import gnutls-3.6.14-6.el8

CentOS Sources 2020-11-03 06:49:12 -05:00 committed by Andrew Lukoshko
parent 851c991dda
commit 5a71e1e561
26 changed files with 10770 additions and 6137 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/gnutls-3.6.8.tar.xz SOURCES/gnutls-3.6.14.tar.xz
SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg


@ -1,2 +1,2 @@
e1243188791af409bca118d31faf3ec3d5f0a5ab SOURCES/gnutls-3.6.8.tar.xz bea1b5abcb691acf014e592f41d0a9580a41216a SOURCES/gnutls-3.6.14.tar.xz
e6f8a1400839ce7b4021cdd0f8d08d71b0693486 SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg 648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg


@ -1,29 +0,0 @@
From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
Date: Fri, 27 Mar 2020 17:17:57 +0100
Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
hello verify request", which failed to "De Morgan" properly.
Signed-off-by: Stefan Bühler <stbuehler@web.de>
---
lib/handshake.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: gnutls-3.6.8/lib/handshake.c
===================================================================
--- gnutls-3.6.8.orig/lib/handshake.c
+++ gnutls-3.6.8/lib/handshake.c
@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_sess
/* Generate random data
*/
if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
- !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
+ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
ret = _gnutls_gen_client_random(session);
if (ret < 0) {
gnutls_assert();



@ -0,0 +1,36 @@
From cf1de82bedd01c01e70921699c84a473b08d0dab Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 1 Jun 2020 17:23:59 +0200
Subject: [PATCH] serv: omit upper bound of --maxearlydata option definition
It turned out that AutoGen treats numbers that exceed INT_MAX in a
platform dependent way. In this case, 4294967295 (UINT_MAX) is
treated as is on 64-bit platforms, while it is interpreted as "-1" on
32-bit platforms. This causes a problem when the program
documentation is compiled under multilib environment.
Reported by Ivan Molodetskikh in:
https://bugzilla.redhat.com/show_bug.cgi?id=1841844
and the cause was identified by Anderson Toshiyuki Sasaki.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
src/serv-args.def | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/serv-args.def b/src/serv-args.def
index 996fbe36b..a584085e2 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -51,7 +51,7 @@ flag = {
flag = {
name = maxearlydata;
arg-type = number;
- arg-range = "1->4294967295";
+ arg-range = "1->";
descrip = "The maximum early data size to accept";
doc = "";
};
--
2.26.2
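Review bot: With `arg-range = "1->";` the option parser no longer rejects values above 4294967295, so the bound that AutoGen used to enforce now has to be enforced wherever serv.c stores the parsed number; if that destination is narrower than the parsed type, an oversized value would be truncated rather than refused. Recording the reason next to the range, e.g. `/* no upper bound: AutoGen treats numbers above INT_MAX in a platform-dependent way; the consumer must validate the value */`, would keep a later maintainer from restoring it. The consumer of this option is not part of the hunk.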


@ -0,0 +1,676 @@
From bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 10 Jul 2020 09:35:49 +0200
Subject: [PATCH 1/5] dh: check validity of Z before export
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 57a8560ed..08c7d4860 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -288,7 +288,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
switch (algo) {
case GNUTLS_PK_DH: {
bigint_t f, x, q, prime;
- bigint_t k = NULL, ff = NULL, r = NULL;
+ bigint_t k = NULL, primesub1 = NULL, r = NULL;
unsigned int bits;
if (nonce != NULL)
@@ -299,21 +299,20 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
q = priv->params[DH_Q];
prime = priv->params[DH_P];
- ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL);
+ ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_mpi_add_ui(ff, f, 1);
+ ret = _gnutls_mpi_sub_ui(primesub1, prime, 1);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
- /* check if f==0,1, or f >= p-1.
- * or (ff=f+1) equivalently ff==1,2, ff >= p */
- if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
- || (_gnutls_mpi_cmp_ui(ff, 1) == 0)
- || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
+ /* check if f==0,1, or f >= p-1 */
+ if ((_gnutls_mpi_cmp_ui(f, 1) == 0)
+ || (_gnutls_mpi_cmp_ui(f, 0) == 0)
+ || (_gnutls_mpi_cmp(f, primesub1) >= 0)) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto dh_cleanup;
@@ -354,6 +353,15 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
goto dh_cleanup;
}
+ /* check if k==0,1, or k = p-1 */
+ if ((_gnutls_mpi_cmp_ui(k, 1) == 0)
+ || (_gnutls_mpi_cmp_ui(k, 0) == 0)
+ || (_gnutls_mpi_cmp(k, primesub1) == 0)) {
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto dh_cleanup;
+ }
+
if (flags & PK_DERIVE_TLS13) {
ret =
_gnutls_mpi_dprint_size(k, out,
@@ -370,7 +378,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
ret = 0;
dh_cleanup:
_gnutls_mpi_release(&r);
- _gnutls_mpi_release(&ff);
+ _gnutls_mpi_release(&primesub1);
zrelease_temp_mpi_key(&k);
if (ret < 0)
goto cleanup;
--
2.26.2
From 13202600d3e42258d8758b05ff45a3e3d0f07e4e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 10 Jul 2020 09:42:30 +0200
Subject: [PATCH 2/5] ecdh: check validity of P before export
SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of
the calculated shared secret is verified before the data is returned
to the caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 08c7d4860..7f0fa8e03 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -229,25 +229,38 @@ _gost_params_to_pubkey(const gnutls_pk_params_st * pk_params,
}
#endif
-static void
+static int
ecc_shared_secret(struct ecc_scalar *private_key,
struct ecc_point *public_key, void *out, unsigned size)
{
struct ecc_point r;
- mpz_t x;
+ mpz_t x, y;
+ int ret = 0;
mpz_init(x);
+ mpz_init(y);
ecc_point_init(&r, public_key->ecc);
ecc_point_mul(&r, private_key, public_key);
- ecc_point_get(&r, x, NULL);
+ ecc_point_get(&r, x, y);
+
+ /* Check if the point is not an identity element. Note that this cannot
+ * happen in nettle implementation, because it cannot represent an
+ * infinity point. */
+ if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto cleanup;
+ }
+
nettle_mpz_get_str_256(size, out, x);
+ cleanup:
mpz_clear(x);
+ mpz_clear(y);
ecc_point_clear(&r);
- return;
+ return ret;
}
#define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
@@ -423,8 +436,10 @@ dh_cleanup:
goto ecc_cleanup;
}
- ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
- out->size);
+ ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
+ out->size);
+ if (ret < 0)
+ gnutls_free(out->data);
ecc_cleanup:
ecc_point_clear(&ecc_pub);
--
2.26.2
From 245fb622e82bfa7b80d2cec7cafdbc65014ca3cb Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 17 Jul 2020 17:45:17 +0200
Subject: [PATCH 3/5] dh-primes: make the FIPS approved check return Q value
This is necessary for full public key validation in
SP800-56A (revision 3), section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/auth/dh_common.c | 2 +-
lib/dh-primes.c | 38 +++++++++++++++++++++++---------------
lib/dh.h | 10 ++++++----
3 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c
index 252eea0cb..fcd696d4d 100644
--- a/lib/auth/dh_common.c
+++ b/lib/auth/dh_common.c
@@ -259,7 +259,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session,
#ifdef ENABLE_FIPS140
if (gnutls_fips140_mode_enabled() &&
- !_gnutls_dh_prime_is_fips_approved(data_p, n_p, data_g, n_g)) {
+ !_gnutls_dh_prime_match_fips_approved(data_p, n_p, data_g, n_g, NULL, NULL)) {
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
diff --git a/lib/dh-primes.c b/lib/dh-primes.c
index a43a8e5de..a440b5b98 100644
--- a/lib/dh-primes.c
+++ b/lib/dh-primes.c
@@ -1894,25 +1894,28 @@ const gnutls_datum_t gnutls_modp_8192_group_generator = {
const unsigned int gnutls_modp_8192_key_bits = 512;
unsigned
-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
- size_t prime_size,
- const uint8_t *generator,
- size_t generator_size)
+_gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
+ size_t prime_size,
+ const uint8_t *generator,
+ size_t generator_size,
+ uint8_t **q,
+ size_t *q_size)
{
static const struct {
const gnutls_datum_t *prime;
const gnutls_datum_t *generator;
+ const gnutls_datum_t *q;
} primes[] = {
- { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator },
- { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator },
- { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator },
- { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator },
- { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator },
- { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator },
- { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator },
- { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator },
- { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator },
- { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator },
+ { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator, &gnutls_ffdhe_8192_group_q },
+ { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator, &gnutls_ffdhe_6144_group_q },
+ { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator, &gnutls_ffdhe_4096_group_q },
+ { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator, &gnutls_ffdhe_3072_group_q },
+ { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator, &gnutls_ffdhe_2048_group_q },
+ { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator, &gnutls_modp_8192_group_q },
+ { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator, &gnutls_modp_6144_group_q },
+ { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator, &gnutls_modp_4096_group_q },
+ { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator, &gnutls_modp_3072_group_q },
+ { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator, &gnutls_modp_2048_group_q },
};
size_t i;
@@ -1920,8 +1923,13 @@ _gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
if (primes[i].prime->size == prime_size &&
memcmp(primes[i].prime->data, prime, primes[i].prime->size) == 0 &&
primes[i].generator->size == generator_size &&
- memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0)
+ memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) {
+ if (q) {
+ *q = primes[i].q->data;
+ *q_size = primes[i].q->size;
+ }
return 1;
+ }
}
return 0;
diff --git a/lib/dh.h b/lib/dh.h
index 672451947..f5c2c0924 100644
--- a/lib/dh.h
+++ b/lib/dh.h
@@ -61,9 +61,11 @@ extern const gnutls_datum_t gnutls_modp_2048_group_generator;
extern const unsigned int gnutls_modp_2048_key_bits;
unsigned
-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
- size_t prime_size,
- const uint8_t *generator,
- size_t generator_size);
+_gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
+ size_t prime_size,
+ const uint8_t *generator,
+ size_t generator_size,
+ uint8_t **q,
+ size_t *q_size);
#endif /* GNUTLS_LIB_DH_H */
--
2.26.2
From 8b575625614fbe5a22b68dc8d1877efb1d44dd37 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 17 Jul 2020 17:47:06 +0200
Subject: [PATCH 4/5] dh: perform SP800-56A rev3 full pubkey validation on
keygen
This implements full public key validation required in SP800-56A rev3,
section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 7f0fa8e03..057836bc2 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -71,6 +71,7 @@
#include "int/dsa-compute-k.h"
#include <gnettle.h>
#include <fips.h>
+#include "dh.h"
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
@@ -2131,6 +2132,53 @@ edwards_curve_mul_g(gnutls_pk_algorithm_t algo,
}
}
+static inline int
+dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q)
+{
+ gnutls_datum_t prime = { NULL, 0 };
+ gnutls_datum_t generator = { NULL, 0 };
+ uint8_t *data_q;
+ size_t n_q;
+ bigint_t _q;
+ int ret = 0;
+
+ ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (!_gnutls_dh_prime_match_fips_approved(prime.data,
+ prime.size,
+ generator.data,
+ generator.size,
+ &data_q,
+ &n_q)) {
+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ goto cleanup;
+ }
+
+ if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) {
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto cleanup;
+ }
+
+ mpz_set(q, TOMPZ(_q));
+ _gnutls_mpi_release(&_q);
+
+ cleanup:
+ gnutls_free(prime.data);
+ gnutls_free(generator.data);
+
+ return ret;
+}
+
/* To generate a DH key either q must be set in the params or
* level should be set to the number of required bits.
*/
@@ -2212,6 +2260,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
mpz_t x, y;
int max_tries;
unsigned have_q = 0;
+ mpz_t q;
+ mpz_t primesub1;
+ mpz_t ypowq;
if (algo != params->algo)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -2229,6 +2280,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
mpz_init(x);
mpz_init(y);
+ mpz_init(q);
+ mpz_init(primesub1);
+ mpz_init(ypowq);
+
max_tries = 3;
do {
if (have_q) {
@@ -2260,8 +2315,40 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
ret = GNUTLS_E_LIB_IN_ERROR_STATE;
goto dh_fail;
}
+
} while(mpz_cmp_ui(y, 1) == 0);
+#ifdef ENABLE_FIPS140
+ if (_gnutls_fips_mode_enabled()) {
+ /* Perform FFC full public key validation checks
+ * according to SP800-56A (revision 3), 5.6.2.3.1.
+ */
+
+ /* Step 1: 2 <= y <= p - 2 */
+ mpz_sub_ui(primesub1, pub.p, 1);
+
+ if (mpz_cmp_ui(y, 2) < 0 || mpz_cmp(y, primesub1) >= 0) {
+ ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
+ goto dh_fail;
+ }
+
+ /* Step 2: 1 = y^q mod p */
+ if (have_q)
+ mpz_set(q, pub.q);
+ else {
+ ret = dh_find_q(params, q);
+ if (ret < 0)
+ goto dh_fail;
+ }
+
+ mpz_powm(ypowq, y, q, pub.p);
+ if (mpz_cmp_ui(ypowq, 1) != 0) {
+ ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
+ goto dh_fail;
+ }
+ }
+#endif
+
ret = _gnutls_mpi_init_multi(&params->params[DSA_Y], &params->params[DSA_X], NULL);
if (ret < 0) {
gnutls_assert();
@@ -2278,6 +2365,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
mpz_clear(r);
mpz_clear(x);
mpz_clear(y);
+ mpz_clear(q);
+ mpz_clear(primesub1);
+ mpz_clear(ypowq);
if (ret < 0)
goto fail;
--
2.26.2
From 23756c8580dff99d0856adca49dd22a55352ad62 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sat, 18 Jul 2020 08:26:48 +0200
Subject: [PATCH 5/5] ecdh: perform SP800-56A rev3 full pubkey validation on
keygen
This implements full public key validation required in
SP800-56A rev3, section 5.6.2.3.3.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 180 insertions(+), 2 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 057836bc2..588e9df50 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1552,6 +1552,80 @@ static inline const struct ecc_curve *get_supported_nist_curve(int curve)
}
}
+static inline const char *get_supported_nist_curve_order(int curve)
+{
+ static const struct {
+ int curve;
+ const char *order;
+ } orders[] = {
+#ifdef ENABLE_NON_SUITEB_CURVES
+ { GNUTLS_ECC_CURVE_SECP192R1,
+ "ffffffffffffffffffffffff99def836"
+ "146bc9b1b4d22831" },
+ { GNUTLS_ECC_CURVE_SECP224R1,
+ "ffffffffffffffffffffffffffff16a2"
+ "e0b8f03e13dd29455c5c2a3d" },
+#endif
+ { GNUTLS_ECC_CURVE_SECP256R1,
+ "ffffffff00000000ffffffffffffffff"
+ "bce6faada7179e84f3b9cac2fc632551" },
+ { GNUTLS_ECC_CURVE_SECP384R1,
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffc7634d81f4372ddf"
+ "581a0db248b0a77aecec196accc52973" },
+ { GNUTLS_ECC_CURVE_SECP521R1,
+ "1fffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffa51868783bf2f966b7fcc0148f709a"
+ "5d03bb5c9b8899c47aebb6fb71e91386"
+ "409" },
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) {
+ if (orders[i].curve == curve)
+ return orders[i].order;
+ }
+ return NULL;
+}
+
+static inline const char *get_supported_nist_curve_modulus(int curve)
+{
+ static const struct {
+ int curve;
+ const char *order;
+ } orders[] = {
+#ifdef ENABLE_NON_SUITEB_CURVES
+ { GNUTLS_ECC_CURVE_SECP192R1,
+ "fffffffffffffffffffffffffffffffe"
+ "ffffffffffffffff" },
+ { GNUTLS_ECC_CURVE_SECP224R1,
+ "ffffffffffffffffffffffffffffffff"
+ "000000000000000000000001" },
+#endif
+ { GNUTLS_ECC_CURVE_SECP256R1,
+ "ffffffff000000010000000000000000"
+ "00000000ffffffffffffffffffffffff" },
+ { GNUTLS_ECC_CURVE_SECP384R1,
+ "ffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000ffffffff" },
+ { GNUTLS_ECC_CURVE_SECP521R1,
+ "1ff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff" },
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) {
+ if (orders[i].curve == curve)
+ return orders[i].order;
+ }
+ return NULL;
+}
+
static inline const struct ecc_curve *get_supported_gost_curve(int curve)
{
switch (curve) {
@@ -2507,6 +2581,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
struct ecc_scalar key;
struct ecc_point pub;
const struct ecc_curve *curve;
+ struct ecc_scalar n;
+ struct ecc_scalar m;
+ struct ecc_point r;
+ mpz_t x, y, xx, yy, nn, mm;
curve = get_supported_nist_curve(level);
if (curve == NULL)
@@ -2514,8 +2592,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
+ mpz_init(x);
+ mpz_init(y);
+ mpz_init(xx);
+ mpz_init(yy);
+ mpz_init(nn);
+ mpz_init(mm);
+
ecc_scalar_init(&key, curve);
ecc_point_init(&pub, curve);
+ ecc_scalar_init(&n, curve);
+ ecc_scalar_init(&m, curve);
+ ecc_point_init(&r, curve);
ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
if (HAVE_LIB_ERROR()) {
@@ -2533,15 +2621,105 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
params->curve = level;
params->params_nr = ECC_PRIVATE_PARAMS;
- ecc_point_get(&pub, TOMPZ(params->params[ECC_X]),
- TOMPZ(params->params[ECC_Y]));
+ ecc_point_get(&pub, x, y);
+
+#ifdef ENABLE_FIPS140
+ if (_gnutls_fips_mode_enabled()) {
+ /* Perform ECC full public key validation checks
+ * according to SP800-56A (revision 3), 5.6.2.3.3.
+ */
+
+ const char *order, *modulus;
+
+ /* Step 1: verify that Q is not an identity
+ * element (an infinity point). Note that this
+ * cannot happen in the nettle implementation,
+ * because it cannot represent an infinity point
+ * on curves. */
+ if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_fail;
+ }
+
+ /* Step 2: verify that both coordinates of Q are
+ * in the range [0, p - 1].
+ *
+ * Step 3: verify that Q lie on the curve
+ *
+ * Both checks are performed in nettle. */
+ if (!ecc_point_set(&r, x, y)) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_fail;
+ }
+
+ /* Step 4: verify that n * Q, where n is the
+ * curve order, result in an identity element
+ *
+ * Since nettle internally cannot represent an
+ * identity element on curves, we validate this
+ * instead:
+ *
+ * (n - 1) * Q = -Q
+ *
+ * That effectively means: n * Q = -Q + Q = O
+ */
+ order = get_supported_nist_curve_order(level);
+ if (unlikely(order == NULL)) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_fail;
+ }
+
+ ret = mpz_set_str(nn, order, 16);
+ if (unlikely(ret < 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_fail;
+ }
+
+ modulus = get_supported_nist_curve_modulus(level);
+ if (unlikely(modulus == NULL)) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_fail;
+ }
+
+ ret = mpz_set_str(mm, modulus, 16);
+ if (unlikely(ret < 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_fail;
+ }
+
+ /* (n - 1) * Q = -Q */
+ mpz_sub_ui (nn, nn, 1);
+ ecc_scalar_set(&n, nn);
+ ecc_point_mul(&r, &n, &r);
+ ecc_point_get(&r, xx, yy);
+ mpz_sub (mm, mm, y);
+
+ if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_fail;
+ }
+ }
+#endif
+
+ mpz_set(TOMPZ(params->params[ECC_X]), x);
+ mpz_set(TOMPZ(params->params[ECC_Y]), y);
+
ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
ret = 0;
ecc_fail:
+ mpz_clear(x);
+ mpz_clear(y);
+ mpz_clear(xx);
+ mpz_clear(yy);
+ mpz_clear(nn);
+ mpz_clear(mm);
ecc_point_clear(&pub);
ecc_scalar_clear(&key);
+ ecc_point_clear(&r);
+ ecc_scalar_clear(&n);
+ ecc_scalar_clear(&m);
if (ret < 0)
goto fail;
--
2.26.2
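Review bot: In PATCH 5/5 `struct ecc_scalar m` is initialised with `ecc_scalar_init(&m, curve);` and released at `ecc_fail:` but never read — only the mpz `mm` carries the modulus — so the declaration, init and `ecc_scalar_clear(&m);` can be dropped. In the same patch `get_supported_nist_curve_modulus` keeps the field name `order` and array name `orders[]` copied from the order lookup; naming them `modulus`/`moduli` would make the two tables distinguishable at a glance. In PATCH 2/5, after `ecc_shared_secret` fails the caller does `gnutls_free(out->data)` but leaves `out->size` unchanged, so unless gnutls_free also nulls the pointer (it cannot be confirmed from this hunk) a caller inspecting `out` afterwards sees a stale datum — adding `out->size = 0;` beside the free is cheap. The enclosing `_wrap_nettle_pk_derive` and `wrap_nettle_pk_generate_keys` bodies continue outside the hunks shown.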



@ -0,0 +1,42 @@
From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 4 Jun 2020 16:42:07 +0200
Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS
disabled
Previously gnutls_fips140_mode_enabled() returned true, even after
selftests have failed and the library state has switched to error.
While later calls to crypto operations fails, it would be more
convenient to have a function to detect that state.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/fips.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/fips.c b/lib/fips.c
index acdd2ec23..f8b10f750 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
#ifdef ENABLE_FIPS140
unsigned ret = _gnutls_fips_mode_enabled();
- if (ret > GNUTLS_FIPS140_DISABLED)
+ if (ret > GNUTLS_FIPS140_DISABLED) {
+ /* If the previous run of selftests has failed, return as if
+ * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
+ * we can assume that all the selftests run atomically from
+ * the ELF constructor.
+ */
+ if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
+ return 0;
+
return ret;
+ }
#endif
return 0;
}
--
2.26.2
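Review bot: The hunk changes the contract of the public `gnutls_fips140_mode_enabled()` — it now reports 0 after a selftest failure although the configured mode is still enabled — but only the body is touched; the function's doc comment, which starts above this hunk, should state `Returns 0 when FIPS mode is disabled or when the library has entered the error state after a failed selftest.` The nesting could also be flattened to a single condition, `if (ret > GNUTLS_FIPS140_DISABLED && _gnutls_get_lib_state() != LIB_STATE_ERROR) return ret;`, keeping the explanatory comment above it. The enclosing function starts outside the hunk.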


@ -0,0 +1,152 @@
From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 5 Jun 2020 16:26:33 +0200
Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t
The AEAD iov interface falls back to serializing the input buffers if
the low-level cipher doesn't support scatter/gather encryption.
However, there was a bug in the functions used for the serialization,
which causes memory leaks under a certain condition (i.e. the number
of input buffers is 1).
This patch makes the logic of the functions simpler, by removing a
micro-optimization that tries to minimize the number of calls to
malloc/free.
The original problem was reported by Marius Steffen in:
https://bugzilla.samba.org/show_bug.cgi?id=14399
and the cause was investigated by Alexander Haase in:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/crypto-api.c | 36 +++++++++++-------------------------
tests/aead-cipher-vec.c | 33 ++++++++++++++++++---------------
2 files changed, 29 insertions(+), 40 deletions(-)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 45be64ed1..8524f5ed4 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle,
struct iov_store_st {
void *data;
size_t size;
- unsigned allocated;
};
static void iov_store_free(struct iov_store_st *s)
{
- if (s->allocated) {
- gnutls_free(s->data);
- s->allocated = 0;
- }
+ gnutls_free(s->data);
}
static int iov_store_grow(struct iov_store_st *s, size_t length)
{
- if (s->allocated || s->data == NULL) {
- s->size += length;
- s->data = gnutls_realloc(s->data, s->size);
- if (s->data == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- s->allocated = 1;
- } else {
- void *data = s->data;
- size_t size = s->size + length;
- s->data = gnutls_malloc(size);
- memcpy(s->data, data, s->size);
- s->size += length;
- }
+ void *data;
+
+ s->size += length;
+ data = gnutls_realloc(s->data, s->size);
+ if (data == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ s->data = data;
return 0;
}
@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
memset(dst, 0, sizeof(*dst));
if (iovcnt == 0) {
return 0;
- } else if (iovcnt == 1) {
- dst->data = iov[0].iov_base;
- dst->size = iov[0].iov_len;
- /* implies: dst->allocated = 0; */
- return 0;
} else {
int i;
uint8_t *p;
@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
p = dst->data;
for (i=0;i<iovcnt;i++) {
- memcpy(p, iov[i].iov_base, iov[i].iov_len);
+ if (iov[i].iov_len > 0)
+ memcpy(p, iov[i].iov_base, iov[i].iov_len);
p += iov[i].iov_len;
}
- dst->allocated = 1;
return 0;
}
}
diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
index fba9010d9..6a30a35f7 100644
--- a/tests/aead-cipher-vec.c
+++ b/tests/aead-cipher-vec.c
@@ -49,6 +49,7 @@ static void start(const char *name, int algo)
giovec_t auth_iov[2];
uint8_t tag[64];
size_t tag_size = 0;
+ size_t i;
key.data = key16;
key.size = gnutls_cipher_get_key_size(algo);
@@ -82,21 +83,23 @@ static void start(const char *name, int algo)
if (ret < 0)
fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
- ret = gnutls_aead_cipher_encryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
- iov, 3,
- tag, &tag_size);
- if (ret < 0)
- fail("could not encrypt data: %s\n", gnutls_strerror(ret));
-
- ret = gnutls_aead_cipher_decryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
- iov, 3,
- tag, tag_size);
- if (ret < 0)
- fail("could not decrypt data: %s\n", gnutls_strerror(ret));
+ for (i = 0; i < 2; i++) {
+ ret = gnutls_aead_cipher_encryptv2(ch,
+ iv.data, iv.size,
+ auth_iov, 2,
+ iov, i + 1,
+ tag, &tag_size);
+ if (ret < 0)
+ fail("could not encrypt data: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_aead_cipher_decryptv2(ch,
+ iv.data, iv.size,
+ auth_iov, 2,
+ iov, i + 1,
+ tag, tag_size);
+ if (ret < 0)
+ fail("could not decrypt data: %s\n", gnutls_strerror(ret));
+ }
gnutls_aead_cipher_deinit(ch);
}
--
2.25.4
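Review bot: In the rewritten `iov_store_grow`, `s->size += length;` runs before `gnutls_realloc`, so when the realloc fails the store is left with a size larger than its buffer; computing `size_t size = s->size + length;` into a local and assigning both `s->data` and `s->size` only after a non-NULL result keeps the struct consistent on the error path. The sum is also unchecked for overflow; whether the iov lengths are bounded before they reach here is not visible in this hunk and is worth confirming at the caller. In `copy_from_iov` the surviving `if (iovcnt == 0) { return 0; } else {` no longer needs the `else` now that the middle branch is gone. Both functions' surrounding code continues outside the hunks.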


@ -0,0 +1,131 @@
From 9acc0f68320db4c7c6dadacb974e77c7fbca72a7 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 21 Jun 2020 16:03:54 +0200
Subject: [PATCH] safe_memcmp: remove in favor of gnutls_memcmp
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/accelerated/x86/aes-xts-x86-aesni.c | 2 +-
lib/ext/pre_shared_key.c | 2 +-
lib/mem.h | 9 ---------
lib/nettle/cipher.c | 8 ++++----
lib/tls13/finished.c | 2 +-
lib/x509/x509.c | 3 ++-
6 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c
index 3371d0812..b904cbf00 100644
--- a/lib/accelerated/x86/aes-xts-x86-aesni.c
+++ b/lib/accelerated/x86/aes-xts-x86-aesni.c
@@ -72,7 +72,7 @@ x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
/* Check key block according to FIPS-140-2 IG A.9 */
if (_gnutls_fips_mode_enabled()){
- if (safe_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
+ if (gnutls_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index fef67d341..240be2162 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -650,7 +650,7 @@ static int server_recv_params(gnutls_session_t session,
}
if (_gnutls_mac_get_algo_len(prf) != binder_recvd.size ||
- safe_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
+ gnutls_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto fail;
diff --git a/lib/mem.h b/lib/mem.h
index dc838a2b4..d3eea97a4 100644
--- a/lib/mem.h
+++ b/lib/mem.h
@@ -35,15 +35,6 @@ char *_gnutls_strdup(const char *);
unsigned _gnutls_mem_is_zero(const uint8_t *ptr, unsigned size);
-/* To avoid undefined behavior when s1 or s2 are null and n = 0 */
-inline static
-int safe_memcmp(const void *s1, const void *s2, size_t n)
-{
- if (n == 0)
- return 0;
- return memcmp(s1, s2, n);
-}
-
#define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \
_gnutls_mpi_clear(*mpi); \
_gnutls_mpi_release(mpi); \
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index b0a52deb5..ec0c1ab04 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -482,7 +482,7 @@ _xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,
const uint8_t *key)
{
if (_gnutls_fips_mode_enabled() &&
- safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
+ gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
_gnutls_switch_lib_state(LIB_STATE_ERROR);
xts_aes128_set_encrypt_key(xts_key, key);
@@ -493,7 +493,7 @@ _xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key,
const uint8_t *key)
{
if (_gnutls_fips_mode_enabled() &&
- safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
+ gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
_gnutls_switch_lib_state(LIB_STATE_ERROR);
xts_aes128_set_decrypt_key(xts_key, key);
@@ -504,7 +504,7 @@ _xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key,
const uint8_t *key)
{
if (_gnutls_fips_mode_enabled() &&
- safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
+ gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
_gnutls_switch_lib_state(LIB_STATE_ERROR);
xts_aes256_set_encrypt_key(xts_key, key);
@@ -515,7 +515,7 @@ _xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key,
const uint8_t *key)
{
if (_gnutls_fips_mode_enabled() &&
- safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
+ gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
_gnutls_switch_lib_state(LIB_STATE_ERROR);
xts_aes256_set_decrypt_key(xts_key, key);
diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
index 68eab993e..ec646e673 100644
--- a/lib/tls13/finished.c
+++ b/lib/tls13/finished.c
@@ -112,7 +112,7 @@ int _gnutls13_recv_finished(gnutls_session_t session)
#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
# warning This is unsafe for production builds
#else
- if (safe_memcmp(verifier, buf.data, buf.length) != 0) {
+ if (gnutls_memcmp(verifier, buf.data, buf.length) != 0) {
gnutls_assert();
ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
goto cleanup;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 2091f3ae6..2b68fe440 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -360,7 +360,8 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert)
}
if (empty1 != empty2 ||
- sp1.size != sp2.size || safe_memcmp(sp1.data, sp2.data, sp1.size) != 0) {
+ sp1.size != sp2.size ||
+ (sp1.size > 0 && memcmp(sp1.data, sp2.data, sp1.size) != 0)) {
gnutls_assert();
ret = GNUTLS_E_CERTIFICATE_ERROR;
goto cleanup;
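Review bot: The new side drops the timing-safe compare for plain memcmp here, and this is the only site in the patch that does so, yet nothing in the hunk records why that is acceptable; a later hardening pass could easily "fix" it back. Judging from the function name compare_sig_algorithm and the datum names, sp1/sp2 appear to be the signature-algorithm parameter fields of a certificate, which are public, so a constant-time comparison buys nothing, and the added `sp1.size > 0` guard additionally keeps memcmp from being invoked with a NULL or zero-length buffer. I would put that rationale on the line above the condition: `/* sp1/sp2 are public certificate fields: no timing-safe compare needed; the size guard avoids memcmp on an empty datum */`. The body of compare_sig_algorithm starts and ends outside the hunk, so how sp1/sp2 are populated is not visible here.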
--
2.26.2


@ -1,85 +0,0 @@
From c2646aeee94e71cb15c90a3147cf3b5b0ca158ca Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 2 Jun 2020 20:53:11 +0200
Subject: [PATCH] stek: differentiate initial state from valid time window of
TOTP
There was a confusion in the TOTP implementation in stek.c. When the
mechanism is initialized at the first time, it records the timestamp
but doesn't initialize the key. This removes the timestamp recording
at the initialization phase, so the key is properly set later.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/stek.c | 17 +++++------------
tests/resume-with-previous-stek.c | 4 ++--
tests/tls13/prf-early.c | 8 ++++----
3 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/lib/stek.c b/lib/stek.c
index 2f885cee3..5ab9e7d2d 100644
--- a/lib/stek.c
+++ b/lib/stek.c
@@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con
if (unlikely(session == NULL || key == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- if (session->key.totp.last_result == 0) {
- int64_t t;
- memcpy(session->key.initial_stek, key->data, key->size);
- t = totp_next(session);
- if (t < 0)
- return gnutls_assert_val(t);
+ if (unlikely(session->key.totp.last_result != 0))
+ return GNUTLS_E_INVALID_REQUEST;
- session->key.totp.last_result = t;
- session->key.totp.was_rotated = 0;
-
- return GNUTLS_E_SUCCESS;
- }
+ memcpy(session->key.initial_stek, key->data, key->size);
- return GNUTLS_E_INVALID_REQUEST;
+ session->key.totp.was_rotated = 0;
+ return 0;
}
/*
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
index f212b188b..05c1c9086 100644
--- a/tests/resume-with-previous-stek.c
+++ b/tests/resume-with-previous-stek.c
@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio)
serverx509cred = NULL;
}
- if (num_stek_rotations != 2)
- fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations);
+ if (num_stek_rotations != 3)
+ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations);
if (serverx509cred)
gnutls_certificate_free_credentials(serverx509cred);
diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
index 414b1db5e..bc3196248 100644
--- a/tests/tls13/prf-early.c
+++ b/tests/tls13/prf-early.c
@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
} \
}
-#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68"
-#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b"
-#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62"
-#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b"
+#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
+#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
+#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
+#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
static int handshake_callback_called;
--
2.26.2



@ -1,728 +0,0 @@
From 2c44e9f8b2e7a1ebc65caeb03f9f106d31e30822 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 3 Apr 2019 13:40:04 +0200
Subject: [PATCH 1/7] crypto-selftests-pk.c: Move hardcoded values to the top
The objective of moving these values to the top is to allow them to be
used by other functions, in particular test_sig().
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
lib/crypto-selftests-pk.c | 224 +++++++++++++++++++-------------------
1 file changed, 112 insertions(+), 112 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 1aa53ea29..4fadd4161 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -107,6 +107,118 @@ static const char gost12_512_key[] =
"KjL7CLBERDm7Yvlv\n"
"-----END PRIVATE KEY-----\n";
+/* A precomputed RSA-SHA256 signature using the rsa_key2048 */
+static const char rsa_sig[] =
+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
+
+/* ECDSA key and signature */
+static const char ecdsa_secp256r1_privkey[] =
+ "-----BEGIN EC PRIVATE KEY-----\n"
+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
+ "-----END EC PRIVATE KEY-----\n";
+
+static const char ecdsa_secp256r1_sig[] =
+ "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
+
+#ifdef ENABLE_NON_SUITEB_CURVES
+/* sha256 */
+static const char ecdsa_secp192r1_privkey[] =
+ "-----BEGIN EC PRIVATE KEY-----"
+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
+ "Fg==" "-----END EC PRIVATE KEY-----";
+
+static const char ecdsa_secp192r1_sig[] =
+ "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
+
+static const char ecdsa_secp224r1_privkey[] =
+ "-----BEGIN EC PRIVATE KEY-----"
+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
+
+static const char ecdsa_secp224r1_sig[] =
+ "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
+#endif
+
+static const char ecdsa_secp384r1_privkey[] =
+ "-----BEGIN EC PRIVATE KEY-----"
+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
+ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
+
+static const char ecdsa_secp384r1_sig[] =
+ "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
+
+static const char ecdsa_secp521r1_privkey[] =
+ "-----BEGIN EC PRIVATE KEY-----"
+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
+ "-----END EC PRIVATE KEY-----";
+
+static const char ecdsa_secp521r1_sig[] =
+ "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
+
+/* DSA key and signature */
+static const char dsa_privkey[] =
+ "-----BEGIN DSA PRIVATE KEY-----\n"
+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
+ "-----END DSA PRIVATE KEY-----\n";
+
+static const char dsa_sig[] =
+ "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
+
+static const char gost01_privkey[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
+ "-----END PRIVATE KEY-----\n";
+
+static const char gost01_sig[] =
+ "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
+
+static const char gost12_256_privkey[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
+ "-----END PRIVATE KEY-----\n";
+
+static const char gost12_256_sig[] =
+ "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
+
+static const char gost12_512_privkey[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
+ "hsQ3JCCy4xnd5jWT\n"
+ "-----END PRIVATE KEY-----\n";
+
+static const char gost12_512_sig[] =
+ "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
+
static int test_rsa_enc(gnutls_pk_algorithm_t pk,
unsigned bits, gnutls_digest_algorithm_t ign)
{
@@ -302,118 +414,6 @@ static int test_sig(gnutls_pk_algorithm_t pk,
return ret;
}
-/* A precomputed RSA-SHA1 signature using the rsa_key2048 */
-static const char rsa_sig[] =
- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
-
-/* ECDSA key and signature */
-static const char ecdsa_secp256r1_privkey[] =
- "-----BEGIN EC PRIVATE KEY-----\n"
- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
- "-----END EC PRIVATE KEY-----\n";
-
-static const char ecdsa_secp256r1_sig[] =
- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
-
-#ifdef ENABLE_NON_SUITEB_CURVES
-/* sha256 */
-static const char ecdsa_secp192r1_privkey[] =
- "-----BEGIN EC PRIVATE KEY-----"
- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
- "Fg==" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp192r1_sig[] =
- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
-
-static const char ecdsa_secp224r1_privkey[] =
- "-----BEGIN EC PRIVATE KEY-----"
- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp224r1_sig[] =
- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
-#endif
-
-static const char ecdsa_secp384r1_privkey[] =
- "-----BEGIN EC PRIVATE KEY-----"
- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp384r1_sig[] =
- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
-
-static const char ecdsa_secp521r1_privkey[] =
- "-----BEGIN EC PRIVATE KEY-----"
- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
- "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp521r1_sig[] =
- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
-
-/* DSA key and signature */
-static const char dsa_privkey[] =
- "-----BEGIN DSA PRIVATE KEY-----\n"
- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
- "-----END DSA PRIVATE KEY-----\n";
-
-static const char dsa_sig[] =
- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
-
-static const char gost01_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost01_sig[] =
- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
-
-static const char gost12_256_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost12_256_sig[] =
- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
-
-static const char gost12_512_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
- "hsQ3JCCy4xnd5jWT\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost12_512_sig[] =
- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
-
static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
gnutls_digest_algorithm_t dig,
const void *privkey, size_t privkey_size,
--
2.20.1
From 4b04d899849ea566ae33862289276d9b297cd493 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 3 Apr 2019 13:44:56 +0200
Subject: [PATCH 2/7] crypto-selftests-pk.c: Add a comparison with a known
signature
For RSA, compare the generated signature with a stored known value in
test_sig().
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
lib/crypto-selftests-pk.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 4fadd4161..0233e6b9f 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -313,6 +313,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
{
int ret;
gnutls_datum_t sig = { NULL, 0 };
+ gnutls_datum_t known_sig = { NULL, 0 };
gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
@@ -343,6 +344,8 @@ static int test_sig(gnutls_pk_algorithm_t pk,
}
if (pk == GNUTLS_PK_RSA) {
+ known_sig.data = (void *)rsa_sig;
+ known_sig.size = sizeof(rsa_sig) - 1;
ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
} else if (pk == GNUTLS_PK_RSA_PSS) {
ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
@@ -378,6 +381,16 @@ static int test_sig(gnutls_pk_algorithm_t pk,
goto cleanup;
}
+ /* Compare with a stored known signature */
+ if (known_sig.data != NULL) {
+ if (sig.size != known_sig.size
+ || memcmp(sig.data, known_sig.data, sig.size) != 0) {
+ ret = GNUTLS_E_SELF_TEST_ERROR;
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+
ret =
gnutls_pubkey_verify_data2(pub, sigalgo, 0,
&signed_data, &sig);
--
2.20.1
From db2b308fdbe98420b722eaf678c1a911bc51b0a5 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 18 Apr 2019 17:22:18 +0200
Subject: [PATCH 4/7] tests: Run rng-no-onload test in FIPS mode
This changes the function used in the test to override gnutls_rnd() to
fill the given buffer with a different value each time it is called.
This allows the test to run when FIPS mode is enabled.
Previously the rng-no-onload test could get stuck if FIPS mode was
enabled. This happened if gnutls_rnd() function was called during
global_init() in a loop that checks the generated value (e.g. if ECDSA
signature generation is called during self tests).
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
tests/rng-no-onload.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/tests/rng-no-onload.c b/tests/rng-no-onload.c
index ac01be214..a485a440d 100644
--- a/tests/rng-no-onload.c
+++ b/tests/rng-no-onload.c
@@ -50,18 +50,20 @@ static int _rnd_called = 0;
int __attribute__ ((visibility ("protected")))
gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
{
+ static unsigned int value = 0;
+
_rnd_called = 1;
- memset(data, 0xff, len);
+ /* Increment 'value' in each call up to 255, then start again from 0 */
+ value = (value + 1) & 0xFF;
+
+ memset(data, value, len);
+
return 0;
}
void doit(void)
{
- if (gnutls_fips140_mode_enabled()) {
- exit(77);
- }
-
global_init();
if (_rnd_called != 0)
--
2.20.1
From fc926cd65f1de06f359315c6693c1a9c9899ba8c Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 4 Apr 2019 15:45:02 +0200
Subject: [PATCH 5/7] crypto-selftests-pk.c: Fix test_known_sig
Previously a new signature was generated only for deterministic
algorithms (i.e. only RSA). With this, a new signature is always
generated (and compared with a stored signature for deterministic
algorithms). The signature verification is tested for both generated
and stored signatures.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
lib/crypto-selftests-pk.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 0233e6b9f..ba8f5e376 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -475,19 +475,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
goto cleanup;
}
- /* Test if the signature we generate matches the stored */
+ ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Test if the generated signature matches the stored */
ssig.data = (void *) stored_sig;
ssig.size = stored_sig_size;
if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */
- ret =
- gnutls_privkey_sign_data(key, dig, 0, &signed_data,
- &sig);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
if (sig.size != ssig.size
|| memcmp(sig.data, ssig.data, sig.size) != 0) {
ret = GNUTLS_E_SELF_TEST_ERROR;
@@ -507,7 +505,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
}
}
- /* Test if we can verify the signature */
+ /* Test if we can verify the generated signature */
ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
if (ret < 0) {
@@ -515,6 +513,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
goto cleanup;
}
+ ret =
+ gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
+ &signed_data, &sig);
+ if (ret < 0) {
+ ret = GNUTLS_E_SELF_TEST_ERROR;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Test if we can verify the stored signature */
+
ret =
gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
&signed_data, &ssig);
@@ -528,7 +537,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
ret =
gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
- &bad_data, &ssig);
+ &bad_data, &sig);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
ret = GNUTLS_E_SELF_TEST_ERROR;
--
2.20.1
From 7e49999db264556ac73ff498bd8f7edce401cdd1 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 4 Apr 2019 17:22:04 +0200
Subject: [PATCH 6/7] crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
Remove the flag check from the end of the macros. This change allows
more than one test to run in sequence when GNUTLS_SELF_TEST_FLAG_ALL is
not set. Move the flags checks to run the minimal set of tests required
for FIPS and keep the previous behaviour for GOST (run the first test
for each algorithm).
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
lib/crypto-selftests-pk.c | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index ba8f5e376..fc8ee2525 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -568,18 +568,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
if (ret < 0) { \
gnutls_assert(); \
goto cleanup; \
- } \
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
- return 0
+ }
#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \
ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \
if (ret < 0) { \
gnutls_assert(); \
goto cleanup; \
- } \
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
- return 0
+ }
/* This file is also included by the test app in tests/slow/cipher-test, so in that
@@ -812,11 +808,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256,
rsa_key2048, rsa_sig);
PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0);
- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+ PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
+
FALLTHROUGH;
case GNUTLS_PK_RSA_PSS:
PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
@@ -828,11 +825,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
case GNUTLS_PK_DSA:
PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256,
dsa_privkey, dsa_sig);
- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+ PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
+
FALLTHROUGH;
case GNUTLS_PK_EC:
/* Test ECDH and ECDSA */
@@ -850,13 +848,14 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
(GNUTLS_ECC_CURVE_SECP256R1),
GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey,
ecdsa_secp256r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
- GNUTLS_SIGN_ECDSA_SHA256);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+ PK_TEST(GNUTLS_PK_EC, test_sig,
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
+ GNUTLS_SIGN_ECDSA_SHA256);
+
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
GNUTLS_CURVE_TO_BITS
(GNUTLS_ECC_CURVE_SECP384R1),
@@ -900,31 +899,35 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
case GNUTLS_PK_GOST_01:
PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94,
gost01_privkey, gost01_sig);
- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
- GNUTLS_SIGN_GOST_94);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
+ GNUTLS_SIGN_GOST_94);
+
FALLTHROUGH;
case GNUTLS_PK_GOST_12_256:
PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256,
gost12_256_privkey, gost12_256_sig);
- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
- GNUTLS_SIGN_GOST_256);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
+ GNUTLS_SIGN_GOST_256);
+
FALLTHROUGH;
case GNUTLS_PK_GOST_12_512:
PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512,
gost12_512_privkey, gost12_512_sig);
- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
- GNUTLS_SIGN_GOST_512);
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
+
+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
+ GNUTLS_SIGN_GOST_512);
+
#endif
break;
--
2.20.1
From c2e83d2110b98d93588f1b6187bc932feb958ca4 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Mon, 8 Apr 2019 14:21:57 +0200
Subject: [PATCH 7/7] crypto-selftests-pk.c: Cleanup self tests
test_sig() always uses the same key for RSA, DSA, and ECDSA regardless
of the value provided in the "bits" parameter. Therefore, avoid
printing specific information (number of bits or name of the curve).
Changes test_sig() to use 2048 bits key for DSA; deleted hardcoded 512
bits DSA key;
Avoid calling test_sig() multiple times for ECDSA: the same key is
used regardless of the curve provided in the parameters.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
lib/crypto-selftests-pk.c | 42 +++++++++------------------------------
1 file changed, 9 insertions(+), 33 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index fc8ee2525..3d665b723 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -78,16 +78,6 @@ static const char ecc_key[] =
"MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n"
"-----END EC PRIVATE KEY-----\n";
-static const char dsa_key[] =
- "-----BEGIN DSA PRIVATE KEY-----\n"
- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n"
- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n"
- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n"
- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n"
- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n"
- "VzO8qcrLCFvTOXY=\n"
- "-----END DSA PRIVATE KEY-----\n";
-
static const char gost01_key[] =
"-----BEGIN PRIVATE KEY-----\n"
"MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n"
@@ -315,22 +305,20 @@ static int test_sig(gnutls_pk_algorithm_t pk,
gnutls_datum_t sig = { NULL, 0 };
gnutls_datum_t known_sig = { NULL, 0 };
gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
+ gnutls_datum_t raw_dsa_key = { (void*)dsa_privkey, sizeof(dsa_privkey)-1 };
gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 };
gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 };
gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 };
gnutls_privkey_t key;
gnutls_pubkey_t pub = NULL;
- char param_name[32];
+ char param_name[32] = "";
- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 ||
- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) {
- snprintf(param_name, sizeof(param_name), "%s",
+ if (pk == GNUTLS_PK_GOST_01 || pk == GNUTLS_PK_GOST_12_256 ||
+ pk == GNUTLS_PK_GOST_12_512) {
+ snprintf(param_name, sizeof(param_name), "-%s",
gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE
(bits)));
- } else {
- snprintf(param_name, sizeof(param_name), "%u", bits);
}
ret = gnutls_privkey_init(&key);
@@ -418,10 +406,10 @@ static int test_sig(gnutls_pk_algorithm_t pk,
gnutls_free(sig.data);
if (ret == 0)
- _gnutls_debug_log("%s-%s-sig self test succeeded\n",
+ _gnutls_debug_log("%s%s-sig self test succeeded\n",
gnutls_pk_get_name(pk), param_name);
else
- _gnutls_debug_log("%s-%s-sig self test failed\n",
+ _gnutls_debug_log("%s%s-sig self test failed\n",
gnutls_pk_get_name(pk), param_name);
return ret;
@@ -812,7 +800,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
+ PK_TEST(GNUTLS_PK_RSA, test_sig, 2048, GNUTLS_SIGN_RSA_SHA256);
FALLTHROUGH;
case GNUTLS_PK_RSA_PSS:
@@ -829,7 +817,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, GNUTLS_SIGN_DSA_SHA256);
FALLTHROUGH;
case GNUTLS_PK_EC:
@@ -861,18 +849,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
(GNUTLS_ECC_CURVE_SECP384R1),
GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey,
ecdsa_secp384r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1),
- GNUTLS_SIGN_ECDSA_SHA384);
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
GNUTLS_CURVE_TO_BITS
(GNUTLS_ECC_CURVE_SECP521R1),
GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey,
ecdsa_secp521r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
- GNUTLS_SIGN_ECDSA_SHA512);
#ifdef ENABLE_NON_SUITEB_CURVES
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
@@ -880,18 +862,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
(GNUTLS_ECC_CURVE_SECP192R1),
GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
ecdsa_secp192r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
- GNUTLS_SIGN_ECDSA_SHA256);
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
GNUTLS_CURVE_TO_BITS
(GNUTLS_ECC_CURVE_SECP224R1),
GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
ecdsa_secp224r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
- GNUTLS_SIGN_ECDSA_SHA256);
#endif
#if ENABLE_GOST
--
2.20.1


@ -1,687 +0,0 @@
From e0fe31f1fc2ba13ada1d6bc35231847b75be4ee9 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 8 Aug 2019 18:02:08 +0200
Subject: [PATCH 1/2] gnutls_int.h: make DECR_LEN neutral to signedness
DECR_LEN was previously implemented in a way that it first decrements
the given length and then checks whether the result is negative. This
requires the caller to properly coerce the length argument to a signed
integer, before invoking the macro.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/gnutls_int.h | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 179d71b4a..7f7b6a7c9 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -256,14 +256,15 @@ typedef enum record_send_state_t {
#define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
-#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
+#define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
#define DECR_LEN_FINAL(len, x) do { \
- len-=x; \
- if (len != 0) \
+ if (len != x) \
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \
+ else \
+ len = 0; \
} while (0)
-#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0)
-#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0)
+#define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET)
+#define DECR_LENGTH_COM(len, x, COM) do { if (len<x) {gnutls_assert(); COM;} else len-=x; } while (0)
#define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
#define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
--
2.21.0
From 5e9b2ec29449c76b1b938a0ebf0dc9b92cae7057 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 8 Aug 2019 18:04:18 +0200
Subject: [PATCH 2/2] lib/*: remove unnecessary cast to ssize_t
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/crypto-api.c | 10 +++++-----
lib/ext/alpn.c | 3 +--
lib/ext/client_cert_type.c | 9 ++++-----
lib/ext/cookie.c | 5 ++---
lib/ext/ec_point_formats.c | 7 +++----
lib/ext/key_share.c | 5 ++---
lib/ext/max_record.c | 3 +--
lib/ext/psk_ke_modes.c | 3 +--
lib/ext/record_size_limit.c | 3 +--
lib/ext/safe_renegotiation.c | 3 +--
lib/ext/server_cert_type.c | 9 ++++-----
lib/ext/server_name.c | 3 +--
lib/ext/session_ticket.c | 5 ++---
lib/ext/signature.c | 3 +--
lib/ext/srp.c | 3 +--
lib/ext/srtp.c | 5 ++---
lib/ext/status_request.c | 3 +--
lib/ext/supported_groups.c | 3 +--
lib/ext/supported_versions.c | 5 ++---
lib/extv.c | 8 ++++----
lib/sslv2_compat.c | 3 +--
lib/supplemental.c | 4 ++--
lib/tls13/certificate.c | 21 +++++++++++----------
lib/tls13/psk_ext_parser.c | 4 +---
lib/tls13/psk_ext_parser.h | 4 ++--
lib/tls13/session_ticket.c | 2 +-
26 files changed, 58 insertions(+), 78 deletions(-)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 2834c0199..09b3d7bfc 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -990,9 +990,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
api_aead_cipher_hd_st *h = handle;
ssize_t ret;
uint8_t *dst;
- ssize_t dst_size, total = 0;
+ size_t dst_size, total = 0;
uint8_t *p;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
+ size_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
size_t blocks;
@@ -1071,7 +1071,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
if (ret == 0)
break;
blocks = ret;
- if (unlikely((size_t) dst_size < blocksize * blocks))
+ if (unlikely(dst_size < blocksize * blocks))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
blocksize * blocks,
@@ -1083,7 +1083,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
total += blocksize * blocks;
}
if (iter.block_offset > 0) {
- if (unlikely((size_t) dst_size < iter.block_offset))
+ if (unlikely(dst_size < iter.block_offset))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
iter.block, iter.block_offset,
@@ -1095,7 +1095,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
total += iter.block_offset;
}
- if ((size_t)dst_size < tag_size)
+ if (dst_size < tag_size)
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
_gnutls_cipher_tag(&handle->ctx_enc, dst, tag_size);
diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
index 34f6ce09d..b9991f0a1 100644
--- a/lib/ext/alpn.c
+++ b/lib/ext/alpn.c
@@ -51,13 +51,12 @@ const hello_ext_entry_st ext_mod_alpn = {
static int
_gnutls_alpn_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
unsigned int i;
int ret;
const uint8_t *p = data;
unsigned len1, len;
- ssize_t data_size = _data_size;
alpn_ext_st *priv;
gnutls_ext_priv_data_t epriv;
int selected_protocol_index;
diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
index 471d42c5f..b627b71f9 100644
--- a/lib/ext/client_cert_type.c
+++ b/lib/ext/client_cert_type.c
@@ -73,7 +73,6 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
gnutls_certificate_type_t cert_type;
uint8_t i, found = 0;
- ssize_t len = data_size;
const uint8_t* pdata = data;
/* Only activate this extension if we have cert credentials set
@@ -86,7 +85,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
/* Compare packet length with expected packet length. For the
* client this is a single byte. */
- if (len != 1) {
+ if (data_size != 1) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
@@ -136,8 +135,8 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
} else { // server mode
// Compare packet length with expected packet length.
- DECR_LEN(len, 1);
- if (data[0] != len) {
+ DECR_LEN(data_size, 1);
+ if (data[0] != data_size) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
@@ -145,7 +144,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
// Assign the contents of our data buffer to a gnutls_datum_t
cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
- cert_types.size = len;
+ cert_types.size = data_size;
// Store the client certificate types in our session
_gnutls_hello_ext_set_datum(session,
diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
index 1e66c3d49..0feb2f0e5 100644
--- a/lib/ext/cookie.c
+++ b/lib/ext/cookie.c
@@ -53,10 +53,9 @@ const hello_ext_entry_st ext_mod_cookie = {
/* Only client sends this extension. */
static int
cookie_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
- ssize_t data_size = _data_size;
- ssize_t csize;
+ size_t csize;
int ret;
gnutls_datum_t tmp;
diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c
index eb59ec139..c702d434c 100644
--- a/lib/ext/ec_point_formats.c
+++ b/lib/ext/ec_point_formats.c
@@ -57,11 +57,10 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = {
static int
_gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
const uint8_t * data,
- size_t _data_size)
+ size_t data_size)
{
- int len, i;
+ size_t len, i;
int uncompressed = 0;
- int data_size = _data_size;
if (session->security_parameters.entity == GNUTLS_CLIENT) {
if (data_size < 1)
@@ -91,7 +90,7 @@ _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
/* only sanity check here. We only support uncompressed points
* and a client must support it thus nothing to check.
*/
- if (_data_size < 1)
+ if (data_size < 1)
return
gnutls_assert_val
(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 599eff8fb..8f0912e69 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -504,11 +504,10 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
static int
key_share_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
int ret;
- ssize_t data_size = _data_size;
- ssize_t size;
+ size_t size;
unsigned gid;
const version_entry_st *ver;
const gnutls_group_entry_st *group;
diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c
index dbb98cf62..3cada69be 100644
--- a/lib/ext/max_record.c
+++ b/lib/ext/max_record.c
@@ -65,10 +65,9 @@ const hello_ext_entry_st ext_mod_max_record_size = {
static int
_gnutls_max_record_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
ssize_t new_size;
- ssize_t data_size = _data_size;
if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED)
return 0;
diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
index da7a55098..8d8effb43 100644
--- a/lib/ext/psk_ke_modes.c
+++ b/lib/ext/psk_ke_modes.c
@@ -106,10 +106,9 @@ psk_ke_modes_send_params(gnutls_session_t session,
*/
static int
psk_ke_modes_recv_params(gnutls_session_t session,
- const unsigned char *data, size_t _len)
+ const unsigned char *data, size_t len)
{
uint8_t ke_modes_len;
- ssize_t len = _len;
const version_entry_st *vers = get_version(session);
gnutls_psk_server_credentials_t cred;
int dhpsk_pos = MAX_POS;
diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c
index e9fe6a1d8..0e94fece3 100644
--- a/lib/ext/record_size_limit.c
+++ b/lib/ext/record_size_limit.c
@@ -48,10 +48,9 @@ const hello_ext_entry_st ext_mod_record_size_limit = {
static int
_gnutls_record_size_limit_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
ssize_t new_size;
- ssize_t data_size = _data_size;
const version_entry_st *vers;
DECR_LEN(data_size, 2);
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 6424f45b5..bb4a57e45 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -265,10 +265,9 @@ int _gnutls_ext_sr_send_cs(gnutls_session_t session)
static int
_gnutls_sr_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
unsigned int len;
- ssize_t data_size = _data_size;
sr_ext_st *priv;
gnutls_ext_priv_data_t epriv;
int set = 0, ret;
diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c
index dbcb3971b..864a44bbc 100644
--- a/lib/ext/server_cert_type.c
+++ b/lib/ext/server_cert_type.c
@@ -73,7 +73,6 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
gnutls_certificate_type_t cert_type;
uint8_t i, found = 0;
- ssize_t len = data_size;
const uint8_t* pdata = data;
/* Only activate this extension if we have cert credentials set
@@ -86,7 +85,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
/* Compare packet length with expected packet length. For the
* client this is a single byte. */
- if (len != 1) {
+ if (data_size != 1) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
@@ -135,8 +134,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
} else { // server mode
// Compare packet length with expected packet length.
- DECR_LEN(len, 1);
- if (data[0] != len) {
+ DECR_LEN(data_size, 1);
+ if (data[0] != data_size) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
@@ -144,7 +143,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
// Assign the contents of our data buffer to a gnutls_datum_t
cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
- cert_types.size = len;
+ cert_types.size = data_size;
// Store the server certificate types in our session
_gnutls_hello_ext_set_datum(session,
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 259dc998e..0c6331569 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -66,11 +66,10 @@ const hello_ext_entry_st ext_mod_server_name = {
*/
static int
_gnutls_server_name_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
const unsigned char *p;
uint16_t len, type;
- ssize_t data_size = _data_size;
gnutls_datum_t name;
if (session->security_parameters.entity == GNUTLS_SERVER) {
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 98db39ff8..263273fa2 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -78,7 +78,7 @@ static int
unpack_ticket(const gnutls_datum_t *ticket_data, struct ticket_st *ticket)
{
const uint8_t * data = ticket_data->data;
- ssize_t data_size = ticket_data->size;
+ size_t data_size = ticket_data->size;
const uint8_t *encrypted_state;
/* Format:
@@ -371,11 +371,10 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
static int
session_ticket_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
gnutls_datum_t ticket_data;
gnutls_datum_t state;
- ssize_t data_size = _data_size;
int ret;
if (session->internals.flags & GNUTLS_NO_TICKETS)
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index e734d2c7d..a90f58d53 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -187,9 +187,8 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
static int
_gnutls_signature_algorithm_recv_params(gnutls_session_t session,
const uint8_t * data,
- size_t _data_size)
+ size_t data_size)
{
- ssize_t data_size = _data_size;
int ret;
if (session->security_parameters.entity == GNUTLS_CLIENT) {
diff --git a/lib/ext/srp.c b/lib/ext/srp.c
index 8b58222e0..07f6e6883 100644
--- a/lib/ext/srp.c
+++ b/lib/ext/srp.c
@@ -59,10 +59,9 @@ const hello_ext_entry_st ext_mod_srp = {
static int
_gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data,
- size_t _data_size)
+ size_t data_size)
{
uint8_t len;
- ssize_t data_size = _data_size;
gnutls_ext_priv_data_t epriv;
srp_ext_st *priv;
diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
index 3fc7ed35a..412e26d45 100644
--- a/lib/ext/srtp.c
+++ b/lib/ext/srtp.c
@@ -162,13 +162,12 @@ const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile)
static int
_gnutls_srtp_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
unsigned int i;
int ret;
const uint8_t *p = data;
- int len;
- ssize_t data_size = _data_size;
+ size_t len;
srtp_ext_st *priv;
gnutls_ext_priv_data_t epriv;
uint16_t profile;
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index d8779e8cf..cf9d5bd03 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -86,9 +86,8 @@ client_send(gnutls_session_t session,
static int
server_recv(gnutls_session_t session,
status_request_ext_st * priv,
- const uint8_t * data, size_t size)
+ const uint8_t * data, size_t data_size)
{
- ssize_t data_size = size;
unsigned rid_bytes = 0;
/* minimum message is type (1) + responder_id_list (2) +
diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
index 952d3bb0c..ef7859f73 100644
--- a/lib/ext/supported_groups.c
+++ b/lib/ext/supported_groups.c
@@ -93,10 +93,9 @@ static unsigned get_min_dh(gnutls_session_t session)
*/
static int
_gnutls_supported_groups_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
int i;
- ssize_t data_size = _data_size;
uint16_t len;
const uint8_t *p = data;
const gnutls_group_entry_st *group = NULL;
diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
index 52828ee37..8d52fad5c 100644
--- a/lib/ext/supported_versions.c
+++ b/lib/ext/supported_versions.c
@@ -54,12 +54,11 @@ const hello_ext_entry_st ext_mod_supported_versions = {
static int
supported_versions_recv_params(gnutls_session_t session,
- const uint8_t * data, size_t _data_size)
+ const uint8_t * data, size_t data_size)
{
const version_entry_st *vers;
- ssize_t data_size = _data_size;
uint8_t major, minor;
- ssize_t bytes;
+ size_t bytes;
int ret;
if (session->security_parameters.entity == GNUTLS_SERVER) {
diff --git a/lib/extv.c b/lib/extv.c
index bfdfdf974..0c0c46f32 100644
--- a/lib/extv.c
+++ b/lib/extv.c
@@ -105,7 +105,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
const gnutls_datum_t *data, unsigned int flags)
{
if (flags & GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO) {
- ssize_t size = data->size;
+ size_t size = data->size;
size_t len;
uint8_t *p = data->data;
@@ -137,12 +137,12 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
DECR_LEN(size, len);
p += len;
- if (size <= 0)
+ if (size == 0)
return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
return _gnutls_extv_parse(ctx, cb, p, size);
} else if (flags & GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO) {
- ssize_t size = data->size;
+ size_t size = data->size;
size_t len;
uint8_t *p = data->data;
@@ -181,7 +181,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
DECR_LEN(size, len);
p += len;
- if (size <= 0)
+ if (size == 0)
return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
return _gnutls_extv_parse(ctx, cb, p, size);
diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
index 6122d1098..9d247ba4c 100644
--- a/lib/sslv2_compat.c
+++ b/lib/sslv2_compat.c
@@ -87,14 +87,13 @@ _gnutls_handshake_select_v2_suite(gnutls_session_t session,
*/
int
_gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
- unsigned int datalen)
+ unsigned int len)
{
uint16_t session_id_len = 0;
int pos = 0;
int ret = 0, sret = 0;
uint16_t sizeOfSuites;
uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor;
- int len = datalen;
int neg_version;
const version_entry_st *vers;
uint16_t challenge;
diff --git a/lib/supplemental.c b/lib/supplemental.c
index cd90fa1fb..07b38cc93 100644
--- a/lib/supplemental.c
+++ b/lib/supplemental.c
@@ -192,14 +192,14 @@ _gnutls_parse_supplemental(gnutls_session_t session,
const uint8_t * data, int datalen)
{
const uint8_t *p = data;
- ssize_t dsize = datalen;
+ size_t dsize = datalen;
size_t total_size;
DECR_LEN(dsize, 3);
total_size = _gnutls_read_uint24(p);
p += 3;
- if (dsize != (ssize_t) total_size) {
+ if (dsize != total_size) {
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index bd257237f..8a1a11872 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -360,11 +360,12 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data
static int
parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
{
- int len, ret;
+ int ret;
+ size_t len;
uint8_t *p = data;
cert_auth_info_t info;
gnutls_certificate_credentials_t cred;
- ssize_t dsize = data_size, size;
+ size_t size;
int i;
unsigned npeer_certs, npeer_ocsp, j;
crt_cert_ctx_st ctx;
@@ -395,31 +396,31 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
if (info == NULL)
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
- DECR_LEN(dsize, 3);
+ DECR_LEN(data_size, 3);
size = _gnutls_read_uint24(p);
p += 3;
- if (size != dsize)
+ if (size != data_size)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
if (size == 0)
return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);
- i = dsize;
+ i = data_size;
while (i > 0) {
- DECR_LEN(dsize, 3);
+ DECR_LEN(data_size, 3);
len = _gnutls_read_uint24(p);
if (len == 0)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- DECR_LEN(dsize, len);
+ DECR_LEN(data_size, len);
p += len + 3;
i -= len + 3;
- DECR_LEN(dsize, 2);
+ DECR_LEN(data_size, 2);
len = _gnutls_read_uint16(p);
- DECR_LEN(dsize, len);
+ DECR_LEN(data_size, len);
i -= len + 2;
p += len + 2;
@@ -427,7 +428,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
nentries++;
}
- if (dsize != 0)
+ if (data_size != 0)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
/* this is unnecessary - keeping to avoid a regression due to a re-org
diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c
index 6e3a12f90..33ebc0461 100644
--- a/lib/tls13/psk_ext_parser.c
+++ b/lib/tls13/psk_ext_parser.c
@@ -28,10 +28,8 @@
* are present, or 0, on success.
*/
int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p,
- const unsigned char *data, size_t _len)
+ const unsigned char *data, size_t len)
{
- ssize_t len = _len;
-
if (!p || !data || !len)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h
index 30b47e904..f46b211e0 100644
--- a/lib/tls13/psk_ext_parser.h
+++ b/lib/tls13/psk_ext_parser.h
@@ -25,10 +25,10 @@
struct psk_ext_parser_st {
const unsigned char *identities_data;
- ssize_t identities_len;
+ size_t identities_len;
const unsigned char *binders_data;
- ssize_t binders_len;
+ size_t binders_len;
};
typedef struct psk_ext_parser_st psk_ext_parser_st;
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 146aee9b1..072a56d9c 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -105,7 +105,7 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, tls13_ticket_st
gnutls_mac_algorithm_t kdf;
const mac_entry_st *prf;
uint8_t *p;
- ssize_t len;
+ size_t len;
uint64_t v;
int ret;
--
2.21.0


@ -1,36 +0,0 @@
From facea2b7659e11efce7014bda8800574d35dd05d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 12 Jun 2019 14:02:05 +0200
Subject: [PATCH] fips: run selftests over overridden AES-CBC algorithm
Previously, we only tested nettle's AES-CBC in
_gnutls_fips_perform_self_checks1(), which is called before the
implementation is overridden. This adds an AES-CBC self-test in
_gnutls_fips_perform_self_checks2() so it can test the actual
implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/fips.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/fips.c b/lib/fips.c
index b92edbbd7..902af5674 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
if (ret < 0) {
gnutls_assert();
--
2.20.1


@ -1,203 +0,0 @@
From c7a419e7868fd9342c1799a04d21c2ff6292c405 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 21 Jun 2019 15:49:26 +0200
Subject: [PATCH] nettle/rnd-fips: add FIPS 140-2 continuous RNG test
This adds a continuous random number generator test as defined in FIPS
140-2 4.9.2, by iteratively fetching fixed sized block from the system
and comparing consecutive blocks.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/nettle/rnd-fips.c | 102 +++++++++++++++++++++++++++++++++---------
1 file changed, 81 insertions(+), 21 deletions(-)
diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c
index ee68cf68d..ccb92d25a 100644
--- a/lib/nettle/rnd-fips.c
+++ b/lib/nettle/rnd-fips.c
@@ -27,12 +27,13 @@
#include "gnutls_int.h"
#include "errors.h"
-#include <nettle/aes.h>
-#include <nettle/memxor.h>
-#include <locks.h>
+#include <nettle/sha2.h>
#include <atfork.h>
#include <rnd-common.h>
+/* The block size is chosen arbitrarily */
+#define ENTROPY_BLOCK_SIZE SHA256_DIGEST_SIZE
+
/* This provides a random generator for gnutls. It uses
* two instances of the DRBG-AES-CTR generator, one for
* nonce level and another for the other levels of randomness.
@@ -41,11 +42,13 @@ struct fips_ctx {
struct drbg_aes_ctx nonce_context;
struct drbg_aes_ctx normal_context;
unsigned int forkid;
+ uint8_t entropy_hash[SHA256_DIGEST_SIZE];
};
static int _rngfips_ctx_reinit(struct fips_ctx *fctx);
static int _rngfips_ctx_init(struct fips_ctx *fctx);
-static int drbg_reseed(struct drbg_aes_ctx *ctx);
+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx);
+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length);
static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
void *buffer, size_t length)
@@ -59,7 +62,7 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
}
if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) {
- ret = drbg_reseed(ctx);
+ ret = drbg_reseed(fctx, ctx);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -71,54 +74,111 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
return 0;
}
+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length)
+{
+ int ret;
+ uint8_t block[ENTROPY_BLOCK_SIZE];
+ uint8_t hash[SHA256_DIGEST_SIZE];
+ struct sha256_ctx ctx;
+ size_t total = 0;
+
+ /* For FIPS 140-2 4.9.2 continuous random number generator
+ * test, iteratively fetch fixed sized block from the system
+ * RNG and compare consecutive blocks.
+ *
+ * Note that we store the hash of the entropy block rather
+ * than the block itself for backward secrecy.
+ */
+ while (total < length) {
+ ret = _rnd_get_system_entropy(block, ENTROPY_BLOCK_SIZE);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ sha256_init(&ctx);
+ sha256_update(&ctx, sizeof(block), block);
+ sha256_digest(&ctx, sizeof(hash), hash);
+
+ if (memcmp(hash, fctx->entropy_hash, sizeof(hash)) == 0) {
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
+ }
+ memcpy(fctx->entropy_hash, hash, sizeof(hash));
+
+ memcpy(buffer, block, MIN(length - total, sizeof(block)));
+ total += sizeof(block);
+ buffer += sizeof(block);
+ }
+ zeroize_key(block, sizeof(block));
+
+ return 0;
+}
+
#define PSTRING "gnutls-rng"
#define PSTRING_SIZE (sizeof(PSTRING)-1)
-static int drbg_init(struct drbg_aes_ctx *ctx)
+static int drbg_init(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
{
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
- /* Get a key from the standard RNG or from the entropy source. */
- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
+ ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0)
return gnutls_assert_val(ret);
- ret = drbg_aes_init(ctx, sizeof(buffer), buffer, PSTRING_SIZE, (void*)PSTRING);
+ ret = drbg_aes_init(ctx, sizeof(buffer), buffer,
+ PSTRING_SIZE, (void*)PSTRING);
+ zeroize_key(buffer, sizeof(buffer));
if (ret == 0)
return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
- zeroize_key(buffer, sizeof(buffer));
-
- return 0;
+ return GNUTLS_E_SUCCESS;
}
/* Reseed a generator. */
-static int drbg_reseed(struct drbg_aes_ctx *ctx)
+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
{
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
- /* The other two generators are seeded from /dev/random. */
- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
+ ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0)
return gnutls_assert_val(ret);
- drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
+ ret = drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
+ zeroize_key(buffer, sizeof(buffer));
+ if (ret == 0)
+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
- return 0;
+ return GNUTLS_E_SUCCESS;
}
static int _rngfips_ctx_init(struct fips_ctx *fctx)
{
+ uint8_t block[ENTROPY_BLOCK_SIZE];
+ struct sha256_ctx ctx;
int ret;
+ /* For FIPS 140-2 4.9.2 continuous random number generator
+ * test, get the initial entropy from the system RNG and keep
+ * it for comparison.
+ *
+ * Note that we store the hash of the entropy block rather
+ * than the block itself for backward secrecy.
+ */
+ ret = _rnd_get_system_entropy(block, sizeof(block));
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ sha256_init(&ctx);
+ sha256_update(&ctx, sizeof(block), block);
+ zeroize_key(block, sizeof(block));
+ sha256_digest(&ctx, sizeof(fctx->entropy_hash), fctx->entropy_hash);
+
/* normal */
- ret = drbg_init(&fctx->normal_context);
+ ret = drbg_init(fctx, &fctx->normal_context);
if (ret < 0)
return gnutls_assert_val(ret);
/* nonce */
- ret = drbg_init(&fctx->nonce_context);
+ ret = drbg_init(fctx, &fctx->nonce_context);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -132,12 +192,12 @@ static int _rngfips_ctx_reinit(struct fips_ctx *fctx)
int ret;
/* normal */
- ret = drbg_reseed(&fctx->normal_context);
+ ret = drbg_reseed(fctx, &fctx->normal_context);
if (ret < 0)
return gnutls_assert_val(ret);
/* nonce */
- ret = drbg_reseed(&fctx->nonce_context);
+ ret = drbg_reseed(fctx, &fctx->nonce_context);
if (ret < 0)
return gnutls_assert_val(ret);
--
2.21.0


@ -1,124 +0,0 @@
From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 16 Aug 2019 17:01:05 +0200
Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
Nettle's RSA signing, encryption and decryption functions still
require randomness for blinding, so fallback to use a fixed buffer in
selftests where entropy might not be available.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index b2d27cf74..772fcdc21 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
nettle_mpz_get_str_256 (length, data, *k);
}
+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+{
+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ }
+
+ memset(data, 0xAA, length);
+}
+
static void
ecc_scalar_zclear (struct ecc_scalar *s)
{
@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
+ nettle_random_func *random_func;
ret = _rsa_params_to_pubkey(pk_params, &pub);
if (ret < 0) {
@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
goto cleanup;
}
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_encrypt(&pub, NULL, rnd_nonce_func,
+ rsa_encrypt(&pub, NULL, random_func,
plaintext->size, plaintext->data,
p);
if (ret == 0 || HAVE_LIB_ERROR()) {
@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
struct rsa_public_key pub;
size_t length;
bigint_t c;
+ nettle_random_func *random_func;
_rsa_params_to_privkey(pk_params, &priv);
ret = _rsa_params_to_pubkey(pk_params, &pub);
@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
goto cleanup;
}
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
+ rsa_decrypt_tr(&pub, &priv, NULL, random_func,
&length, plaintext->data,
TOMPZ(c));
_gnutls_mpi_release(&c);
@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
bigint_t c;
uint32_t is_err;
int ret;
+ nettle_random_func *random_func;
if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
gnutls_assert();
@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
}
- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
plaintext_size, plaintext, TOMPZ(c));
/* after this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
{
struct rsa_private_key priv;
struct rsa_public_key pub;
+ nettle_random_func *random_func;
mpz_t s;
_rsa_params_to_privkey(pk_params, &priv);
@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
mpz_init(s);
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
vdata->size, vdata->data, s);
if (ret == 0 || HAVE_LIB_ERROR()) {
gnutls_assert();
--
2.21.0


@ -1,767 +0,0 @@
From bbb312749780928cc10b45662c6d7eadcaa98f0b Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 3 Oct 2019 10:34:18 +0200
Subject: [PATCH 1/3] iov: _gnutls_iov_iter_next: return bytes instead of
blocks
This eliminates the need of special handling of final block. Also
adds more tests in exceptional cases.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/crypto-api.c | 82 +++++-------------------------
lib/iov.c | 31 +++++++++---
tests/iov.c | 126 ++++++++++++++++++++++++++++++++---------------
3 files changed, 121 insertions(+), 118 deletions(-)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 09b3d7bfc..41e759b74 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -992,9 +992,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
uint8_t *dst;
size_t dst_size, total = 0;
uint8_t *p;
+ size_t len;
size_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
- size_t blocks;
/* Limitation: this function provides an optimization under the internally registered
* AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
@@ -1045,15 +1045,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
- blocksize * blocks);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
- if (iter.block_offset > 0) {
- ret = _gnutls_cipher_auth(&handle->ctx_enc,
- iter.block, iter.block_offset);
+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
@@ -1070,29 +1062,15 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- if (unlikely(dst_size < blocksize * blocks))
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
- blocksize * blocks,
- dst, dst_size);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- DECR_LEN(dst_size, blocksize * blocks);
- dst += blocksize * blocks;
- total += blocksize * blocks;
- }
- if (iter.block_offset > 0) {
- if (unlikely(dst_size < iter.block_offset))
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ len = ret;
ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
- iter.block, iter.block_offset,
+ p, len,
dst, dst_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
- DECR_LEN(dst_size, iter.block_offset);
- dst += iter.block_offset;
- total += iter.block_offset;
+ DECR_LEN(dst_size, len);
+ dst += len;
+ total += len;
}
if (dst_size < tag_size)
@@ -1137,7 +1115,6 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
uint8_t *p;
ssize_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
- size_t blocks;
size_t _tag_size;
if (tag_size == NULL || *tag_size == 0)
@@ -1220,15 +1197,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
- blocksize * blocks);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
- if (iter.block_offset > 0) {
- ret = _gnutls_cipher_auth(&handle->ctx_enc,
- iter.block, iter.block_offset);
+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
@@ -1242,17 +1211,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
- p, blocksize * blocks,
- p, blocksize * blocks);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
- if (iter.block_offset > 0) {
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
- iter.block, iter.block_offset,
- iter.block, iter.block_offset);
+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
@@ -1296,7 +1255,6 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
uint8_t *p;
ssize_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
- size_t blocks;
uint8_t _tag[MAX_HASH_SIZE];
if (tag_size == 0)
@@ -1370,15 +1328,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
- blocksize * blocks);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
- if (iter.block_offset > 0) {
- ret = _gnutls_cipher_auth(&handle->ctx_enc,
- iter.block, iter.block_offset);
+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
@@ -1392,17 +1342,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- blocks = ret;
- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
- p, blocksize * blocks,
- p, blocksize * blocks);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
- if (iter.block_offset > 0) {
- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
- iter.block, iter.block_offset,
- iter.block, iter.block_offset);
+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
diff --git a/lib/iov.c b/lib/iov.c
index 5dc29c54b..17272886c 100644
--- a/lib/iov.c
+++ b/lib/iov.c
@@ -58,8 +58,8 @@ _gnutls_iov_iter_init(struct iov_iter_st *iter,
* @data: the return location of extracted data
*
* Retrieve block(s) pointed by @iter and advance it to the next
- * position. It returns the number of consecutive blocks in @data.
- * At the end of iteration, 0 is returned.
+ * position. It returns the number of bytes in @data. At the end of
+ * iteration, 0 is returned.
*
* If the data stored in @iter is not multiple of the block size, the
* remaining data is stored in the "block" field of @iter with the
@@ -88,25 +88,30 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
if ((len % iter->block_size) == 0) {
iter->iov_index++;
iter->iov_offset = 0;
- } else
- iter->iov_offset +=
- len - (len % iter->block_size);
+ } else {
+ len -= (len % iter->block_size);
+ iter->iov_offset += len;
+ }
/* Return the blocks. */
*data = p;
- return len / iter->block_size;
+ return len;
}
/* We can complete one full block to return. */
block_left = iter->block_size - iter->block_offset;
if (len >= block_left) {
memcpy(iter->block + iter->block_offset, p, block_left);
- iter->iov_offset += block_left;
+ if (len == block_left) {
+ iter->iov_index++;
+ iter->iov_offset = 0;
+ } else
+ iter->iov_offset += block_left;
iter->block_offset = 0;
/* Return the filled block. */
*data = iter->block;
- return 1;
+ return iter->block_size;
}
/* Not enough data for a full block, store in temp
@@ -116,5 +121,15 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
iter->iov_index++;
iter->iov_offset = 0;
}
+
+ if (iter->block_offset > 0) {
+ size_t len = iter->block_offset;
+
+ /* Return the incomplete block. */
+ *data = iter->block;
+ iter->block_offset = 0;
+ return len;
+ }
+
return 0;
}
diff --git a/tests/iov.c b/tests/iov.c
index eda5583a7..3d116b471 100644
--- a/tests/iov.c
+++ b/tests/iov.c
@@ -32,7 +32,6 @@ struct exp_st {
ssize_t ret;
size_t iov_index;
size_t iov_offset;
- size_t block_offset;
};
struct test_st {
@@ -42,7 +41,6 @@ struct test_st {
size_t block_size;
const struct exp_st *exp;
size_t expcnt;
- size_t remaining;
};
static const giovec_t iov16[] = {
@@ -53,40 +51,41 @@ static const giovec_t iov16[] = {
};
static const struct exp_st exp16_64[] = {
- {1, 3, 16, 0},
- {0, 0, 0, 0}
+ {64, 4, 0},
+ {0, 0, 0}
};
static const struct exp_st exp16_32[] = {
- {1, 1, 16, 0},
- {1, 3, 16, 0},
- {0, 0, 0, 0}
+ {32, 2, 0},
+ {32, 4, 0},
+ {0, 0, 0}
};
static const struct exp_st exp16_16[] = {
- {1, 1, 0, 0},
- {1, 2, 0, 0},
- {1, 3, 0, 0},
- {1, 4, 0, 0},
- {0, 0, 0, 0}
+ {16, 1, 0},
+ {16, 2, 0},
+ {16, 3, 0},
+ {16, 4, 0},
+ {0, 0, 0}
};
static const struct exp_st exp16_4[] = {
- {4, 1, 0, 0},
- {4, 2, 0, 0},
- {4, 3, 0, 0},
- {4, 4, 0, 0},
- {0, 0, 0, 0}
+ {16, 1, 0},
+ {16, 2, 0},
+ {16, 3, 0},
+ {16, 4, 0},
+ {0, 0, 0}
};
static const struct exp_st exp16_3[] = {
- {5, 0, 15, 0},
- {1, 1, 2, 0},
- {4, 1, 14, 0},
- {1, 2, 1, 0},
- {5, 3, 0, 0},
- {5, 3, 15, 0},
- {0, 0, 0, 1}
+ {15, 0, 15},
+ {3, 1, 2},
+ {12, 1, 14},
+ {3, 2, 1},
+ {15, 3, 0},
+ {15, 3, 15},
+ {1, 4, 0},
+ {0, 0, 0}
};
static const giovec_t iov8[] = {
@@ -97,22 +96,74 @@ static const giovec_t iov8[] = {
};
static const struct exp_st exp8_64[] = {
- {0, 0, 0, 32}
+ {32, 4, 0},
+ {0, 0, 0}
+};
+
+static const giovec_t iov_odd[] = {
+ {(void *) "0", 1},
+ {(void *) "012", 3},
+ {(void *) "01234", 5},
+ {(void *) "0123456", 7},
+ {(void *) "012345678", 9},
+ {(void *) "01234567890", 11},
+ {(void *) "0123456789012", 13},
+ {(void *) "012345678901234", 15}
+};
+
+static const struct exp_st exp_odd_16[] = {
+ {16, 4, 0},
+ {16, 5, 7},
+ {16, 6, 12},
+ {16, 8, 0},
+ {0, 0, 0}
+};
+
+static const giovec_t iov_skip[] = {
+ {(void *) "0123456789012345", 16},
+ {(void *) "01234567", 8},
+ {(void *) "", 0},
+ {(void *) "", 0},
+ {(void *) "0123456789012345", 16}
+};
+
+static const struct exp_st exp_skip_16[] = {
+ {16, 1, 0},
+ {16, 4, 8},
+ {8, 5, 0},
+ {0, 0, 0}
+};
+
+static const giovec_t iov_empty[] = {
+ {(void *) "", 0},
+ {(void *) "", 0},
+ {(void *) "", 0},
+ {(void *) "", 0}
+};
+
+static const struct exp_st exp_empty_16[] = {
+ {0, 0, 0}
};
static const struct test_st tests[] = {
{ "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64,
- exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 },
+ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]) },
{ "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32,
- exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 },
+ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]) },
{ "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16,
- exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 },
+ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]) },
{ "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4,
- exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 },
+ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]) },
{ "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3,
- exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 },
+ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]) },
{ "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64,
- exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 }
+ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]) },
+ { "odd/16", iov_odd, sizeof(iov_odd)/sizeof(iov_odd[0]), 16,
+ exp_odd_16, sizeof(exp_odd_16)/sizeof(exp_odd_16[0]) },
+ { "skip/16", iov_skip, sizeof(iov_skip)/sizeof(iov_skip[0]), 16,
+ exp_skip_16, sizeof(exp_skip_16)/sizeof(exp_skip_16[0]) },
+ { "empty/16", iov_empty, sizeof(iov_empty)/sizeof(iov_empty[0]), 16,
+ exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) },
};
void
@@ -155,16 +206,13 @@ doit (void)
else if (debug)
success("iter.iov_offset: %u == %u\n",
(unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
- if (iter.block_offset != exp[j].block_offset)
- fail("iter.block_offset: %u != %u\n",
- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
+ if (iter.block_offset != 0)
+ fail("iter.block_offset: %u != 0\n",
+ (unsigned) iter.block_offset);
else if (debug)
- success("iter.block_offset: %u == %u\n",
- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
+ success("iter.block_offset: %u == 0\n",
+ (unsigned) iter.block_offset);
}
}
- if (iter.block_offset != tests[i].remaining)
- fail("remaining: %u != %u\n",
- (unsigned) iter.block_offset, (unsigned) tests[i].remaining);
}
}
--
2.21.0
From c684814cc456a9792a9183ce77d32d435f29e6b7 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 1 Oct 2019 18:14:48 +0200
Subject: [PATCH 2/3] iov: add _gnutls_iov_iter_sync to write back cached data
to iov
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/iov.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
lib/iov.h | 4 +++-
lib/libgnutls.map | 1 +
tests/iov.c | 61 +++++++++++++++++++++++++++++++++++++++++++----
4 files changed, 119 insertions(+), 6 deletions(-)
diff --git a/lib/iov.c b/lib/iov.c
index 17272886c..1cd8d46dd 100644
--- a/lib/iov.c
+++ b/lib/iov.c
@@ -133,3 +133,62 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
return 0;
}
+
+/**
+ * _gnutls_iov_iter_sync:
+ * @iter: the iterator
+ * @data: data returned by _gnutls_iov_iter_next
+ * @data_size: size of @data
+ *
+ * Flush the content of temp buffer (if any) to the data buffer.
+ */
+int
+_gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data,
+ size_t data_size)
+{
+ size_t iov_index;
+ size_t iov_offset;
+
+ /* We didn't return the cached block. */
+ if (data != iter->block)
+ return 0;
+
+ iov_index = iter->iov_index;
+ iov_offset = iter->iov_offset;
+
+ /* When syncing a cache block we walk backwards because we only have a
+ * pointer to were the block ends in the iovec, walking backwards is
+ * fine as we are always writing a full block, so the whole content
+ * is written in the right places:
+ * iovec: |--0--|---1---|--2--|-3-|
+ * block: |-----------------------|
+ * 1st write |---|
+ * 2nd write |-----
+ * 3rd write |-------
+ * last write |-----
+ */
+ while (data_size > 0) {
+ const giovec_t *iov;
+ uint8_t *p;
+ size_t to_write;
+
+ while (iov_offset == 0) {
+ if (unlikely(iov_index == 0))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ iov_index--;
+ iov_offset = iter->iov[iov_index].iov_len;
+ }
+
+ iov = &iter->iov[iov_index];
+ p = iov->iov_base;
+ to_write = MIN(data_size, iov_offset);
+
+ iov_offset -= to_write;
+ data_size -= to_write;
+
+ memcpy(p + iov_offset, &iter->block[data_size], to_write);
+ }
+
+ return 0;
+}
diff --git a/lib/iov.h b/lib/iov.h
index 47fba559a..5b9903460 100644
--- a/lib/iov.h
+++ b/lib/iov.h
@@ -34,7 +34,6 @@ struct iov_iter_st {
uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */
size_t block_size; /* actual block size of the cipher */
size_t block_offset; /* offset in block */
-
};
int _gnutls_iov_iter_init(struct iov_iter_st *iter,
@@ -43,4 +42,7 @@ int _gnutls_iov_iter_init(struct iov_iter_st *iter,
ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data);
+int _gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data,
+ size_t data_size);
+
#endif /* GNUTLS_LIB_IOV_H */
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index f83a21e9b..d6973f72e 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1394,4 +1394,5 @@ GNUTLS_PRIVATE_3_4 {
# needed by tests/iov:
_gnutls_iov_iter_init;
_gnutls_iov_iter_next;
+ _gnutls_iov_iter_sync;
} GNUTLS_3_4;
diff --git a/tests/iov.c b/tests/iov.c
index 3d116b471..2acd2b5f5 100644
--- a/tests/iov.c
+++ b/tests/iov.c
@@ -44,10 +44,10 @@ struct test_st {
};
static const giovec_t iov16[] = {
- {(void *) "0123456789abcdef", 16},
- {(void *) "0123456789abcdef", 16},
- {(void *) "0123456789abcdef", 16},
- {(void *) "0123456789abcdef", 16}
+ {(void *) "0123456789012345", 16},
+ {(void *) "0123456789012345", 16},
+ {(void *) "0123456789012345", 16},
+ {(void *) "0123456789012345", 16}
};
static const struct exp_st exp16_64[] = {
@@ -166,20 +166,53 @@ static const struct test_st tests[] = {
exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) },
};
+static void
+copy(giovec_t *dst, uint8_t *buffer, const giovec_t *src, size_t iovcnt)
+{
+ uint8_t *p = buffer;
+ size_t i;
+
+ for (i = 0; i < iovcnt; i++) {
+ dst[i].iov_base = p;
+ dst[i].iov_len = src[i].iov_len;
+ memcpy(dst[i].iov_base, src[i].iov_base, src[i].iov_len);
+ p += src[i].iov_len;
+ }
+}
+
+static void
+translate(uint8_t *data, size_t len)
+{
+ for (; len > 0; len--) {
+ uint8_t *p = &data[len - 1];
+ if (*p >= '0' && *p <= '9')
+ *p = 'A' + *p - '0';
+ else if (*p >= 'A' && *p <= 'Z')
+ *p = '0' + *p - 'A';
+ }
+}
+
+#define MAX_BUF 1024
+#define MAX_IOV 16
+
void
doit (void)
{
+ uint8_t buffer[MAX_BUF];
size_t i;
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+ giovec_t iov[MAX_IOV];
struct iov_iter_st iter;
const struct exp_st *exp = tests[i].exp;
uint8_t *data;
size_t j;
+ copy(iov, buffer, tests[i].iov, tests[i].iovcnt);
+
success("%s\n", tests[i].name);
assert(_gnutls_iov_iter_init(&iter,
- tests[i].iov, tests[i].iovcnt,
+ iov, tests[i].iovcnt,
tests[i].block_size) == 0);
for (j = 0; j < tests[i].expcnt; j++) {
ssize_t ret;
@@ -212,7 +245,25 @@ doit (void)
else if (debug)
success("iter.block_offset: %u == 0\n",
(unsigned) iter.block_offset);
+
+ translate(data, ret);
+
+ ret = _gnutls_iov_iter_sync(&iter, data, ret);
+ if (ret < 0)
+ fail("sync failed\n");
}
}
+
+ for (j = 0; j < tests[i].iovcnt; j++) {
+ translate(iov[j].iov_base, iov[j].iov_len);
+
+ if (memcmp(iov[j].iov_base, tests[i].iov[j].iov_base,
+ iov[j].iov_len) != 0)
+ fail("iov doesn't match: %*s != %*s\n",
+ (int)iov[j].iov_len,
+ (char *)iov[j].iov_base,
+ (int)tests[i].iov[j].iov_len,
+ (char *)tests[i].iov[j].iov_len);
+ }
}
}
--
2.21.0
From 6df0cf1c0ec727fc237a9b429684c8f2ef5d34b7 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 1 Oct 2019 18:15:19 +0200
Subject: [PATCH 3/3] gnutls_aead_cipher_{en,de}cryptv2: write back cached data
to buffers
Previously, those functions failed to write the output to the buffers
if the buffer length is not multiple of cipher block size. This makes
sure that the cached data is always flushed.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/crypto-api.c | 18 ++++++++++++++++--
tests/aead-cipher-vec.c | 14 ++++++++------
2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 41e759b74..7308d7e7b 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -1113,6 +1113,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
api_aead_cipher_hd_st *h = handle;
ssize_t ret;
uint8_t *p;
+ size_t len;
ssize_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
size_t _tag_size;
@@ -1211,7 +1212,13 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret);
+
+ len = ret;
+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, len, p, len);
+ if (unlikely(ret < 0))
+ return gnutls_assert_val(ret);
+
+ ret = _gnutls_iov_iter_sync(&iter, p, len);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
@@ -1253,6 +1260,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
api_aead_cipher_hd_st *h = handle;
ssize_t ret;
uint8_t *p;
+ size_t len;
ssize_t blocksize = handle->ctx_enc.e->blocksize;
struct iov_iter_st iter;
uint8_t _tag[MAX_HASH_SIZE];
@@ -1342,7 +1350,13 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
return gnutls_assert_val(ret);
if (ret == 0)
break;
- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret);
+
+ len = ret;
+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, len, p, len);
+ if (unlikely(ret < 0))
+ return gnutls_assert_val(ret);
+
+ ret = _gnutls_iov_iter_sync(&iter, p, len);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
}
diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
index 6c2542cf1..10e3db862 100644
--- a/tests/aead-cipher-vec.c
+++ b/tests/aead-cipher-vec.c
@@ -43,9 +43,9 @@ static void start(const char *name, int algo)
uint8_t key16[64];
uint8_t iv16[32];
uint8_t auth[128];
- uint8_t data[128+64];
+ uint8_t data[64+56+36];
gnutls_datum_t key, iv;
- giovec_t iov[2];
+ giovec_t iov[3];
giovec_t auth_iov[2];
uint8_t tag[64];
size_t tag_size = 0;
@@ -60,13 +60,15 @@ static void start(const char *name, int algo)
memset(iv.data, 0xff, iv.size);
memset(key.data, 0xfe, key.size);
- memset(data, 0xfa, 128);
+ memset(data, 0xfa, sizeof(data));
memset(auth, 0xaa, sizeof(auth));
iov[0].iov_base = data;
iov[0].iov_len = 64;
iov[1].iov_base = data + 64;
- iov[1].iov_len = 64;
+ iov[1].iov_len = 56;
+ iov[2].iov_base = data + 64 + 56;
+ iov[2].iov_len = 36;
auth_iov[0].iov_base = auth;
auth_iov[0].iov_len = 64;
@@ -83,7 +85,7 @@ static void start(const char *name, int algo)
ret = gnutls_aead_cipher_encryptv2(ch,
iv.data, iv.size,
auth_iov, 2,
- iov, 2,
+ iov, 3,
tag, &tag_size);
if (ret < 0)
fail("could not encrypt data: %s\n", gnutls_strerror(ret));
@@ -91,7 +93,7 @@ static void start(const char *name, int algo)
ret = gnutls_aead_cipher_decryptv2(ch,
iv.data, iv.size,
auth_iov, 2,
- iov, 2,
+ iov, 3,
tag, tag_size);
if (ret < 0)
fail("could not decrypt data: %s\n", gnutls_strerror(ret));
--
2.21.0


@ -1,204 +0,0 @@
From 1c2135506825ae80966fe2797613806916b7e3c0 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 6 Nov 2019 12:07:24 +0100
Subject: [PATCH 1/2] nettle: backport fixes to cfb8_decrypt
cfb8: don't truncate output IV if input is shorter than block size:
https://git.lysator.liu.se/nettle/nettle/commit/f4a9c842621baf5d71aa9cc3989851f44dc46861
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/nettle/backport/cfb8.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/nettle/backport/cfb8.c b/lib/nettle/backport/cfb8.c
index e9816feb7..1762192f4 100644
--- a/lib/nettle/backport/cfb8.c
+++ b/lib/nettle/backport/cfb8.c
@@ -110,10 +110,12 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
src += i;
dst += i;
- memcpy(buffer, buffer + block_size, block_size);
- memcpy(buffer + block_size, src,
- length < block_size ? length : block_size);
-
+ if (i == block_size)
+ {
+ memcpy(buffer, buffer + block_size, block_size);
+ memcpy(buffer + block_size, src,
+ length < block_size ? length : block_size);
+ }
}
memcpy(iv, buffer + i, block_size);
--
2.21.0
From cc01347302678719f0bcfb4f3383fe0f1e905ed8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 6 Nov 2019 13:17:57 +0100
Subject: [PATCH 2/2] crypto-selftests: test CFB8 ciphers with different
chunksizes
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/crypto-selftests.c | 124 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 118 insertions(+), 6 deletions(-)
diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
index 6caf817e8..5f0a4ec8b 100644
--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
@@ -710,6 +710,107 @@ static int test_cipher(gnutls_cipher_algorithm_t cipher,
return 0;
}
+static int test_cipher_all_block_sizes(gnutls_cipher_algorithm_t cipher,
+ const struct cipher_vectors_st *vectors,
+ size_t vectors_size, unsigned flags)
+{
+ gnutls_cipher_hd_t hd;
+ int ret;
+ unsigned int i;
+ uint8_t tmp[384];
+ gnutls_datum_t key, iv = {NULL, 0};
+ size_t block;
+ size_t offset;
+
+ for (i = 0; i < vectors_size; i++) {
+ for (block = 1; block <= vectors[i].plaintext_size; block++) {
+ key.data = (void *) vectors[i].key;
+ key.size = vectors[i].key_size;
+
+ iv.data = (void *) vectors[i].iv;
+ iv.size = gnutls_cipher_get_iv_size(cipher);
+
+ if (iv.size != vectors[i].iv_size)
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+
+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv);
+ if (ret < 0) {
+ _gnutls_debug_log("error initializing: %s\n",
+ gnutls_cipher_get_name(cipher));
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ for (offset = 0;
+ offset < vectors[i].plaintext_size;
+ offset += block) {
+ ret =
+ gnutls_cipher_encrypt2(hd,
+ vectors[i].plaintext + offset,
+ MIN(block, vectors[i].plaintext_size - offset),
+ tmp + offset,
+ sizeof(tmp) - offset);
+ if (ret < 0)
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp
+ (tmp, vectors[i].ciphertext,
+ vectors[i].plaintext_size) != 0) {
+ _gnutls_debug_log("%s encryption of test vector %d failed with block size %d/%d!\n",
+ gnutls_cipher_get_name(cipher),
+ i, (int)block, (int)vectors[i].plaintext_size);
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ gnutls_cipher_deinit(hd);
+ }
+ }
+
+ for (i = 0; i < vectors_size; i++) {
+ for (block = 1; block <= vectors[i].plaintext_size; block++) {
+ key.data = (void *) vectors[i].key;
+ key.size = vectors[i].key_size;
+
+ iv.data = (void *) vectors[i].iv;
+ iv.size = gnutls_cipher_get_iv_size(cipher);
+
+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv);
+ if (ret < 0)
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+
+ for (offset = 0;
+ offset + block <= vectors[i].plaintext_size;
+ offset += block) {
+ ret =
+ gnutls_cipher_decrypt2(hd,
+ vectors[i].ciphertext + offset,
+ MIN(block, vectors[i].plaintext_size - offset),
+ tmp + offset,
+ sizeof(tmp) - offset);
+ if (ret < 0)
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp
+ (tmp, vectors[i].plaintext,
+ vectors[i].plaintext_size) != 0) {
+ _gnutls_debug_log("%s decryption of test vector %d failed with block size %d!\n",
+ gnutls_cipher_get_name(cipher),
+ i, (int)block);
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ gnutls_cipher_deinit(hd);
+ }
+ }
+
+ _gnutls_debug_log
+ ("%s self check succeeded\n",
+ gnutls_cipher_get_name(cipher));
+
+ return 0;
+}
+
/* AEAD modes (compat APIs) */
static int test_cipher_aead_compat(gnutls_cipher_algorithm_t cipher,
const struct cipher_aead_vectors_st *vectors,
@@ -1721,6 +1822,14 @@ static int test_mac(gnutls_mac_algorithm_t mac,
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
return ret
+#define CASE2(x, func, func2, vectors) case x: \
+ ret = func(x, V(vectors), flags); \
+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
+ return ret; \
+ ret = func2(x, V(vectors), flags); \
+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
+ return ret
+
#define NON_FIPS_CASE(x, func, vectors) case x: \
if (_gnutls_fips_mode_enabled() == 0) { \
ret = func(x, V(vectors), flags); \
@@ -1786,14 +1895,17 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher)
NON_FIPS_CASE(GNUTLS_CIPHER_CHACHA20_POLY1305, test_cipher_aead,
chacha_poly1305_vectors);
FALLTHROUGH;
- CASE(GNUTLS_CIPHER_AES_128_CFB8, test_cipher,
- aes128_cfb8_vectors);
+ CASE2(GNUTLS_CIPHER_AES_128_CFB8, test_cipher,
+ test_cipher_all_block_sizes,
+ aes128_cfb8_vectors);
FALLTHROUGH;
- CASE(GNUTLS_CIPHER_AES_192_CFB8, test_cipher,
- aes192_cfb8_vectors);
+ CASE2(GNUTLS_CIPHER_AES_192_CFB8, test_cipher,
+ test_cipher_all_block_sizes,
+ aes192_cfb8_vectors);
FALLTHROUGH;
- CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher,
- aes256_cfb8_vectors);
+ CASE2(GNUTLS_CIPHER_AES_256_CFB8, test_cipher,
+ test_cipher_all_block_sizes,
+ aes256_cfb8_vectors);
FALLTHROUGH;
CASE(GNUTLS_CIPHER_AES_128_XTS, test_cipher,
aes128_xts_vectors);
--
2.21.0


@ -1,286 +0,0 @@
From 6023c69c616d866e19ab1c0bb87931e5143c79d3 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 5 Jun 2019 16:48:39 +0200
Subject: [PATCH] tls13/key_update: ignore multiple key updates instead of
error
This fixes the multiple KeyUpdate messages handling in commit
65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is
sent even if the limit doesn't exceed.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
.gitignore | 1 +
lib/tls13/key_update.c | 2 -
tests/Makefile.am | 2 +
tests/tls13/key_update_multiple.c | 232 ++++++++++++++++++++++++++++++
4 files changed, 235 insertions(+), 2 deletions(-)
create mode 100644 tests/tls13/key_update_multiple.c
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index d542a214b..c6f6e0aa1 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -117,8 +117,6 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf)
session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_1;
else if (session->internals.rsend_state == RECORD_SEND_CORKED)
session->internals.rsend_state = RECORD_SEND_CORKED_TO_KU;
- else
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
break;
default:
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ca0481879..4ffa69825 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -119,6 +119,8 @@ ctests += tls13/psk-ext
ctests += tls13/key_update
+ctests += tls13/key_update_multiple
+
ctests += tls13/key_limits
ctests += tls13/multi-ocsp
diff --git a/tests/tls13/key_update_multiple.c b/tests/tls13/key_update_multiple.c
new file mode 100644
index 000000000..8b2c2db4b
--- /dev/null
+++ b/tests/tls13/key_update_multiple.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2017-2019 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <assert.h>
+#include "cert-common.h"
+
+#include "utils.h"
+#include "virt-time.h"
+#define RANDOMIZE
+#include "eagain-common.h"
+
+const char *side = "";
+
+/* This program tests whether multiple key update messages are handled
+ * properly with rate-limit. */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define MAX_BUF 1024
+#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..."
+
+/* These must match the definitions in lib/tls13/key_update.c. */
+#define KEY_UPDATES_WINDOW 1000
+#define KEY_UPDATES_PER_WINDOW 8
+
+static unsigned key_update_msg_inc = 0;
+static unsigned key_update_msg_out = 0;
+
+static int hsk_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
+{
+ assert(post == GNUTLS_HOOK_PRE);
+
+ assert(msg->size == 1);
+
+ if (htype == GNUTLS_HANDSHAKE_KEY_UPDATE) {
+ if (incoming)
+ key_update_msg_inc++;
+ else
+ key_update_msg_out++;
+ }
+
+ return 0;
+}
+
+static void run(const char *name, bool exceed_limit)
+{
+ /* Server stuff. */
+ gnutls_certificate_credentials_t ccred;
+ gnutls_certificate_credentials_t scred;
+ gnutls_session_t server;
+ int sret, cret;
+ /* Client stuff. */
+ gnutls_session_t client;
+ /* Need to enable anonymous KX specifically. */
+ char buffer[MAX_BUF + 1];
+ int ret, transferred = 0;
+ size_t i;
+
+ success("%s\n", name);
+
+ /* General init. */
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(9);
+
+ /* Init server */
+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
+ assert(gnutls_certificate_set_x509_key_mem(scred,
+ &server_ca3_localhost_cert,
+ &server_ca3_key,
+ GNUTLS_X509_FMT_PEM) >= 0);
+
+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
+ ret =
+ gnutls_priority_set_direct(server,
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
+ NULL);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+
+ /* Init client */
+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
+ assert(gnutls_certificate_set_x509_trust_mem
+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
+
+ gnutls_init(&client, GNUTLS_CLIENT);
+ ret =
+ gnutls_priority_set_direct(client,
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
+ NULL);
+ assert(ret >= 0);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+
+ HANDSHAKE(client, server);
+ if (debug)
+ success("Handshake established\n");
+
+ key_update_msg_inc = 0;
+ key_update_msg_out = 0;
+
+ gnutls_handshake_set_hook_function(client, -1, GNUTLS_HOOK_PRE, hsk_callback);
+
+ /* schedule multiple key updates */
+ for (i = 0; i < KEY_UPDATES_PER_WINDOW; i++) {
+ do {
+ ret = gnutls_session_key_update(client, 1);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ if (ret < 0)
+ fail("error in key update: %s\n", gnutls_strerror(ret));
+ }
+
+ /* server receives the client key update and sends data */
+ TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
+ EMPTY_BUF(server, client, buffer, MAX_BUF);
+
+ if (key_update_msg_out != KEY_UPDATES_PER_WINDOW)
+ fail("unexpected number of key updates are sent: %d\n",
+ key_update_msg_out);
+ else {
+ if (debug)
+ success("successfully sent %d key updates\n",
+ KEY_UPDATES_PER_WINDOW);
+ }
+ if (key_update_msg_inc != 1)
+ fail("unexpected number of key updates received: %d\n",
+ key_update_msg_inc);
+ else {
+ if (debug)
+ success("successfully received 1 key update\n");
+ }
+
+ if (exceed_limit) {
+ /* excessive key update in the same time window should
+ * be rejected by the peer */
+ do {
+ ret = gnutls_session_key_update(client, 1);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ /* server receives the client key update and sends data */
+ ret = record_send_loop(client, MSG, strlen(MSG), 0);
+ assert(ret == strlen(MSG));
+ ret = gnutls_record_recv(server, buffer, MAX_BUF);
+ if (ret != GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS)
+ fail("server didn't reject excessive number of key updates\n");
+ else {
+ if (debug)
+ success("server rejected excessive number of key updates\n");
+ }
+ } else {
+ virt_sec_sleep(KEY_UPDATES_WINDOW / 1000 + 1);
+
+ /* the time window should be rolled over now */
+ do {
+ ret = gnutls_session_key_update(client, 1);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ if (ret < 0)
+ fail("error in key update: %s\n", gnutls_strerror(ret));
+
+ /* server receives the client key update and sends data */
+ TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
+ EMPTY_BUF(server, client, buffer, MAX_BUF);
+ }
+
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(scred);
+ gnutls_certificate_free_credentials(ccred);
+
+ gnutls_global_deinit();
+ reset_buffers();
+}
+
+void doit(void)
+{
+ virt_time_init();
+
+ run("not exceeding limit", 0);
+ run("exceeding limit", 1);
+}
--
2.20.1


@ -1,265 +0,0 @@
From fa5147c86941512921282b84819b896a0d4f29bb Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 19 Jun 2019 17:21:16 +0200
Subject: [PATCH] pkcs11: ignore login error when traversing tokens
If a token is a general access device, it is expected that login
attempt to that token returns error:
https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852
On the other hand, _pkcs11_traverse_tokens treats the error as fatal
and stops iteration. This behavior prevents object search without
token specifier if such tokens are registered in the system.
Reported by Stanislav Zidek in
https://bugzilla.redhat.com/show_bug.cgi?id=1705478
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
.gitignore | 1 +
lib/pkcs11.c | 8 +-
tests/Makefile.am | 2 +-
tests/p11-kit-load.sh | 23 ++++++
tests/pkcs11/list-objects.c | 150 ++++++++++++++++++++++++++++++++++++
5 files changed, 182 insertions(+), 2 deletions(-)
create mode 100644 tests/pkcs11/list-objects.c
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index de5309b29..2ef0e3e02 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1617,7 +1617,13 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input,
info, flags);
if (ret < 0) {
gnutls_assert();
- return ret;
+ pkcs11_close_session(&sinfo);
+
+ /* treat the error as fatal only if
+ * the token requires login */
+ if (l_tinfo.flags & CKF_LOGIN_REQUIRED)
+ return ret;
+ continue;
}
ret =
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a67f1549c..7fe954f63 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -496,7 +496,7 @@ dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh
if HAVE_PKCS11_TRUST_STORE
if P11KIT_0_23_11_API
dist_check_SCRIPTS += p11-kit-load.sh
-indirect_tests += pkcs11/list-tokens
+indirect_tests += pkcs11/list-tokens pkcs11/list-objects
endif
endif
diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh
index 3201a2c5f..419900f6a 100755
--- a/tests/p11-kit-load.sh
+++ b/tests/p11-kit-load.sh
@@ -22,6 +22,7 @@
srcdir="${srcdir:-.}"
builddir="${builddir:-.}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
+P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
DIFF="${DIFF:-diff}"
PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
@@ -90,6 +91,12 @@ if test $? != 0; then
exit 1
fi
+GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null
+if test $? != 0; then
+ echo "failed to generate privkey"
+ exit 1
+fi
+
FILTERTOKEN="sed s/token=.*//g"
# Check whether both are listed
@@ -175,6 +182,22 @@ if test "$nr" != 2;then
exit 1
fi
+# Check whether public key and privkey are listed.
+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 8: did not find all objects"
+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test
+ exit 1
+fi
+
+# Check whether all privkeys are listed even if trust module is registered.
+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 9: did not find privkey objects"
+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:
+ exit 1
+fi
+
rm -f ${P11DIR}/*
rm -rf ${TMP_SOFTHSM_DIR}
diff --git a/tests/pkcs11/list-objects.c b/tests/pkcs11/list-objects.c
new file mode 100644
index 000000000..ab30cd568
--- /dev/null
+++ b/tests/pkcs11/list-objects.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2016-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <getopt.h>
+#define P11_KIT_FUTURE_UNSTABLE_API
+#include <p11-kit/p11-kit.h>
+#include "cert-common.h"
+
+/* lists the registered PKCS#11 modules by p11-kit.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+static const char *opt_pin;
+
+static
+int pin_func(void* userdata, int attempt, const char* url, const char *label,
+ unsigned flags, char *pin, size_t pin_max)
+{
+ if (attempt == 0) {
+ strcpy(pin, opt_pin);
+ return 0;
+ }
+ return -1;
+}
+
+int main(int argc, char **argv)
+{
+ int ret;
+ unsigned i;
+ int opt;
+ char *url, *mod;
+ unsigned flags;
+ unsigned obj_flags = 0;
+ int attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
+ gnutls_pkcs11_obj_t *crt_list;
+ unsigned int crt_list_size = 0;
+ const char *envvar;
+
+ ret = gnutls_global_init();
+ if (ret != 0) {
+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ gnutls_global_set_log_function(tls_log_func);
+
+ while((opt = getopt(argc, argv, "o:t:")) != -1) {
+ switch(opt) {
+ case 'o':
+ mod = strdup(optarg);
+ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL);
+ break;
+ case 't':
+ /* specify the object type to list */
+ if (strcmp(optarg, "all") == 0)
+ attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
+ else if (strcmp(optarg, "privkey") == 0)
+ attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;
+ else {
+ fprintf(stderr, "Unknown object type %s\n", optarg);
+ exit(1);
+ }
+ break;
+ default:
+ fprintf(stderr, "Unknown option %c\n", (char)opt);
+ exit(1);
+ }
+ }
+
+ if (optind == argc) {
+ fprintf(stderr, "specify URL\n");
+ exit(1);
+ }
+ url = argv[optind];
+
+ envvar = getenv("GNUTLS_PIN");
+ if (envvar && *envvar != '\0') {
+ opt_pin = envvar;
+ obj_flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
+ }
+
+ ret = gnutls_pkcs11_token_get_flags(url, &flags);
+ if (ret < 0) {
+ flags = 0;
+ }
+
+ ret =
+ gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size,
+ url, attrs, obj_flags);
+ if (ret != 0) {
+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ for (i = 0; i < crt_list_size; i++) {
+ char *output;
+
+ ret =
+ gnutls_pkcs11_obj_export_url(crt_list[i], 0,
+ &output);
+ if (ret != 0) {
+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ fprintf(stdout, "%s\n", output);
+ gnutls_free(output);
+ gnutls_pkcs11_obj_deinit(crt_list[i]);
+ }
+ gnutls_free(crt_list);
+
+ gnutls_global_deinit();
+}
--
2.21.0


@ -1,51 +0,0 @@
From 1f6bbceeeeb613cf4d790874bdd1e917a7071159 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 8 Jul 2019 16:54:56 +0200
Subject: [PATCH] ext/session_ticket: avoid calling memcpy on overlapping
memory areas
In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated
from ticket_data->data, thus those memory areas may overlap. Using
memcpy here leads to undefined behavior.
Spotted by valgrind run on ppc64le.
==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023)
==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139)
==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
==95231== by 0x4110DEB: handshake_server (handshake.c:3331)
==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727)
==95231== by 0x10009EBF: retry_handshake (serv.c:1306)
==95231== by 0x1000AB67: tcp_server (serv.c:1500)
==95231== by 0x10009E5B: main (serv.c:1297)
==95231==
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/ext/session_ticket.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 09e240c2d..98db39ff8 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data)
_gnutls_write_uint16(ticket->encrypted_state_len, p);
p += 2;
- memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len);
+ /* We use memmove instead of memcpy here because
+ * ticket->encrypted_state is allocated from
+ * ticket_data->data, and thus both memory areas may overlap.
+ */
+ memmove(p, ticket->encrypted_state, ticket->encrypted_state_len);
p += ticket->encrypted_state_len;
memcpy(p, ticket->mac, TICKET_MAC_SIZE);
--
2.21.0



@ -1,21 +1,14 @@
Version: 3.6.8 Version: 3.6.14
Release: 11%{?dist} Release: 6%{?dist}
Patch1: gnutls-3.2.7-rpath.patch Patch1: gnutls-3.2.7-rpath.patch
Patch2: gnutls-3.6.4-no-now-guile.patch Patch2: gnutls-3.6.4-no-now-guile.patch
Patch3: gnutls-3.6.5-fix-fips-signature-post.patch Patch3: gnutls-3.6.13-enable-intel-cet.patch
Patch4: gnutls-3.6.8-fips-aes-cbc-kat.patch Patch4: gnutls-3.6.14-autogen-int.patch
Patch5: gnutls-3.6.8-multiple-key-updates.patch Patch5: gnutls-3.6.14-fips-mode-check.patch
Patch6: gnutls-3.6.8-fips-rng-continuous.patch Patch6: gnutls-3.6.14-fips-dh-primes.patch
Patch7: gnutls-3.6.8-session-ticket-ub.patch Patch7: gnutls-3.6.14-memcmp.patch
Patch8: gnutls-3.6.8-pkcs11-login-error.patch Patch8: gnutls-3.6.14-fips-dh-check.patch
Patch9: gnutls-3.6.8-fips-deterministic-ecdsa.patch Patch9: gnutls-3.6.14-fix-iovec-memory-leak.patch
Patch10: gnutls-3.6.8-aead-cipher-encryptv2.patch
Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch
Patch12: gnutls-3.6.8-decr-len.patch
Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch
Patch15: gnutls-3.6.12-dtls-random.patch
Patch16: gnutls-3.6.14-totp-init.patch
%bcond_without dane %bcond_without dane
%if 0%{?rhel} %if 0%{?rhel}
%bcond_with guile %bcond_with guile
@ -61,7 +54,7 @@ BuildRequires: guile-devel
URL: http://www.gnutls.org/ URL: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424 Provides: bundled(gnulib) = 20130424
@ -299,11 +292,35 @@ fi
%endif %endif
%changelog %changelog
* Mon Jun 8 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-11 * Mon Aug 24 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-6
- Fix CVE-2020-13777 (#1844147) - Fix memory leak when serializing iovec_t (#1844112)
* Sat Jul 18 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-5
- Perform validation checks on (EC)DH public keys and share secrets (#1855803)
* Mon Jun 29 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-4
- Tighten FIPS DH primes check according to SP800-56A (rev 3) (#1849079)
* Fri Jun 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-3
- Update gnutls-3.6.14-fips-mode-check.patch
* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-2
- Return false from gnutls_fips140_mode_enabled() if selftests failed (#1827687)
* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-1
- Update to upstream 3.6.14 release
* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
- Add an option to gnutls-cli to wait for resumption under TLS 1.3 (#1677754)
* Wed May 20 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
- Enable Intel CET (#1838476)
* Tue May 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
- Update to upstream 3.6.13 release
* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10 * Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
- Fix CVE-2020-11501 (#1826176) - Fix CVE-2020-11501 (#1822005)
* Wed Nov 6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9 * Wed Nov 6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9
- Fix CFB8 decryption when repeatedly called (#1757848) - Fix CFB8 decryption when repeatedly called (#1757848)