-tools %else BuildRequires: net-tools-deprecated %endif %if %{with tpm} BuildRequires: trousers-devel %endif %if %{with dane} Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %if 0%{?suse_version} <= 1320 BuildRequires: unbound-devel %else BuildRequires: libunbound-devel %endif %endif %if %{with guile} BuildRequires: guile-devel %endif %description The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETFs TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries # install libgnutls and libgnutls-hmac close together (bsc#1090765) Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETFs TLS working group. %package -n libgnutls%{gnutls_sover}-hmac Summary: Checksums of the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries Requires: libgnutls%{gnutls_sover} = %{version}-%{release} %description -n libgnutls%{gnutls_sover}-hmac FIPS SHA256 checksums of the libgnutls library. %if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries %description -n libgnutls-dane%{gnutls_dane_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. %endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport layer. implements the proposed standards of the IETF TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} Requires(pre): %{install_info_prereq} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. %if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. %endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel Requires(pre): %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. %package guile Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later Group: Development/Libraries/Other Requires: guile %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %prep %setup -q %patch1 -p1 %patch3 -p1 %patch4 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 %patch22 -p1 %patch23 -p1 %patch24 -p1 %patch25 -p1 %patch26 -p1 %patch27 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch32 -p1 %patch33 -p1 %patch34 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 %endif %build export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" autoreconf -fiv %configure \ gl_cv_func_printf_directive_n=yes \ gl_cv_func_printf_infinite_long_double=yes \ --disable-static \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-sysroot=/%{?_sysroot} \ %if %{without tpm} --without-tpm \ %endif %if %{with dane} --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \ %else --disable-libdane \ %endif --enable-fips140-mode \ %{nil} make %{?_smp_mflags} # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %expand of # the macro is too late. # remark: This is the same as running # openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP' %{expand:%%global __os_install_post {%__os_install_post %{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover} }} %install %make_install rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files find %{buildroot} -type f -name "*.la" -delete -print # install docs mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/ mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ # PNG files are replaced with the compressed files and that breaks # deduplication, this is workaround find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} + rm -rf %{buildroot}%{_datadir}/doc/gnutls %fdupes -s %{buildroot}%{_datadir} %find_lang libgnutls --all-name %check # created by 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch, # but without the executable permissions chmod a+x tests/server-weak-keys.sh chmod a+x tests//dh-fips-approved.sh %if ! 0%{?qemu_user_space_build} make %{?_smp_mflags} check || { find -name test-suite.log -print -exec cat {} + exit 1 } %endif %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %if %{with dane} %post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig %postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig %endif %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %preun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %files -f libgnutls.lang %license LICENSE %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO %{_bindir}/certtool %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool %if %{with dane} %{_bindir}/danetool %endif %if %{with tpm} %{_bindir}/tpmtool %endif %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %{_libdir}/libgnutls.so.%{gnutls_sover}* %files -n libgnutls%{gnutls_sover}-hmac %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %if %{with dane} %files -n libgnutls-dane%{gnutls_dane_sover} %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %endif %files -n libgnutlsxx%{gnutlsxx_sover} %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs7.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/self-test.h %{_includedir}/%{name}/socket.h %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h %{_includedir}/%{name}/system-keys.h %{_includedir}/%{name}/urls.h %{_libdir}/libgnutls.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*%{ext_info} %doc %{_docdir}/libgnutls-devel %if %{with dane} %files -n libgnutls-dane-devel %dir %{_includedir}/%{name} %{_includedir}/%{name}/dane.h %{_libdir}/pkgconfig/gnutls-dane.pc %{_libdir}/libgnutls-dane.so %endif %files -n libgnutlsxx-devel %{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %if %{with guile} %files guile %{_libdir}/guile/* %{_datadir}/guile/gnutls* %endif %changelog ++++++ 0001-Add-Full-Public-Key-Check-for-DH.patch ++++++ From 2555412f8982ec0a1bbbf6b3c10a0330fe848820 Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Fri, 3 May 2019 12:32:56 -0400 Subject: [PATCH] Add Full Public Key Check for DH This is for NIST SP800-56A requirements and FIPS CAVS testing. GnuTLS never passes in a non-empty Q for normal operations, but tests will and if Q is passed in it needs to be checked. Signed-off-by: Simo Sorce <simo(a)redhat.com> --- lib/nettle/pk.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 9aa51660d8..1874bca54f 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -240,15 +240,16 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, switch (algo) { case GNUTLS_PK_DH: { - bigint_t f, x, prime; - bigint_t k = NULL, ff = NULL; + bigint_t f, x, q, prime; + bigint_t k = NULL, ff = NULL, r = NULL; unsigned int bits; f = pub->params[DH_Y]; x = priv->params[DH_X]; + q = priv->params[DH_Q]; prime = priv->params[DH_P]; - ret = _gnutls_mpi_init_multi(&k, &ff, NULL); + ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL); if (ret < 0) return gnutls_assert_val(ret); @@ -268,6 +269,21 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, goto dh_cleanup; } + /* if we have Q check that y ^ q mod p == 1 */ + if (q != NULL) { + ret = _gnutls_mpi_powm(r, f, q, prime); + if (ret < 0) { + gnutls_assert(); + goto dh_cleanup; + } + ret = _gnutls_mpi_cmp_ui(r, 1); + if (ret != 0) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto dh_cleanup; + } + } + /* prevent denial of service */ bits = _gnutls_mpi_get_nbits(prime); if (bits == 0 || bits > MAX_DH_BITS) { @@ -298,6 +314,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, ret = 0; dh_cleanup: + _gnutls_mpi_release(&r); _gnutls_mpi_release(&ff); zrelease_temp_mpi_key(&k); if (ret < 0) -- 2.27.0 ++++++ 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch ++++++ From 45c94c76c971a709c585a1fc142ce88e0945ba21 Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Fri, 10 May 2019 14:49:05 -0400 Subject: [PATCH 1/6] Add test to ensure DH exchange behaves correctly This test ensures that public keys are properly tested for validity before a DH exchange is computed. Signed-off-by: Simo Sorce <simo(a)redhat.com> --- tests/Makefile.am | 2 +- tests/dh-compute.c | 155 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 tests/dh-compute.c Index: gnutls-3.6.7/tests/dh-compute.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/dh-compute.c 2020-09-03 15:15:17.613940923 +0200 @@ -0,0 +1,155 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Simo Sorce + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* This program tests functionality of DH exchanges */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <gnutls/gnutls.h> +#include <stdbool.h> +#include <string.h> +#include <stdlib.h> +#include "utils.h" + +#ifdef ENABLE_FIPS140 +int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params, + gnutls_datum_t *priv_key, gnutls_datum_t *pub_key); + +int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params, + const gnutls_datum_t *priv_key, + const gnutls_datum_t *pub_key, + const gnutls_datum_t *peer_key, gnutls_datum_t *Z); + +static void params(gnutls_dh_params_t *dh_params, unsigned int key_bits, + const gnutls_datum_t *p, const gnutls_datum_t *g) +{ + int ret; + + ret = gnutls_dh_params_init(dh_params); + if (ret != 0) + fail("error\n"); + + ret = gnutls_dh_params_import_raw2(*dh_params, p, g, key_bits); + if (ret != 0) + fail("error\n"); +} + +static void genkey(gnutls_dh_params_t *dh_params, + gnutls_datum_t *priv_key, gnutls_datum_t *pub_key) +{ + int ret; + + ret = _gnutls_dh_generate_key(*dh_params, priv_key, pub_key); + if (ret != 0) + fail("error\n"); +} + +static void compute_key(gnutls_dh_params_t *dh_params, + gnutls_datum_t *priv_key, gnutls_datum_t *pub_key, + const gnutls_datum_t *peer_key, int expect_error, + gnutls_datum_t *result, bool expect_success) +{ + gnutls_datum_t Z; + bool success; + int ret; + + ret = _gnutls_dh_compute_key(*dh_params, priv_key, pub_key, + peer_key, &Z); + if (expect_error != ret) + fail("error (%d)\n", ret); + + if (result) { + success = (Z.size != result->size && + memcmp(Z.data, result->data, Z.size)); + if (success != expect_success) + fail("error\n"); + } + gnutls_free(Z.data); +} + +struct dh_test_data { + const unsigned int key_size; + const gnutls_datum_t prime; + const gnutls_datum_t generator; + const gnutls_datum_t peer_key; + int expected_error; +}; + +void doit(void) +{ + struct dh_test_data test_data[] = { + { + /* y == 0 */ + gnutls_ffdhe_2048_key_bits, + gnutls_ffdhe_2048_group_prime, + gnutls_ffdhe_2048_group_generator, + { (void *)"\x00", 1 }, + GNUTLS_E_MPI_SCAN_FAILED + }, + { + /* y < 2 */ + gnutls_ffdhe_2048_key_bits, + gnutls_ffdhe_2048_group_prime, + gnutls_ffdhe_2048_group_generator, + { (void *)"\x01", 1 }, + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER + }, + { + /* y > p - 2 */ + gnutls_ffdhe_2048_key_bits, + gnutls_ffdhe_2048_group_prime, + gnutls_ffdhe_2048_group_generator, + gnutls_ffdhe_2048_group_prime, + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER + }, + { 0 } + }; + + for (int i = 0; test_data[i].key_size != 0; i++) { + gnutls_datum_t priv_key, pub_key; + gnutls_dh_params_t dh_params; + + params(&dh_params, test_data[i].key_size, + &test_data[i].prime, &test_data[i].generator); + + genkey(&dh_params, &priv_key, &pub_key); + + compute_key(&dh_params, &priv_key, &pub_key, + &test_data[i].peer_key, + test_data[i].expected_error, + NULL, 0); + + gnutls_dh_params_deinit(dh_params); + gnutls_free(priv_key.data); + gnutls_free(pub_key.data); + } + + success("all ok\n"); +} +#else +void doit(void) +{ + return; +} +#endif ++++++ 0001-Vendor-in-XTS-functionality-from-Nettle.patch ++++++ ++++ 699 lines (skipped) ++++++ 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch ++++++ From 1abb4298398ec6a942dc77384a19b3e3a2392341 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos <nmav(a)redhat.com> Date: Thu, 19 Dec 2019 09:37:34 +0100 Subject: [PATCH] _gnutls_verify_crt_status: apply algorithm checks to trusted CAs If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise. Resolves: #877 Signed-off-by: Nikos Mavrogiannopoulos <nmav(a)redhat.com> --- NEWS | 5 +++ lib/x509/verify.c | 68 ++++++++++++++++++++++-------------- tests/Makefile.am | 5 +-- tests/certs/rsa-512.pem | 20 +++++++++++ tests/server-weak-keys.sh | 72 +++++++++++++++++++++++++++++++++++++++ tests/test-chains.h | 18 +++++++++- 6 files changed, 160 insertions(+), 28 deletions(-) create mode 100644 tests/certs/rsa-512.pem create mode 100755 tests/server-weak-keys.sh Index: gnutls-3.6.7/lib/x509/verify.c =================================================================== --- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:45:24.359554720 +0200 +++ gnutls-3.6.7/lib/x509/verify.c 2020-06-05 11:45:38.007648125 +0200 @@ -855,6 +855,36 @@ gnutls_x509_crt_check_issuer(gnutls_x509 return is_issuer(cert, issuer); } +static +unsigned check_ca_sanity(const gnutls_x509_crt_t issuer, + time_t now, unsigned int flags) +{ + unsigned int status = 0; + unsigned sigalg; + int ret; + + /* explicit time check for trusted CA that we remove from + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS + */ + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && + !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { + status |= check_time_status(issuer, now); + } + + ret = + _gnutls_x509_get_signature_algorithm(issuer->cert, "signatureAlgorithm"); + sigalg = ret; + + /* we explicitly allow CAs which we do not support their self-algorithms + * to pass. */ + if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) { + status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID; + } + + return status; + +} + /* Verify X.509 certificate chain. * * Note that the return value is an OR of GNUTLS_CERT_* elements. @@ -913,25 +943,17 @@ _gnutls_verify_crt_status(const gnutls_x * CA to self-signed CA at some point. */ if (_gnutls_check_if_same_key (certificate_list[i], trusted_cas[j], i) != 0) { - /* explicit time check for trusted CA that we remove from - * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS - */ - - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && - !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { - status |= - check_time_status(trusted_cas[j], - now); - if (status != 0) { - if (func) - func(certificate_list[i], trusted_cas[j], NULL, status); - return status; - } - } + + status |= check_ca_sanity(trusted_cas[j], now, flags); if (func) func(certificate_list[i], trusted_cas[j], NULL, status); + + if (status != 0) { + return gnutls_assert_val(status); + } + clist_size = i; break; } @@ -1161,20 +1183,16 @@ _gnutls_pkcs11_verify_crt_status(const c if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && - !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { - status |= - check_time_status(certificate_list[i], now); - if (status != 0) { - if (func) - func(certificate_list[i], certificate_list[i], NULL, status); - return status; - } - } + status |= check_ca_sanity(certificate_list[i], now, flags); + if (func) func(certificate_list[i], certificate_list[i], NULL, status); + if (status != 0) { + return gnutls_assert_val(status); + } + clist_size = i; break; } Index: gnutls-3.6.7/tests/Makefile.am =================================================================== --- gnutls-3.6.7.orig/tests/Makefile.am 2020-06-05 11:45:24.359554720 +0200 +++ gnutls-3.6.7/tests/Makefile.am 2020-06-05 11:46:39.168069978 +0200 @@ -38,7 +38,7 @@ EXTRA_DIST = suppressions.valgrind eagai certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem psk.passwd \ certs/rawpk_priv.pem certs/rawpk_pub.pem \ - certs/ed25519.pem certs/cert-ed25519.pem \ + certs/ed25519.pem certs/cert-ed25519.pem certs/rsa-512.pem \ system.prio pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c gnutls-asan.supp \ rsa-md5-collision/README safe-renegotiation/README starttls-smtp.txt starttls-ftp.txt \ starttls-lmtp.txt starttls-pop3.txt starttls-xmpp.txt starttls-nntp.txt starttls-sieve.txt \ @@ -467,7 +467,7 @@ dist_check_SCRIPTS += fastopen.sh pkgcon ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh server-weak-keys.sh dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh Index: gnutls-3.6.7/tests/certs/rsa-512.pem =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/certs/rsa-512.pem 2020-06-05 11:45:38.007648125 +0200 @@ -0,0 +1,20 @@ +-----BEGIN PRIVATE KEY----- +MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAUEwggE9AgEAAkEAwZFO/Vz94lR3/TKz +76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaASm6PGDvAliviIjGjKTkdDdqZ +X2S94QIDAQABAkEAsV+L+FN8OieZBCWwCNBNsz1pY8Uzp1S7Pl3n9eZBJOKNc/tI +Tr0/zwAR+5C7IE7xjfuYHZDWN+yXg0LhH+GYgQIhAP0rzSdsjuPJ9XA9wpnYLN4O +fqXnA7mzW5QKzYuzy3RJAiEAw7sCwUSi7030NszYd7A63o2WrzqWRoX1V1vt6FMd +zNkCIQDmsytXaY0r9bU6eo0CNANutjaiZ0j1x4MD/HQhgc08QQIhALdYYLZF4xKj +RRZoQIWtURfULciq6sXZCf7xICQ2Z33RAiEA/M/OnKZijdWg13dchmdaXLgNGxJO +N90VucFVWK8nXzo= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy +MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL +ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA +Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud +EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV +M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq +2UI= +-----END CERTIFICATE----- Index: gnutls-3.6.7/tests/server-weak-keys.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/server-weak-keys.sh 2020-06-05 11:45:38.007648125 +0200 @@ -0,0 +1,72 @@ +#!/bin/sh + +# Copyright (C) 2017 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +unset RETCODE + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + + +SERV="${SERV} -q" + +. "${srcdir}/scripts/common.sh" + +check_for_datefudge + +echo "Checking whether a client will refuse weak but trusted keys" + +KEY1=${srcdir}/certs/rsa-512.pem +CERT1=${srcdir}/certs/rsa-512.pem + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +timeout 1800 datefudge "2019-12-20" \ +"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \ + fail ${PID} "1. handshake with RSA should have failed!" + +timeout 1800 datefudge "2019-12-20" \ +"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \ + fail ${PID} "2. handshake with RSA should have failed!" + +kill ${PID} +wait + +exit 0 Index: gnutls-3.6.7/tests/test-chains.h =================================================================== --- gnutls-3.6.7.orig/tests/test-chains.h 2020-06-05 11:45:24.383554884 +0200 +++ gnutls-3.6.7/tests/test-chains.h 2020-06-05 11:45:38.007648125 +0200 @@ -3978,6 +3978,20 @@ static const char *gost12_512[] = { }; #endif +static const char *rsa_512[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF\n" + "ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy\n" + "MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL\n" + "ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA\n" + "Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud\n" + "EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV\n" + "M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq\n" + "2UI=\n" + "-----END CERTIFICATE-----\n", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" @@ -4138,10 +4152,12 @@ static struct #ifdef ENABLE_GOST { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1}, { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, { "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1}, { "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1}, #endif + { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, { NULL, NULL, NULL, 0, 0} }; ++++++ 0001-dh-check-validity-of-Z-before-export.patch ++++++ From bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Fri, 10 Jul 2020 09:35:49 +0200 Subject: [PATCH 1/5] dh: check validity of Z before export SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. This patch adds the validation check. Suggested by Stephan Mueller. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/nettle/pk.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) Index: gnutls-3.6.7/lib/nettle/pk.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/pk.c 2020-09-03 14:20:19.685195035 +0200 +++ gnutls-3.6.7/lib/nettle/pk.c 2020-09-03 14:20:30.393262407 +0200 @@ -241,7 +241,7 @@ static int _wrap_nettle_pk_derive(gnutls switch (algo) { case GNUTLS_PK_DH: { bigint_t f, x, q, prime; - bigint_t k = NULL, ff = NULL, r = NULL; + bigint_t k = NULL, primesub1 = NULL, r = NULL; unsigned int bits; f = pub->params[DH_Y]; @@ -249,21 +249,20 @@ static int _wrap_nettle_pk_derive(gnutls q = priv->params[DH_Q]; prime = priv->params[DH_P]; - ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL); + ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL); if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_mpi_add_ui(ff, f, 1); + ret = _gnutls_mpi_sub_ui(primesub1, prime, 1); if (ret < 0) { gnutls_assert(); goto dh_cleanup; } - /* check if f==0,1, or f >= p-1. - * or (ff=f+1) equivalently ff==1,2, ff >= p */ - if ((_gnutls_mpi_cmp_ui(ff, 2) == 0) - || (_gnutls_mpi_cmp_ui(ff, 1) == 0) - || (_gnutls_mpi_cmp(ff, prime) >= 0)) { + /* check if f==0,1, or f >= p-1 */ + if ((_gnutls_mpi_cmp_ui(f, 1) == 0) + || (_gnutls_mpi_cmp_ui(f, 0) == 0) + || (_gnutls_mpi_cmp(f, primesub1) >= 0)) { gnutls_assert(); ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; goto dh_cleanup; @@ -299,6 +298,15 @@ static int _wrap_nettle_pk_derive(gnutls goto dh_cleanup; } + /* check if k==0,1, or k = p-1 */ + if ((_gnutls_mpi_cmp_ui(k, 1) == 0) + || (_gnutls_mpi_cmp_ui(k, 0) == 0) + || (_gnutls_mpi_cmp(k, primesub1) == 0)) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto dh_cleanup; + } + if (flags & PK_DERIVE_TLS13) { ret = _gnutls_mpi_dprint_size(k, out, @@ -315,7 +323,7 @@ static int _wrap_nettle_pk_derive(gnutls ret = 0; dh_cleanup: _gnutls_mpi_release(&r); - _gnutls_mpi_release(&ff); + _gnutls_mpi_release(&primesub1); zrelease_temp_mpi_key(&k); if (ret < 0) goto cleanup; ++++++ 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch ++++++ ++++ 991 lines (skipped) ++++++ 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch ++++++ From 57d22ddc85a1fde180c0a5b0178eeb128792e636 Mon Sep 17 00:00:00 2001 From: Petr Pavlu <petr.pavlu(a)suse.com> Date: Wed, 8 Jul 2020 10:12:30 +0200 Subject: [PATCH] pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() When checking in _gnutls_pubkey_compatible_with_sig() whether a public key is compatible with a signature algorithm, run first pubkey_supports_sig() before performing weaker checks that can accept the given algorithm but with an audit-log warning. This avoids an issue when a weaker check would log an audit message for some signature algorithm that would then be determined as incompatible by the pubkey_supports_sig() check anyway. For instance, a GnuTLS server might have a certificate with a SECP384R1 public key and a client can report that it supports ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the GnuTLS server will eventually find that it must use ECDSA-SECP384R1-SHA384 with this public key. However, the code would first run _gnutls_pubkey_compatible_with_sig() to check if SECP384R1 is compatible with ECDSA-SECP256R1-SHA256. The function would report the audit warning "The hash size used in signature (32) is less than the expected (48)" but then reject the signature algorithm in pubkey_supports_sig() as incompatible because it has a different curve. Since the algorithm gets rejected it is not necessary to inform about its hash size difference in the audit log. Signed-off-by: Petr Pavlu <petr.pavlu(a)suse.com> --- lib/pubkey.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/pubkey.c b/lib/pubkey.c index de95a04c3..6f9d54f11 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -2092,10 +2092,16 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, unsigned int sig_hash_size; const mac_entry_st *me; const gnutls_sign_entry_st *se; + int ret; se = _gnutls_sign_to_entry(sign); - if (se == NULL && _gnutls_version_has_selectable_sighash(ver)) + if (se != NULL) { + ret = pubkey_supports_sig(pubkey, se); + if (ret < 0) + return gnutls_assert_val(ret); + } else if (_gnutls_version_has_selectable_sighash(ver)) { return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } if (pubkey->params.algo == GNUTLS_PK_DSA) { me = _gnutls_dsa_q_to_hash(&pubkey->params, &hash_size); @@ -2158,9 +2164,6 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, } } - if (se != NULL) - return pubkey_supports_sig(pubkey, se); - return 0; } -- 2.29.2 ++++++ 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch ++++++ From d0f8c4421a400feea96ba18f564b34ee594a7b85 Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Tue, 14 May 2019 18:38:33 -0400 Subject: [PATCH 2/6] Add test to ensure ECDH exchange behaves correctly This test ensures that public keys are properly tested for validity before a ECDH exchange is computed. Signed-off-by: Simo Sorce <simo(a)redhat.com> --- tests/Makefile.am | 2 +- tests/ecdh-compute.c | 209 +++++++++++++++++++++++++++++++ tests/suite/tls-fuzzer/tlsfuzzer | 2 +- 3 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 tests/ecdh-compute.c Index: gnutls-3.6.7/tests/ecdh-compute.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/ecdh-compute.c 2020-09-03 15:17:46.222875560 +0200 @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Simo Sorce + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* This program tests functionality of DH exchanges */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <gnutls/gnutls.h> +#include <stdbool.h> +#include <string.h> +#include <stdlib.h> +#include "utils.h" + +#ifdef ENABLE_FIPS140 +int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve, + const gnutls_datum_t *x, const gnutls_datum_t *y, + const gnutls_datum_t *k, + const gnutls_datum_t *peer_x, const gnutls_datum_t *peer_y, + gnutls_datum_t *Z); + +int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve, + gnutls_datum_t *x, gnutls_datum_t *y, + gnutls_datum_t *k); + +static void genkey(gnutls_ecc_curve_t curve, gnutls_datum_t *x, + gnutls_datum_t *y, gnutls_datum_t *key) +{ + int ret; + + ret = _gnutls_ecdh_generate_key(curve, x, y, key); + if (ret != 0) + fail("error\n"); +} + +static void compute_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x, + gnutls_datum_t *y, gnutls_datum_t *key, + const gnutls_datum_t *peer_x, + const gnutls_datum_t *peer_y, + int expect_error, + gnutls_datum_t *result, bool expect_success) +{ + gnutls_datum_t Z = { 0 }; + bool success; + int ret; + + ret = _gnutls_ecdh_compute_key(curve, x, y, key, peer_x, peer_y, &Z); + if (expect_error != ret) + fail("error (%d)\n", ret); + + if (result) { + success = (Z.size != result->size && + memcmp(Z.data, result->data, Z.size)); + if (success != expect_success) + fail("error\n"); + } + gnutls_free(Z.data); +} + +struct dh_test_data { + gnutls_ecc_curve_t curve; + const gnutls_datum_t x; + const gnutls_datum_t y; + const gnutls_datum_t key; + const gnutls_datum_t peer_x; + const gnutls_datum_t peer_y; + int expected_error; +}; + +void doit(void) +{ + struct dh_test_data test_data[] = { + { + /* x == 0, y == 0 */ + GNUTLS_ECC_CURVE_SECP256R1, + { 0 }, { 0 }, { 0 }, + { (void *)"\x00", 1 }, + { (void *)"\x00", 1 }, + /* Should be GNUTLS_E_PK_INVALID_PUBKEY but mpi scan + * balks on values of 0 */ + GNUTLS_E_MPI_SCAN_FAILED, + }, + { + /* x > p -1 */ + GNUTLS_ECC_CURVE_SECP256R1, + { 0 }, { 0 }, { 0 }, + { (void *)"\xff\xff\xff\xff\x00\x00\x00\x01" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff", 1 }, + { (void *)"\x02", 1 }, + GNUTLS_E_PK_INVALID_PUBKEY, + }, + { + /* y > p -1 */ + GNUTLS_ECC_CURVE_SECP256R1, + { 0 }, { 0 }, { 0 }, + { (void *)"\x02", 1 }, + { (void *)"\xff\xff\xff\xff\x00\x00\x00\x01" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff", 1 }, + GNUTLS_E_PK_INVALID_PUBKEY, + }, + { + /* From CAVS tests */ + GNUTLS_ECC_CURVE_SECP521R1, + { (void *)"\xac\xbe\x4a\xd4\xf6\x73\x44\x0a" + "\xfc\x31\xf0\xb0\x3d\x28\xd4\xd5" + "\x14\xbe\x7b\xdd\x7a\x31\xb0\x32" + "\xec\x27\x27\x17\xa5\x7d\xc2\x6c" + "\xc4\xc9\x56\x29\xdb\x2d\x8c\x05" + "\x86\x2b\xe6\x15\xc6\x06\x28\xa3" + "\x24\xf2\x01\x7f\x98\xbd\xf9\x11" + "\xcc\xf8\x83\x5e\x43\x9e\xb2\xc1" + "\x88", 65 }, + { (void *)"\xd6\x9b\x29\xa2\x37\x82\x36\x92" + "\xe8\xdb\x90\xa3\x25\x68\x67\x6c" + "\x92\xff\x3d\x23\x85\xe2\xfd\x13" + "\x16\x12\x72\xb3\x4b\x55\x88\x72" + "\xb0\x35\xab\xb5\x10\x89\x52\x5f" + "\x42\x9f\x53\x02\x60\x80\xc3\xd5" + "\x36\x6e\xe9\xdd\x28\xae\xd2\x38" + "\xab\xbe\x68\x6a\x54\x3e\x19\xf2" + "\x77", 65 }, + { (void *)"\xd7\xdd\x17\x7c\xb9\x7f\x19\x09" + "\xbe\x56\x79\xba\x38\x7b\xee\x64" + "\xf7\xb4\x08\x4a\x4f\xaa\x6c\x31" + "\x8b\x82\xe9\xf2\xf7\x50\xc5\xc1" + "\x82\x26\x20\xd4\x88\x25\x0b\xf6" + "\xb4\x14\xea\x9b\x2c\x07\x93\x50" + "\xb9\xad\x78\x0a\x5e\xc6\xa6\xf8" + "\xb2\x9f\xa1\xc4\x76\xce\x1d\xa9" + "\xf5", 65 }, + { (void *)"\x01\x41\xbe\x1a\xfa\x21\x99\xc9" + "\xb2\x2d\xaa\x0a\xff\x90\xb2\x67" + "\x18\xa2\x67\x04\x7e\xae\x28\x40" + "\xe8\xbc\xa0\xbd\x0c\x75\x41\x51" + "\xf1\xa0\x4d\xcf\x09\xa5\x4f\x1e" + "\x13\x5e\xa0\xdd\x13\xed\x86\x74" + "\x05\xc0\xcb\x6d\xac\x14\x6a\x24" + "\xb8\xdc\xf3\x78\xed\xed\x5d\xcd" + "\x57\x5b", 66 }, + { (void *)"\x19\x52\xbd\x5d\xe6\x26\x40\xc3" + "\xfc\x8c\xc1\x55\xe2\x9c\x71\x14" + "\x5e\xdc\x62\x1c\x3a\x94\x4e\x55" + "\x56\x75\xf7\x45\x6e\xa4\x9e\x94" + "\xb8\xfe\xda\xd4\xac\x7d\x76\xc5" + "\xb4\x65\xed\xb4\x49\x34\x71\x14" + "\xdb\x8f\x10\x90\xa3\x05\x02\xdc" + "\x86\x92\x6c\xbe\x9b\x57\x32\xe3" + "\x2c", 65 }, + 0, + }, + { 0 } + }; + + for (int i = 0; test_data[i].curve != 0; i++) { + gnutls_datum_t x, y, key; + + if (test_data[i].key.data == NULL) { + genkey(test_data[i].curve, &x, &y, &key); + } else { + x = test_data[i].x; + y = test_data[i].y; + key = test_data[i].key; + } + + compute_key(test_data[i].curve, &x, &y, &key, + &test_data[i].peer_x, + &test_data[i].peer_y, + test_data[i].expected_error, + NULL, 0); + + if (test_data[i].key.data == NULL) { + gnutls_free(x.data); + gnutls_free(y.data); + gnutls_free(key.data); + } + } + + success("all ok\n"); +} +#else +void doit(void) +{ + return; +} +#endif ++++++ 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch ++++++ From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against system cert To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- 3 files changed, 80 insertions(+), 30 deletions(-) Index: gnutls-3.6.7/lib/pkcs11.c =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11.c 2020-06-05 11:46:56.276188039 +0200 +++ gnutls-3.6.7/lib/pkcs11.c 2020-06-05 11:46:57.408195852 +0200 @@ -4509,34 +4509,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subj return ret; } -/** - * gnutls_pkcs11_crt_is_known: - * @url: A PKCS 11 url identifying a token - * @cert: is the certificate to find issuer for - * @issuer: Will hold the issuer if any in an allocated buffer. - * @fmt: The format of the exported issuer. - * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. - * - * This function will check whether the provided certificate is stored - * in the specified token. This is useful in combination with - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, - * to check whether a CA is present or a certificate is blacklisted in - * a trust PKCS #11 module. - * - * This function can be used with a @url of "pkcs11:", and in that case all modules - * will be searched. To restrict the modules to the marked as trusted in p11-kit - * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. - * - * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is - * specific to p11-kit trust modules. - * - * Returns: If the certificate exists non-zero is returned, otherwise zero. - * - * Since: 3.3.0 - **/ -unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - unsigned int flags) +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert) { int ret; struct find_cert_st priv; @@ -4548,6 +4524,15 @@ unsigned gnutls_pkcs11_crt_is_known(cons memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } + if (url == NULL || url[0] == 0) { url = "pkcs11:"; } @@ -4594,8 +4579,18 @@ unsigned gnutls_pkcs11_crt_is_known(cons _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); /* attempt searching with the subject DN only */ gnutls_assert(); + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } priv.crt = cert; priv.flags = flags; @@ -4612,9 +4607,26 @@ unsigned gnutls_pkcs11_crt_is_known(cons goto cleanup; } + if (trusted_cert) { + ret = gnutls_x509_crt_init(trusted_cert); + if (ret < 0) { + gnutls_assert(); + ret = 0; + goto cleanup; + } + ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(*trusted_cert); + ret = 0; + goto cleanup; + } + } ret = 1; cleanup: + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); @@ -4623,6 +4635,36 @@ unsigned gnutls_pkcs11_crt_is_known(cons } /** + * gnutls_pkcs11_crt_is_known: + * @url: A PKCS 11 url identifying a token + * @cert: is the certificate to find issuer for + * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. + * + * This function will check whether the provided certificate is stored + * in the specified token. This is useful in combination with + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, + * to check whether a CA is present or a certificate is blacklisted in + * a trust PKCS #11 module. + * + * This function can be used with a @url of "pkcs11:", and in that case all modules + * will be searched. To restrict the modules to the marked as trusted in p11-kit + * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. + * + * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is + * specific to p11-kit trust modules. + * + * Returns: If the certificate exists non-zero is returned, otherwise zero. + * + * Since: 3.3.0 + **/ +unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags) +{ + return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); +} + +/** * gnutls_pkcs11_obj_get_flags: * @obj: The pkcs11 object * @oflags: Will hold the output flags Index: gnutls-3.6.7/lib/pkcs11_int.h =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11_int.h 2020-06-05 11:46:57.408195852 +0200 +++ gnutls-3.6.7/lib/pkcs11_int.h 2020-06-05 11:47:51.656570223 +0200 @@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object( return 0; } +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert); + #endif /* ENABLE_PKCS11 */ #endif Index: gnutls-3.6.7/lib/x509/verify.c =================================================================== --- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:46:56.280188067 +0200 +++ gnutls-3.6.7/lib/x509/verify.c 2020-06-05 11:46:57.408195852 +0200 @@ -34,6 +34,7 @@ #include <tls-sig.h> #include <str.h> #include <datum.h> +#include <pkcs11_int.h> #include <x509_int.h> #include <common.h> #include <pk.h> @@ -1173,6 +1174,7 @@ _gnutls_pkcs11_verify_crt_status(const c for (; i < clist_size; i++) { unsigned vflags; + gnutls_x509_crt_t trusted_cert; if (i == 0) /* in the end certificate do full comparison */ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| @@ -1181,9 +1183,10 @@ _gnutls_pkcs11_verify_crt_status(const c vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { + if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - status |= check_ca_sanity(certificate_list[i], now, flags); + status |= check_ca_sanity(trusted_cert, now, flags); + gnutls_x509_crt_deinit(trusted_cert); if (func) func(certificate_list[i], ++++++ 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch ++++++ ++++ 827 lines (skipped) ++++++ 0002-ecdh-check-validity-of-P-before-export.patch ++++++ From 13202600d3e42258d8758b05ff45a3e3d0f07e4e Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Fri, 10 Jul 2020 09:42:30 +0200 Subject: [PATCH 2/5] ecdh: check validity of P before export SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. This patch adds the validation check. Suggested by Stephan Mueller. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/nettle/pk.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) Index: gnutls-3.6.7/lib/nettle/pk.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/pk.c 2020-09-03 14:20:20.153197979 +0200 +++ gnutls-3.6.7/lib/nettle/pk.c 2020-09-03 14:20:25.165229513 +0200 @@ -199,25 +199,38 @@ _gost_params_to_pubkey(const gnutls_pk_p } #endif -static void +static int ecc_shared_secret(struct ecc_scalar *private_key, struct ecc_point *public_key, void *out, unsigned size) { struct ecc_point r; - mpz_t x; + mpz_t x, y; + int ret = 0; mpz_init(x); + mpz_init(y); ecc_point_init(&r, public_key->ecc); ecc_point_mul(&r, private_key, public_key); - ecc_point_get(&r, x, NULL); + ecc_point_get(&r, x, y); + + /* Check if the point is not an identity element. Note that this cannot + * happen in nettle implementation, because it cannot represent an + * infinity point. */ + if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) { + ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + goto cleanup; + } + nettle_mpz_get_str_256(size, out, x); + cleanup: mpz_clear(x); + mpz_clear(y); ecc_point_clear(&r); - return; + return ret; } #define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS @@ -365,8 +378,10 @@ dh_cleanup: goto ecc_cleanup; } - ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, - out->size); + ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, + out->size); + if (ret < 0) + gnutls_free(out->data); ecc_cleanup: ecc_point_clear(&ecc_pub); ++++++ 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch ++++++ ++++ 993 lines (skipped) ++++++ 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch ++++++ From 245fb622e82bfa7b80d2cec7cafdbc65014ca3cb Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Fri, 17 Jul 2020 17:45:17 +0200 Subject: [PATCH 3/5] dh-primes: make the FIPS approved check return Q value This is necessary for full public key validation in SP800-56A (revision 3), section 5.6.2.3.1. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/auth/dh_common.c | 2 +- lib/dh-primes.c | 38 +++++++++++++++++++++++--------------- lib/dh.h | 10 ++++++---- 3 files changed, 30 insertions(+), 20 deletions(-) Index: gnutls-3.6.7/lib/auth/dh_common.c =================================================================== --- gnutls-3.6.7.orig/lib/auth/dh_common.c 2020-09-03 14:20:20.133197853 +0200 +++ gnutls-3.6.7/lib/auth/dh_common.c 2020-09-03 14:20:20.233198482 +0200 @@ -256,7 +256,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_ #ifdef ENABLE_FIPS140 if (gnutls_fips140_mode_enabled() && - !_gnutls_dh_prime_is_fips_approved(data_p, n_p, data_g, n_g)) { + !_gnutls_dh_prime_match_fips_approved(data_p, n_p, data_g, n_g, NULL, NULL)) { gnutls_assert(); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } Index: gnutls-3.6.7/lib/dh-primes.c =================================================================== --- gnutls-3.6.7.orig/lib/dh-primes.c 2020-09-03 14:20:20.133197853 +0200 +++ gnutls-3.6.7/lib/dh-primes.c 2020-09-03 14:20:20.233198482 +0200 @@ -1446,25 +1446,28 @@ const gnutls_datum_t gnutls_modp_8192_gr const unsigned int gnutls_modp_8192_key_bits = 512; unsigned -_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, - size_t prime_size, - const uint8_t *generator, - size_t generator_size) +_gnutls_dh_prime_match_fips_approved(const uint8_t *prime, + size_t prime_size, + const uint8_t *generator, + size_t generator_size, + uint8_t **q, + size_t *q_size) { static const struct { const gnutls_datum_t *prime; const gnutls_datum_t *generator; + const gnutls_datum_t *q; } primes[] = { - { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator }, - { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator }, - { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator }, - { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator }, - { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator }, - { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator }, - { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator }, - { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator }, - { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator }, - { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator }, + { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator, &gnutls_ffdhe_8192_group_q }, + { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator, &gnutls_ffdhe_6144_group_q }, + { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator, &gnutls_ffdhe_4096_group_q }, + { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator, &gnutls_ffdhe_3072_group_q }, + { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator, &gnutls_ffdhe_2048_group_q }, + { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator, &gnutls_modp_8192_group_q }, + { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator, &gnutls_modp_6144_group_q }, + { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator, &gnutls_modp_4096_group_q }, + { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator, &gnutls_modp_3072_group_q }, + { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator, &gnutls_modp_2048_group_q }, }; size_t i; @@ -1472,8 +1475,13 @@ _gnutls_dh_prime_is_fips_approved(const if (primes[i].prime->size == prime_size && memcmp(primes[i].prime->data, prime, primes[i].prime->size) == 0 && primes[i].generator->size == generator_size && - memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) + memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) { + if (q) { + *q = primes[i].q->data; + *q_size = primes[i].q->size; + } return 1; + } } return 0; Index: gnutls-3.6.7/lib/dh.h =================================================================== --- gnutls-3.6.7.orig/lib/dh.h 2020-09-03 14:20:20.133197853 +0200 +++ gnutls-3.6.7/lib/dh.h 2020-09-03 14:20:20.233198482 +0200 @@ -67,9 +67,11 @@ _gnutls_dh_prime_is_fips_approved(const size_t generator_size); unsigned -_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, - size_t prime_size, - const uint8_t *generator, - size_t generator_size); +_gnutls_dh_prime_match_fips_approved(const uint8_t *prime, + size_t prime_size, + const uint8_t *generator, + size_t generator_size, + uint8_t **q, + size_t *q_size); #endif ++++++ 0003-x509-trigger-fallback-verification-path-when-cert-is.patch ++++++ From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is expired gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN to trigger the fallback verification path if the signer of the last certificate is not in the trust store. Previously, it doesn't take into account of the condition where the certificate is expired. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/x509/verify-high.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b1421ef17a..40638ad3aa 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, #define LAST_DN cert_list[cert_list_size-1]->raw_dn #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn -/* This macro is introduced to detect a verification output - * which indicates an unknown signer, or a signer which uses - * an insecure algorithm (e.g., sha1), something that indicates - * a superseded signer */ -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) +/* This macro is introduced to detect a verification output which + * indicates an unknown signer, a signer which uses an insecure + * algorithm (e.g., sha1), a signer has expired, or something that + * indicates a superseded signer */ +#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ + (output & GNUTLS_CERT_EXPIRED) || \ + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) /** -- 2.25.0 ++++++ 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch ++++++ From 30cd55456b574b2eadd0bea93ca12492441e0d5d Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Mon, 20 May 2019 17:13:12 -0400 Subject: [PATCH 4/6] Always pass in and check Q in TLS 1.3 In FIPS mode do an extra check that we did have Q, but it is always passed into the tls13 derive function from the callers. Signed-off-by: Simo Sorce <simo(a)redhat.com> --- lib/algorithms/groups.c | 5 +++++ lib/ext/key_share.c | 14 ++++++++++++-- lib/gnutls_int.h | 1 + lib/nettle/pk.c | 5 +++++ 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c index c5adb063ba..25195c121c 100644 --- a/lib/algorithms/groups.c +++ b/lib/algorithms/groups.c @@ -79,6 +79,7 @@ static const gnutls_group_entry_st supported_groups[] = { .id = GNUTLS_GROUP_FFDHE2048, .generator = &gnutls_ffdhe_2048_group_generator, .prime = &gnutls_ffdhe_2048_group_prime, + .q = &gnutls_ffdhe_2048_group_q, .q_bits = &gnutls_ffdhe_2048_key_bits, .pk = GNUTLS_PK_DH, .tls_id = 0x100 @@ -88,6 +89,7 @@ static const gnutls_group_entry_st supported_groups[] = { .id = GNUTLS_GROUP_FFDHE3072, .generator = &gnutls_ffdhe_3072_group_generator, .prime = &gnutls_ffdhe_3072_group_prime, + .q = &gnutls_ffdhe_3072_group_q, .q_bits = &gnutls_ffdhe_3072_key_bits, .pk = GNUTLS_PK_DH, .tls_id = 0x101 @@ -97,6 +99,7 @@ static const gnutls_group_entry_st supported_groups[] = { .id = GNUTLS_GROUP_FFDHE4096, .generator = &gnutls_ffdhe_4096_group_generator, .prime = &gnutls_ffdhe_4096_group_prime, + .q = &gnutls_ffdhe_4096_group_q, .q_bits = &gnutls_ffdhe_4096_key_bits, .pk = GNUTLS_PK_DH, .tls_id = 0x102 @@ -106,6 +109,7 @@ static const gnutls_group_entry_st supported_groups[] = { .id = GNUTLS_GROUP_FFDHE6144, .generator = &gnutls_ffdhe_6144_group_generator, .prime = &gnutls_ffdhe_6144_group_prime, + .q = &gnutls_ffdhe_6144_group_q, .q_bits = &gnutls_ffdhe_6144_key_bits, .pk = GNUTLS_PK_DH, .tls_id = 0x103 @@ -115,6 +119,7 @@ static const gnutls_group_entry_st supported_groups[] = { .id = GNUTLS_GROUP_FFDHE8192, .generator = &gnutls_ffdhe_8192_group_generator, .prime = &gnutls_ffdhe_8192_group_prime, + .q = &gnutls_ffdhe_8192_group_q, .q_bits = &gnutls_ffdhe_8192_key_bits, .pk = GNUTLS_PK_DH, .tls_id = 0x104 diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c index 3efc46a60c..599eff8fbc 100644 --- a/lib/ext/key_share.c +++ b/lib/ext/key_share.c @@ -152,10 +152,15 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (ret < 0) return gnutls_assert_val(ret); + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q], + group->q->data, group->q->size); + if (ret < 0) + return gnutls_assert_val(ret); + session->key.kshare.dh_params.algo = group->pk; session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */ session->key.kshare.dh_params.qbits = *group->q_bits; - session->key.kshare.dh_params.params_nr = 3; /* empty q */ + session->key.kshare.dh_params.params_nr = 3; ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1); if (ret < 0) @@ -350,9 +355,14 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou if (ret < 0) return gnutls_assert_val(ret); + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q], + group->q->data, group->q->size); + if (ret < 0) + return gnutls_assert_val(ret); + session->key.kshare.dh_params.algo = GNUTLS_PK_DH; session->key.kshare.dh_params.qbits = *group->q_bits; - session->key.kshare.dh_params.params_nr = 3; /* empty q */ + session->key.kshare.dh_params.params_nr = 3; /* generate our keys */ ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 177a8be018..da0a92ebcb 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -664,6 +664,7 @@ typedef struct gnutls_group_entry_st { const char *name; gnutls_group_t id; const gnutls_datum_t *prime; + const gnutls_datum_t *q; const gnutls_datum_t *generator; const unsigned *q_bits; gnutls_ecc_curve_t curve; diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 6bb2cef877..08117c2d82 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -282,6 +282,11 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; goto dh_cleanup; } + } else if ((flags & PK_DERIVE_TLS13) && + _gnutls_fips_mode_enabled()) { + /* Mandatory in FIPS mode for TLS 1.3 */ + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto dh_cleanup; } /* prevent denial of service */ -- 2.27.0 ++++++ 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch ++++++ From 8b575625614fbe5a22b68dc8d1877efb1d44dd37 Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Fri, 17 Jul 2020 17:47:06 +0200 Subject: [PATCH 4/5] dh: perform SP800-56A rev3 full pubkey validation on keygen This implements full public key validation required in SP800-56A rev3, section 5.6.2.3.1. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/nettle/pk.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) Index: gnutls-3.6.7/lib/nettle/pk.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/pk.c 2020-09-03 14:20:20.205198306 +0200 +++ gnutls-3.6.7/lib/nettle/pk.c 2020-09-03 14:20:23.057216249 +0200 @@ -56,6 +56,7 @@ #endif #include <gnettle.h> #include <fips.h> +#include "dh.h" static inline const struct ecc_curve *get_supported_nist_curve(int curve); static inline const struct ecc_curve *get_supported_gost_curve(int curve); @@ -1856,6 +1857,54 @@ cleanup: } #endif +static inline int +dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q) +{ + gnutls_datum_t prime = { NULL, 0 }; + gnutls_datum_t generator = { NULL, 0 }; + uint8_t *data_q; + size_t n_q; + bigint_t _q; + int ret = 0; + + ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (!_gnutls_dh_prime_match_fips_approved(prime.data, + prime.size, + generator.data, + generator.size, + &data_q, + &n_q)) { + ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } + + if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) { + ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); + goto cleanup; + } + + mpz_set(q, TOMPZ(_q)); + _gnutls_mpi_release(&_q); + + cleanup: + gnutls_free(prime.data); + gnutls_free(generator.data); + + return ret; +} + + /* To generate a DH key either q must be set in the params or * level should be set to the number of required bits. */ @@ -1937,6 +1986,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a mpz_t x, y; int max_tries; unsigned have_q = 0; + mpz_t q; + mpz_t primesub1; + mpz_t ypowq; if (algo != params->algo) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); @@ -1954,6 +2006,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a mpz_init(x); mpz_init(y); + mpz_init(q); + mpz_init(primesub1); + mpz_init(ypowq); + max_tries = 3; do { if (have_q) { @@ -1985,8 +2041,40 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a ret = GNUTLS_E_LIB_IN_ERROR_STATE; goto dh_fail; } + } while(mpz_cmp_ui(y, 1) == 0); +#ifdef ENABLE_FIPS140 + if (_gnutls_fips_mode_enabled()) { + /* Perform FFC full public key validation checks + * according to SP800-56A (revision 3), 5.6.2.3.1. + */ + + /* Step 1: 2 <= y <= p - 2 */ + mpz_sub_ui(primesub1, pub.p, 1); + + if (mpz_cmp_ui(y, 2) < 0 || mpz_cmp(y, primesub1) >= 0) { + ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); + goto dh_fail; + } + + /* Step 2: 1 = y^q mod p */ + if (have_q) + mpz_set(q, pub.q); + else { + ret = dh_find_q(params, q); + if (ret < 0) + goto dh_fail; + } + + mpz_powm(ypowq, y, q, pub.p); + if (mpz_cmp_ui(ypowq, 1) != 0) { + ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); + goto dh_fail; + } + } +#endif + ret = _gnutls_mpi_init_multi(&params->params[DSA_Y], &params->params[DSA_X], NULL); if (ret < 0) { gnutls_assert(); @@ -2003,6 +2091,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a mpz_clear(r); mpz_clear(x); mpz_clear(y); + mpz_clear(q); + mpz_clear(primesub1); + mpz_clear(ypowq); if (ret < 0) goto fail; ++++++ 0004-tests-add-test-case-for-certificate-chain-supersedin.patch ++++++ From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Sun, 31 May 2020 14:28:48 +0200 Subject: [PATCH 3/3] tests: add test case for certificate chain superseding Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) Index: gnutls-3.6.7/tests/test-chains.h =================================================================== --- gnutls-3.6.7.orig/tests/test-chains.h 2020-06-05 12:02:59.378844068 +0200 +++ gnutls-3.6.7/tests/test-chains.h 2020-06-05 12:05:18.007799062 +0200 @@ -3992,6 +3992,102 @@ static const char *rsa_512[] = { NULL }; +/* This contains an expired intermediate CA, which should be superseded. */ +static const char *superseding[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" + "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" + "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" + "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" + "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" + "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" + "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" + "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" + "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" + "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" + "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" + "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" + "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" + "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" + "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" + "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" + "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" + "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" + "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" + "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" + "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" + "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" + "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" + "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" + "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" + "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" + "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" + "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" + "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" + "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" + "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" + "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" + "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" + "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" + "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" + "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" + "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" + "iJwOKIk=" + "-----END CERTIFICATE-----", + NULL +}; + +static const char *superseding_ca[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" + "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" + "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" + "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" + "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" + "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" + "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" + "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" + "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" + "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" + "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" + "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" + "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" + "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" + "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" + "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" + "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" + "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" + "izchzb9eow==" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" + "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" + "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" + "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" + "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" + "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" + "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" + "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" + "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" + "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" + "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" + "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" + "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" + "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" + "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" + "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" + "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" + "eh1COrLsOJo+" + "-----END CERTIFICATE-----", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" @@ -4158,6 +4254,7 @@ static struct #endif { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, { NULL, NULL, NULL, 0, 0} }; ++++++ 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch ++++++ From f5136909695e3c88f195828831fe5700fa2a1059 Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Tue, 21 May 2019 09:40:01 -0400 Subject: [PATCH 5/6] Check Q for FFDHE primes in prime-check These are mersenne primes so q = (p - 1) / 2 We check that p = (q * 2) + 1 Signed-off-by: Simo Sorce <simo(a)redhat.com> --- tests/suite/prime-check.c | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/tests/suite/prime-check.c b/tests/suite/prime-check.c index 819f5371bf..3d6429c6e1 100644 --- a/tests/suite/prime-check.c +++ b/tests/suite/prime-check.c @@ -27,7 +27,7 @@ /* Tests whether the included parameters are indeed prime */ -static void test_prime(const gnutls_datum_t * prime) +static void test_prime(const gnutls_datum_t * prime, const gnutls_datum_t * _q) { mpz_t p; unsigned bits = prime->size * 8; @@ -37,23 +37,33 @@ static void test_prime(const gnutls_datum_t * prime) assert(mpz_sizeinbase(p, 2) == bits); assert(mpz_probab_prime_p(p, 18)); + if (_q) { + mpz_t q; + + nettle_mpz_init_set_str_256_u(q, _q->size, _q->data); + mpz_mul_ui(q, q, 2); + mpz_add_ui(q, q, 1); + assert(mpz_cmp(p, q) == 0); + mpz_clear(q); + } + mpz_clear(p); } int main(int argc, char **argv) { - test_prime(&gnutls_srp_8192_group_prime); - test_prime(&gnutls_srp_4096_group_prime); - test_prime(&gnutls_srp_3072_group_prime); - test_prime(&gnutls_srp_2048_group_prime); - test_prime(&gnutls_srp_1536_group_prime); - test_prime(&gnutls_srp_1024_group_prime); - - test_prime(&gnutls_ffdhe_8192_group_prime); - test_prime(&gnutls_ffdhe_6144_group_prime); - test_prime(&gnutls_ffdhe_4096_group_prime); - test_prime(&gnutls_ffdhe_3072_group_prime); - test_prime(&gnutls_ffdhe_2048_group_prime); + test_prime(&gnutls_srp_8192_group_prime, NULL); + test_prime(&gnutls_srp_4096_group_prime, NULL); + test_prime(&gnutls_srp_3072_group_prime, NULL); + test_prime(&gnutls_srp_2048_group_prime, NULL); + test_prime(&gnutls_srp_1536_group_prime, NULL); + test_prime(&gnutls_srp_1024_group_prime, NULL); + + test_prime(&gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_q); + test_prime(&gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_q); + test_prime(&gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_q); + test_prime(&gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_q); + test_prime(&gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_q); return 0; } -- 2.27.0 ++++++ 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch ++++++ From 23756c8580dff99d0856adca49dd22a55352ad62 Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Sat, 18 Jul 2020 08:26:48 +0200 Subject: [PATCH 5/5] ecdh: perform SP800-56A rev3 full pubkey validation on keygen This implements full public key validation required in SP800-56A rev3, section 5.6.2.3.3. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/nettle/pk.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 180 insertions(+), 2 deletions(-) Index: gnutls-3.6.7/lib/nettle/pk.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/pk.c 2020-09-03 14:20:20.265198684 +0200 +++ gnutls-3.6.7/lib/nettle/pk.c 2020-09-03 14:20:20.301198910 +0200 @@ -1316,6 +1316,80 @@ static inline const struct ecc_curve *ge } } +static inline const char *get_supported_nist_curve_order(int curve) +{ + static const struct { + int curve; + const char *order; + } orders[] = { +#ifdef ENABLE_NON_SUITEB_CURVES + { GNUTLS_ECC_CURVE_SECP192R1, + "ffffffffffffffffffffffff99def836" + "146bc9b1b4d22831" }, + { GNUTLS_ECC_CURVE_SECP224R1, + "ffffffffffffffffffffffffffff16a2" + "e0b8f03e13dd29455c5c2a3d" }, +#endif + { GNUTLS_ECC_CURVE_SECP256R1, + "ffffffff00000000ffffffffffffffff" + "bce6faada7179e84f3b9cac2fc632551" }, + { GNUTLS_ECC_CURVE_SECP384R1, + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffc7634d81f4372ddf" + "581a0db248b0a77aecec196accc52973" }, + { GNUTLS_ECC_CURVE_SECP521R1, + "1fffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "ffa51868783bf2f966b7fcc0148f709a" + "5d03bb5c9b8899c47aebb6fb71e91386" + "409" }, + }; + size_t i; + + for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) { + if (orders[i].curve == curve) + return orders[i].order; + } + return NULL; +} + +static inline const char *get_supported_nist_curve_modulus(int curve) +{ + static const struct { + int curve; + const char *order; + } orders[] = { +#ifdef ENABLE_NON_SUITEB_CURVES + { GNUTLS_ECC_CURVE_SECP192R1, + "fffffffffffffffffffffffffffffffe" + "ffffffffffffffff" }, + { GNUTLS_ECC_CURVE_SECP224R1, + "ffffffffffffffffffffffffffffffff" + "000000000000000000000001" }, +#endif + { GNUTLS_ECC_CURVE_SECP256R1, + "ffffffff000000010000000000000000" + "00000000ffffffffffffffffffffffff" }, + { GNUTLS_ECC_CURVE_SECP384R1, + "ffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffe" + "ffffffff0000000000000000ffffffff" }, + { GNUTLS_ECC_CURVE_SECP521R1, + "1ff" + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" }, + }; + size_t i; + + for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) { + if (orders[i].curve == curve) + return orders[i].order; + } + return NULL; +} + static inline const struct ecc_curve *get_supported_gost_curve(int curve) { switch (curve) { @@ -2228,6 +2302,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a struct ecc_scalar key; struct ecc_point pub; const struct ecc_curve *curve; + struct ecc_scalar n; + struct ecc_scalar m; + struct ecc_point r; + mpz_t x, y, xx, yy, nn, mm; curve = get_supported_nist_curve(level); if (curve == NULL) @@ -2235,8 +2313,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a gnutls_assert_val (GNUTLS_E_ECC_UNSUPPORTED_CURVE); + mpz_init(x); + mpz_init(y); + mpz_init(xx); + mpz_init(yy); + mpz_init(nn); + mpz_init(mm); + ecc_scalar_init(&key, curve); ecc_point_init(&pub, curve); + ecc_scalar_init(&n, curve); + ecc_scalar_init(&m, curve); + ecc_point_init(&r, curve); ecdsa_generate_keypair(&pub, &key, NULL, rnd_func); if (HAVE_LIB_ERROR()) { @@ -2254,15 +2342,105 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a params->curve = level; params->params_nr = ECC_PRIVATE_PARAMS; - ecc_point_get(&pub, TOMPZ(params->params[ECC_X]), - TOMPZ(params->params[ECC_Y])); + ecc_point_get(&pub, x, y); + +#ifdef ENABLE_FIPS140 + if (_gnutls_fips_mode_enabled()) { + /* Perform ECC full public key validation checks + * according to SP800-56A (revision 3), 5.6.2.3.3. + */ + + const char *order, *modulus; + + /* Step 1: verify that Q is not an identity + * element (an infinity point). Note that this + * cannot happen in the nettle implementation, + * because it cannot represent an infinity point + * on curves. */ + if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) { + ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + goto ecc_fail; + } + + /* Step 2: verify that both coordinates of Q are + * in the range [0, p - 1]. + * + * Step 3: verify that Q lie on the curve + * + * Both checks are performed in nettle. */ + if (!ecc_point_set(&r, x, y)) { + ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + goto ecc_fail; + } + + /* Step 4: verify that n * Q, where n is the + * curve order, result in an identity element + * + * Since nettle internally cannot represent an + * identity element on curves, we validate this + * instead: + * + * (n - 1) * Q = -Q + * + * That effectively means: n * Q = -Q + Q = O + */ + order = get_supported_nist_curve_order(level); + if (unlikely(order == NULL)) { + ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + goto ecc_fail; + } + + ret = mpz_set_str(nn, order, 16); + if (unlikely(ret < 0)) { + ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); + goto ecc_fail; + } + + modulus = get_supported_nist_curve_modulus(level); + if (unlikely(modulus == NULL)) { + ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + goto ecc_fail; + } + + ret = mpz_set_str(mm, modulus, 16); + if (unlikely(ret < 0)) { + ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); + goto ecc_fail; + } + + /* (n - 1) * Q = -Q */ + mpz_sub_ui (nn, nn, 1); + ecc_scalar_set(&n, nn); + ecc_point_mul(&r, &n, &r); + ecc_point_get(&r, xx, yy); + mpz_sub (mm, mm, y); + + if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) { + ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + goto ecc_fail; + } + } +#endif + + mpz_set(TOMPZ(params->params[ECC_X]), x); + mpz_set(TOMPZ(params->params[ECC_Y]), y); + ecc_scalar_get(&key, TOMPZ(params->params[ECC_K])); ret = 0; ecc_fail: + mpz_clear(x); + mpz_clear(y); + mpz_clear(xx); + mpz_clear(yy); + mpz_clear(nn); + mpz_clear(mm); ecc_point_clear(&pub); ecc_scalar_clear(&key); + ecc_point_clear(&r); + ecc_scalar_clear(&n); + ecc_scalar_clear(&m); if (ret < 0) goto fail; ++++++ 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch ++++++ From e07061b29a75ff94f0dbf85ec44f7ad6c04761fa Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo(a)redhat.com> Date: Wed, 22 May 2019 15:08:45 -0400 Subject: [PATCH 6/6] Pass down Q for FFDHE in al pre TLS1.3 as well Signed-off-by: Simo Sorce <simo(a)redhat.com> --- lib/auth/dh_common.c | 18 ++++++++++++++++-- lib/dh.c | 26 ++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c index 2058d81e59..19c205bbe8 100644 --- a/lib/auth/dh_common.c +++ b/lib/auth/dh_common.c @@ -182,10 +182,11 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, uint8_t * data, size_t _data_size) { uint16_t n_Y, n_g, n_p; - size_t _n_Y, _n_g, _n_p; + size_t _n_Y, _n_g, _n_p, _n_q; uint8_t *data_p; uint8_t *data_g; uint8_t *data_Y; + uint8_t *data_q = NULL; int i, bits, ret, p_bits; unsigned j; ssize_t data_size = _data_size; @@ -245,6 +246,8 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, session->internals.hsk_flags |= HSK_USED_FFDHE; _gnutls_session_group_set(session, session->internals.priorities->groups.entry[j]); session->key.proto.tls12.dh.params.qbits = *session->internals.priorities->groups.entry[j]->q_bits; + data_q = session->internals.priorities->groups.entry[j]->q->data; + _n_q = session->internals.priorities->groups.entry[j]->q->size; break; } } @@ -265,8 +268,19 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, _gnutls_mpi_release(&session->key.proto.tls12.dh.params.params[DH_G]); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } + if (data_q && _gnutls_mpi_init_scan_nz( + &session->key.proto.tls12.dh.params.params[DH_Q], + data_q, _n_q) != 0) { + /* we release now because params_nr is not yet set */ + _gnutls_mpi_release( + &session->key.proto.tls12.dh.params.params[DH_P]); + _gnutls_mpi_release( + &session->key.proto.tls12.dh.params.params[DH_G]); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } - session->key.proto.tls12.dh.params.params_nr = 3; /* include empty q */ + /* include, possibly empty, q */ + session->key.proto.tls12.dh.params.params_nr = 3; session->key.proto.tls12.dh.params.algo = GNUTLS_PK_DH; if (!(session->internals.hsk_flags & HSK_USED_FFDHE)) { diff --git a/lib/dh.c b/lib/dh.c index 06bc2e1be4..ded939d0d4 100644 --- a/lib/dh.c +++ b/lib/dh.c @@ -37,7 +37,7 @@ static int set_dh_pk_params(gnutls_session_t session, bigint_t g, bigint_t p, - unsigned q_bits) + bigint_t q, unsigned q_bits) { /* just in case we are resuming a session */ gnutls_pk_params_release(&session->key.proto.tls12.dh.params); @@ -54,7 +54,16 @@ int set_dh_pk_params(gnutls_session_t session, bigint_t g, bigint_t p, return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } - session->key.proto.tls12.dh.params.params_nr = 3; /* include empty q */ + if (q) { + session->key.proto.tls12.dh.params.params[DH_Q] = _gnutls_mpi_copy(q); + if (session->key.proto.tls12.dh.params.params[DH_Q] == NULL) { + _gnutls_mpi_release(&session->key.proto.tls12.dh.params.params[DH_P]); + _gnutls_mpi_release(&session->key.proto.tls12.dh.params.params[DH_G]); + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + } + } + /* include, possibly empty, q */ + session->key.proto.tls12.dh.params.params_nr = 3; session->key.proto.tls12.dh.params.algo = GNUTLS_PK_DH; session->key.proto.tls12.dh.params.qbits = q_bits; @@ -70,7 +79,7 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params, gnutls_params_function * func, gnutls_sec_param_t sec_param) { gnutls_params_st params; - bigint_t p, g; + bigint_t p, g, q = NULL; unsigned free_pg = 0; int ret; unsigned q_bits = 0, i; @@ -100,6 +109,14 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params, goto cleanup; } + ret = _gnutls_mpi_init_scan_nz(&q, + session->internals.priorities->groups.entry[i]->q->data, + session->internals.priorities->groups.entry[i]->q->size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + session->internals.hsk_flags |= HSK_USED_FFDHE; q_bits = *session->internals.priorities->groups.entry[i]->q_bits; goto finished; @@ -158,7 +175,7 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params, finished: _gnutls_dh_save_group(session, g, p); - ret = set_dh_pk_params(session, g, p, q_bits); + ret = set_dh_pk_params(session, g, p, q, q_bits); if (ret < 0) { gnutls_assert(); } @@ -166,6 +183,7 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params, cleanup: if (free_pg) { _gnutls_mpi_release(&p); + _gnutls_mpi_release(&q); _gnutls_mpi_release(&g); } if (params.deinit && params.type == GNUTLS_PARAMS_DH) -- 2.27.0 ++++++ baselibs.conf ++++++ libgnutls30 suggests "libgnutls30-hmac-<targettype> = <version>-%release" obsoletes "gnutls-<targettype>" libgnutls30-hmac requires "libgnutls30-<targettype> = <version>-%release" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls30-<targettype> = <version>" ++++++ disable-psk-file-test.patch ++++++ Index: gnutls-3.6.6/tests/Makefile.in =================================================================== --- gnutls-3.6.6.orig/tests/Makefile.in 2019-01-25 08:26:36.000000000 +0100 +++ gnutls-3.6.6/tests/Makefile.in 2019-02-04 09:02:38.627539105 +0100 @@ -480,7 +480,7 @@ am__EXEEXT_12 = tls13/supported_versions pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \ x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \ x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \ - oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) psk-file$(EXEEXT) \ + oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) \ priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \ status-request$(EXEEXT) status-request-ok$(EXEEXT) \ status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \ @@ -1652,8 +1652,6 @@ privkey_verify_broken_OBJECTS = privkey- privkey_verify_broken_LDADD = $(LDADD) privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ libutils.la $(am__DEPENDENCIES_2) -psk_file_SOURCES = psk-file.c -psk_file_OBJECTS = psk-file.$(OBJEXT) psk_file_LDADD = $(LDADD) psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ $(am__DEPENDENCIES_2) @@ -2841,7 +2839,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts ./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \ ./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \ ./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \ - ./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \ + ./$(DEPDIR)/privkey-verify-broken.Po \ ./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \ ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/rawpk-api.Po \ ./$(DEPDIR)/record-pad.Po ./$(DEPDIR)/record-retvals.Po \ @@ -3153,7 +3151,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $ post-client-hello-change-prio.c prf.c priorities.c \ priorities-groups.c priority-init2.c priority-mix.c \ priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ @@ -3323,7 +3321,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S post-client-hello-change-prio.c prf.c priorities.c \ priorities-groups.c priority-init2.c priority-mix.c \ priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ @@ -4915,7 +4913,7 @@ ctests = tls13/supported_versions tls13/ gnutls_ocsp_resp_list_import2 server-sign-md5-rep \ privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ - mini-alignment oids atfork prf psk-file priority-init2 \ + mini-alignment oids atfork prf priority-init2 \ post-client-hello-change-prio status-request status-request-ok \ status-request-missing sign-verify-ext fallback-scsv \ pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \ @@ -6099,10 +6097,6 @@ privkey-verify-broken$(EXEEXT): $(privke @rm -f privkey-verify-broken$(EXEEXT) $(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS) -psk-file$(EXEEXT): $(psk_file_OBJECTS) $(psk_file_DEPENDENCIES) $(EXTRA_psk_file_DEPENDENCIES) - @rm -f psk-file$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(psk_file_OBJECTS) $(psk_file_LDADD) $(LIBS) - pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) @rm -f pskself$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS) @@ -7133,7 +7127,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk-file.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker @@ -9258,13 +9251,6 @@ prf.log: prf$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -psk-file.log: psk-file$(EXEEXT) - @p='psk-file$(EXEEXT)'; \ - b='psk-file'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) priority-init2.log: priority-init2$(EXEEXT) @p='priority-init2$(EXEEXT)'; \ b='priority-init2'; \ @@ -11316,7 +11302,6 @@ distclean: distclean-recursive -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po - -rm -f ./$(DEPDIR)/psk-file.Po -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po @@ -11766,7 +11751,6 @@ maintainer-clean: maintainer-clean-recur -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po - -rm -f ./$(DEPDIR)/psk-file.Po -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po ++++++ gnutls-3.5.11-skip-trust-store-tests.patch ++++++ From: Andreas Stieger <astieger(a)suse.com> Date: Thu, 18 May 2017 10:31:42 +0200 References: https://build.opensuse.org/request/show/493998 Upstream: never trust-store test added in https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c… need ca-certificates-mozilla to run. [ 242s] FAIL: trust-store [ 242s] ================= [ 242s] [ 242s] doit:64: no certificates were found in system trust store! [ 242s] FAIL trust-store (exit status: 1) But this would create a build cycle. Skip test. Index: gnutls-3.5.11/tests/trust-store.c =================================================================== --- gnutls-3.5.11.orig/tests/trust-store.c 2017-04-07 07:52:07.000000000 +0200 +++ gnutls-3.5.11/tests/trust-store.c 2017-05-18 10:33:53.537598763 +0200 @@ -44,6 +44,9 @@ static void tls_log_func(int level, cons void doit(void) { + /* building without ca-certificates-mozilla, skip test */ + exit(77); + gnutls_certificate_credentials_t x509_cred; int ret; ++++++ gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ++++++ Index: gnutls-3.6.7/tests/Makefile.am =================================================================== --- gnutls-3.6.7.orig/tests/Makefile.am +++ gnutls-3.6.7/tests/Makefile.am @@ -453,7 +453,7 @@ if !WINDOWS # List of tests not available/functional under windows # -dist_check_SCRIPTS += dtls/dtls dtls/dtls-resume #dtls/dtls-nb +dist_check_SCRIPTS += dtls/dtls #dtls/dtls-resume #dtls/dtls-nb indirect_tests += dtls-stress Index: gnutls-3.6.7/tests/Makefile.in =================================================================== --- gnutls-3.6.7.orig/tests/Makefile.in +++ gnutls-3.6.7/tests/Makefile.in @@ -165,7 +165,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # -@WINDOWS_FALSE@am__append_13 = dtls/dtls dtls/dtls-resume fastopen.sh \ +@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ @WINDOWS_FALSE@ starttls-pop3.sh starttls-xmpp.sh \ @@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ - dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \ + fastopen.sh pkgconfig.sh starttls.sh \ starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \ starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \ starttls-sieve.sh ocsp-tests/ocsp-tls-connection \ ++++++ gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch ++++++ Index: gnutls-3.6.7/m4/guile.m4 =================================================================== --- gnutls-3.6.7.orig/m4/guile.m4 +++ gnutls-3.6.7/m4/guile.m4 @@ -177,7 +177,7 @@ AC_DEFUN([GUILE_SITE_DIR], [AC_REQUIRE([GUILE_PKG]) AC_REQUIRE([GUILE_PROGS]) AC_MSG_CHECKING(for Guile site directory) - GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` + GUILE_SITE=/usr/share/guile AC_MSG_RESULT($GUILE_SITE) if test "$GUILE_SITE" = ""; then AC_MSG_FAILURE(sitedir not found) ++++++ gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch ++++++ Index: gnutls-3.6.7/lib/nettle/backport/cfb8.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/backport/cfb8.c +++ gnutls-3.6.7/lib/nettle/backport/cfb8.c @@ -106,10 +106,12 @@ cfb8_decrypt(const void *ctx, nettle_cip src += i; dst += i; - memcpy(buffer, buffer + block_size, block_size); - memcpy(buffer + block_size, src, - length < block_size ? length : block_size); - + if (i == block_size) + { + memcpy(buffer, buffer + block_size, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + } } memcpy(iv, buffer + i, block_size); ++++++ gnutls-3.6.7-fips-rsa-4096.patch ++++++ diff -Nurp gnutls-3.6.7-orig/lib/nettle/int/rsa-keygen-fips186.c gnutls-3.6.7/lib/nettle/int/rsa-keygen-fips186.c --- gnutls-3.6.7-orig/lib/nettle/int/rsa-keygen-fips186.c 2019-01-05 12:28:47.000000000 +0100 +++ gnutls-3.6.7/lib/nettle/int/rsa-keygen-fips186.c 2020-05-08 23:39:04.206472627 +0200 @@ -269,7 +269,8 @@ _rsa_generate_fips186_4_keypair(struct r FIPS_RULE(n_size == 2048 && seed_length != 14 * 2, 0, "seed length other than 28 bytes\n"); FIPS_RULE(n_size == 3072 && seed_length != 16 * 2, 0, "seed length other than 32 bytes\n"); - FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "unsupported size for modulus\n"); + FIPS_RULE(n_size == 4096 && seed_length != 24 * 2, 0, "seed length other than 48 bytes\n"); + FIPS_RULE(n_size != 2048 && n_size != 3072 && n_size != 4096, 0, "unsupported size for modulus\n"); if (!mpz_tstbit(pub->e, 0)) { _gnutls_debug_log("Unacceptable e (it is even)\n"); @@ -407,7 +408,7 @@ rsa_generate_fips186_4_keypair(struct rs unsigned seed_length; int ret; - FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n"); + FIPS_RULE(n_size != 2048 && n_size != 3072 && n_size != 4096, 0, "size of prime of other than 2048, 3072 or 4096\n"); seed_length = SEED_LENGTH(n_size); if (seed_length > sizeof(seed)) ++++++ gnutls-CVE-2020-11501.patch ++++++ From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler(a)web.de> Date: Fri, 27 Mar 2020 17:17:57 +0100 Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This broke with bcf4de03 "handshake: treat reply to HRR as a reply to hello verify request", which failed to "De Morgan" properly. Signed-off-by: Stefan BÃ¼hler <stbuehler(a)web.de> --- lib/handshake.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: gnutls-3.6.7/lib/handshake.c =================================================================== --- gnutls-3.6.7.orig/lib/handshake.c 2020-04-02 10:41:59.591316756 +0200 +++ gnutls-3.6.7/lib/handshake.c 2020-04-02 10:43:41.263818988 +0200 @@ -2221,7 +2221,7 @@ static int send_client_hello(gnutls_sess /* Generate random data */ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && - !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) { + !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) { ret = _gnutls_gen_client_random(session); if (ret < 0) { gnutls_assert(); ++++++ gnutls-CVE-2020-13777.patch ++++++ From c2646aeee94e71cb15c90a3147cf3b5b0ca158ca Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno(a)gnu.org> Date: Tue, 2 Jun 2020 20:53:11 +0200 Subject: [PATCH 1/2] stek: differentiate initial state from valid time window of TOTP There was a confusion in the TOTP implementation in stek.c. When the mechanism is initialized at the first time, it records the timestamp but doesn't initialize the key. This removes the timestamp recording at the initialization phase, so the key is properly set later. Signed-off-by: Daiki Ueno <ueno(a)gnu.org> --- lib/stek.c | 17 +++++------------ tests/resume-with-previous-stek.c | 4 ++-- 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/lib/stek.c b/lib/stek.c index 2f885cee37..5ab9e7d2d1 100644 --- a/lib/stek.c +++ b/lib/stek.c @@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con if (unlikely(session == NULL || key == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - if (session->key.totp.last_result == 0) { - int64_t t; - memcpy(session->key.initial_stek, key->data, key->size); - t = totp_next(session); - if (t < 0) - return gnutls_assert_val(t); + if (unlikely(session->key.totp.last_result != 0)) + return GNUTLS_E_INVALID_REQUEST; - session->key.totp.last_result = t; - session->key.totp.was_rotated = 0; - - return GNUTLS_E_SUCCESS; - } + memcpy(session->key.initial_stek, key->data, key->size); - return GNUTLS_E_INVALID_REQUEST; + session->key.totp.was_rotated = 0; + return 0; } /* diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c index f212b188b9..05c1c90868 100644 --- a/tests/resume-with-previous-stek.c +++ b/tests/resume-with-previous-stek.c @@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio) serverx509cred = NULL; } - if (num_stek_rotations != 2) - fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations); + if (num_stek_rotations != 3) + fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations); if (serverx509cred) gnutls_certificate_free_credentials(serverx509cred); -- 2.25.0 ++++++ gnutls-CVE-2020-24659.patch ++++++ commit 521e6492b9bbc8ec1519924526942cf2fc719497 Author: Daiki Ueno <ueno(a)gnu.org> Date: Sat Aug 22 17:19:39 2020 +0200 handshake: reject no_renegotiation alert if handshake is incomplete If the initial handshake is incomplete and the server sends a no_renegotiation alert, the client should treat it as a fatal error even if its level is warning. Otherwise the same handshake state (e.g., DHE parameters) are reused in the next gnutls_handshake call, if it is called in the loop idiom: do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); Signed-off-by: Daiki Ueno <ueno(a)gnu.org> Index: gnutls-3.6.7/lib/gnutls_int.h =================================================================== --- gnutls-3.6.7.orig/lib/gnutls_int.h 2020-09-14 14:48:26.817591531 +0200 +++ gnutls-3.6.7/lib/gnutls_int.h 2020-09-14 14:48:59.497822903 +0200 @@ -1360,6 +1360,7 @@ typedef struct { #define HSK_RECORD_SIZE_LIMIT_NEGOTIATED (1<<24) #define HSK_RECORD_SIZE_LIMIT_SENT (1<<25) /* record_size_limit extension was sent */ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */ +#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */ /* The hsk_flags are for use within the ongoing handshake; * they are reset to zero prior to handshake start by gnutls_handshake. */ Index: gnutls-3.6.7/lib/handshake.c =================================================================== --- gnutls-3.6.7.orig/lib/handshake.c 2020-09-14 14:48:25.789584252 +0200 +++ gnutls-3.6.7/lib/handshake.c 2020-09-14 14:50:23.626418528 +0200 @@ -2038,6 +2038,8 @@ read_server_hello(gnutls_session_t sessi goto cleanup; } + session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED; + cleanup: return ret; @@ -2636,16 +2638,42 @@ int gnutls_rehandshake(gnutls_session_t return 0; } +/* This function checks whether the error code should be treated fatal + * or not, and also does the necessary state transition. In + * particular, in the case of a rehandshake abort it resets the + * handshake's internal state. + */ inline static int _gnutls_abort_handshake(gnutls_session_t session, int ret) { - if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && - (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) - || ret == GNUTLS_E_GOT_APPLICATION_DATA) - return 0; + switch (ret) { + case GNUTLS_E_WARNING_ALERT_RECEIVED: + if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) { + /* The server always toleretes a "no_renegotiation" alert. */ + if (session->security_parameters.entity == GNUTLS_SERVER) { + STATE = STATE0; + return ret; + } - /* this doesn't matter */ - return GNUTLS_E_INTERNAL_ERROR; + /* The client should tolerete a "no_renegotiation" alert only if: + * - the initial handshake has completed, or + * - a Server Hello is not yet received + */ + if (session->internals.initial_negotiation_completed || + !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) { + STATE = STATE0; + return ret; + } + + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); + } + return ret; + case GNUTLS_E_GOT_APPLICATION_DATA: + STATE = STATE0; + return ret; + default: + return ret; + } } @@ -2807,13 +2835,7 @@ int gnutls_handshake(gnutls_session_t se } if (ret < 0) { - /* In the case of a rehandshake abort - * we should reset the handshake's internal state. - */ - if (_gnutls_abort_handshake(session, ret) == 0) - STATE = STATE0; - - return ret; + return _gnutls_abort_handshake(session, ret); } /* clear handshake buffer */ ++++++ gnutls-FIPS-TLS_KDF_selftest.patch ++++++ Index: gnutls-3.6.7/lib/fips.c =================================================================== --- gnutls-3.6.7.orig/lib/fips.c 2020-09-15 09:15:32.886124297 +0200 +++ gnutls-3.6.7/lib/fips.c 2020-09-17 13:58:47.296445329 +0200 @@ -374,6 +374,28 @@ int _gnutls_fips_perform_self_checks2(vo goto error; } + /* KDF */ + + char derived[512]; + + gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 }; + gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 }; + gnutls_datum_t label = { (void *)"test label", 10 }; + gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 }; + + ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data, + label.size, (char*)label.data, seed.size, seed.data, expected.size, derived); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = memcmp(derived, expected.data, expected.size); + if (ret != 0) { + gnutls_assert(); + goto error; + } + /* PK */ ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); if (ret < 0) { ++++++ gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch ++++++ Index: gnutls-3.6.7/lib/crypto-selftests-pk.c =================================================================== --- gnutls-3.6.7.orig/lib/crypto-selftests-pk.c 2019-03-15 10:10:27.000000000 +0100 +++ gnutls-3.6.7/lib/crypto-selftests-pk.c 2020-09-18 15:08:10.741122343 +0200 @@ -571,18 +571,93 @@ static int test_dh(void) gnutls_pk_params_st pub; gnutls_datum_t out = {NULL, 0}; static const uint8_t known_dh_k[] = { - 0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb, - 0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62}; + 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, + 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, + 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, + 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, + 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, + 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, + 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, + 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, + 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, + 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, + 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, + 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, + 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, + 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, + 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, + 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, + 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, + 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, + 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, + 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, + 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, + 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, + 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, + 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, + 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, + 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, + 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, + 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, + 0x23, 0xa1, 0x30, 0x57, 0xf0, 0x2e, 0x24, 0xf0, + 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, + 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, + 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b + }; static const uint8_t test_p[] = { - 0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4, - 0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d }; + 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, + 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, + 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, + 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, + 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, + 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, + 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, + 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, + 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, + 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, + 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, + 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, + 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, + 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, + 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, + 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, + 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, + 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, + 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, + 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, + 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, + 0x4B, 0xD8, 0x37, 0xEB + }; static const uint8_t test_g[] = { 0x02 }; static const uint8_t test_x[] = { - 0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b, - 0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe }; + 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, + 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, + 0xEC, 0x55, 0xF6, 0xCC + }; static const uint8_t test_y[] = { /* y=g^x mod p */ - 0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1, - 0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 }; + 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, + 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, + 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, + 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, + 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, + 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, + 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, + 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, + 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, + 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, + 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, + 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, + 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, + 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, + 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, + 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, + 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, + 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, + 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, + 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, + 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, + 0x36, 0x9E, 0xDA, 0xD2 + }; gnutls_pk_params_init(&priv); gnutls_pk_params_init(&pub); ++++++ gnutls-fips_XTS_key_check.patch ++++++ Index: gnutls-3.6.7/lib/nettle/backport/xts.c =================================================================== --- gnutls-3.6.7.orig/lib/nettle/backport/xts.c 2020-04-07 11:11:54.506109418 +0200 +++ gnutls-3.6.7/lib/nettle/backport/xts.c 2020-04-07 16:52:48.543404370 +0200 @@ -203,6 +203,8 @@ xts_decrypt_message(const void *dec_ctx, void xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { + /* FIPS requires that the key and the tweak must not be non-equal */ + assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0); aes128_set_encrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } @@ -210,6 +212,8 @@ xts_aes128_set_encrypt_key(struct xts_ae void xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { + /* FIPS requires that the key and the tweak must not be non-equal */ + assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0); aes128_set_decrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } @@ -238,6 +242,8 @@ xts_aes128_decrypt_message(struct xts_ae void xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { + /* FIPS requires that the key and the tweak must not be non-equal */ + assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0); aes256_set_encrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } @@ -245,6 +251,8 @@ xts_aes256_set_encrypt_key(struct xts_ae void xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { + /* FIPS requires that the key and the tweak must not be non-equal */ + assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0); aes256_set_decrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } ++++++ gnutls-fips_mode_enabled.patch ++++++ Index: gnutls-3.6.7/lib/fips.c =================================================================== --- gnutls-3.6.7.orig/lib/fips.c 2020-04-07 11:11:54.490109339 +0200 +++ gnutls-3.6.7/lib/fips.c 2020-04-21 14:54:51.262199739 +0200 @@ -38,7 +38,6 @@ unsigned int _gnutls_lib_state = LIB_STA #include <dlfcn.h> #define FIPS_KERNEL_FILE "/proc/sys/crypto/fips_enabled" -#define FIPS_SYSTEM_FILE "/etc/system-fips" /* We provide a per-thread FIPS-mode so that an application * can use gnutls_fips140_set_mode() to override a specific @@ -53,7 +52,7 @@ static int _skip_integrity_checks = 0; */ unsigned _gnutls_fips_mode_enabled(void) { - unsigned f1p = 0, f2p; + unsigned f1p = 0; FILE* fd; const char *p; unsigned ret; @@ -80,7 +79,7 @@ unsigned _gnutls_fips_mode_enabled(void) p = secure_getenv("GNUTLS_FORCE_FIPS_MODE"); if (p) { if (p[0] == '1') - ret = 1; + ret = GNUTLS_FIPS140_STRICT; else if (p[0] == '2') ret = GNUTLS_FIPS140_SELFTESTS; else if (p[0] == '3') @@ -102,22 +101,12 @@ unsigned _gnutls_fips_mode_enabled(void) else f1p = 0; } - f2p = !access(FIPS_SYSTEM_FILE, F_OK); - - if (f1p != 0 && f2p != 0) { + if (f1p != 0) { _gnutls_debug_log("FIPS140-2 mode enabled\n"); ret = GNUTLS_FIPS140_STRICT; goto exit; } - if (f2p != 0) { - /* a funny state where self tests are performed - * and ignored */ - _gnutls_debug_log("FIPS140-2 ZOMBIE mode enabled\n"); - ret = GNUTLS_FIPS140_SELFTESTS; - goto exit; - } - ret = GNUTLS_FIPS140_DISABLED; goto exit;

1 0

commit libssh2_org for openSUSE:Leap:15.2:Update
by User for buildservice source handling 01 Dec '20

01 Dec '20

Hello community, here is the log from the commit of package libssh2_org for openSUSE:Leap:15.2:Update checked in at 2020-12-01 06:25:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/libssh2_org (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.libssh2_org.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libssh2_org" Tue Dec 1 06:25:37 2020 rev:1 rq:851401 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _link ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ <link package='libssh2_org.15168' cicount='copy' />

1 0

commit 00Meta for openSUSE:Leap:15.1:Images
by User for buildservice source handling 01 Dec '20

01 Dec '20

Hello community, here is the log from the commit of package 00Meta for openSUSE:Leap:15.1:Images checked in at 2020-12-01 05:15:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Images/00Meta (Old) and /work/SRC/openSUSE:Leap:15.1:Images/.00Meta.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "00Meta" Tue Dec 1 05:15:34 2020 rev:602 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ version_totest ++++++ --- /var/tmp/diff_new_pack.r5Q8vr/_old 2020-12-01 05:15:36.426278584 +0100 +++ /var/tmp/diff_new_pack.r5Q8vr/_new 2020-12-01 05:15:36.426278584 +0100 @@ -1 +1 @@ -8.12.193 \ No newline at end of file +8.12.194 \ No newline at end of file

1 0

commit mutt for openSUSE:Leap:15.1:Update
by User for buildservice source handling 01 Dec '20

01 Dec '20

Hello community, here is the log from the commit of package mutt for openSUSE:Leap:15.1:Update checked in at 2020-12-01 01:42:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/mutt (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.mutt.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mutt" Tue Dec 1 01:42:20 2020 rev:2 rq:851931 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.rvOjen/_old 2020-12-01 01:42:21.567084983 +0100 +++ /var/tmp/diff_new_pack.rvOjen/_new 2020-12-01 01:42:21.567084983 +0100 @@ -1 +1 @@ -<link package='mutt.12985' cicount='copy' /> +<link package='mutt.15190' cicount='copy' />

1 0

Jump to page: