diff --git a/.gitignore b/.gitignore index 07267e9..a2ab7a3 100644 --- a/.gitignore +++ b/.gitignore @@ -140,3 +140,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.6.tar.xz /gnutls-3.7.6.tar.xz.sig /gmp-6.2.1.tar.xz +/gnutls-3.8.2.tar.xz +/gnutls-3.8.2.tar.xz.sig diff --git a/gnutls-3.6.7-no-now-guile.patch b/gnutls-3.6.7-no-now-guile.patch deleted file mode 100644 index d14e8df..0000000 --- a/gnutls-3.6.7-no-now-guile.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/guile/src/Makefile.in 2019-03-27 11:51:55.984398001 +0100 -+++ b/guile/src/Makefile.in 2019-03-27 11:52:27.259626076 +0100 -@@ -1472,7 +1472,7 @@ - # Use '-module' to build a "dlopenable module", in Libtool terms. - # Use '-undefined' to placate Libtool on Windows; see - # . --guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy - - # Linking against GnuTLS. - GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la diff --git a/gnutls-3.7.2-enable-intel-cet.patch b/gnutls-3.7.2-enable-intel-cet.patch index b7e1063..c01558c 100644 --- a/gnutls-3.7.2-enable-intel-cet.patch +++ b/gnutls-3.7.2-enable-intel-cet.patch @@ -1,26 +1,28 @@ -From 71b1812bf9a785b66e3f17175580d3d20cea9c0c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 12 Oct 2021 13:33:31 +0200 -Subject: [PATCH] x86: port Intel CET support +From 1688e614451ac93a95702d49461c9971351ee614 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 16 Nov 2023 17:01:57 +0900 +Subject: [PATCH] gnutls-3.7.2-enable-intel-cet.patch -Signed-off-by: Daiki Ueno +Signed-off-by: rpm-build --- - lib/accelerated/x86/elf/aes-ssse3-x86.s | 30 ++++++++++++++ - lib/accelerated/x86/elf/aes-ssse3-x86_64.s | 26 +++++++++++++ - lib/accelerated/x86/elf/aesni-gcm-x86_64.s | 21 ++++++++++ - lib/accelerated/x86/elf/aesni-x86.s | 39 +++++++++++++++++++ - lib/accelerated/x86/elf/aesni-x86_64.s | 32 +++++++++++++++ - lib/accelerated/x86/elf/ghash-x86_64.s | 27 +++++++++++++ - lib/accelerated/x86/elf/sha1-ssse3-x86.s | 18 +++++++++ - lib/accelerated/x86/elf/sha1-ssse3-x86_64.s | 21 ++++++++++ - lib/accelerated/x86/elf/sha256-ssse3-x86.s | 18 +++++++++ - lib/accelerated/x86/elf/sha256-ssse3-x86_64.s | 21 ++++++++++ - lib/accelerated/x86/elf/sha512-ssse3-x86.s | 18 +++++++++ - lib/accelerated/x86/elf/sha512-ssse3-x86_64.s | 21 ++++++++++ - 12 files changed, 292 insertions(+) + lib/accelerated/x86/elf/aes-ssse3-x86.s | 30 ++ + lib/accelerated/x86/elf/aes-ssse3-x86_64.s | 26 ++ + lib/accelerated/x86/elf/aesni-gcm-x86_64.s | 21 ++ + lib/accelerated/x86/elf/aesni-x86.s | 39 +++ + lib/accelerated/x86/elf/aesni-x86_64.s | 32 ++ + lib/accelerated/x86/elf/e_padlock-x86.s | 306 ++++++++++-------- + lib/accelerated/x86/elf/e_padlock-x86_64.s | 242 +++++++++----- + lib/accelerated/x86/elf/ghash-x86_64.s | 27 ++ + lib/accelerated/x86/elf/sha1-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s | 21 ++ + lib/accelerated/x86/elf/sha256-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha256-ssse3-x86_64.s | 21 ++ + lib/accelerated/x86/elf/sha512-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s | 21 ++ + 14 files changed, 625 insertions(+), 215 deletions(-) diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86.s b/lib/accelerated/x86/elf/aes-ssse3-x86.s -index 265e28a7ef..7be53059f7 100644 +index 265e28a..7be5305 100644 --- a/lib/accelerated/x86/elf/aes-ssse3-x86.s +++ b/lib/accelerated/x86/elf/aes-ssse3-x86.s @@ -71,6 +71,7 @@ @@ -150,7 +152,7 @@ index 265e28a7ef..7be53059f7 100644 + .section .note.GNU-stack,"",%progbits diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s -index ea1216baf7..5a3f336f26 100644 +index ea1216b..5a3f336 100644 --- a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s +++ b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s @@ -635,6 +635,7 @@ _vpaes_schedule_mangle: @@ -221,7 +223,7 @@ index ea1216baf7..5a3f336f26 100644 .section .note.GNU-stack,"",%progbits diff --git a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s -index 461dd026b9..ea5398bc2c 100644 +index 461dd02..ea5398b 100644 --- a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s +++ b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s @@ -826,5 +826,26 @@ aesni_gcm_encrypt: @@ -252,7 +254,7 @@ index 461dd026b9..ea5398bc2c 100644 .section .note.GNU-stack,"",%progbits diff --git a/lib/accelerated/x86/elf/aesni-x86.s b/lib/accelerated/x86/elf/aesni-x86.s -index 6e4860209f..f41d5f9ef3 100644 +index 0c13b39..3ec4a23 100644 --- a/lib/accelerated/x86/elf/aesni-x86.s +++ b/lib/accelerated/x86/elf/aesni-x86.s @@ -43,6 +43,7 @@ @@ -433,7 +435,7 @@ index 6e4860209f..f41d5f9ef3 100644 movl 12(%esp),%edx @@ -3275,4 +3297,21 @@ aesni_set_decrypt_key: .byte 115,108,46,111,114,103,62,0 - .comm _gnutls_x86_cpuid_s,16,4 + .comm GNUTLS_x86_cpuid_s,16,4 + .section ".note.gnu.property", "a" + .p2align 2 @@ -454,7 +456,7 @@ index 6e4860209f..f41d5f9ef3 100644 + .section .note.GNU-stack,"",%progbits diff --git a/lib/accelerated/x86/elf/aesni-x86_64.s b/lib/accelerated/x86/elf/aesni-x86_64.s -index acc7c2c555..e3f9d5a995 100644 +index b844198..7edf5f1 100644 --- a/lib/accelerated/x86/elf/aesni-x86_64.s +++ b/lib/accelerated/x86/elf/aesni-x86_64.s @@ -44,6 +44,7 @@ @@ -572,285 +574,8 @@ index acc7c2c555..e3f9d5a995 100644 +4: .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/ghash-x86_64.s b/lib/accelerated/x86/elf/ghash-x86_64.s -index 1e4d18b341..8da3f294c7 100644 ---- a/lib/accelerated/x86/elf/ghash-x86_64.s -+++ b/lib/accelerated/x86/elf/ghash-x86_64.s -@@ -45,6 +45,7 @@ - .align 16 - gcm_gmult_4bit: - .cfi_startproc -+.byte 243,15,30,250 - pushq %rbx - .cfi_adjust_cfa_offset 8 - .cfi_offset %rbx,-16 -@@ -156,6 +157,7 @@ gcm_gmult_4bit: - .align 16 - gcm_ghash_4bit: - .cfi_startproc -+.byte 243,15,30,250 - pushq %rbx - .cfi_adjust_cfa_offset 8 - .cfi_offset %rbx,-16 -@@ -903,6 +905,7 @@ gcm_init_clmul: - .align 16 - gcm_gmult_clmul: - .cfi_startproc -+.byte 243,15,30,250 - .L_gmult_clmul: - movdqu (%rdi),%xmm0 - movdqa .Lbswap_mask(%rip),%xmm5 -@@ -956,6 +959,7 @@ gcm_gmult_clmul: - .align 32 - gcm_ghash_clmul: - .cfi_startproc -+.byte 243,15,30,250 - .L_ghash_clmul: - movdqa .Lbswap_mask(%rip),%xmm10 - -@@ -1450,6 +1454,7 @@ gcm_init_avx: - .align 32 - gcm_gmult_avx: - .cfi_startproc -+.byte 243,15,30,250 - jmp .L_gmult_clmul - .cfi_endproc - .size gcm_gmult_avx,.-gcm_gmult_avx -@@ -1458,6 +1463,7 @@ gcm_gmult_avx: - .align 32 - gcm_ghash_avx: - .cfi_startproc -+.byte 243,15,30,250 - vzeroupper - - vmovdqu (%rdi),%xmm10 -@@ -1884,5 +1890,26 @@ gcm_ghash_avx: - - .byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 - .align 64 -+ .section ".note.gnu.property", "a" -+ .p2align 3 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ # "GNU" encoded with .byte, since .asciz isn't supported -+ # on Solaris. -+ .byte 0x47 -+ .byte 0x4e -+ .byte 0x55 -+ .byte 0 -+1: -+ .p2align 3 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 3 -+4: - - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86.s b/lib/accelerated/x86/elf/sha1-ssse3-x86.s -index 8bfbcb6b39..57b6ba58f6 100644 ---- a/lib/accelerated/x86/elf/sha1-ssse3-x86.s -+++ b/lib/accelerated/x86/elf/sha1-ssse3-x86.s -@@ -43,6 +43,7 @@ - .align 16 - sha1_block_data_order: - .L_sha1_block_data_order_begin: -+.byte 243,15,30,251 - pushl %ebp - pushl %ebx - pushl %esi -@@ -1417,4 +1418,21 @@ sha1_block_data_order: - .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 - .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 - -+ .section ".note.gnu.property", "a" -+ .p2align 2 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ .asciz "GNU" -+1: -+ .p2align 2 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 2 -+4: -+ - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s -index d34f34497c..54095050c8 100644 ---- a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s -+++ b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s -@@ -5487,5 +5487,26 @@ K_XX_XX: - .byte 0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0 - .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 - .align 64 -+ .section ".note.gnu.property", "a" -+ .p2align 3 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ # "GNU" encoded with .byte, since .asciz isn't supported -+ # on Solaris. -+ .byte 0x47 -+ .byte 0x4e -+ .byte 0x55 -+ .byte 0 -+1: -+ .p2align 3 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 3 -+4: - - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86.s b/lib/accelerated/x86/elf/sha256-ssse3-x86.s -index 8d9aaa4a81..6d16b9140e 100644 ---- a/lib/accelerated/x86/elf/sha256-ssse3-x86.s -+++ b/lib/accelerated/x86/elf/sha256-ssse3-x86.s -@@ -43,6 +43,7 @@ - .align 16 - sha256_block_data_order: - .L_sha256_block_data_order_begin: -+.byte 243,15,30,251 - pushl %ebp - pushl %ebx - pushl %esi -@@ -3384,4 +3385,21 @@ sha256_block_data_order: - ret - .size sha256_block_data_order,.-.L_sha256_block_data_order_begin - -+ .section ".note.gnu.property", "a" -+ .p2align 2 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ .asciz "GNU" -+1: -+ .p2align 2 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 2 -+4: -+ - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s -index d196c6a793..1514ee45c0 100644 ---- a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s -+++ b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s -@@ -5493,5 +5493,26 @@ sha256_block_data_order_avx2: - .byte 0xf3,0xc3 - .cfi_endproc - .size sha256_block_data_order_avx2,.-sha256_block_data_order_avx2 -+ .section ".note.gnu.property", "a" -+ .p2align 3 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ # "GNU" encoded with .byte, since .asciz isn't supported -+ # on Solaris. -+ .byte 0x47 -+ .byte 0x4e -+ .byte 0x55 -+ .byte 0 -+1: -+ .p2align 3 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 3 -+4: - - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86.s b/lib/accelerated/x86/elf/sha512-ssse3-x86.s -index 481c777154..afca4eae7b 100644 ---- a/lib/accelerated/x86/elf/sha512-ssse3-x86.s -+++ b/lib/accelerated/x86/elf/sha512-ssse3-x86.s -@@ -43,6 +43,7 @@ - .align 16 - sha512_block_data_order: - .L_sha512_block_data_order_begin: -+.byte 243,15,30,251 - pushl %ebp - pushl %ebx - pushl %esi -@@ -602,4 +603,21 @@ sha512_block_data_order: - .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 - .byte 62,0 - -+ .section ".note.gnu.property", "a" -+ .p2align 2 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ .asciz "GNU" -+1: -+ .p2align 2 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 2 -+4: -+ - .section .note.GNU-stack,"",%progbits -diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s -index 446c06a3e6..a7be2cd444 100644 ---- a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s -+++ b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s -@@ -5498,5 +5498,26 @@ sha512_block_data_order_avx2: - .byte 0xf3,0xc3 - .cfi_endproc - .size sha512_block_data_order_avx2,.-sha512_block_data_order_avx2 -+ .section ".note.gnu.property", "a" -+ .p2align 3 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ # "GNU" encoded with .byte, since .asciz isn't supported -+ # on Solaris. -+ .byte 0x47 -+ .byte 0x4e -+ .byte 0x55 -+ .byte 0 -+1: -+ .p2align 3 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 3 -+4: - - .section .note.GNU-stack,"",%progbits --- -2.31.1 - diff --git a/lib/accelerated/x86/elf/e_padlock-x86.s b/lib/accelerated/x86/elf/e_padlock-x86.s -index ed8681ee4..dd56518f6 100644 +index ed8681e..dd56518 100644 --- a/lib/accelerated/x86/elf/e_padlock-x86.s +++ b/lib/accelerated/x86/elf/e_padlock-x86.s @@ -1,4 +1,4 @@ @@ -1753,7 +1478,7 @@ index ed8681ee4..dd56518f6 100644 - - diff --git a/lib/accelerated/x86/elf/e_padlock-x86_64.s b/lib/accelerated/x86/elf/e_padlock-x86_64.s -index c161f0a73..f92da756c 100644 +index c161f0a..f92da75 100644 --- a/lib/accelerated/x86/elf/e_padlock-x86_64.s +++ b/lib/accelerated/x86/elf/e_padlock-x86_64.s @@ -1,4 +1,4 @@ @@ -2563,3 +2288,280 @@ index c161f0a73..f92da756c 100644 .section .note.GNU-stack,"",%progbits - - +diff --git a/lib/accelerated/x86/elf/ghash-x86_64.s b/lib/accelerated/x86/elf/ghash-x86_64.s +index 856ff17..20e3c6b 100644 +--- a/lib/accelerated/x86/elf/ghash-x86_64.s ++++ b/lib/accelerated/x86/elf/ghash-x86_64.s +@@ -45,6 +45,7 @@ + .align 16 + gcm_gmult_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -156,6 +157,7 @@ gcm_gmult_4bit: + .align 16 + gcm_ghash_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -903,6 +905,7 @@ gcm_init_clmul: + .align 16 + gcm_gmult_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_gmult_clmul: + movdqu (%rdi),%xmm0 + movdqa .Lbswap_mask(%rip),%xmm5 +@@ -956,6 +959,7 @@ gcm_gmult_clmul: + .align 32 + gcm_ghash_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_ghash_clmul: + movdqa .Lbswap_mask(%rip),%xmm10 + +@@ -1450,6 +1454,7 @@ gcm_init_avx: + .align 32 + gcm_gmult_avx: + .cfi_startproc ++.byte 243,15,30,250 + jmp .L_gmult_clmul + .cfi_endproc + .size gcm_gmult_avx,.-gcm_gmult_avx +@@ -1458,6 +1463,7 @@ gcm_gmult_avx: + .align 32 + gcm_ghash_avx: + .cfi_startproc ++.byte 243,15,30,250 + vzeroupper + + vmovdqu (%rdi),%xmm10 +@@ -1884,5 +1890,26 @@ gcm_ghash_avx: + + .byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86.s b/lib/accelerated/x86/elf/sha1-ssse3-x86.s +index 8bfbcb6..57b6ba5 100644 +--- a/lib/accelerated/x86/elf/sha1-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha1_block_data_order: + .L_sha1_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1417,4 +1418,21 @@ sha1_block_data_order: + .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 + .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +index d85d9ff..623aa69 100644 +--- a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +@@ -5487,5 +5487,26 @@ K_XX_XX: + .byte 0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0 + .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86.s b/lib/accelerated/x86/elf/sha256-ssse3-x86.s +index 8d9aaa4..6d16b91 100644 +--- a/lib/accelerated/x86/elf/sha256-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha256_block_data_order: + .L_sha256_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -3384,4 +3385,21 @@ sha256_block_data_order: + ret + .size sha256_block_data_order,.-.L_sha256_block_data_order_begin + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +index 874062e..813aeb2 100644 +--- a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +@@ -5493,5 +5493,26 @@ sha256_block_data_order_avx2: + .byte 0xf3,0xc3 + .cfi_endproc + .size sha256_block_data_order_avx2,.-sha256_block_data_order_avx2 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86.s b/lib/accelerated/x86/elf/sha512-ssse3-x86.s +index 481c777..afca4ea 100644 +--- a/lib/accelerated/x86/elf/sha512-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha512_block_data_order: + .L_sha512_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -602,4 +603,21 @@ sha512_block_data_order: + .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 + .byte 62,0 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +index 039b1d7..bad63fd 100644 +--- a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +@@ -5498,5 +5498,26 @@ sha512_block_data_order_avx2: + .byte 0xf3,0xc3 + .cfi_endproc + .size sha512_block_data_order_avx2,.-sha512_block_data_order_avx2 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +-- +2.41.0 + diff --git a/gnutls-3.7.2-no-explicit-init.patch b/gnutls-3.7.2-no-explicit-init.patch index 6424174..0dfae7c 100644 --- a/gnutls-3.7.2-no-explicit-init.patch +++ b/gnutls-3.7.2-no-explicit-init.patch @@ -1,24 +1,25 @@ -From 36a92d984020df16296784a7ad613c9693469d23 Mon Sep 17 00:00:00 2001 +From c7f4ce40eaecafdefbf4db0ac2d3665bc0c41b33 Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Tue, 21 Dec 2021 16:28:09 +0100 -Subject: [PATCH 1/2] Remove GNUTLS_NO_EXPLICIT_INIT compatibility +Date: Tue, 21 Nov 2023 14:13:38 +0900 +Subject: [PATCH] gnutls-3.7.2-no-explicit-init.patch Signed-off-by: rpm-build --- - lib/global.c | 8 -------- - 1 file changed, 8 deletions(-) + lib/global.c | 9 --------- + 1 file changed, 9 deletions(-) diff --git a/lib/global.c b/lib/global.c -index 3731418..1384045 100644 +index 924ec94..3baa202 100644 --- a/lib/global.c +++ b/lib/global.c -@@ -500,14 +500,6 @@ static void _CONSTRUCTOR lib_init(void) +@@ -510,15 +510,6 @@ static void _CONSTRUCTOR lib_init(void) return; } - e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT"); - if (e != NULL) { -- _gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n"); +- _gnutls_debug_log( +- "GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n"); - ret = atoi(e); - if (ret == 1) - return; @@ -26,7 +27,7 @@ index 3731418..1384045 100644 - ret = _gnutls_global_init(1); if (ret < 0) { - fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret)); + fprintf(stderr, "Error in GnuTLS initialization: %s\n", -- -2.31.1 +2.41.0 diff --git a/gnutls-3.7.3-allowlist-api.patch b/gnutls-3.7.3-allowlist-api.patch deleted file mode 100644 index 1019858..0000000 --- a/gnutls-3.7.3-allowlist-api.patch +++ /dev/null @@ -1,2440 +0,0 @@ -From 495ad3d82aff125f237f370a70882b97843edb6f Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 14 Feb 2022 12:44:57 +0100 -Subject: [PATCH 1/8] lib/priority: split up update_system_wide_priority_string - -This is done in preparation for deferring priority string evaluation. - -Signed-off-by: Alexander Sosedkin ---- - lib/priority.c | 77 ++++++++++++++++++++++++++++++-------------------- - 1 file changed, 47 insertions(+), 30 deletions(-) - -diff --git a/lib/priority.c b/lib/priority.c -index e7698ba7eb..755729da18 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1735,110 +1735,127 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co - return 1; - } - --static int --update_system_wide_priority_string(void) -+static int /* not locking system_wide_config */ -+construct_system_wide_priority_string(gnutls_buffer_st* buf) - { -- gnutls_buffer_st buf; - int ret; - size_t i; - -- _gnutls_buffer_init(&buf); -+ _gnutls_buffer_init(buf); - -- ret = _gnutls_buffer_append_str(&buf, "NONE"); -+ ret = _gnutls_buffer_append_str(buf, "NONE"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - - for (i = 0; system_wide_config.kxs[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+"); -+ ret = _gnutls_buffer_append_str(buf, ":+"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_kx_get_name(system_wide_config.kxs[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } - - for (i = 0; system_wide_config.groups[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+GROUP-"); -+ ret = _gnutls_buffer_append_str(buf, ":+GROUP-"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_group_get_name(system_wide_config.groups[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } - - for (i = 0; system_wide_config.ciphers[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+"); -+ ret = _gnutls_buffer_append_str(buf, ":+"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_cipher_get_name(system_wide_config.ciphers[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } - - for (i = 0; system_wide_config.macs[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+"); -+ ret = _gnutls_buffer_append_str(buf, ":+"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_mac_get_name(system_wide_config.macs[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } - - for (i = 0; system_wide_config.sigs[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+SIGN-"); -+ ret = _gnutls_buffer_append_str(buf, ":+SIGN-"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_sign_get_name(system_wide_config.sigs[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } - - for (i = 0; system_wide_config.versions[i] != 0; i++) { -- ret = _gnutls_buffer_append_str(&buf, ":+VERS-"); -+ ret = _gnutls_buffer_append_str(buf, ":+VERS-"); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - -- ret = _gnutls_buffer_append_str(&buf, -+ ret = _gnutls_buffer_append_str(buf, - gnutls_protocol_get_name(system_wide_config.versions[i])); - if (ret < 0) { -- _gnutls_buffer_clear(&buf); -+ _gnutls_buffer_clear(buf); - return ret; - } - } -+ return 0; -+} -+ -+static int /* not locking system_wide_config */ -+update_system_wide_priority_string(void) -+{ -+ /* doesn't do locking, _gnutls_update_system_priorities does */ -+ gnutls_buffer_st buf; -+ int ret; -+ -+ ret = construct_system_wide_priority_string(&buf); -+ if (ret < 0) { -+ _gnutls_debug_log("cfg: unable to construct " -+ "system-wide priority string: %s", -+ gnutls_strerror(ret)); -+ _gnutls_buffer_clear(&buf); -+ return ret; -+ } - - gnutls_free(system_wide_config.priority_string); - system_wide_config.priority_string = gnutls_strdup((char *)buf.data); --- -2.34.1 - - -From a74633975e97e491e1e1cdf12416ce160699b703 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 14 Feb 2022 13:48:37 +0100 -Subject: [PATCH 2/8] lib/priority: defer setting system-wide priority string - -Signed-off-by: Alexander Sosedkin ---- - lib/global.c | 2 +- - lib/global.h | 2 +- - lib/priority.c | 112 ++++++++++++++++++++++++++++--------------------- - 3 files changed, 66 insertions(+), 50 deletions(-) - -diff --git a/lib/global.c b/lib/global.c -index 65c0b81709..faa7f0afb2 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -365,7 +365,7 @@ static int _gnutls_global_init(unsigned constructor) - _gnutls_fips_mode_reset_zombie(); - } - #endif -- _gnutls_load_system_priorities(); -+ _gnutls_prepare_to_load_system_priorities(); - _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); - ret = 0; - -diff --git a/lib/global.h b/lib/global.h -index e30187e7ad..16fde08b5c 100644 ---- a/lib/global.h -+++ b/lib/global.h -@@ -46,7 +46,7 @@ extern void gnutls_crypto_deinit(void); - extern void _gnutls_tpm_global_deinit(void); - extern void _gnutls_nss_keylog_deinit(void); - --extern void _gnutls_load_system_priorities(void); -+extern void _gnutls_prepare_to_load_system_priorities(void); - extern void _gnutls_unload_system_priorities(void); - - #endif /* GNUTLS_LIB_GLOBAL_H */ -diff --git a/lib/priority.c b/lib/priority.c -index 755729da18..4faf96fabf 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1864,11 +1864,12 @@ update_system_wide_priority_string(void) - return 0; - } - --static int _gnutls_update_system_priorities(void) -+static int _gnutls_update_system_priorities(bool defer_system_wide) - { - int ret, err = 0; - struct stat sb; - FILE *fp; -+ gnutls_buffer_st buf; - struct ini_ctx ctx; - - ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock); -@@ -1883,10 +1884,12 @@ static int _gnutls_update_system_priorities(void) - } - - if (system_priority_file_loaded && -- sb.st_mtime == system_priority_last_mod) { -+ system_priority_last_mod == sb.st_mtime) { - _gnutls_debug_log("cfg: system priority %s has not changed\n", - system_priority_file); -- goto out; -+ if (system_wide_config.priority_string) { -+ goto out; /* nothing to do */ -+ } - } - - (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -@@ -1896,54 +1899,71 @@ static int _gnutls_update_system_priorities(void) - return gnutls_assert_val(ret); - } - -- /* Another thread has successfully updated the system wide config (with -- * the same modification time as checked above), while upgrading to -- * write lock; no need to reload. -+ /* Another thread could have successfully re-read system-wide config, -+ * skip re-reading if the mtime it has used is exactly the same. - */ -- if (system_priority_file_loaded && -- system_priority_last_mod == sb.st_mtime) { -- goto out; -+ if (system_priority_file_loaded) { -+ system_priority_file_loaded = -+ (system_priority_last_mod == sb.st_mtime); - } - -- system_priority_file_loaded = 0; -- _name_val_array_clear(&system_wide_config.priority_strings); -+ if (!system_priority_file_loaded) { -+ _name_val_array_clear(&system_wide_config.priority_strings); - -- gnutls_free(system_wide_config.priority_string); -- system_wide_config.priority_string = NULL; -+ gnutls_free(system_wide_config.priority_string); -+ system_wide_config.priority_string = NULL; - -- fp = fopen(system_priority_file, "re"); -- if (fp == NULL) { -- _gnutls_debug_log("cfg: unable to open: %s: %d\n", -- system_priority_file, errno); -- goto out; -- } -- /* Parsing the configuration file needs to be done in 2 phases: first -- * parsing the [global] section and then the other sections, because the -- * [global] section modifies the parsing behavior. -- */ -- memset(&ctx, 0, sizeof(ctx)); -- err = ini_parse_file(fp, global_ini_handler, &ctx); -- if (!err) { -- if (fseek(fp, 0L, SEEK_SET) < 0) { -- _gnutls_debug_log("cfg: unable to rewind: %s\n", -- system_priority_file); -- if (fail_on_invalid_config) -- exit(1); -+ fp = fopen(system_priority_file, "re"); -+ if (fp == NULL) { -+ _gnutls_debug_log("cfg: unable to open: %s: %d\n", -+ system_priority_file, errno); -+ goto out; - } -- err = ini_parse_file(fp, cfg_ini_handler, &ctx); -- } -- fclose(fp); -- if (err) { -+ /* Parsing the configuration file needs to be done in 2 phases: -+ * first parsing the [global] section -+ * and then the other sections, -+ * because the [global] section modifies the parsing behavior. -+ */ -+ memset(&ctx, 0, sizeof(ctx)); -+ err = ini_parse_file(fp, global_ini_handler, &ctx); -+ if (!err) { -+ if (fseek(fp, 0L, SEEK_SET) < 0) { -+ _gnutls_debug_log("cfg: unable to rewind: %s\n", -+ system_priority_file); -+ if (fail_on_invalid_config) -+ exit(1); -+ } -+ err = ini_parse_file(fp, cfg_ini_handler, &ctx); -+ } -+ fclose(fp); -+ if (err) { -+ ini_ctx_deinit(&ctx); -+ _gnutls_debug_log("cfg: unable to parse: %s: %d\n", -+ system_priority_file, err); -+ goto out; -+ } -+ cfg_apply(&system_wide_config, &ctx); - ini_ctx_deinit(&ctx); -- _gnutls_debug_log("cfg: unable to parse: %s: %d\n", -- system_priority_file, err); -- goto out; -+ _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n", -+ system_priority_file, -+ (unsigned long long)sb.st_mtime); -+ - } -- cfg_apply(&system_wide_config, &ctx); -- ini_ctx_deinit(&ctx); - - if (system_wide_config.allowlisting) { -- ret = update_system_wide_priority_string(); -+ if (defer_system_wide) { -+ /* try constructing a priority string, -+ * but don't apply it yet, at this point -+ * we're only interested in whether we can */ -+ ret = construct_system_wide_priority_string(&buf); -+ _gnutls_buffer_clear(&buf); -+ _gnutls_debug_log("cfg: deferred setting " -+ "system-wide priority string\n"); -+ } else { -+ ret = update_system_wide_priority_string(); -+ _gnutls_debug_log("cfg: finalized " -+ "system-wide priority string\n"); -+ } - if (ret < 0) { - _gnutls_debug_log("cfg: unable to build priority string: %s\n", - gnutls_strerror(ret)); -@@ -1953,10 +1973,6 @@ static int _gnutls_update_system_priorities(void) - } - } - -- _gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n", -- system_priority_file, -- (unsigned long long)sb.st_mtime); -- - system_priority_file_loaded = 1; - system_priority_last_mod = sb.st_mtime; - -@@ -1970,7 +1986,7 @@ static int _gnutls_update_system_priorities(void) - return ret; - } - --void _gnutls_load_system_priorities(void) -+void _gnutls_prepare_to_load_system_priorities(void) - { - const char *p; - int ret; -@@ -1983,7 +1999,7 @@ void _gnutls_load_system_priorities(void) - if (p != NULL && p[0] == '1' && p[1] == 0) - fail_on_invalid_config = 1; - -- ret = _gnutls_update_system_priorities(); -+ ret = _gnutls_update_system_priorities(true /* defer_system_wide */); - if (ret < 0) { - _gnutls_debug_log("failed to update system priorities: %s\n", - gnutls_strerror(ret)); -@@ -2050,7 +2066,7 @@ char *_gnutls_resolve_priorities(const char* priorities) - /* Always try to refresh the cached data, to allow it to be - * updated without restarting all applications. - */ -- ret = _gnutls_update_system_priorities(); -+ ret = _gnutls_update_system_priorities(false /* defer_system_wide */); - if (ret < 0) { - _gnutls_debug_log("failed to update system priorities: %s\n", - gnutls_strerror(ret)); --- -2.34.1 - - -From 52d5c8627165ff9bc0e99564b772f178ad1f80dd Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 21 Feb 2022 18:19:25 +0100 -Subject: [PATCH 3/8] lib/algorithms: add UB warnings on late allowlisting API - invocations - -Signed-off-by: Alexander Sosedkin ---- - lib/algorithms/ecc.c | 3 +++ - lib/algorithms/mac.c | 3 +++ - lib/algorithms/protocols.c | 3 +++ - lib/algorithms/sign.c | 6 ++++++ - 4 files changed, 15 insertions(+) - -diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c -index 736e5dd07f..52ae1db0e4 100644 ---- a/lib/algorithms/ecc.c -+++ b/lib/algorithms/ecc.c -@@ -389,6 +389,9 @@ void _gnutls_ecc_curve_mark_disabled_all(void) - * enabled through the allowlisting mode in the configuration file, or - * when the setting is modified with a prior call to this function. - * -+ * This function must be called prior to any session priority setting functions; -+ * otherwise the behavior is undefined. -+ * - * Returns: 0 on success or negative error code otherwise. - * - * Since: 3.7.3 -diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c -index a2c66e76bb..166d51d552 100644 ---- a/lib/algorithms/mac.c -+++ b/lib/algorithms/mac.c -@@ -332,6 +332,9 @@ void _gnutls_digest_mark_insecure_all(void) - * through the allowlisting mode in the configuration file, or when - * the setting is modified with a prior call to this function. - * -+ * This function must be called prior to any session priority setting functions; -+ * otherwise the behavior is undefined. -+ * - * Since: 3.7.3 - */ - int -diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c -index b0f3e0bc30..64c86eba3c 100644 ---- a/lib/algorithms/protocols.c -+++ b/lib/algorithms/protocols.c -@@ -237,6 +237,9 @@ void _gnutls_version_mark_revertible_all(void) - * enabled through the allowlisting mode in the configuration file, or - * when the setting is modified with a prior call to this function. - * -+ * This function must be called prior to any session priority setting functions; -+ * otherwise the behavior is undefined. -+ * - * Returns: 0 on success or negative error code otherwise. - * - * Since: 3.7.3 -diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c -index 543bd19bb5..06abdb4cf8 100644 ---- a/lib/algorithms/sign.c -+++ b/lib/algorithms/sign.c -@@ -516,6 +516,9 @@ void _gnutls_sign_mark_insecure_all(hash_security_level_t level) - * use in certificates. Use gnutls_sign_set_secure_for_certs() to - * mark it secure as well for certificates. - * -+ * This function must be called prior to any session priority setting functions; -+ * otherwise the behavior is undefined. -+ * - * Since: 3.7.3 - */ - int -@@ -560,6 +563,9 @@ gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, - * for the use in certificates. Use gnutls_sign_set_secure() to mark - * it insecure for any uses. - * -+ * This function must be called prior to any session priority setting functions; -+ * otherwise the behavior is undefined. -+ * - * Since: 3.7.3 - */ - int --- -2.34.1 - - -From 52067e1e5b16c30b2f3ce6488a4f72d19d906721 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 14 Feb 2022 18:00:25 +0100 -Subject: [PATCH 4/8] lib/priority: move sigalgs filtering to - set_ciphersuite_list - -Signed-off-by: Alexander Sosedkin ---- - lib/priority.c | 25 +++++++------------------ - 1 file changed, 7 insertions(+), 18 deletions(-) - -diff --git a/lib/priority.c b/lib/priority.c -index 4faf96fabf..9775040410 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1140,9 +1140,6 @@ cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - } - - if (cfg->allowlisting) { -- unsigned tls_sig_sem = 0; -- size_t j; -- - _gnutls_digest_mark_insecure_all(); - for (i = 0; i < ctx->hashes_size; i++) { - int ret = gnutls_digest_set_secure(ctx->hashes[i], 1); -@@ -1156,6 +1153,7 @@ cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - if (unlikely(ret < 0)) { - return ret; - } -+ cfg->sigs[i] = ctx->sigs[i]; - } - for (i = 0; i < ctx->sigs_for_cert_size; i++) { - int ret = gnutls_sign_set_secure_for_certs(ctx->sigs_for_cert[i], -@@ -1165,13 +1163,13 @@ cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - } - } - _gnutls_version_mark_revertible_all(); -- for (i = 0, j = 0; i < ctx->versions_size; i++) { -- const version_entry_st *vers; -- vers = version_to_entry(ctx->versions[i]); -- if (vers && vers->supported) { -- tls_sig_sem |= vers->tls_sig_sem; -- cfg->versions[j++] = vers->id; -+ for (i = 0; i < ctx->versions_size; i++) { -+ int ret; -+ ret = gnutls_protocol_set_enabled(ctx->versions[i], 1); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); - } -+ cfg->versions[i] = ctx->versions[i]; - } - _gnutls_ecc_curve_mark_disabled_all(); - for (i = 0; i < ctx->curves_size; i++) { -@@ -1180,15 +1178,6 @@ cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - return ret; - } - } -- for (i = 0, j = 0; i < ctx->sigs_size; i++) { -- const gnutls_sign_entry_st *se; -- -- se = _gnutls_sign_to_entry(ctx->sigs[i]); -- if (se != NULL && se->aid.tls_sem & tls_sig_sem && -- _gnutls_sign_is_secure2(se, 0)) { -- cfg->sigs[j++] = se->id; -- } -- } - } else { - for (i = 0; i < ctx->hashes_size; i++) { - int ret = _gnutls_digest_mark_insecure(ctx->hashes[i]); --- -2.34.1 - - -From fa056709aaa974360d5e5dd8ceb52089b4da7858 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Tue, 15 Feb 2022 14:41:53 +0100 -Subject: [PATCH 5/8] lib/config_int.h: split struct cfg off lib/priority.c - -Signed-off-by: Alexander Sosedkin ---- - lib/Makefile.am | 3 +- - lib/config_int.h | 84 ++++++++++++++++++++++++++++++++++++++++++++++++ - lib/priority.c | 48 +-------------------------- - 3 files changed, 87 insertions(+), 48 deletions(-) - create mode 100644 lib/config_int.h - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index 35df35ee8d..5b540db142 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -134,7 +134,8 @@ HFILES = abstract_int.h debug.h cipher.h \ - srp.h auth/srp_kx.h auth/srp_passwd.h \ - file.h supplemental.h crypto.h random.h system.h\ - locks.h mbuffers.h ecc.h pin.h fips.h \ -- priority_options.h secrets.h stek.h cert-cred.h -+ priority_options.h secrets.h stek.h cert-cred.h \ -+ config_int.h - - if ENABLE_PKCS11 - HFILES += pkcs11_int.h pkcs11x.h -diff --git a/lib/config_int.h b/lib/config_int.h -new file mode 100644 -index 0000000000..733536bb98 ---- /dev/null -+++ b/lib/config_int.h -@@ -0,0 +1,84 @@ -+/* -+ * Copyright (C) 2004-2015 Free Software Foundation, Inc. -+ * Copyright (C) 2015-2022 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. -+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+/* Code split off from priority.c, `struct cfg` and some operations on it */ -+ -+#ifndef GNUTLS_LIB_CONFIG_INT_H -+#define GNUTLS_LIB_CONFIG_INT_H -+ -+/* -+ * struct cfg -+ */ -+ -+struct cfg { -+ bool allowlisting; -+ -+ name_val_array_t priority_strings; -+ char *priority_string; -+ char *default_priority_string; -+ gnutls_certificate_verification_profiles_t verification_profile; -+ -+ gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1]; -+ gnutls_mac_algorithm_t macs[MAX_ALGOS+1]; -+ gnutls_group_t groups[MAX_ALGOS+1]; -+ gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; -+ gnutls_sign_algorithm_t sigs[MAX_ALGOS+1]; -+ gnutls_protocol_t versions[MAX_ALGOS+1]; -+}; -+ -+/* -+ * deinit / partial duplication. no initialization, must be zero-initialized -+ */ -+ -+static inline void -+cfg_deinit(struct cfg *cfg) -+{ -+ if (cfg->priority_strings) { -+ _name_val_array_clear(&cfg->priority_strings); -+ } -+ gnutls_free(cfg->priority_string); -+ gnutls_free(cfg->default_priority_string); -+} -+ -+static inline void -+cfg_steal(struct cfg *dst, struct cfg *src) -+{ -+ dst->verification_profile = src->verification_profile; -+ -+ dst->priority_strings = src->priority_strings; -+ src->priority_strings = NULL; -+ -+ dst->priority_string = src->priority_string; -+ src->priority_string = NULL; -+ -+ dst->default_priority_string = src->default_priority_string; -+ src->default_priority_string = NULL; -+ -+ dst->allowlisting = src->allowlisting; -+ memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); -+ memcpy(dst->macs, src->macs, sizeof(src->macs)); -+ memcpy(dst->groups, src->groups, sizeof(src->groups)); -+ memcpy(dst->kxs, src->kxs, sizeof(src->kxs)); -+} -+ -+#endif /* GNUTLS_LIB_CONFIG_INT_H */ -diff --git a/lib/priority.c b/lib/priority.c -index 9775040410..80b737b938 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -42,6 +42,7 @@ - #include "locks.h" - #include "profiles.h" - #include "name_val_array.h" -+#include "config_int.h" - - #define MAX_ELEMENTS GNUTLS_MAX_ALGORITHM_NUM - -@@ -1008,32 +1009,6 @@ static void dummy_func(gnutls_priority_t c) - - #include - --struct cfg { -- bool allowlisting; -- -- name_val_array_t priority_strings; -- char *priority_string; -- char *default_priority_string; -- gnutls_certificate_verification_profiles_t verification_profile; -- -- gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1]; -- gnutls_mac_algorithm_t macs[MAX_ALGOS+1]; -- gnutls_group_t groups[MAX_ALGOS+1]; -- gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; -- gnutls_sign_algorithm_t sigs[MAX_ALGOS+1]; -- gnutls_protocol_t versions[MAX_ALGOS+1]; --}; -- --static inline void --cfg_deinit(struct cfg *cfg) --{ -- if (cfg->priority_strings) { -- _name_val_array_clear(&cfg->priority_strings); -- } -- gnutls_free(cfg->priority_string); -- gnutls_free(cfg->default_priority_string); --} -- - /* Lock for reading and writing system_wide_config */ - GNUTLS_RWLOCK(system_wide_config_rwlock); - static struct cfg system_wide_config; -@@ -1107,27 +1082,6 @@ ini_ctx_deinit(struct ini_ctx *ctx) - gnutls_free(ctx->curves); - } - --static inline void --cfg_steal(struct cfg *dst, struct cfg *src) --{ -- dst->verification_profile = src->verification_profile; -- -- dst->priority_strings = src->priority_strings; -- src->priority_strings = NULL; -- -- dst->priority_string = src->priority_string; -- src->priority_string = NULL; -- -- dst->default_priority_string = src->default_priority_string; -- src->default_priority_string = NULL; -- -- dst->allowlisting = src->allowlisting; -- memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); -- memcpy(dst->macs, src->macs, sizeof(src->macs)); -- memcpy(dst->groups, src->groups, sizeof(src->groups)); -- memcpy(dst->kxs, src->kxs, sizeof(src->kxs)); --} -- - static inline int - cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - { --- -2.34.1 - - -From 9600788ef81bd424de8c9fcf053bcb717dd50c92 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Tue, 15 Feb 2022 16:26:52 +0100 -Subject: [PATCH 6/8] lib/priority: extract parts of cfg_apply into - cfg_*_set_array* - -Signed-off-by: Alexander Sosedkin ---- - lib/config_int.h | 151 ++++++++++++++++++++++++++++++++++++++++++++++- - lib/priority.c | 68 +++++++++------------ - 2 files changed, 179 insertions(+), 40 deletions(-) - -diff --git a/lib/config_int.h b/lib/config_int.h -index 733536bb98..be8c71e414 100644 ---- a/lib/config_int.h -+++ b/lib/config_int.h -@@ -44,6 +44,10 @@ struct cfg { - gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; - gnutls_sign_algorithm_t sigs[MAX_ALGOS+1]; - gnutls_protocol_t versions[MAX_ALGOS+1]; -+ -+ gnutls_digest_algorithm_t hashes[MAX_ALGOS+1]; -+ gnutls_ecc_curve_t ecc_curves[MAX_ALGOS+1]; -+ gnutls_sign_algorithm_t sigs_for_cert[MAX_ALGOS+1]; - }; - - /* -@@ -79,6 +83,151 @@ cfg_steal(struct cfg *dst, struct cfg *src) - memcpy(dst->macs, src->macs, sizeof(src->macs)); - memcpy(dst->groups, src->groups, sizeof(src->groups)); - memcpy(dst->kxs, src->kxs, sizeof(src->kxs)); -+ memcpy(dst->hashes, src->hashes, sizeof(src->hashes)); -+ memcpy(dst->ecc_curves, src->ecc_curves, sizeof(src->ecc_curves)); -+ memcpy(dst->sigs, src->sigs, sizeof(src->sigs)); -+ memcpy(dst->sigs_for_cert, src->sigs_for_cert, -+ sizeof(src->sigs_for_cert)); -+} -+ -+/* -+ * synchronizing changes from struct cfg to global `lib/algorithms` arrays -+ */ -+ -+/* global side-effect! modifies `flags` in `hash_algorithms[]` */ -+static inline int /* allowlisting-only */ -+_cfg_hashes_remark(struct cfg* cfg) -+{ -+ size_t i; -+ _gnutls_digest_mark_insecure_all(); -+ for (i = 0; cfg->hashes[i] != 0; i++) { -+ int ret = gnutls_digest_set_secure(cfg->hashes[i], 1); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); -+ } -+ } -+ return 0; -+} -+ -+/* global side-effect! modifies `flags` in `sign_algorithms[]` */ -+static inline int /* allowlisting-only */ -+_cfg_sigs_remark(struct cfg* cfg) -+{ -+ size_t i; -+ _gnutls_sign_mark_insecure_all(_INSECURE); -+ for (i = 0; cfg->sigs[i] != 0; i++) { -+ int ret = gnutls_sign_set_secure(cfg->sigs[i], 1); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); -+ } -+ } -+ for (i = 0; cfg->sigs_for_cert[i] != 0; i++) { -+ int ret = gnutls_sign_set_secure_for_certs( -+ cfg->sigs_for_cert[i], 1 -+ ); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); -+ } -+ } -+ return 0; -+} -+ -+/* global side-effect! modifies `supported` in `sup_versions[]` */ -+static inline int /* allowlisting-only */ -+_cfg_versions_remark(struct cfg* cfg) -+{ -+ size_t i; -+ _gnutls_version_mark_revertible_all(); -+ for (i = 0; cfg->versions[i] != 0; i++) { -+ int ret = gnutls_protocol_set_enabled(cfg->versions[i], 1); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); -+ } -+ } -+ return 0; -+} -+ -+/* global side-effect! modifies `supported` in `ecc_curves[]` */ -+static inline int /* allowlisting-only */ -+_cfg_ecc_curves_remark(struct cfg* cfg) -+{ -+ size_t i; -+ _gnutls_ecc_curve_mark_disabled_all(); -+ for (i = 0; cfg->ecc_curves[i] != 0; i++) { -+ int ret = gnutls_ecc_curve_set_enabled(cfg->ecc_curves[i], 1); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); -+ } -+ } -+ return 0; -+} -+ -+/* -+ * setting arrays of struct cfg: from other arrays -+ */ -+ -+static inline int /* allowlisting-only */ -+cfg_hashes_set_array(struct cfg* cfg, -+ gnutls_digest_algorithm_t* src, size_t len) -+{ -+ if (unlikely(len >= MAX_ALGOS)) { -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -+ } -+ if (len) { -+ memcpy(cfg->hashes, -+ src, sizeof(gnutls_digest_algorithm_t) * len); -+ } -+ cfg->hashes[len] = 0; -+ return _cfg_hashes_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_sigs_set_arrays(struct cfg* cfg, -+ gnutls_sign_algorithm_t* src, size_t len, -+ gnutls_sign_algorithm_t* src_for_cert, size_t len_for_cert) -+{ -+ if (unlikely(len >= MAX_ALGOS)) { -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -+ } -+ if (unlikely(len_for_cert >= MAX_ALGOS)) { -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -+ } -+ if (len) { -+ memcpy(cfg->sigs, src, sizeof(gnutls_sign_algorithm_t) * len); -+ } -+ if (len_for_cert) { -+ memcpy(cfg->sigs_for_cert, src_for_cert, -+ sizeof(gnutls_sign_algorithm_t) * len_for_cert); -+ } -+ cfg->sigs[len] = 0; -+ cfg->sigs_for_cert[len_for_cert] = 0; -+ return _cfg_sigs_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_versions_set_array(struct cfg* cfg, gnutls_protocol_t* src, size_t len) -+{ -+ if (unlikely(len >= MAX_ALGOS)) { -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -+ } -+ if (len) { -+ memcpy(cfg->versions, src, sizeof(gnutls_protocol_t) * len); -+ } -+ cfg->versions[len] = 0; -+ return _cfg_versions_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_ecc_curves_set_array(struct cfg* cfg, gnutls_ecc_curve_t* src, size_t len) -+{ -+ if (unlikely(len >= MAX_ALGOS)) { -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -+ } -+ if (len) { -+ memcpy(cfg->ecc_curves, src, sizeof(gnutls_ecc_curve_t) * len); -+ } -+ cfg->ecc_curves[len] = 0; -+ return _cfg_ecc_curves_remark(cfg); - } - --#endif /* GNUTLS_LIB_CONFIG_INT_H */ -+#endif /* GNUTLS_LIB_CONFIG_INT_H */ -diff --git a/lib/priority.c b/lib/priority.c -index 80b737b938..8d8428e1da 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1086,6 +1086,7 @@ static inline int - cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - { - size_t i; -+ int ret; - - cfg_steal(cfg, &ctx->cfg); - -@@ -1094,72 +1095,61 @@ cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) - } - - if (cfg->allowlisting) { -- _gnutls_digest_mark_insecure_all(); -- for (i = 0; i < ctx->hashes_size; i++) { -- int ret = gnutls_digest_set_secure(ctx->hashes[i], 1); -- if (unlikely(ret < 0)) { -- return ret; -- } -- } -- _gnutls_sign_mark_insecure_all(_INSECURE); -- for (i = 0; i < ctx->sigs_size; i++) { -- int ret = gnutls_sign_set_secure(ctx->sigs[i], 1); -- if (unlikely(ret < 0)) { -- return ret; -- } -- cfg->sigs[i] = ctx->sigs[i]; -+ /* also updates `flags` of global `hash_algorithms[]` */ -+ ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); - } -- for (i = 0; i < ctx->sigs_for_cert_size; i++) { -- int ret = gnutls_sign_set_secure_for_certs(ctx->sigs_for_cert[i], -- 1); -- if (unlikely(ret < 0)) { -- return ret; -- } -+ /* also updates `flags` of global `sign_algorithms[]` */ -+ ret = cfg_sigs_set_arrays(cfg, ctx->sigs, ctx->sigs_size, -+ ctx->sigs_for_cert, -+ ctx->sigs_for_cert_size); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); - } -- _gnutls_version_mark_revertible_all(); -- for (i = 0; i < ctx->versions_size; i++) { -- int ret; -- ret = gnutls_protocol_set_enabled(ctx->versions[i], 1); -- if (unlikely(ret < 0)) { -- return gnutls_assert_val(ret); -- } -- cfg->versions[i] = ctx->versions[i]; -+ /* also updates `supported` field of global `sup_versions[]` */ -+ ret = cfg_versions_set_array(cfg, -+ ctx->versions, ctx->versions_size); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); - } -- _gnutls_ecc_curve_mark_disabled_all(); -- for (i = 0; i < ctx->curves_size; i++) { -- int ret = gnutls_ecc_curve_set_enabled(ctx->curves[i], 1); -- if (unlikely(ret < 0)) { -- return ret; -- } -+ /* also updates `supported` field of global `ecc_curves[]` */ -+ ret = cfg_ecc_curves_set_array(cfg, -+ ctx->curves, ctx->curves_size); -+ if (unlikely(ret < 0)) { -+ return gnutls_assert_val(ret); - } - } else { -+ /* updates same global arrays as above, but doesn't store -+ * the algorithms into the `struct cfg` as allowlisting does. -+ * blocklisting doesn't allow relaxing the restrictions */ - for (i = 0; i < ctx->hashes_size; i++) { -- int ret = _gnutls_digest_mark_insecure(ctx->hashes[i]); -+ ret = _gnutls_digest_mark_insecure(ctx->hashes[i]); - if (unlikely(ret < 0)) { - return ret; - } - } - for (i = 0; i < ctx->sigs_size; i++) { -- int ret = _gnutls_sign_mark_insecure(ctx->sigs[i], -+ ret = _gnutls_sign_mark_insecure(ctx->sigs[i], - _INSECURE); - if (unlikely(ret < 0)) { - return ret; - } - } - for (i = 0; i < ctx->sigs_for_cert_size; i++) { -- int ret = _gnutls_sign_mark_insecure(ctx->sigs_for_cert[i], _INSECURE_FOR_CERTS); -+ ret = _gnutls_sign_mark_insecure(ctx->sigs_for_cert[i], _INSECURE_FOR_CERTS); - if (unlikely(ret < 0)) { - return ret; - } - } - for (i = 0; i < ctx->versions_size; i++) { -- int ret = _gnutls_version_mark_disabled(ctx->versions[i]); -+ ret = _gnutls_version_mark_disabled(ctx->versions[i]); - if (unlikely(ret < 0)) { - return ret; - } - } - for (i = 0; i < ctx->curves_size; i++) { -- int ret = _gnutls_ecc_curve_mark_disabled(ctx->curves[i]); -+ ret = _gnutls_ecc_curve_mark_disabled(ctx->curves[i]); - if (unlikely(ret < 0)) { - return ret; - } --- -2.34.1 - - -From 1767ced4c0abf9d372d334a749b87fd00cd8ab5d Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Wed, 16 Feb 2022 14:28:18 +0100 -Subject: [PATCH 7/8] plumb allowlisting API through the config, restrict usage - to early times - -Signed-off-by: Alexander Sosedkin ---- - lib/algorithms.h | 7 +- - lib/algorithms/ecc.c | 20 +-- - lib/algorithms/mac.c | 18 +- - lib/algorithms/protocols.c | 47 +++-- - lib/algorithms/sign.c | 78 +-------- - lib/config_int.h | 156 ++++++++++++++++- - lib/global.h | 1 + - lib/priority.c | 259 +++++++++++++++++++++++++++- - tests/protocol-set-allowlist.c | 47 +++-- - tests/protocol-set-allowlist.sh | 296 +++++++++++++++++++++----------- - 10 files changed, 663 insertions(+), 266 deletions(-) - -diff --git a/lib/algorithms.h b/lib/algorithms.h -index da72403fba..2c33a7210f 100644 ---- a/lib/algorithms.h -+++ b/lib/algorithms.h -@@ -354,13 +354,18 @@ const gnutls_protocol_t *_gnutls_protocol_list(void); - int _gnutls_version_mark_disabled(gnutls_protocol_t version); - gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name); - -+int _gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, unsigned int secure); -+int _gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, hash_security_level_t slevel); -+int _gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled); -+int _gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, unsigned int enabled); -+ - /* these functions are for revertible settings, meaning that algorithms marked - * as disabled/insecure with mark_*_all functions can be re-enabled with - * mark_{enabled,secure} functions */ - void _gnutls_ecc_curve_mark_disabled_all(void); -+void _gnutls_version_mark_disabled_all(void); - void _gnutls_sign_mark_insecure_all(hash_security_level_t level); - void _gnutls_digest_mark_insecure_all(void); --void _gnutls_version_mark_revertible_all(void); - - #define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */ - #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */ -diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c -index 52ae1db0e4..303a42612f 100644 ---- a/lib/algorithms/ecc.c -+++ b/lib/algorithms/ecc.c -@@ -379,26 +379,8 @@ void _gnutls_ecc_curve_mark_disabled_all(void) - } - } - --/** -- * gnutls_ecc_curve_set_enabled: -- * @curve: is an ECC curve -- * @enabled: whether to enable the curve -- * -- * Modify the previous system wide setting that marked @curve as -- * enabled or disabled. This only has effect when the curve is -- * enabled through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -- * -- * This function must be called prior to any session priority setting functions; -- * otherwise the behavior is undefined. -- * -- * Returns: 0 on success or negative error code otherwise. -- * -- * Since: 3.7.3 -- */ - int --gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, -- unsigned int enabled) -+_gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, unsigned int enabled) - { - gnutls_ecc_curve_entry_st *p; - -diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c -index 166d51d552..47fbc226bd 100644 ---- a/lib/algorithms/mac.c -+++ b/lib/algorithms/mac.c -@@ -322,24 +322,8 @@ void _gnutls_digest_mark_insecure_all(void) - #endif - } - --/** -- * gnutls_digest_set_secure: -- * @dig: is a digest algorithm -- * @secure: whether to mark the digest algorithm secure -- * -- * Modify the previous system wide setting that marked @dig as secure -- * or insecure. This only has effect when the algorithm is enabled -- * through the allowlisting mode in the configuration file, or when -- * the setting is modified with a prior call to this function. -- * -- * This function must be called prior to any session priority setting functions; -- * otherwise the behavior is undefined. -- * -- * Since: 3.7.3 -- */ - int --gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, -- unsigned int secure) -+_gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, unsigned int secure) - { - #ifndef DISABLE_SYSTEM_CONFIG - mac_entry_st *p; -diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c -index 64c86eba3c..5a88123470 100644 ---- a/lib/algorithms/protocols.c -+++ b/lib/algorithms/protocols.c -@@ -192,10 +192,11 @@ static int - version_is_valid_for_session(gnutls_session_t session, - const version_entry_st *v) - { -- if (v->supported && v->transport == session->internals.transport) { -- return 1; -- } -- return 0; -+ if (!v->supported && !(v->supported_revertible && _gnutls_allowlisting_mode())) -+ return 0; -+ if (v->transport != session->internals.transport) -+ return 0; -+ return 1; - } - - /* This is only called by cfg_apply in priority.c, in blocklisting mode. */ -@@ -215,37 +216,20 @@ int _gnutls_version_mark_disabled(gnutls_protocol_t version) - } - - /* This is only called by cfg_apply in priority.c, in allowlisting mode. */ --void _gnutls_version_mark_revertible_all(void) -+void _gnutls_version_mark_disabled_all(void) - { - #ifndef DISABLE_SYSTEM_CONFIG - version_entry_st *p; - - for (p = sup_versions; p->name != NULL; p++) { -+ p->supported = false; - p->supported_revertible = true; - } -- - #endif - } - --/** -- * gnutls_protocol_set_enabled: -- * @version: is a (gnutls) version number -- * @enabled: whether to enable the protocol -- * -- * Mark the previous system wide setting that marked @version as -- * enabled or disabled. This only has effect when the version is -- * enabled through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -- * -- * This function must be called prior to any session priority setting functions; -- * otherwise the behavior is undefined. -- * -- * Returns: 0 on success or negative error code otherwise. -- * -- * Since: 3.7.3 -- */ - int --gnutls_protocol_set_enabled(gnutls_protocol_t version, -+_gnutls_protocol_set_enabled(gnutls_protocol_t version, - unsigned int enabled) - { - #ifndef DISABLE_SYSTEM_CONFIG -@@ -331,7 +315,10 @@ const version_entry_st *_gnutls_version_max(gnutls_session_t session) - if (p->obsolete != 0) - break; - #endif -- if (!p->supported || p->transport != session->internals.transport) -+ if (!p->supported && !(p->supported_revertible && _gnutls_allowlisting_mode())) -+ break; -+ -+ if (p->transport != session->internals.transport) - break; - - if (p->tls13_sem && (session->internals.flags & INT_FLAG_NO_TLS13)) -@@ -386,7 +373,10 @@ int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t *buffer, - if (p->obsolete != 0) - break; - -- if (!p->supported || p->transport != session->internals.transport) -+ if (!p->supported && !(p->supported_revertible && _gnutls_allowlisting_mode())) -+ break; -+ -+ if (p->transport != session->internals.transport) - break; - - if (p->only_extension) -@@ -569,7 +559,10 @@ _gnutls_nversion_is_supported(gnutls_session_t session, - if (p->tls13_sem && (session->internals.flags & INT_FLAG_NO_TLS13)) - return 0; - -- if (!p->supported || p->transport != session->internals.transport) -+ if (!p->supported && !(p->supported_revertible && _gnutls_allowlisting_mode())) -+ return 0; -+ -+ if (p->transport != session->internals.transport) - return 0; - - version = p->id; -diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c -index 06abdb4cf8..26816feef5 100644 ---- a/lib/algorithms/sign.c -+++ b/lib/algorithms/sign.c -@@ -502,28 +502,9 @@ void _gnutls_sign_mark_insecure_all(hash_security_level_t level) - #endif - } - --/** -- * gnutls_sign_set_secure: -- * @sign: the sign algorithm -- * @secure: whether to mark the sign algorithm secure -- * -- * Modify the previous system wide setting that marked @sign as secure -- * or insecure. This only has effect when the algorithm is marked as -- * secure through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -- * -- * Even when @secure is true, @sign is not marked as secure for the -- * use in certificates. Use gnutls_sign_set_secure_for_certs() to -- * mark it secure as well for certificates. -- * -- * This function must be called prior to any session priority setting functions; -- * otherwise the behavior is undefined. -- * -- * Since: 3.7.3 -- */ - int --gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, -- unsigned int secure) -+_gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, -+ hash_security_level_t slevel) - { - #ifndef DISABLE_SYSTEM_CONFIG - gnutls_sign_entry_st *p; -@@ -533,60 +514,7 @@ gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, - if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - } -- if (secure) { -- if (p->slevel > _INSECURE_FOR_CERTS) { -- p->slevel = _INSECURE_FOR_CERTS; -- } -- } else { -- p->slevel = _INSECURE; -- } -- return 0; -- } -- } --#endif -- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); --} -- --/** -- * gnutls_sign_set_secure_for_certs: -- * @sign: the sign algorithm -- * @secure: whether to mark the sign algorithm secure for certificates -- * -- * Modify the previous system wide setting that marked @sign as secure -- * or insecure for the use in certificates. This only has effect when -- * the algorithm is marked as secure through the allowlisting mode in -- * the configuration file, or when the setting is modified with a -- * prior call to this function. -- * -- * When @secure is true, @sign is marked as secure for any use unlike -- * gnutls_sign_set_secure(). Otherwise, it is marked as insecure only -- * for the use in certificates. Use gnutls_sign_set_secure() to mark -- * it insecure for any uses. -- * -- * This function must be called prior to any session priority setting functions; -- * otherwise the behavior is undefined. -- * -- * Since: 3.7.3 -- */ --int --gnutls_sign_set_secure_for_certs(gnutls_sign_algorithm_t sign, -- unsigned int secure) --{ --#ifndef DISABLE_SYSTEM_CONFIG -- gnutls_sign_entry_st *p; -- -- for(p = sign_algorithms; p->name != NULL; p++) { -- if (p->id && p->id == sign) { -- if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { -- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -- } -- if (secure) { -- p->slevel = _SECURE; -- } else { -- if (p->slevel < _INSECURE_FOR_CERTS) { -- p->slevel = _INSECURE_FOR_CERTS; -- } -- } -+ p->slevel = slevel; - return 0; - } - } -diff --git a/lib/config_int.h b/lib/config_int.h -index be8c71e414..df39f2bf83 100644 ---- a/lib/config_int.h -+++ b/lib/config_int.h -@@ -101,7 +101,7 @@ _cfg_hashes_remark(struct cfg* cfg) - size_t i; - _gnutls_digest_mark_insecure_all(); - for (i = 0; cfg->hashes[i] != 0; i++) { -- int ret = gnutls_digest_set_secure(cfg->hashes[i], 1); -+ int ret = _gnutls_digest_set_secure(cfg->hashes[i], 1); - if (unlikely(ret < 0)) { - return gnutls_assert_val(ret); - } -@@ -116,15 +116,15 @@ _cfg_sigs_remark(struct cfg* cfg) - size_t i; - _gnutls_sign_mark_insecure_all(_INSECURE); - for (i = 0; cfg->sigs[i] != 0; i++) { -- int ret = gnutls_sign_set_secure(cfg->sigs[i], 1); -+ int ret = _gnutls_sign_set_secure(cfg->sigs[i], -+ _INSECURE_FOR_CERTS); - if (unlikely(ret < 0)) { - return gnutls_assert_val(ret); - } - } - for (i = 0; cfg->sigs_for_cert[i] != 0; i++) { -- int ret = gnutls_sign_set_secure_for_certs( -- cfg->sigs_for_cert[i], 1 -- ); -+ int ret = _gnutls_sign_set_secure(cfg->sigs_for_cert[i], -+ _SECURE); - if (unlikely(ret < 0)) { - return gnutls_assert_val(ret); - } -@@ -137,9 +137,9 @@ static inline int /* allowlisting-only */ - _cfg_versions_remark(struct cfg* cfg) - { - size_t i; -- _gnutls_version_mark_revertible_all(); -+ _gnutls_version_mark_disabled_all(); - for (i = 0; cfg->versions[i] != 0; i++) { -- int ret = gnutls_protocol_set_enabled(cfg->versions[i], 1); -+ int ret = _gnutls_protocol_set_enabled(cfg->versions[i], 1); - if (unlikely(ret < 0)) { - return gnutls_assert_val(ret); - } -@@ -154,7 +154,7 @@ _cfg_ecc_curves_remark(struct cfg* cfg) - size_t i; - _gnutls_ecc_curve_mark_disabled_all(); - for (i = 0; cfg->ecc_curves[i] != 0; i++) { -- int ret = gnutls_ecc_curve_set_enabled(cfg->ecc_curves[i], 1); -+ int ret = _gnutls_ecc_curve_set_enabled(cfg->ecc_curves[i], 1); - if (unlikely(ret < 0)) { - return gnutls_assert_val(ret); - } -@@ -168,7 +168,7 @@ _cfg_ecc_curves_remark(struct cfg* cfg) - - static inline int /* allowlisting-only */ - cfg_hashes_set_array(struct cfg* cfg, -- gnutls_digest_algorithm_t* src, size_t len) -+ gnutls_digest_algorithm_t* src, size_t len) - { - if (unlikely(len >= MAX_ALGOS)) { - return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); -@@ -230,4 +230,142 @@ cfg_ecc_curves_set_array(struct cfg* cfg, gnutls_ecc_curve_t* src, size_t len) - return _cfg_ecc_curves_remark(cfg); - } - -+/* -+ * appending to arrays of struct cfg -+ */ -+ -+/* polymorphic way to DRY this operation. other possible approaches: -+ * 1. just unmacro (long) -+ * 2. cast to ints and write a function operating on ints -+ * (hacky, every call is +4 lines, needs a portable static assert) -+ * 3. macro whole functions, not just this operation (harder to find/read) -+ */ -+#define APPEND_TO_NULL_TERMINATED_ARRAY(dst, element) \ -+ do { \ -+ size_t i; \ -+ for (i = 0; dst[i] != 0; i++) { \ -+ if (dst[i] == element) { \ -+ return 0; \ -+ } \ -+ } \ -+ if (unlikely(i >= MAX_ALGOS)) { \ -+ return gnutls_assert_val(GNUTLS_A_INTERNAL_ERROR); \ -+ } \ -+ dst[i] = element; \ -+ dst[i + 1] = 0; \ -+ } while (0) -+ -+static inline int /* allowlisting-only */ -+cfg_hashes_add(struct cfg *cfg, gnutls_digest_algorithm_t dig) -+{ -+ _gnutls_debug_log("cfg: enabling digest algorithm %s\n", -+ gnutls_digest_get_name(dig)); -+ APPEND_TO_NULL_TERMINATED_ARRAY(cfg->hashes, dig); -+ return _cfg_hashes_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_sigs_add(struct cfg *cfg, gnutls_sign_algorithm_t sig) -+{ -+ _gnutls_debug_log("cfg: enabling signature algorithm " -+ "(for non-certificate usage) " -+ "%s\n", gnutls_sign_get_name(sig)); -+ APPEND_TO_NULL_TERMINATED_ARRAY(cfg->sigs, sig); -+ return _cfg_sigs_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_sigs_for_cert_add(struct cfg *cfg, gnutls_sign_algorithm_t sig) -+{ -+ _gnutls_debug_log("cfg: enabling signature algorithm" -+ "(for certificate usage) " -+ "%s\n", gnutls_sign_get_name(sig)); -+ APPEND_TO_NULL_TERMINATED_ARRAY(cfg->sigs_for_cert, sig); -+ return _cfg_sigs_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_versions_add(struct cfg *cfg, gnutls_protocol_t prot) -+{ -+ _gnutls_debug_log("cfg: enabling version %s\n", -+ gnutls_protocol_get_name(prot)); -+ APPEND_TO_NULL_TERMINATED_ARRAY(cfg->versions, prot); -+ return _cfg_versions_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_ecc_curves_add(struct cfg *cfg, gnutls_ecc_curve_t curve) -+{ -+ _gnutls_debug_log("cfg: enabling curve %s\n", -+ gnutls_ecc_curve_get_name(curve)); -+ APPEND_TO_NULL_TERMINATED_ARRAY(cfg->ecc_curves, curve); -+ return _cfg_ecc_curves_remark(cfg); -+} -+ -+#undef APPEND_TO_NULL_TERMINATED_ARRAY -+ -+/* -+ * removing from arrays of struct cfg -+ */ -+ -+/* polymorphic way to DRY this removal, see APPEND_TO_NULL_TERMINATED_ARRAY */ -+#define REMOVE_FROM_NULL_TERMINATED_ARRAY(dst, element) \ -+ do { \ -+ size_t i, j; \ -+ for (i = 0; dst[i] != 0; i++) { \ -+ if (dst[i] == element) { \ -+ for (j = i; dst[j] != 0; j++) { \ -+ dst[j] = dst[j + 1]; \ -+ } \ -+ } \ -+ } \ -+ } while (0) -+ -+static inline int /* allowlisting-only */ -+cfg_hashes_remove(struct cfg *cfg, gnutls_digest_algorithm_t dig) -+{ -+ _gnutls_debug_log("cfg: disabling digest algorithm %s\n", -+ gnutls_digest_get_name(dig)); -+ REMOVE_FROM_NULL_TERMINATED_ARRAY(cfg->hashes, dig); -+ return _cfg_hashes_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_sigs_remove(struct cfg *cfg, gnutls_sign_algorithm_t sig) -+{ -+ _gnutls_debug_log("cfg: disabling signature algorithm " -+ "(for non-certificate usage) " -+ "%s\n", gnutls_sign_get_name(sig)); -+ REMOVE_FROM_NULL_TERMINATED_ARRAY(cfg->sigs, sig); -+ return _cfg_sigs_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_sigs_for_cert_remove(struct cfg *cfg, gnutls_sign_algorithm_t sig) -+{ -+ _gnutls_debug_log("cfg: disabling signature algorithm" -+ "(for certificate usage) " -+ "%s\n", gnutls_sign_get_name(sig)); -+ REMOVE_FROM_NULL_TERMINATED_ARRAY(cfg->sigs_for_cert, sig); -+ return _cfg_sigs_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_versions_remove(struct cfg *cfg, gnutls_protocol_t prot) -+{ -+ _gnutls_debug_log("cfg: disabling version %s\n", -+ gnutls_protocol_get_name(prot)); -+ REMOVE_FROM_NULL_TERMINATED_ARRAY(cfg->versions, prot); -+ return _cfg_versions_remark(cfg); -+} -+ -+static inline int /* allowlisting-only */ -+cfg_ecc_curves_remove(struct cfg *cfg, gnutls_ecc_curve_t curve) -+{ -+ _gnutls_debug_log("cfg: disabling curve %s\n", -+ gnutls_ecc_curve_get_name(curve)); -+ REMOVE_FROM_NULL_TERMINATED_ARRAY(cfg->ecc_curves, curve); -+ return _cfg_ecc_curves_remark(cfg); -+} -+ - #endif /* GNUTLS_LIB_CONFIG_INT_H */ -diff --git a/lib/global.h b/lib/global.h -index 16fde08b5c..6bd70df8e3 100644 ---- a/lib/global.h -+++ b/lib/global.h -@@ -48,5 +48,6 @@ extern void _gnutls_nss_keylog_deinit(void); - - extern void _gnutls_prepare_to_load_system_priorities(void); - extern void _gnutls_unload_system_priorities(void); -+extern bool _gnutls_allowlisting_mode(void); - - #endif /* GNUTLS_LIB_GLOBAL_H */ -diff --git a/lib/priority.c b/lib/priority.c -index 8d8428e1da..c187284024 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1023,6 +1023,11 @@ static unsigned system_priority_file_loaded = 0; - #define OVERRIDES_SECTION "overrides" - #define MAX_ALGO_NAME 2048 - -+bool _gnutls_allowlisting_mode(void) -+{ -+ return system_wide_config.allowlisting; -+} -+ - static void _clear_default_system_priority(void) - { - gnutls_free(system_wide_config.default_priority_string); -@@ -2215,7 +2220,9 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) - /* disable TLS versions which are added but are unsupported */ - for (i = j = 0; i < priority_cache->protocol.num_priorities; i++) { - vers = version_to_entry(priority_cache->protocol.priorities[i]); -- if (!vers || vers->supported) -+ if (!vers || vers->supported || -+ (system_wide_config.allowlisting && \ -+ vers->supported_revertible)) - priority_cache->protocol.priorities[j++] = priority_cache->protocol.priorities[i]; - } - priority_cache->protocol.num_priorities = j; -@@ -3393,3 +3400,253 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags) - } - return NULL; - } -+ -+/* -+ * high-level interface for overriding configuration files -+ */ -+ -+static inline int /* not locking system_wide_config */ -+system_wide_config_is_malleable(void) { -+ if (!system_wide_config.allowlisting) { -+ _gnutls_debug_log("allowlisting is not enabled!\n"); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ if (system_wide_config.priority_string) { -+ _gnutls_debug_log("priority strings have already been " -+ "initialized!\n"); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ return 1; -+} -+ -+/** -+ * gnutls_digest_set_secure: -+ * @dig: is a digest algorithm -+ * @secure: whether to mark the digest algorithm secure -+ * -+ * Modify the previous system wide setting that marked @dig as secure -+ * or insecure. This only has effect when the algorithm is enabled -+ * through the allowlisting mode in the configuration file, or when -+ * the setting is modified with a prior call to this function. -+ * -+ * Since: 3.7.3 -+ */ -+int -+gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, unsigned int secure) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ int ret; -+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ ret = system_wide_config_is_malleable(); -+ if (ret != 1) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ -+ if (secure) { -+ ret = cfg_hashes_add(&system_wide_config, dig); -+ } else { -+ ret = cfg_hashes_remove(&system_wide_config, dig); -+ } -+ -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+#else -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+#endif -+} -+ -+/** -+ * gnutls_sign_set_secure: -+ * @sign: the sign algorithm -+ * @secure: whether to mark the sign algorithm secure -+ * -+ * Modify the previous system wide setting that marked @sign as secure -+ * or insecure. This only has effect when the algorithm is marked as -+ * secure through the allowlisting mode in the configuration file, or -+ * when the setting is modified with a prior call to this function. -+ * -+ * Even when @secure is true, @sign is not marked as secure for the -+ * use in certificates. Use gnutls_sign_set_secure_for_certs() to -+ * mark it secure as well for certificates. -+ * -+ * Since: 3.7.3 -+ */ -+int -+gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, unsigned int secure) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ int ret; -+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ ret = system_wide_config_is_malleable(); -+ if (ret != 1) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ -+ if (secure) { -+ ret = cfg_sigs_add(&system_wide_config, sign); -+ } else { -+ ret = cfg_sigs_remove(&system_wide_config, sign); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+ } -+ /* irregularity, distrusting also means distrusting for certs */ -+ ret = cfg_sigs_for_cert_remove(&system_wide_config, sign); -+ } -+ -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+#else -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+#endif -+} -+ -+/** -+ * gnutls_sign_set_secure_for_certs: -+ * @sign: the sign algorithm -+ * @secure: whether to mark the sign algorithm secure for certificates -+ * -+ * Modify the previous system wide setting that marked @sign as secure -+ * or insecure for the use in certificates. This only has effect when -+ * the algorithm is marked as secure through the allowlisting mode in -+ * the configuration file, or when the setting is modified with a -+ * prior call to this function. -+ * -+ * When @secure is true, @sign is marked as secure for any use unlike -+ * gnutls_sign_set_secure(). Otherwise, it is marked as insecure only -+ * for the use in certificates. Use gnutls_sign_set_secure() to mark -+ * it insecure for any uses. -+ * -+ * Since: 3.7.3 -+ */ -+int -+gnutls_sign_set_secure_for_certs(gnutls_sign_algorithm_t sign, -+ unsigned int secure) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ int ret; -+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ ret = system_wide_config_is_malleable(); -+ if (ret != 1) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ -+ if (secure) { -+ /* irregularity, trusting for certs means trusting in general */ -+ ret = cfg_sigs_add(&system_wide_config, sign); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+ } -+ ret = cfg_sigs_for_cert_add(&system_wide_config, sign); -+ } else { -+ ret = cfg_sigs_for_cert_remove(&system_wide_config, sign); -+ } -+ -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+#else -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+#endif -+} -+ -+/** -+ * gnutls_protocol_set_enabled: -+ * @version: is a (gnutls) version number -+ * @enabled: whether to enable the protocol -+ * -+ * Mark the previous system wide setting that marked @version as -+ * enabled or disabled. This only has effect when the version is -+ * enabled through the allowlisting mode in the configuration file, or -+ * when the setting is modified with a prior call to this function. -+ * -+ * Returns: 0 on success or negative error code otherwise. -+ * -+ * Since: 3.7.3 -+ */ -+int /* allowlisting-only */ /* not thread-safe */ -+gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ int ret; -+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ ret = system_wide_config_is_malleable(); -+ if (ret != 1) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ -+ if (enabled) { -+ ret = cfg_versions_add(&system_wide_config, version); -+ } else { -+ ret = cfg_versions_remove(&system_wide_config, version); -+ } -+ -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+#else -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+#endif -+} -+ -+/** -+ * gnutls_ecc_curve_set_enabled: -+ * @curve: is an ECC curve -+ * @enabled: whether to enable the curve -+ * -+ * Modify the previous system wide setting that marked @curve as -+ * enabled or disabled. This only has effect when the curve is -+ * enabled through the allowlisting mode in the configuration file, or -+ * when the setting is modified with a prior call to this function. -+ * -+ * Returns: 0 on success or negative error code otherwise. -+ * -+ * Since: 3.7.3 -+ */ -+int -+gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, unsigned int enabled) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ int ret; -+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); -+ if (ret < 0) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ ret = system_wide_config_is_malleable(); -+ if (ret != 1) { -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return gnutls_assert_val(ret); -+ } -+ -+ if (enabled) { -+ ret = cfg_ecc_curves_add(&system_wide_config, curve); -+ } else { -+ ret = cfg_ecc_curves_remove(&system_wide_config, curve); -+ } -+ -+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); -+ return ret; -+#else -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+#endif -+} -diff --git a/tests/protocol-set-allowlist.c b/tests/protocol-set-allowlist.c -index 754e4d12d1..744d70b315 100644 ---- a/tests/protocol-set-allowlist.c -+++ b/tests/protocol-set-allowlist.c -@@ -37,15 +37,21 @@ - * This is not a test by itself. - * This is a helper for the real test in protocol-set-allowlist.sh. - * It executes sequences of commands like: -- * > connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -- * > protocol_set_disabled TLS1.2 -> OK -- * > connect -> bad priority: (actually, any arrow-less text can go here) -+ * > protocol_set_disabled TLS1.2 -+ * > protocol_set_enabled TLS1.1 -+ * > connect -+ * > protocol_set_enabled TLS1.2 -+ * > protocol_set_disabled TLS1.1 -+ * > connect -> connection established - * where `connect` connects to $TEST_SERVER_PORT using $TEST_SERVER_CA, - * and gnutls_protocol_set_enabled simply call the underlying API. - * leaving the outer test to check return code and output: -- * connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) - * protocol_set_disabled TLS1.2 -> OK -- * connect -> bad priority: No or insufficient priorities were set. -+ * protocol_set_enabled TLS1.1 -> OK -+ * connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+ * protocol_set_enabled TLS1.2 -> INVALID_REQUEST -+ * protocol_set_disabled TLS1.1 -> INVALID_REQUEST -+ * connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) - */ - - #define _assert(cond, format, ...) if (!(cond)) \ -@@ -58,6 +64,7 @@ void test_echo_server(gnutls_session_t session); - void cmd_connect(const char* ca_file, unsigned port); - void cmd_protocol_set_disabled(const char* name); - void cmd_protocol_set_enabled(const char* name); -+void cmd_reinit(void); - const char* unprefix(const char* s, const char* prefix); - - -@@ -167,15 +174,32 @@ void cmd_connect(const char* ca_file, unsigned port) - - void cmd_protocol_set_disabled(const char* name) - { -- _check(gnutls_protocol_set_enabled(parse_protocol(name), 0) >= 0); -- printf("protocol_set_disabled %s -> OK\n", name); -+ int ret; -+ ret = gnutls_protocol_set_enabled(parse_protocol(name), 0); -+ printf("protocol_set_disabled %s -> %s\n", name, -+ ret == 0 ? "OK" : -+ ret == GNUTLS_E_INVALID_REQUEST ? "INVALID_REQUEST" : -+ gnutls_strerror(ret)); - } - - - void cmd_protocol_set_enabled(const char* name) - { -- _check(gnutls_protocol_set_enabled(parse_protocol(name), 1) >= 0); -- printf("protocol_set_enabled %s -> OK\n", name); -+ int ret; -+ ret = gnutls_protocol_set_enabled(parse_protocol(name), 1); -+ printf("protocol_set_enabled %s -> %s\n", name, -+ ret == 0 ? "OK" : -+ ret == GNUTLS_E_INVALID_REQUEST ? "INVALID_REQUEST" : -+ gnutls_strerror(ret)); -+} -+ -+ -+void cmd_reinit(void) -+{ -+ int ret; -+ gnutls_global_deinit(); -+ ret = gnutls_global_init(); -+ printf("reinit -> %s\n", ret == 0 ? "OK" : gnutls_strerror(ret)); - } - - -@@ -204,8 +228,6 @@ void doit(void) - _assert(port_str, "TEST_SERVER_PORT is not set"); - port = parse_port(port_str); - -- _check(gnutls_global_init() >= 0); -- - while (!feof(stdin)) { - memset(cmd_buf, '\0', MAX_CMD_LEN + 1); - fgets(cmd_buf, MAX_CMD_LEN, stdin); -@@ -220,6 +242,8 @@ void doit(void) - cmd_protocol_set_disabled(p); - else if ((p = unprefix(cmd_buf, "> protocol_set_enabled "))) - cmd_protocol_set_enabled(p); -+ else if (!strcmp(cmd_buf, "> reinit")) -+ cmd_reinit(); - else if ((p = unprefix(cmd_buf, "> "))) - _fail("Unknown command `%s`\n", p); - else -@@ -227,6 +251,5 @@ void doit(void) - cmd_buf); - } - -- gnutls_global_deinit(); - exit(0); - } -diff --git a/tests/protocol-set-allowlist.sh b/tests/protocol-set-allowlist.sh -index 907f37562f..ee2fe649bd 100755 ---- a/tests/protocol-set-allowlist.sh -+++ b/tests/protocol-set-allowlist.sh -@@ -25,6 +25,7 @@ - # from within the shell wrapper protocol-set-allowlist.sh - # The shell part of it feeds commands into a C helper - # and compares its output to the reference output. -+# Commands are derived from the reference output. - - : ${srcdir=.} - : ${builddir=.} -@@ -161,6 +162,9 @@ fi - ### Harness for the actual tests - - test_with_helper() { -+ echo '#' -+ echo "# $1" -+ echo '#' - ${CAT} > "$TMPFILE_EXPECTED_LOG" - ${SED} 's/\(.*\) -> .*/> \1/' "${TMPFILE_EXPECTED_LOG}" \ - > "${TMPFILE_INPUT_SCRIPT}" -@@ -197,152 +201,234 @@ launch_server --echo --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \ - SERVER_PID=$! - wait_server ${SERVER_PID} - --# ["gnutls_protocol_set_enabled can disable, TLS"] --# With a configuration file allowlisting a specific TLS protocol version (1.2), --# gnutls_protocol_set_enabled can disable it. --test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --protocol_set_disabled TLS1.2 -> OK --connect -> bad priority: No or insufficient priorities were set. - EOF - --# ["gnutls_protocol_set_enabled disables revertibly, TLS"] --# consecutive gnutls_protocol_set_enabled can make connection possible --# (with a different session handle). --test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --protocol_set_disabled TLS1.2 -> OK --connect -> bad priority: No or insufficient priorities were set. --protocol_set_enabled TLS1.2 -> OK -+protocol_set_disabled TLS1.2 -> INVALID_REQUEST - connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) - EOF - --# Just a random long-ish scenario --test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+test_with_helper 'disabling TLS 1.2 leaves us with no versions' < OK - connect -> bad priority: No or insufficient priorities were set. --protocol_set_enabled TLS1.3 -> OK -+protocol_set_enabled TLS1.2 -> INVALID_REQUEST - connect -> bad priority: No or insufficient priorities were set. --protocol_set_disabled TLS1.3 -> OK -+EOF -+ -+test_with_helper \ -+ 'disabling is revertible if done before the first gnutls_init' << EOF -+protocol_set_disabled TLS1.2 -> OK - protocol_set_enabled TLS1.2 -> OK - connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+protocol_set_disabled TLS1.2 -> INVALID_REQUEST -+protocol_set_enabled TLS1.2 -> INVALID_REQUEST -+connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) - EOF - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --# Insufficient priority vs handshake failed --#test_with_helper < OK -+#connect -> bad priority: No or insufficient priorities were set. -+#reinit -> OK -+#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+#EOF -+ -+# Reinit after restricting algorithms has problems with FIPS self-tests -+#test_with_helper \ -+# 'library reinitialization allows new API again, but resets changes' \ -+# < OK - #connect -> bad priority: No or insufficient priorities were set. --#protocol_set_enabled TLS1.3 -> OK --#connect -> handshake failed: A packet with illegal or unsupported version was received. -+#protocol_set_enabled TLS1.2 -> INVALID_REQUEST -+#connect -> bad priority: No or insufficient priorities were set. -+#reinit -> OK -+#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+#protocol_set_disabled TLS1.2 -> INVALID_REQUEST -+#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+#reinit -> OK -+#protocol_set_disabled TLS1.2 -> OK -+#protocol_set_enabled TLS1.2 -> OK -+#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+#protocol_set_disabled TLS1.2 -> INVALID_REQUEST - #EOF - -+test_with_helper 'Insufficient priority vs handshake failed: 1/2' < OK -+connect -> bad priority: No or insufficient priorities were set. -+EOF -+ -+test_with_helper 'Insufficient priority vs handshake failed: 2/2' < OK -+protocol_set_enabled TLS1.3 -> OK -+connect -> handshake failed: A TLS fatal alert has been received. -+EOF -+# TLS 1.3 does some masquerading as TLS 1.2, I guess, so it's not -+# handshake failed: A packet with illegal or unsupported version was received. -+ - terminate_proc ${SERVER_PID} - - ### Tests against a NORMAL server (all three TLS versions enabled) - - eval "${GETPORT}" - # server is launched without allowlisting config file in effect --launch_server -d9 --echo --priority NORMAL \ -+launch_server --echo --priority NORMAL \ - --x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}" - SERVER_PID=$! - wait_server ${SERVER_PID} - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --# smoke-test enabling with protocol_set --#test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_enabled TLS1.3 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#EOF -+# sanity-test -+test_with_helper 'sanity test against liberal server' < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+EOF - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --# ["gnutls_protocol_set_enabled enables, TLS"] --# with a configuration file not allowlisting a specific TLS protocol version, --# enabling that version with gnutls_protocol_set_enabled --# allows connecting to a server accepting this TLS protocol version alone --#test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_enabled TLS1.3 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#EOF -+test_with_helper 'smoke-test enabling' < OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --# ["gnutls_protocol_set_enabled enables revertibly, TLS"] --# consecutive gnutls_protocol_set --# can prevent the client from connecting (with a different session handle) --#test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_enabled TLS1.1 -> OK --#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_disabled TLS1.2 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_disabled TLS1.1 -> OK --#connect -> bad priority: No or insufficient priorities were set. --#EOF --# Alternative one --#test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_enabled TLS1.3 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#protocol_set_disabled TLS1.3 -> OK --#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#EOF -+test_with_helper 'going down to TLS1.1' < OK -+protocol_set_disabled TLS1.2 -> OK -+connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+EOF - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --# ["gnutls_protocol_set_disabled disables selectively, TLS"] --# gnutls_protocol_set_disabled with a specific version --# doesn't disable other previously enabled version. --# ["gnutls_protocol_set_enabled enables selectively, TLS"] --# gnutls_protocol_set_enabled enabling a specific version --# doesn't enable other previously disabled version. --#test_with_helper < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_enabled TLS1.3 -> OK --#protocol_set_enabled TLS1.2 -> OK --#protocol_set_enabled TLS1.1 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#protocol_set_disabled TLS1.3 -> OK --#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) --#protocol_set_disabled TLS1.2 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_disabled TLS1.1 -> OK --#connect -> bad priority: No or insufficient priorities were set. --#protocol_set_enabled TLS1.1 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_enabled TLS1.2 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_enabled TLS1.3 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#EOF -+test_with_helper 'going up to TLS 1.3' < OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'useless toggles' < OK -+protocol_set_disabled TLS1.2 -> OK -+protocol_set_enabled TLS1.2 -> OK -+protocol_set_enabled TLS1.1 -> OK -+protocol_set_enabled TLS1.1 -> OK -+protocol_set_enabled TLS1.3 -> OK -+protocol_set_disabled TLS1.1 -> OK -+protocol_set_disabled TLS1.3 -> OK -+connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'disable does not overdisable: 1/2' < OK -+protocol_set_enabled TLS1.2 -> OK -+protocol_set_enabled TLS1.1 -> OK -+protocol_set_disabled TLS1.3 -> OK -+protocol_set_disabled TLS1.1 -> OK -+connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'disable does not overdisable: 2/2' < OK -+protocol_set_enabled TLS1.2 -> OK -+protocol_set_enabled TLS1.1 -> OK -+protocol_set_disabled TLS1.3 -> OK -+protocol_set_disabled TLS1.2 -> OK -+connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+EOF - - terminate_proc ${SERVER_PID} - --### Tests against a TLS 1.1 & 1.3 server (1.2 disabled) -+#### Tests against a TLS 1.3 server -+# -+eval "${GETPORT}" -+# server is launched without allowlisting config file in effect -+launch_server --echo \ -+ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" \ -+ --x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}" -+SERVER_PID=$! -+wait_server ${SERVER_PID} -+ -+test_with_helper 'sanity negative' < handshake failed: A TLS fatal alert has been received. -+protocol_set_enabled TLS1.3 -> INVALID_REQUEST -+protocol_set_enabled TLS1.1 -> INVALID_REQUEST -+protocol_set_disabled TLS1.2 -> INVALID_REQUEST -+connect -> handshake failed: A TLS fatal alert has been received. -+EOF -+ -+test_with_helper 'enable 1.3' < OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'enable 1.3 only' < OK -+protocol_set_enabled TLS1.3 -> OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'enable 1.1' < OK -+connect -> handshake failed: A TLS fatal alert has been received. -+EOF - -+# A special case according to a comment in set_ciphersuite_list: -+# > we require TLS1.2 to be enabled if TLS1.3 is asked for, and -+# > a pre-TLS1.2 protocol is there; that is because servers which -+# > do not support TLS1.3 will negotiate TLS1.2 if seen a TLS1.3 handshake -+test_with_helper 'enable 1.1 and 1.3 only - does not work as you expect' < OK -+protocol_set_disabled TLS1.2 -> OK -+protocol_set_enabled TLS1.1 -> OK -+connect -> handshake failed: A packet with illegal or unsupported version was received. -+EOF -+ -+test_with_helper 'enable 1.1 and 1.3' < OK -+protocol_set_enabled TLS1.1 -> OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'enable 1.1 and 1.3, different order' < OK -+protocol_set_enabled TLS1.3 -> OK -+connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) -+EOF -+ -+terminate_proc ${SERVER_PID} -+ -+#### Tests against a TLS 1.1 + TLS 1.2 server -+# - eval "${GETPORT}" - # server is launched without allowlisting config file in effect --launch_server -d9 --echo \ -- --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.3" \ -+launch_server --echo \ -+ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2" \ - --x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}" - SERVER_PID=$! - wait_server ${SERVER_PID} - --# !!! CURRENTLY NOT WORKING AS EXPECTED !!! --#test_with_helper < handshake failed: A packet with illegal or unsupported version was received. --#protocol_set_enabled TLS1.1 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_enabled TLS1.3 -> OK --#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) --#protocol_set_disabled TLS1.3 -> OK --#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) --#protocol_set_disabled TLS1.1 -> OK --#connect -> handshake failed: A packet with illegal or unsupported version was received. --#protocol_set_disabled TLS1.2 -> OK --#connect -> bad priority: No or insufficient priorities were set. --#EOF -+test_with_helper 'sanity 1.2' < connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'enable 1.1' < OK -+connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM) -+EOF -+ -+test_with_helper 'enable 1.1 only' < OK -+protocol_set_disabled TLS1.2 -> OK -+connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+EOF -+ -+test_with_helper 'enable 1.1 and 1.3 only' < OK -+protocol_set_disabled TLS1.2 -> OK -+protocol_set_enabled TLS1.1 -> OK -+connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+EOF -+ -+test_with_helper 'enable 1.1 and 1.3 only, different order' < OK -+protocol_set_disabled TLS1.2 -> OK -+protocol_set_enabled TLS1.3 -> OK -+connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1) -+EOF - - terminate_proc ${SERVER_PID} - --- -2.34.1 - - -From ebcf38f6ac4dce0fe62bdd43114cb7415eee8d16 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Wed, 16 Feb 2022 14:36:48 +0100 -Subject: [PATCH 8/8] update documentation on allowlisting API - -(in a separate commit so that it's easier to compare) - -Signed-off-by: Alexander Sosedkin ---- - lib/priority.c | 69 +++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 54 insertions(+), 15 deletions(-) - -diff --git a/lib/priority.c b/lib/priority.c -index c187284024..4e9d2d9cc4 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -3466,14 +3466,25 @@ gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, unsigned int secure) - * @secure: whether to mark the sign algorithm secure - * - * Modify the previous system wide setting that marked @sign as secure -- * or insecure. This only has effect when the algorithm is marked as -- * secure through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -+ * or insecure. Calling this function is allowed -+ * only if allowlisting mode is set in the configuration file, -+ * and only if the system-wide TLS priority string -+ * has not been initialized yet. -+ * The intended usage is to provide applications with a way -+ * to expressly deviate from the distribution or site defaults -+ * inherited from the configuration file. -+ * The modification is composable with further modifications -+ * performed through the priority string mechanism. -+ * -+ * This function is not thread-safe and is intended to be called -+ * in the main thread at the beginning of the process execution. - * - * Even when @secure is true, @sign is not marked as secure for the - * use in certificates. Use gnutls_sign_set_secure_for_certs() to - * mark it secure as well for certificates. - * -+ * Returns: 0 on success or negative error code otherwise. -+ * - * Since: 3.7.3 - */ - int -@@ -3517,16 +3528,26 @@ gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, unsigned int secure) - * @secure: whether to mark the sign algorithm secure for certificates - * - * Modify the previous system wide setting that marked @sign as secure -- * or insecure for the use in certificates. This only has effect when -- * the algorithm is marked as secure through the allowlisting mode in -- * the configuration file, or when the setting is modified with a -- * prior call to this function. -- * -+ * or insecure for the use in certificates. Calling this fuction is allowed -+ * only if allowlisting mode is set in the configuration file, -+ * and only if the system-wide TLS priority string -+ * has not been initialized yet. -+ * The intended usage is to provide applications with a way -+ * to expressly deviate from the distribution or site defaults -+ * inherited from the configuration file. -+ * The modification is composable with further modifications -+ * performed through the priority string mechanism. -+ * -+ * This function is not thread-safe and is intended to be called -+ * in the main thread at the beginning of the process execution. -+ - * When @secure is true, @sign is marked as secure for any use unlike - * gnutls_sign_set_secure(). Otherwise, it is marked as insecure only - * for the use in certificates. Use gnutls_sign_set_secure() to mark - * it insecure for any uses. - * -+ * Returns: 0 on success or negative error code otherwise. -+ * - * Since: 3.7.3 - */ - int -@@ -3570,10 +3591,19 @@ gnutls_sign_set_secure_for_certs(gnutls_sign_algorithm_t sign, - * @version: is a (gnutls) version number - * @enabled: whether to enable the protocol - * -- * Mark the previous system wide setting that marked @version as -- * enabled or disabled. This only has effect when the version is -- * enabled through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -+ * Control the previous system-wide setting that marked @version as -+ * enabled or disabled. Calling this fuction is allowed -+ * only if allowlisting mode is set in the configuration file, -+ * and only if the system-wide TLS priority string -+ * has not been initialized yet. -+ * The intended usage is to provide applications with a way -+ * to expressly deviate from the distribution or site defaults -+ * inherited from the configuration file. -+ * The modification is composable with further modifications -+ * performed through the priority string mechanism. -+ * -+ * This function is not thread-safe and is intended to be called -+ * in the main thread at the beginning of the process execution. - * - * Returns: 0 on success or negative error code otherwise. - * -@@ -3614,9 +3644,18 @@ gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled) - * @enabled: whether to enable the curve - * - * Modify the previous system wide setting that marked @curve as -- * enabled or disabled. This only has effect when the curve is -- * enabled through the allowlisting mode in the configuration file, or -- * when the setting is modified with a prior call to this function. -+ * enabled or disabled. Calling this fuction is allowed -+ * only if allowlisting mode is set in the configuration file, -+ * and only if the system-wide TLS priority string -+ * has not been initialized yet. -+ * The intended usage is to provide applications with a way -+ * to expressly deviate from the distribution or site defaults -+ * inherited from the configuration file. -+ * The modification is composable with further modifications -+ * performed through the priority string mechanism. -+ * -+ * This function is not thread-safe and is intended to be called -+ * in the main thread at the beginning of the process execution. - * - * Returns: 0 on success or negative error code otherwise. - * --- -2.34.1 - diff --git a/gnutls-3.7.3-fips-pkcs12.patch b/gnutls-3.7.3-fips-pkcs12.patch deleted file mode 100644 index 45a8194..0000000 --- a/gnutls-3.7.3-fips-pkcs12.patch +++ /dev/null @@ -1,471 +0,0 @@ -From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 10 Feb 2022 16:43:08 +0100 -Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS - non-approved - -Signed-off-by: Daiki Ueno ---- - lib/x509/pkcs12.c | 39 +++++++++++++++++++++++++--- - tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 94 insertions(+), 4 deletions(-) - -diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c -index a8f7d8f956..11b9da3ac9 100644 ---- a/lib/x509/pkcs12.c -+++ b/lib/x509/pkcs12.c -@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) - { -+ int ret; -+ - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - -- return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, -- output_data, output_data_size); -+ ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, -+ output_data, output_data_size); -+ -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else { -+ /* PKCS#12 export is always non-approved, because the MAC -+ * calculation involves non-approved KDF (PKCS#12 KDF) and -+ * without MAC the protection is insufficient. -+ */ -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } -+ return ret; - } - - /** -@@ -317,13 +330,25 @@ int - gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12, - gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) - { -+ int ret; -+ - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - -- return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12, -- out); -+ ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12, -+ out); -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else { -+ /* PKCS#12 export is always non-approved, because the MAC -+ * calculation involves non-approved KDF (PKCS#12 KDF) and -+ * without MAC the protection is insufficient. -+ */ -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } -+ return ret; - } - - static int oid2bag(const char *oid) -@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m - goto cleanup; - } - -+ /* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */ -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); - return 0; - - cleanup: -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); - _gnutls_free_datum(&tmp); - return result; - } -@@ -1203,8 +1231,11 @@ pkcs12_try_gost: - goto cleanup; - } - -+ /* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */ -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); - result = 0; - cleanup: -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&salt); - return result; -diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c -index 3b0e84ef13..b8f7d17267 100644 ---- a/tests/pkcs12_encode.c -+++ b/tests/pkcs12_encode.c -@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str) - fprintf(stderr, "|<%d>| %s", level, str); - } - -+#define FIPS_PUSH_CONTEXT() do { \ -+ if (gnutls_fips140_mode_enabled()) { \ -+ ret = gnutls_fips140_push_context(fips_context); \ -+ if (ret < 0) { \ -+ fail("gnutls_fips140_push_context failed\n"); \ -+ } \ -+ } \ -+} while (0) -+ -+#define FIPS_POP_CONTEXT(state) do { \ -+ if (gnutls_fips140_mode_enabled()) { \ -+ ret = gnutls_fips140_pop_context(); \ -+ if (ret < 0) { \ -+ fail("gnutls_fips140_context_pop failed\n"); \ -+ } \ -+ fips_state = gnutls_fips140_get_operation_state(fips_context); \ -+ if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -+ fail("operation state is not " # state " (%d)\n", \ -+ fips_state); \ -+ } \ -+ } \ -+} while (0) -+ - void doit(void) - { - gnutls_pkcs12_t pkcs12; -@@ -82,6 +105,8 @@ void doit(void) - char outbuf[10240]; - size_t size; - unsigned tests, i; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; - - ret = global_init(); - if (ret < 0) { -@@ -93,6 +118,11 @@ void doit(void) - if (debug) - gnutls_global_set_log_level(4711); - -+ ret = gnutls_fips140_context_init(&fips_context); -+ if (ret < 0) { -+ fail("Cannot initialize FIPS context\n"); -+ } -+ - /* Read certs. */ - ret = gnutls_x509_crt_init(&client); - if (ret < 0) { -@@ -196,6 +226,8 @@ void doit(void) - gnutls_pkcs12_bag_deinit(bag); - } - -+ FIPS_PUSH_CONTEXT(); -+ - /* MAC the structure, export and print. */ - ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass"); - if (ret < 0) { -@@ -203,36 +235,60 @@ void doit(void) - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - ret = gnutls_pkcs12_verify_mac(pkcs12, "pass"); - if (ret < 0) { - fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd"); - if (ret < 0) { - fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd"); - if (ret < 0) { - fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1"); - if (ret < 0) { - fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1"); - if (ret < 0) { - fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ - size = sizeof(outbuf); - ret = - gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf, -@@ -242,10 +298,13 @@ void doit(void) - exit(1); - } - -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ - if (debug) - fwrite(outbuf, size, 1, stdout); - - /* Cleanup. */ -+ gnutls_fips140_context_deinit(fips_context); - gnutls_pkcs12_deinit(pkcs12); - gnutls_x509_crt_deinit(client); - gnutls_x509_crt_deinit(ca); --- -2.34.1 - - -From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 10 Feb 2022 17:35:13 +0100 -Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public - crypto API - -These functions previously used the internal crypto -API (_gnutls_cipher_*) which does not have algorithm checks for FIPS. - -This change switches the code to use the public crypto -API (gnutls_cipher_*) to trigger proper state transitions under FIPS -mode. - -Signed-off-by: Daiki Ueno ---- - lib/x509/pkcs7-crypt.c | 36 +++++++++++----------------- - tests/pkcs12_encode.c | 54 +++++++++++++++++++++++++++--------------- - 2 files changed, 49 insertions(+), 41 deletions(-) - -diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c -index 4cce52ecf0..2dc5bc4df0 100644 ---- a/lib/x509/pkcs7-crypt.c -+++ b/lib/x509/pkcs7-crypt.c -@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - gnutls_datum_t enc = { NULL, 0 }; - uint8_t *key = NULL; - gnutls_datum_t dkey, d_iv; -- cipher_hd_st ch; -- int ch_init = 0; -+ gnutls_cipher_hd_t ch = NULL; - int key_size, ret; - unsigned int pass_len = 0; - const struct pkcs_cipher_schema_st *p; -@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - d_iv.data = (uint8_t *) enc_params->iv; - d_iv.size = enc_params->iv_size; - -- ret = -- _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0); -+ ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv); - - gnutls_free(key); - -@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - goto error; - } - -- ch_init = 1; -- -- ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size); -+ ret = gnutls_cipher_decrypt(ch, enc.data, enc.size); - if (ret < 0) { - gnutls_assert(); - ret = GNUTLS_E_DECRYPTION_FAILED; -@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - decrypted_data->size = enc.size; - } - -- _gnutls_cipher_deinit(&ch); -+ gnutls_cipher_deinit(ch); - - ret = 0; - -@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - gnutls_free(password); - gnutls_free(enc.data); - gnutls_free(key); -- if (ch_init != 0) -- _gnutls_cipher_deinit(&ch); -+ if (ch) { -+ gnutls_cipher_deinit(ch); -+ } - return ret; - } - -@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain, - int data_size; - uint8_t *data = NULL; - gnutls_datum_t d_iv; -- cipher_hd_st ch; -- int ch_init = 0; -+ gnutls_cipher_hd_t ch = NULL; - uint8_t pad, pad_size; - const cipher_entry_st *ce; - -@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain, - - d_iv.data = (uint8_t *) enc_params->iv; - d_iv.size = enc_params->iv_size; -- result = -- _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher), -- key, &d_iv, 1); -- -+ result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv); - if (result < 0) { - gnutls_assert(); - goto error; - } - -- ch_init = 1; -- -- result = _gnutls_cipher_encrypt(&ch, data, data_size); -+ result = gnutls_cipher_encrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; -@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain, - encrypted->data = data; - encrypted->size = data_size; - -- _gnutls_cipher_deinit(&ch); -+ gnutls_cipher_deinit(ch); - - return 0; - - error: - gnutls_free(data); -- if (ch_init != 0) -- _gnutls_cipher_deinit(&ch); -+ if (ch) { -+ gnutls_cipher_deinit(ch); -+ } - return result; - } -diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c -index b8f7d17267..78f6f41b48 100644 ---- a/tests/pkcs12_encode.c -+++ b/tests/pkcs12_encode.c -@@ -104,9 +104,17 @@ void doit(void) - int ret, indx; - char outbuf[10240]; - size_t size; -- unsigned tests, i; -+ unsigned i; - gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; -+ size_t n_tests = 0; -+ struct tests { -+ const char *name; -+ gnutls_x509_crt_t crt; -+ const char *friendly_name; -+ unsigned bag_encrypt_flags; -+ int bag_encrypt_expected; -+ } tests[2]; - - ret = global_init(); - if (ret < 0) { -@@ -157,21 +165,34 @@ void doit(void) - exit(1); - } - -- /* Generate and add PKCS#12 cert bags. */ -- if (!gnutls_fips140_mode_enabled()) { -- tests = 2; /* include RC2 */ -+ tests[n_tests].name = "3DES"; -+ tests[n_tests].crt = client; -+ tests[n_tests].friendly_name = "client"; -+ tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES; -+ tests[n_tests].bag_encrypt_expected = 0; -+ n_tests++; -+ -+ tests[n_tests].name = "RC2-40"; -+ tests[n_tests].crt = ca; -+ tests[n_tests].friendly_name = "ca"; -+ tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; -+ if (gnutls_fips140_mode_enabled()) { -+ tests[n_tests].bag_encrypt_expected = -+ GNUTLS_E_UNWANTED_ALGORITHM; - } else { -- tests = 1; -+ tests[n_tests].bag_encrypt_expected = 0; - } -+ n_tests++; - -- for (i = 0; i < tests; i++) { -+ /* Generate and add PKCS#12 cert bags. */ -+ for (i = 0; i < n_tests; i++) { - ret = gnutls_pkcs12_bag_init(&bag); - if (ret < 0) { - fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - -- ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca); -+ ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt); - if (ret < 0) { - fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); -@@ -180,16 +201,14 @@ void doit(void) - indx = ret; - - ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx, -- i == -- 0 ? "client" : -- "ca"); -+ tests[i].friendly_name); - if (ret < 0) { - fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret); - exit(1); - } - - size = sizeof(key_id_buf); -- ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0, -+ ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0, - key_id_buf, &size); - if (ret < 0) { - fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret); -@@ -206,14 +225,11 @@ void doit(void) - } - - ret = gnutls_pkcs12_bag_encrypt(bag, "pass", -- i == -- 0 ? -- GNUTLS_PKCS8_USE_PKCS12_3DES -- : -- GNUTLS_PKCS_USE_PKCS12_RC2_40); -- if (ret < 0) { -- fprintf(stderr, "bag_encrypt: %d: %s", ret, -- i == 0 ? "3DES" : "RC2-40"); -+ tests[i].bag_encrypt_flags); -+ if (ret != tests[i].bag_encrypt_expected) { -+ fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret, -+ tests[i].bag_encrypt_expected, -+ tests[i].name); - exit(1); - } - --- -2.34.1 - diff --git a/gnutls-3.7.3-fips-rsa-keygen.patch b/gnutls-3.7.3-fips-rsa-keygen.patch deleted file mode 100644 index f99ddc1..0000000 --- a/gnutls-3.7.3-fips-rsa-keygen.patch +++ /dev/null @@ -1,182 +0,0 @@ -From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 27 Jan 2022 18:17:43 +0100 -Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus - sizes - -While _rsa_generate_fips186_4_keypair was modified to accept modulus -sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which -calls that function, was not updated to accept such modulus sizes. - -Spotted by Alexander Sosedkin. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++------------- - 1 file changed, 36 insertions(+), 31 deletions(-) - -diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c -index 5b221a030a..c6f7e675af 100644 ---- a/lib/nettle/int/rsa-keygen-fips186.c -+++ b/lib/nettle/int/rsa-keygen-fips186.c -@@ -27,6 +27,7 @@ - #include "config.h" - #endif - -+#include - #include - #include - #include -@@ -248,6 +249,33 @@ cleanup: - return ret; - } - -+/* Return the pre-defined seed length for modulus size, or 0 when the -+ * modulus size is unsupported. -+ */ -+static inline unsigned -+seed_length_for_modulus_size(unsigned modulus_size) -+{ -+ switch (modulus_size) { -+ case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ -+ return 14 * 2; -+ case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ -+ return 16 * 2; -+ case 4096: /* SP 800-56B rev 2 Appendix D */ -+ return 19 * 2; -+ case 6144: /* SP 800-56B rev 2 Appendix D */ -+ return 22 * 2; -+ case 7680: /* FIPS 140-2 IG 7.5 */ -+ return 24 * 2; -+ case 8192: /* SP 800-56B rev 2 Appendix D */ -+ return 25 * 2; -+ case 15360: /* FIPS 140-2 IG 7.5 */ -+ return 32 * 2; -+ default: -+ return 0; -+ } -+ -+} -+ - /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4. - * - * The hash function used is SHA384. -@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - int ret; - struct dss_params_validation_seeds cert; - unsigned l = n_size / 2; -+ unsigned s = seed_length_for_modulus_size(n_size); - -- switch (n_size) { -- case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ -- FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n"); -- break; -- case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ -- FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n"); -- break; -- case 4096: /* SP 800-56B rev 2 Appendix D */ -- FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n"); -- break; -- case 6144: /* SP 800-56B rev 2 Appendix D */ -- FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n"); -- break; -- case 7680: /* FIPS 140-2 IG 7.5 */ -- FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n"); -- break; -- case 8192: /* SP 800-56B rev 2 Appendix D */ -- FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n"); -- break; -- case 15360: /* FIPS 140-2 IG 7.5 */ -- FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n"); -- break; -- default: -+ if (!s) { - FIPS_RULE(false, 0, "unsupported modulus size\n"); - } - -+ FIPS_RULE(seed_length != s, 0, -+ "seed length other than %u bytes\n", s); -+ - if (!mpz_tstbit(pub->e, 0)) { - _gnutls_debug_log("Unacceptable e (it is even)\n"); - return 0; -@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - return ret; - } - --/* Not entirely accurate but a good precision -- */ --#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8) -- - /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4. - * - * The hash function used is SHA384. -@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - unsigned seed_length; - int ret; - -- FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n"); -+ seed_length = seed_length_for_modulus_size(n_size); -+ FIPS_RULE(!seed_length, 0, "unsupported modulus size\n"); - -- seed_length = SEED_LENGTH(n_size); -- if (seed_length > sizeof(seed)) -- return 0; -+ assert(seed_length <= sizeof(seed)); - - random(random_ctx, seed_length, seed); - --- -2.34.1 - - -From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 1 Feb 2022 15:19:52 +0100 -Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key - sizes - -Signed-off-by: Daiki Ueno ---- - src/certtool.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/src/certtool.c b/src/certtool.c -index c128500614..71d4aff13e 100644 ---- a/src/certtool.c -+++ b/src/certtool.c -@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo) - "Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n"); - - if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) { -- if (bits != 2048 && bits != 3072) { -- fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n"); -+ /* Keep in sync with seed_length_for_modulus_size in -+ * lib/nettle/int/rsa-keygen-fips186.c. */ -+ if (bits != 2048 && bits != 3072 && bits != 4096 && -+ bits != 6144 && bits != 7680 && bits != 8192 && -+ bits != 15360) { -+ fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n"); - } - } - -@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo) - kdata[kdata_size++].size = cinfo->seed_size; - - if (GNUTLS_PK_IS_RSA(key_type)) { -- if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) { -+ /* Keep in sync with seed_length_for_modulus_size in -+ * lib/nettle/int/rsa-keygen-fips186.c. */ -+ if ((bits == 2048 && cinfo->seed_size != 28) || -+ (bits == 3072 && cinfo->seed_size != 32) || -+ (bits == 4096 && cinfo->seed_size != 38) || -+ (bits == 6144 && cinfo->seed_size != 44) || -+ (bits == 7680 && cinfo->seed_size != 48) || -+ (bits == 8192 && cinfo->seed_size != 50) || -+ (bits == 15360 && cinfo->seed_size != 64)) { - fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size); - } - } else if (key_type == GNUTLS_PK_DSA) { --- -2.34.1 - diff --git a/gnutls-3.7.3-fix-tests-in-fips.patch b/gnutls-3.7.3-fix-tests-in-fips.patch deleted file mode 100644 index a5c8bee..0000000 --- a/gnutls-3.7.3-fix-tests-in-fips.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Thu, 17 Feb 2022 11:46:29 +0100 -Subject: [PATCH] Disable some tests in fips mode - -Signed-off-by: Zoltan Fridrich ---- - tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++ - tests/pkcs11/tls-neg-pkcs11-key.c | 8 +++++++- - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -index 44515da3f..ebbfe5278 100644 ---- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c -+++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -@@ -107,6 +107,11 @@ void doit(void) - fail("%d: %s\n", ret, gnutls_strerror(ret)); - } - -+ if (gnutls_fips140_mode_enabled()) { -+ gnutls_global_deinit(); -+ return; -+ } -+ - gnutls_pkcs11_set_pin_function(pin_func, NULL); - gnutls_global_set_log_function(tls_log_func); - if (debug) -diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c -index fc7c3dc4e..5cc1ae6e2 100644 ---- a/tests/pkcs11/tls-neg-pkcs11-key.c -+++ b/tests/pkcs11/tls-neg-pkcs11-key.c -@@ -268,6 +268,7 @@ typedef struct test_st { - int exp_serv_err; - int needs_eddsa; - int needs_decryption; -+ int nofips; - unsigned requires_pkcs11_pss; - } test_st; - -@@ -340,6 +341,7 @@ static const test_st tests[] = { - .cert = &server_ca3_eddsa_cert, - .key = &server_ca3_eddsa_key, - .exp_kx = GNUTLS_KX_ECDHE_RSA, -+ .nofips = 1 - }, - {.name = "tls1.3: ecc key", - .pk = GNUTLS_PK_ECDSA, -@@ -392,7 +394,8 @@ static const test_st tests[] = { - .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA", - .cert = &server_ca3_eddsa_cert, - .key = &server_ca3_eddsa_key, -- .exp_kx = GNUTLS_KX_ECDHE_RSA -+ .exp_kx = GNUTLS_KX_ECDHE_RSA, -+ .nofips = 1 - } - }; - -@@ -448,6 +451,9 @@ void doit(void) - have_eddsa = verify_eddsa_presence(); - - for (i=0;i -Date: Mon, 21 Feb 2022 16:28:49 +0100 -Subject: [PATCH] priority: compile out GOST algorithms IDs if they are - disabled - -When compiled with --disable-gost, gnutls-cli --priority NORMAL --list -still prints GOST algorithms for ciphers, MACs, and signatures. This -change adds compile time checks to suppress them. - -Signed-off-by: Daiki Ueno ---- - lib/priority.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/priority.c b/lib/priority.c -index 54d7b1bb45..0c7ac65d7b 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -309,7 +309,9 @@ static const int _kx_priority_secure[] = { - static const int* kx_priority_secure = _kx_priority_secure; - - static const int _kx_priority_gost[] = { -+#ifdef ENABLE_GOST - GNUTLS_KX_VKO_GOST_12, -+#endif - 0, - }; - static const int* kx_priority_gost = _kx_priority_gost; -@@ -507,9 +509,10 @@ static const int _sign_priority_secure192[] = { - static const int* sign_priority_secure192 = _sign_priority_secure192; - - static const int _sign_priority_gost[] = { -+#ifdef ENABLE_GOST - GNUTLS_SIGN_GOST_256, - GNUTLS_SIGN_GOST_512, -- -+#endif - 0 - }; - static const int* sign_priority_gost = _sign_priority_gost; -@@ -531,13 +534,17 @@ static const int *cipher_priority_normal = _cipher_priority_normal_default; - static const int *mac_priority_normal = mac_priority_normal_default; - - static const int _cipher_priority_gost[] = { -+#ifdef ENABLE_GOST - GNUTLS_CIPHER_GOST28147_TC26Z_CNT, -+#endif - 0 - }; - static const int *cipher_priority_gost = _cipher_priority_gost; - - static const int _mac_priority_gost[] = { -+#ifdef ENABLE_GOST - GNUTLS_MAC_GOST28147_TC26Z_IMIT, -+#endif - 0 - }; - static const int *mac_priority_gost = _mac_priority_gost; --- -2.34.1 - -From f2bb30f68922d72f8bed29cc8b2a065087a0969f Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 22 Feb 2022 17:09:46 +0100 -Subject: [PATCH] algorithms: ensure _list() exclude non-existing algorithms - -This aligns the behavior of _list() function for sign/pk to the one -for cipher/mac: the former previously returned all the algorithms -defined, while the latter returns only algorithms compiled in. - -Signed-off-by: Daiki Ueno ---- - lib/algorithms/publickey.c | 8 +++- - lib/algorithms/sign.c | 4 +- - lib/crypto-backend.h | 2 + - lib/nettle/pk.c | 86 ++++++++++++++++++++++++++++++++++++++ - lib/pk.h | 2 + - 5 files changed, 99 insertions(+), 3 deletions(-) - -diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c -index b4cd6b1df0..caf53972ab 100644 ---- a/lib/algorithms/publickey.c -+++ b/lib/algorithms/publickey.c -@@ -24,6 +24,7 @@ - #include - #include "errors.h" - #include -+#include "pk.h" - - - /* KX mappings to PK algorithms */ -@@ -203,8 +204,11 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void) - int i = 0; - - GNUTLS_PK_LOOP( -- if (p->id != GNUTLS_PK_UNKNOWN && supported_pks[i > 0 ? (i - 1) : 0] != p->id) -- supported_pks[i++] = p->id -+ if (p->id != GNUTLS_PK_UNKNOWN && -+ supported_pks[i > 0 ? (i - 1) : 0] != p->id && -+ _gnutls_pk_exists(p->id)) { -+ supported_pks[i++] = p->id; -+ } - ); - supported_pks[i++] = 0; - } -diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c -index 06abdb4cf8..4a5aaa75e1 100644 ---- a/lib/algorithms/sign.c -+++ b/lib/algorithms/sign.c -@@ -27,6 +27,7 @@ - #include - #include - #include "c-strcase.h" -+#include "pk.h" - - /* signature algorithms; - */ -@@ -631,7 +632,8 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void) - - GNUTLS_SIGN_LOOP( - /* list all algorithms, but not duplicates */ -- if (supported_sign[i] != p->id) { -+ if (supported_sign[i] != p->id && -+ _gnutls_pk_sign_exists(p->id)) { - assert(i+1 < MAX_ALGOS); - supported_sign[i++] = p->id; - supported_sign[i+1] = 0; -diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h -index 9874033221..f0f68c337e 100644 ---- a/lib/crypto-backend.h -+++ b/lib/crypto-backend.h -@@ -418,6 +418,8 @@ typedef struct gnutls_crypto_pk { - unsigned int flags); - - int (*curve_exists) (gnutls_ecc_curve_t); /* true/false */ -+ int (*pk_exists) (gnutls_pk_algorithm_t); /* true/false */ -+ int (*sign_exists) (gnutls_sign_algorithm_t); /* true/false */ - } gnutls_crypto_pk_st; - - /* priority: infinity for backend algorithms, 90 for kernel -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index a146568266..eba246f0b3 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -1883,6 +1883,90 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve) - } - } - -+static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) -+{ -+ switch (pk) { -+ case GNUTLS_PK_RSA: -+ case GNUTLS_PK_DSA: -+ case GNUTLS_PK_DH: -+ case GNUTLS_PK_ECDSA: -+ case GNUTLS_PK_ECDH_X25519: -+ case GNUTLS_PK_RSA_PSS: -+ case GNUTLS_PK_EDDSA_ED25519: -+#if ENABLE_GOST -+ case GNUTLS_PK_GOST_01: -+ case GNUTLS_PK_GOST_12_256: -+ case GNUTLS_PK_GOST_12_512: -+#endif -+ case GNUTLS_PK_ECDH_X448: -+ case GNUTLS_PK_EDDSA_ED448: -+ return 1; -+ default: -+ return 0; -+ } -+} -+ -+static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign) -+{ -+ switch (sign) { -+ case GNUTLS_SIGN_RSA_SHA1: -+ case GNUTLS_SIGN_DSA_SHA1: -+ case GNUTLS_SIGN_RSA_MD5: -+ case GNUTLS_SIGN_RSA_MD2: -+ case GNUTLS_SIGN_RSA_RMD160: -+ case GNUTLS_SIGN_RSA_SHA256: -+ case GNUTLS_SIGN_RSA_SHA384: -+ case GNUTLS_SIGN_RSA_SHA512: -+ case GNUTLS_SIGN_RSA_SHA224: -+ case GNUTLS_SIGN_DSA_SHA224: -+ case GNUTLS_SIGN_DSA_SHA256: -+ case GNUTLS_SIGN_ECDSA_SHA1: -+ case GNUTLS_SIGN_ECDSA_SHA224: -+ case GNUTLS_SIGN_ECDSA_SHA256: -+ case GNUTLS_SIGN_ECDSA_SHA384: -+ case GNUTLS_SIGN_ECDSA_SHA512: -+ case GNUTLS_SIGN_DSA_SHA384: -+ case GNUTLS_SIGN_DSA_SHA512: -+ case GNUTLS_SIGN_ECDSA_SHA3_224: -+ case GNUTLS_SIGN_ECDSA_SHA3_256: -+ case GNUTLS_SIGN_ECDSA_SHA3_384: -+ case GNUTLS_SIGN_ECDSA_SHA3_512: -+ -+ case GNUTLS_SIGN_DSA_SHA3_224: -+ case GNUTLS_SIGN_DSA_SHA3_256: -+ case GNUTLS_SIGN_DSA_SHA3_384: -+ case GNUTLS_SIGN_DSA_SHA3_512: -+ case GNUTLS_SIGN_RSA_SHA3_224: -+ case GNUTLS_SIGN_RSA_SHA3_256: -+ case GNUTLS_SIGN_RSA_SHA3_384: -+ case GNUTLS_SIGN_RSA_SHA3_512: -+ -+ case GNUTLS_SIGN_RSA_PSS_SHA256: -+ case GNUTLS_SIGN_RSA_PSS_SHA384: -+ case GNUTLS_SIGN_RSA_PSS_SHA512: -+ case GNUTLS_SIGN_EDDSA_ED25519: -+ case GNUTLS_SIGN_RSA_RAW: -+ -+ case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256: -+ case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384: -+ case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512: -+ -+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256: -+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384: -+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512: -+ -+#if ENABLE_GOST -+ case GNUTLS_SIGN_GOST_94: -+ case GNUTLS_SIGN_GOST_256: -+ case GNUTLS_SIGN_GOST_512: -+#endif -+ case GNUTLS_SIGN_EDDSA_ED448: -+ return 1; -+ default: -+ return 0; -+ } -+} -+ - /* Generates algorithm's parameters. That is: - * For DSA: p, q, and g are generated. - * For RSA: nothing -@@ -3872,4 +3956,6 @@ gnutls_crypto_pk_st _gnutls_pk_ops = { - .pk_fixup_private_params = wrap_nettle_pk_fixup, - .derive = _wrap_nettle_pk_derive, - .curve_exists = _wrap_nettle_pk_curve_exists, -+ .pk_exists = _wrap_nettle_pk_exists, -+ .sign_exists = _wrap_nettle_pk_sign_exists - }; -diff --git a/lib/pk.h b/lib/pk.h -index cc61e08cef..7f3c9995da 100644 ---- a/lib/pk.h -+++ b/lib/pk.h -@@ -40,6 +40,8 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops; - #define _gnutls_pk_generate_params( algo, bits, priv) _gnutls_pk_ops.generate_params( algo, bits, priv) - #define _gnutls_pk_hash_algorithm( pk, sig, params, hash) _gnutls_pk_ops.hash_algorithm(pk, sig, params, hash) - #define _gnutls_pk_curve_exists( curve) _gnutls_pk_ops.curve_exists(curve) -+#define _gnutls_pk_exists(algo) _gnutls_pk_ops.pk_exists(algo) -+#define _gnutls_pk_sign_exists(algo) _gnutls_pk_ops.sign_exists(algo) - - inline static int - _gnutls_pk_fixup(gnutls_pk_algorithm_t algo, gnutls_direction_t direction, --- -2.34.1 - diff --git a/gnutls-3.7.3-ktls-stub.patch b/gnutls-3.7.3-ktls-stub.patch deleted file mode 100644 index 4d3dace..0000000 --- a/gnutls-3.7.3-ktls-stub.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a97a93e23483aafc3508adee8e6399a2302e0fbc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 15 Feb 2022 17:38:20 +0100 -Subject: [PATCH] gnutls_transport_is_ktls_enabled: fix return value of stub - -Signed-off-by: Daiki Ueno ---- - lib/system/ktls.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 7e3cb875ed..f156f08ab2 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -422,12 +422,11 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, - - #else //ENABLE_KTLS - gnutls_transport_ktls_enable_flags_t --gnutls_transport_is_ktls_enabled(gnutls_session_t session){ -- return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -+gnutls_transport_is_ktls_enabled(gnutls_session_t session) { -+ return 0; - } - --void _gnutls_ktls_enable(gnutls_session_t session){ -- return; -+void _gnutls_ktls_enable(gnutls_session_t session) { - } - - int _gnutls_ktls_set_keys(gnutls_session_t session) { --- -2.34.1 - diff --git a/gnutls-3.7.3-libtss2-dlopen.patch b/gnutls-3.7.3-libtss2-dlopen.patch deleted file mode 100644 index b4cf45b..0000000 --- a/gnutls-3.7.3-libtss2-dlopen.patch +++ /dev/null @@ -1,719 +0,0 @@ -From f5e5ab910b8b1d69f962ca033d1295c3e1e1e131 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 23 Feb 2022 19:48:52 +0100 -Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed - -libtss2-esys links to OpenSSL or mbed TLS for cryptography, which may -cause packaging issues. This instead dlopen's tss2 libraries as -needed so non-TPM applications continue working without loading -multiple crypto libraries. - -Signed-off-by: Daiki Ueno ---- - configure.ac | 11 +- - lib/Makefile.am | 6 +- - lib/tpm2.c | 2 +- - lib/tpm2.h | 2 +- - lib/tpm2_esys.c | 273 ++++++++++++++++++++++++++++++++++++-------- - tests/Makefile.am | 3 +- - tests/sanity-lib.sh | 40 +++++++ - tests/tpm2.sh | 14 ++- - 8 files changed, 296 insertions(+), 55 deletions(-) - create mode 100644 tests/sanity-lib.sh - -diff --git a/configure.ac b/configure.ac -index 53c3aefca1..721ff208f0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit - - AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no") - -+need_ltlibdl=no -+ - AC_ARG_WITH(tpm2, - AS_HELP_STRING([--without-tpm2], - [Disable TPM2 support.]), -@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then - if test "$have_tpm2" = "yes"; then - tss2lib="tss2-esys tss2-mu tss2-tctildr" - AC_DEFINE([HAVE_TSS2], 1, [Have TSS2]) -+ need_ltlibdl=yes - elif test "$with_tpm2" = "yes"; then - AC_MSG_ERROR([[ - *** -@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then - AC_SUBST([TSS_LIBS], [-ltspi]) - AC_SUBST([TSS_CFLAGS], []) - AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM]) -- with_tpm=yes], -+ with_tpm=yes, -+ need_ltlibdl=yes], - [AC_MSG_RESULT(no) - AC_MSG_WARN([[ - *** -@@ -957,6 +961,9 @@ fi - AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library]) - AC_SUBST(TROUSERS_LIB) - -+ -+AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes) -+ - # For minitasn1. - AC_CHECK_SIZEOF(unsigned long int, 4) - AC_CHECK_SIZEOF(unsigned int, 4) -@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support: - Random gen. variant: $rnd_variant - PKCS#11 support: $with_p11_kit - TPM support: $with_tpm -- TPM2 support: $have_tpm2 -+ TPM2 support: $with_tpm2 - KTLS support: $enable_ktls - ]) - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index 35df35ee8d..e61ee1b6ae 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -44,7 +44,7 @@ AM_CPPFLAGS = \ - -I$(srcdir)/x509 \ - $(LIBTASN1_CFLAGS) \ - $(P11_KIT_CFLAGS) \ -- $(TPM2_CFLAGS) -+ $(TSS2_CFLAGS) - - if !HAVE_LIBUNISTRING - SUBDIRS += unistring -@@ -156,7 +156,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \ - auth/libgnutls_auth.la algorithms/libgnutls_alg.la \ - extras/libgnutls_extras.la - thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \ -- $(P11_KIT_LIBS) $(LIB_SELECT) $(TSS2_LIBS) $(GNUTLS_LIBS_PRIVATE) -+ $(P11_KIT_LIBS) $(LIB_SELECT) $(GNUTLS_LIBS_PRIVATE) - - if HAVE_LIBIDN2 - thirdparty_libadd += $(LIBIDN2_LIBS) -@@ -203,7 +203,7 @@ all-local: $(hmac_files) - CLEANFILES = $(hmac_files) - endif - --if ENABLE_TROUSERS -+if NEED_LTLIBDL - thirdparty_libadd += $(LTLIBDL) - endif - -diff --git a/lib/tpm2.c b/lib/tpm2.c -index 076cc7f407..750eadc777 100644 ---- a/lib/tpm2.c -+++ b/lib/tpm2.c -@@ -297,5 +297,5 @@ int _gnutls_load_tpm2_key(gnutls_privkey_t pkey, const gnutls_datum_t *fdata) - - void _gnutls_tpm2_deinit(void) - { -- tpm2_tcti_deinit(); -+ tpm2_esys_deinit(); - } -diff --git a/lib/tpm2.h b/lib/tpm2.h -index e40dc01df7..7966e2d811 100644 ---- a/lib/tpm2.h -+++ b/lib/tpm2.h -@@ -37,7 +37,7 @@ struct tpm2_info_st; - - struct tpm2_info_st *tpm2_info_init(struct pin_info_st *pin); - --void tpm2_tcti_deinit(void); -+void tpm2_esys_deinit(void); - - void release_tpm2_ctx(struct tpm2_info_st *info); - -diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c -index 93e54413ba..4000c1b76e 100644 ---- a/lib/tpm2_esys.c -+++ b/lib/tpm2_esys.c -@@ -72,6 +72,170 @@ - #include - #include - -+#include -+ -+/* We don't want to link to libtss2-esys, as it brings in other -+ * crypto libraries. Instead, only dlopen it as needed. -+ */ -+ -+static void *_gnutls_tss2_esys_dlhandle; -+static void *_gnutls_tss2_mu_dlhandle; -+static void *_gnutls_tss2_tctildr_dlhandle; -+ -+static TSS2_RC -+(*_gnutls_tss2_Esys_GetCapability)(ESYS_CONTEXT *esysContext, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ TPM2_CAP capability, -+ UINT32 property, -+ UINT32 propertyCount, -+ TPMI_YES_NO *moreData, -+ TPMS_CAPABILITY_DATA **capabilityData); -+static void (*_gnutls_tss2_Esys_Free)(void *__ptr); -+static TSS2_RC (*_gnutls_tss2_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext, -+ ESYS_TR handle, -+ TPM2B_AUTH const *authValue); -+static TSS2_RC -+(*_gnutls_tss2_Esys_CreatePrimary)(ESYS_CONTEXT *esysContext, -+ ESYS_TR primaryHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_SENSITIVE_CREATE *inSensitive, -+ const TPM2B_PUBLIC *inPublic, -+ const TPM2B_DATA *outsideInfo, -+ const TPML_PCR_SELECTION *creationPCR, -+ ESYS_TR *objectHandle, -+ TPM2B_PUBLIC **outPublic, -+ TPM2B_CREATION_DATA **creationData, -+ TPM2B_DIGEST **creationHash, -+ TPMT_TK_CREATION **creationTicket); -+static TSS2_RC (*_gnutls_tss2_Esys_Initialize)(ESYS_CONTEXT **esys_context, -+ TSS2_TCTI_CONTEXT *tcti, -+ TSS2_ABI_VERSION *abiVersion); -+static TSS2_RC (*_gnutls_tss2_Esys_Startup)(ESYS_CONTEXT *esysContext, -+ TPM2_SU startupType); -+static TSS2_RC (*_gnutls_tss2_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext, -+ TPM2_HANDLE tpm_handle, -+ ESYS_TR optionalSession1, -+ ESYS_TR optionalSession2, -+ ESYS_TR optionalSession3, -+ ESYS_TR *object); -+static TSS2_RC (*_gnutls_tss2_Esys_ReadPublic)(ESYS_CONTEXT *esysContext, -+ ESYS_TR objectHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ TPM2B_PUBLIC **outPublic, -+ TPM2B_NAME **name, -+ TPM2B_NAME **qualifiedName); -+static TSS2_RC (*_gnutls_tss2_Esys_Load)(ESYS_CONTEXT *esysContext, -+ ESYS_TR parentHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_PRIVATE *inPrivate, -+ const TPM2B_PUBLIC *inPublic, -+ ESYS_TR *objectHandle); -+static TSS2_RC (*_gnutls_tss2_Esys_FlushContext)(ESYS_CONTEXT *esysContext, -+ ESYS_TR flushHandle); -+static void (*_gnutls_tss2_Esys_Finalize)(ESYS_CONTEXT **context); -+static TSS2_RC -+(*_gnutls_tss2_Esys_RSA_Decrypt)(ESYS_CONTEXT *esysContext, -+ ESYS_TR keyHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_PUBLIC_KEY_RSA *cipherText, -+ const TPMT_RSA_DECRYPT *inScheme, -+ const TPM2B_DATA *label, -+ TPM2B_PUBLIC_KEY_RSA **message); -+static TSS2_RC (*_gnutls_tss2_Esys_Sign)(ESYS_CONTEXT *esysContext, -+ ESYS_TR keyHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_DIGEST *digest, -+ const TPMT_SIG_SCHEME *inScheme, -+ const TPMT_TK_HASHCHECK *validation, -+ TPMT_SIGNATURE **signature); -+ -+static TSS2_RC -+(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[], -+ size_t buffer_size, -+ size_t *offset, -+ TPM2B_PRIVATE *dest); -+static TSS2_RC -+(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], -+ size_t buffer_size, -+ size_t *offset, -+ TPM2B_PUBLIC *dest); -+ -+static TSS2_RC -+(*_gnutls_tss2_Tss2_TctiLdr_Initialize)(const char *nameConf, -+ TSS2_TCTI_CONTEXT **context); -+static void (*_gnutls_tss2_Tss2_TctiLdr_Finalize)(TSS2_TCTI_CONTEXT **context); -+ -+#define DLSYM_TSS2(sys, sym) \ -+ _gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \ -+ if (!_gnutls_tss2_##sym) { \ -+ return -1; \ -+ } -+ -+static int -+init_tss2_funcs(void) -+{ -+ if (!_gnutls_tss2_esys_dlhandle) { -+ _gnutls_tss2_esys_dlhandle = -+ dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_esys_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n"); -+ return -1; -+ } -+ } -+ -+ DLSYM_TSS2(esys, Esys_GetCapability) -+ DLSYM_TSS2(esys, Esys_Free) -+ DLSYM_TSS2(esys, Esys_TR_SetAuth) -+ DLSYM_TSS2(esys, Esys_CreatePrimary) -+ DLSYM_TSS2(esys, Esys_Initialize) -+ DLSYM_TSS2(esys, Esys_Startup) -+ DLSYM_TSS2(esys, Esys_TR_FromTPMPublic) -+ DLSYM_TSS2(esys, Esys_ReadPublic) -+ DLSYM_TSS2(esys, Esys_Load) -+ DLSYM_TSS2(esys, Esys_FlushContext) -+ DLSYM_TSS2(esys, Esys_Finalize) -+ DLSYM_TSS2(esys, Esys_RSA_Decrypt) -+ DLSYM_TSS2(esys, Esys_Sign) -+ -+ if (!_gnutls_tss2_mu_dlhandle) { -+ _gnutls_tss2_mu_dlhandle = -+ dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_mu_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n"); -+ return -1; -+ } -+ } -+ -+ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal) -+ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal) -+ -+ if (!_gnutls_tss2_tctildr_dlhandle) { -+ _gnutls_tss2_tctildr_dlhandle = -+ dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_tctildr_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n"); -+ return -1; -+ } -+ } -+ -+ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize) -+ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize) -+ -+ return 0; -+} -+ - struct tpm2_info_st { - TPM2B_PUBLIC pub; - TPM2B_PRIVATE priv; -@@ -227,10 +391,10 @@ get_primary_template(ESYS_CONTEXT *ctx) - UINT32 i; - TSS2_RC rc; - -- rc = Esys_GetCapability (ctx, -- ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -- TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS, -- NULL, &capability_data); -+ rc = _gnutls_tss2_Esys_GetCapability(ctx, -+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -+ TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS, -+ NULL, &capability_data); - if (rc) { - _gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc); - return NULL; -@@ -239,7 +403,7 @@ get_primary_template(ESYS_CONTEXT *ctx) - for (i = 0; i < capability_data->data.algorithms.count; i++) { - if (capability_data->data.algorithms.algProperties[i].alg == - TPM2_ALG_ECC) { -- Esys_Free(capability_data); -+ _gnutls_tss2_Esys_Free(capability_data); - return &primary_template_ecc; - } - } -@@ -247,12 +411,12 @@ get_primary_template(ESYS_CONTEXT *ctx) - for (i = 0; i < capability_data->data.algorithms.count; i++) { - if (capability_data->data.algorithms.algProperties[i].alg == - TPM2_ALG_RSA) { -- Esys_Free(capability_data); -+ _gnutls_tss2_Esys_Free(capability_data); - return &primary_template_rsa; - } - } - -- Esys_Free(capability_data); -+ _gnutls_tss2_Esys_Free(capability_data); - _gnutls_debug_log("tpm2: unable to find primary template\n"); - return NULL; - } -@@ -320,7 +484,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, - install_tpm_passphrase(&info->ownerauth, pass); - info->need_ownerauth = false; - } -- rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); -+ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); - if (rc) { - _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); - return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -329,7 +493,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, - if (!primary_template) { - return gnutls_assert_val(GNUTLS_E_TPM_ERROR); - } -- rc = Esys_CreatePrimary(ctx, hierarchy, -+ rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy, - ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, - &primary_sensitive, - primary_template, -@@ -359,14 +523,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - - _gnutls_debug_log("tpm2: establishing connection with TPM\n"); - -- rc = Esys_Initialize(ctx, tcti_ctx, NULL); -+ rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL); - if (rc) { - gnutls_assert(); - _gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc); - goto error; - } - -- rc = Esys_Startup(*ctx, TPM2_SU_CLEAR); -+ rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR); - if (rc == TPM2_RC_INITIALIZE) { - _gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n"); - } else if (rc) { -@@ -381,7 +545,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - goto error; - } - } else { -- rc = Esys_TR_FromTPMPublic(*ctx, info->parent, -+ rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent, - ESYS_TR_NONE, - ESYS_TR_NONE, - ESYS_TR_NONE, -@@ -399,7 +563,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - if (!info->did_ownerauth && !info->ownerauth.size) { - TPM2B_PUBLIC *pub = NULL; - -- rc = Esys_ReadPublic(*ctx, parent_handle, -+ rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle, - ESYS_TR_NONE, - ESYS_TR_NONE, - ESYS_TR_NONE, -@@ -408,7 +572,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) { - info->need_ownerauth = true; - } -- Esys_Free(pub); -+ _gnutls_tss2_Esys_Free(pub); - } - reauth: - if (info->need_ownerauth) { -@@ -420,7 +584,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - install_tpm_passphrase(&info->ownerauth, pass); - info->need_ownerauth = false; - } -- rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth); -+ rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth); - if (rc) { - gnutls_assert(); - _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", -@@ -432,7 +596,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - _gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n", - parent_handle); - -- rc = Esys_Load(*ctx, parent_handle, -+ rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle, - ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, - &info->priv, &info->pub, - key_handle); -@@ -450,7 +614,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - info->did_ownerauth = true; - - if (parent_is_generated(info->parent)) { -- rc = Esys_FlushContext(*ctx, parent_handle); -+ rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle); - if (rc) { - _gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n", - rc); -@@ -461,14 +625,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - return 0; - error: - if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) { -- Esys_FlushContext(*ctx, parent_handle); -+ _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle); - } - if (*key_handle != ESYS_TR_NONE) { -- Esys_FlushContext(*ctx, *key_handle); -+ _gnutls_tss2_Esys_FlushContext(*ctx, *key_handle); - } - *key_handle = ESYS_TR_NONE; - -- Esys_Finalize(ctx); -+ _gnutls_tss2_Esys_Finalize(ctx); - return GNUTLS_E_TPM_ERROR; - } - -@@ -488,7 +652,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle) - info->need_userauth = false; - } - -- rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth); -+ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth); - if (rc) { - _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); - return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -574,7 +738,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, - goto out; - } - -- rc = Esys_RSA_Decrypt(ectx, key_handle, -+ rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle, - ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, - &digest, &in_scheme, &label, &tsig); - if (rc_is_key_auth_failed(rc)) { -@@ -591,14 +755,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, - - ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size); - out: -- Esys_Free(tsig); -+ _gnutls_tss2_Esys_Free(tsig); - - if (key_handle != ESYS_TR_NONE) { -- Esys_FlushContext(ectx, key_handle); -+ _gnutls_tss2_Esys_FlushContext(ectx, key_handle); - } - - if (ectx) { -- Esys_Finalize(&ectx); -+ _gnutls_tss2_Esys_Finalize(&ectx); - } - - return ret; -@@ -661,7 +825,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, - goto out; - } - -- rc = Esys_Sign(ectx, key_handle, -+ rc = _gnutls_tss2_Esys_Sign(ectx, key_handle, - ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, - &digest, &in_scheme, &validation, - &tsig); -@@ -682,31 +846,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, - - ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s); - out: -- Esys_Free(tsig); -+ _gnutls_tss2_Esys_Free(tsig); - - if (key_handle != ESYS_TR_NONE) { -- Esys_FlushContext(ectx, key_handle); -+ _gnutls_tss2_Esys_FlushContext(ectx, key_handle); - } - - if (ectx) { -- Esys_Finalize(&ectx); -+ _gnutls_tss2_Esys_Finalize(&ectx); - } - - return ret; - } - --GNUTLS_ONCE(tcti_once); -- --void --tpm2_tcti_deinit(void) --{ -- if (tcti_ctx) { -- Tss2_TctiLdr_Finalize(&tcti_ctx); -- } --} -+GNUTLS_ONCE(tpm2_esys_once); - - static void --tcti_once_init(void) -+tpm2_esys_once_init(void) - { - const char *tcti; - const char * const tcti_vars[] = { -@@ -718,6 +874,11 @@ tcti_once_init(void) - size_t i; - TSS2_RC rc; - -+ if (init_tss2_funcs() < 0) { -+ _gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n"); -+ return; -+ } -+ - for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) { - tcti = secure_getenv(tcti_vars[i]); - if (tcti && *tcti != '\0') { -@@ -727,7 +888,7 @@ tcti_once_init(void) - } - } - if (tcti && *tcti != '\0') { -- rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx); -+ rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx); - if (rc) { - _gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n", - rc); -@@ -735,13 +896,35 @@ tcti_once_init(void) - } - } - -+/* called by the global destructor through _gnutls_tpm2_deinit */ -+void -+tpm2_esys_deinit(void) -+{ -+ if (tcti_ctx) { -+ _gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx); -+ tcti_ctx = NULL; -+ } -+ if (_gnutls_tss2_esys_dlhandle) { -+ dlclose(_gnutls_tss2_esys_dlhandle); -+ _gnutls_tss2_esys_dlhandle = NULL; -+ } -+ if (_gnutls_tss2_mu_dlhandle) { -+ dlclose(_gnutls_tss2_mu_dlhandle); -+ _gnutls_tss2_mu_dlhandle = NULL; -+ } -+ if (_gnutls_tss2_tctildr_dlhandle) { -+ dlclose(_gnutls_tss2_tctildr_dlhandle); -+ _gnutls_tss2_tctildr_dlhandle = NULL; -+ } -+} -+ - int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, - unsigned int parent, bool emptyauth, - gnutls_datum_t *privdata, gnutls_datum_t *pubdata) - { - TSS2_RC rc; - -- (void)gnutls_once(&tcti_once, tcti_once_init); -+ (void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init); - - if (!tcti_ctx) { - return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -757,16 +940,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, - - info->parent = parent; - -- rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, -- &info->priv); -+ rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, -+ &info->priv); - if (rc) { - _gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n", - rc); - return gnutls_assert_val(GNUTLS_E_TPM_ERROR); - } - -- rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL, -- &info->pub); -+ rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL, -+ &info->pub); - if (rc) { - _gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n", - rc); -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 529f1cc077..64ce470a02 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start - psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \ - sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \ -- server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh -+ server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \ -+ sanity-lib.sh - - if !DISABLE_SYSTEM_CONFIG - dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ -diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh -new file mode 100644 -index 0000000000..1e3612781b ---- /dev/null -+++ b/tests/sanity-lib.sh -@@ -0,0 +1,40 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Author: Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU Lesser General Public License -+# along with this program. If not, see -+ -+: ${top_builddir=..} -+: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}} -+: ${LDD=ldd} -+: ${LIBTOOL=libtool} -+ -+if ! test -x "${CLI_DEBUG}"; then -+ exit 77 -+fi -+ -+# ldd.sh doesn't check recursive dependencies -+${LDD} --version >/dev/null || exit 77 -+ -+# We use gnutls-cli-debug, as it has the fewest dependencies among our -+# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound). -+if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \ -+ grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then -+ echo "gnutls-cli-debug links to other crypto library" -+ exit 1 -+fi -diff --git a/tests/tpm2.sh b/tests/tpm2.sh -index 854986c552..6f8e44c64b 100755 ---- a/tests/tpm2.sh -+++ b/tests/tpm2.sh -@@ -21,8 +21,6 @@ - # along with GnuTLS; if not, write to the Free Software Foundation, - # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - --set +e -- - : ${srcdir=.} - : ${CERTTOOL=../src/certtool${EXEEXT}} - KEYPEMFILE=tpmkey.$$.key.pem -@@ -192,6 +190,10 @@ run_tests() - - echo " - Generating ${KEYPEMFILE}" - tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE} -+ if [ $? -ne 0 ]; then -+ echo "unable to generate key" -+ return 1 -+ fi - cat ${KEYPEMFILE} - - echo " - Generating certificate based on key" -@@ -200,6 +202,10 @@ run_tests() - "${CERTTOOL}" --generate-self-signed -d 3 \ - --load-privkey "${KEYPEMFILE}" \ - --template "${srcdir}/cert-tests/templates/template-test.tmpl" -+ if [ $? -ne 0 ]; then -+ echo "unable to generate certificate" -+ return 1 -+ fi - - if test "${kalg}" = "rsa";then - echo " - Generating RSA-PSS certificate based on key" -@@ -207,6 +213,10 @@ run_tests() - --load-privkey "${KEYPEMFILE}" \ - --sign-params rsa-pss \ - --template "${srcdir}/cert-tests/templates/template-test.tmpl" -+ if [ $? -ne 0 ]; then -+ echo "unable to generate certificate" -+ return 1 -+ fi - fi - - stop_swtpm --- -2.34.1 - diff --git a/gnutls-3.7.3-max-algos.patch b/gnutls-3.7.3-max-algos.patch deleted file mode 100644 index d283ceb..0000000 --- a/gnutls-3.7.3-max-algos.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b5a2cbce49d94a04a68acbbc31caaa0c5d7b3321 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Fri, 18 Feb 2022 11:05:15 +0100 -Subject: [PATCH] bump GNUTLS_MAX_ALGORITHM_NUM / MAX_ALGOS - -Fedora 36 LEGACY crypto-policy uses allowlisting format -and is long enough to blow past the 64 priority string -elements mark, causing, effectively, priority string truncation. - -Signed-off-by: Alexander Sosedkin ---- - lib/includes/gnutls/gnutls.h.in | 2 +- - lib/priority.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in -index 6359a0edb6..16140c8787 100644 ---- a/lib/includes/gnutls/gnutls.h.in -+++ b/lib/includes/gnutls/gnutls.h.in -@@ -408,7 +408,7 @@ typedef enum { - /* exported for other gnutls headers. This is the maximum number of - * algorithms (ciphers, kx or macs). - */ --#define GNUTLS_MAX_ALGORITHM_NUM 64 -+#define GNUTLS_MAX_ALGORITHM_NUM 128 - #define GNUTLS_MAX_SESSION_ID_SIZE 32 - - -diff --git a/lib/priority.c b/lib/priority.c -index 54d7b1bb45..e7698ba7eb 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -43,7 +43,7 @@ - #include "profiles.h" - #include "name_val_array.h" - --#define MAX_ELEMENTS 64 -+#define MAX_ELEMENTS GNUTLS_MAX_ALGORITHM_NUM - - #define ENABLE_PROFILE(c, profile) do { \ - c->additional_verify_flags &= 0x00ffffff; \ --- -2.34.1 - diff --git a/gnutls-3.7.6-aes-gcm-pt-limit.patch b/gnutls-3.7.6-aes-gcm-pt-limit.patch deleted file mode 100644 index dd32866..0000000 --- a/gnutls-3.7.6-aes-gcm-pt-limit.patch +++ /dev/null @@ -1,720 +0,0 @@ -From 2f61f102169e4d6652c9b82246353cd276366809 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 27 Jun 2022 11:14:50 +0900 -Subject: [PATCH] cipher: limit plaintext length supplied to AES-GCM - -According to SP800-38D 5.2.1.1, input data length of AES-GCM -encryption function must be less than or equal to 2^39-256 bits. - -Signed-off-by: Daiki Ueno ---- - NEWS | 3 + - lib/accelerated/aarch64/aes-aarch64.h | 15 ++++ - lib/accelerated/aarch64/aes-gcm-aarch64.c | 9 +++ - lib/accelerated/x86/aes-gcm-padlock.c | 29 ++++--- - lib/accelerated/x86/aes-gcm-x86-aesni.c | 30 +++++--- - lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c | 9 +++ - lib/accelerated/x86/aes-gcm-x86-pclmul.c | 9 +++ - lib/accelerated/x86/aes-gcm-x86-ssse3.c | 30 +++++--- - lib/accelerated/x86/aes-x86.h | 15 ++++ - lib/nettle/cipher.c | 41 ++++++++++ - tests/slow/cipher-api-test.c | 79 ++++++++++++++++++++ - 11 files changed, 240 insertions(+), 29 deletions(-) - -diff --git a/lib/accelerated/aarch64/aes-aarch64.h b/lib/accelerated/aarch64/aes-aarch64.h -index 692d8620d7..0e64f4ed8d 100644 ---- a/lib/accelerated/aarch64/aes-aarch64.h -+++ b/lib/accelerated/aarch64/aes-aarch64.h -@@ -20,6 +20,21 @@ typedef struct { - if (s != 16 && s != 24 && s != 32) \ - return GNUTLS_E_INVALID_REQUEST - -+#include -+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32) -+static inline int -+record_aes_gcm_encrypt_size(size_t *counter, size_t size) { -+ size_t sum; -+ -+ if (!INT_ADD_OK(*counter, size, &sum) || -+ sum > AES_GCM_ENCRYPT_MAX_BYTES) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ *counter = sum; -+ -+ return 0; -+} -+ - int aes_v8_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); - int aes_v8_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); - void aes_v8_cbc_encrypt(const unsigned char *in, unsigned char *out, -diff --git a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c -index 901bd9f60f..be1e69c784 100644 ---- a/lib/accelerated/aarch64/aes-gcm-aarch64.c -+++ b/lib/accelerated/aarch64/aes-gcm-aarch64.c -@@ -62,6 +62,7 @@ struct aes_gcm_ctx { - struct gcm128_context gcm; - unsigned finished; - unsigned auth_finished; -+ size_t rekey_counter; - }; - - void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]); -@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize) - ctx->gcm.H.u[1] = bswap_64(ctx->gcm.H.u[1]); - - gcm_init_v8(ctx->gcm.Htable, ctx->gcm.H.u); -+ ctx->rekey_counter = 0; - - return 0; - } -@@ -141,6 +143,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2; - ctx->finished = 0; - ctx->auth_finished = 0; -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -229,6 +232,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - int exp_blocks = blocks * GCM_BLOCK_SIZE; - int rest = src_size - (exp_blocks); - uint32_t counter; -+ int ret; - - if (unlikely(ctx->finished)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -236,6 +240,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ - if (blocks > 0) { - ctr32_encrypt_blocks(src, dst, - blocks, -diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c -index a9c7441d65..739883ab1b 100644 ---- a/lib/accelerated/x86/aes-gcm-padlock.c -+++ b/lib/accelerated/x86/aes-gcm-padlock.c -@@ -43,7 +43,10 @@ - * Actually padlock doesn't include GCM mode. We just use - * the ECB part of padlock and nettle for everything else. - */ --struct gcm_padlock_aes_ctx GCM_CTX(struct padlock_ctx); -+struct gcm_padlock_aes_ctx { -+ struct GCM_CTX(struct padlock_ctx) inner; -+ size_t rekey_counter; -+}; - - static void padlock_aes_encrypt(const void *_ctx, - size_t length, uint8_t * dst, -@@ -78,7 +81,7 @@ static void padlock_aes256_set_encrypt_key(struct padlock_ctx *_ctx, - - static void aes_gcm_deinit(void *_ctx) - { -- struct padlock_ctx *ctx = _ctx; -+ struct gcm_padlock_aes_ctx *ctx = _ctx; - - zeroize_temp_key(ctx, sizeof(*ctx)); - gnutls_free(ctx); -@@ -108,14 +111,15 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize) - struct gcm_padlock_aes_ctx *ctx = _ctx; - - if (keysize == 16) { -- GCM_SET_KEY(ctx, padlock_aes128_set_encrypt_key, padlock_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, padlock_aes128_set_encrypt_key, padlock_aes_encrypt, - key); - } else if (keysize == 32) { -- GCM_SET_KEY(ctx, padlock_aes256_set_encrypt_key, padlock_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, padlock_aes256_set_encrypt_key, padlock_aes_encrypt, - key); - } else - return GNUTLS_E_INVALID_REQUEST; - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -126,8 +130,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - if (iv_size != GCM_BLOCK_SIZE - 4) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -- GCM_SET_IV(ctx, iv_size, iv); -+ GCM_SET_IV(&ctx->inner, iv_size, iv); - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -136,11 +141,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - void *dst, size_t length) - { - struct gcm_padlock_aes_ctx *ctx = _ctx; -+ int ret; - - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_ENCRYPT(ctx, padlock_aes_encrypt, src_size, dst, src); -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ -+ GCM_ENCRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src); - - return 0; - } -@@ -154,7 +165,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(dst_size < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_DECRYPT(ctx, padlock_aes_encrypt, src_size, dst, src); -+ GCM_DECRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src); - return 0; - } - -@@ -162,7 +173,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) - { - struct gcm_padlock_aes_ctx *ctx = _ctx; - -- GCM_UPDATE(ctx, src_size, src); -+ GCM_UPDATE(&ctx->inner, src_size, src); - - return 0; - } -@@ -171,7 +182,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) - { - struct gcm_padlock_aes_ctx *ctx = _ctx; - -- GCM_DIGEST(ctx, padlock_aes_encrypt, tagsize, tag); -+ GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tagsize, tag); - } - - #include "aes-gcm-aead.h" -diff --git a/lib/accelerated/x86/aes-gcm-x86-aesni.c b/lib/accelerated/x86/aes-gcm-x86-aesni.c -index b0edaebfba..3be63ddd97 100644 ---- a/lib/accelerated/x86/aes-gcm-x86-aesni.c -+++ b/lib/accelerated/x86/aes-gcm-x86-aesni.c -@@ -36,12 +36,14 @@ - #include - #include - #include --#include - - /* GCM mode - * It is used when the CPU doesn't include the PCLMUL instructions. - */ --struct gcm_x86_aes_ctx GCM_CTX(AES_KEY); -+struct gcm_x86_aes_ctx { -+ struct GCM_CTX(AES_KEY) inner; -+ size_t rekey_counter; -+}; - - static void x86_aes_encrypt(const void *_ctx, - size_t length, uint8_t * dst, -@@ -101,17 +103,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t length) - struct gcm_x86_aes_ctx *ctx = _ctx; - - if (length == 16) { -- GCM_SET_KEY(ctx, x86_aes128_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes128_set_encrypt_key, x86_aes_encrypt, - key); - } else if (length == 24) { -- GCM_SET_KEY(ctx, x86_aes192_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes192_set_encrypt_key, x86_aes_encrypt, - key); - } else if (length == 32) { -- GCM_SET_KEY(ctx, x86_aes256_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes256_set_encrypt_key, x86_aes_encrypt, - key); - } else - return GNUTLS_E_INVALID_REQUEST; - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -122,8 +125,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - if (iv_size != GCM_BLOCK_SIZE - 4) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -- GCM_SET_IV(ctx, iv_size, iv); -+ GCM_SET_IV(&ctx->inner, iv_size, iv); - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -132,11 +136,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - void *dst, size_t length) - { - struct gcm_x86_aes_ctx *ctx = _ctx; -+ int ret; - - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src); -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ -+ GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); - - return 0; - } -@@ -150,7 +160,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(dst_size < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src); -+ GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); - return 0; - } - -@@ -158,7 +168,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) - { - struct gcm_x86_aes_ctx *ctx = _ctx; - -- GCM_UPDATE(ctx, src_size, src); -+ GCM_UPDATE(&ctx->inner, src_size, src); - - return 0; - } -@@ -167,7 +177,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) - { - struct gcm_x86_aes_ctx *ctx = _ctx; - -- GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag); -+ GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag); - } - - static void aes_gcm_deinit(void *_ctx) -diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c -index 21aef94440..fbefe432f4 100644 ---- a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c -+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c -@@ -61,6 +61,7 @@ struct aes_gcm_ctx { - struct gcm128_context gcm; - unsigned finished; - unsigned auth_finished; -+ size_t rekey_counter; - }; - - void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]); -@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize) - - gcm_init_avx(ctx->gcm.Htable, ctx->gcm.H.u); - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2; - ctx->finished = 0; - ctx->auth_finished = 0; -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - int exp_blocks = blocks * GCM_BLOCK_SIZE; - int rest = src_size - (exp_blocks); - uint32_t counter; -+ int ret; - - if (unlikely(ctx->finished)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ - if (blocks > 0) { - aesni_ctr32_encrypt_blocks(src, dst, - blocks, -diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul.c b/lib/accelerated/x86/aes-gcm-x86-pclmul.c -index e6b4990cbf..5385acbb6b 100644 ---- a/lib/accelerated/x86/aes-gcm-x86-pclmul.c -+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul.c -@@ -60,6 +60,7 @@ struct aes_gcm_ctx { - struct gcm128_context gcm; - unsigned finished; - unsigned auth_finished; -+ size_t rekey_counter; - }; - - void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]); -@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize) - - gcm_init_clmul(ctx->gcm.Htable, ctx->gcm.H.u); - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2; - ctx->finished = 0; - ctx->auth_finished = 0; -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - int exp_blocks = blocks * GCM_BLOCK_SIZE; - int rest = src_size - (exp_blocks); - uint32_t counter; -+ int ret; - - if (unlikely(ctx->finished)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ - if (blocks > 0) { - aesni_ctr32_encrypt_blocks(src, dst, - blocks, -diff --git a/lib/accelerated/x86/aes-gcm-x86-ssse3.c b/lib/accelerated/x86/aes-gcm-x86-ssse3.c -index 7a2ac50869..f074cb1096 100644 ---- a/lib/accelerated/x86/aes-gcm-x86-ssse3.c -+++ b/lib/accelerated/x86/aes-gcm-x86-ssse3.c -@@ -36,13 +36,15 @@ - #include - #include - #include --#include - #include - - /* GCM mode - * It is used when the CPU doesn't include the PCLMUL instructions. - */ --struct gcm_x86_aes_ctx GCM_CTX(AES_KEY); -+struct gcm_x86_aes_ctx { -+ struct GCM_CTX(AES_KEY) inner; -+ size_t rekey_counter; -+}; - - static void x86_aes_encrypt(const void *_ctx, - size_t length, uint8_t * dst, -@@ -110,17 +112,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize) - struct gcm_x86_aes_ctx *ctx = _ctx; - - if (keysize == 16) { -- GCM_SET_KEY(ctx, x86_aes_128_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes_128_set_encrypt_key, x86_aes_encrypt, - key); - } else if (keysize == 24) { -- GCM_SET_KEY(ctx, x86_aes_192_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes_192_set_encrypt_key, x86_aes_encrypt, - key); - } else if (keysize == 32) { -- GCM_SET_KEY(ctx, x86_aes_256_set_encrypt_key, x86_aes_encrypt, -+ GCM_SET_KEY(&ctx->inner, x86_aes_256_set_encrypt_key, x86_aes_encrypt, - key); - } else - return GNUTLS_E_INVALID_REQUEST; - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -131,8 +134,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) - if (iv_size != GCM_BLOCK_SIZE - 4) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -- GCM_SET_IV(ctx, iv_size, iv); -+ GCM_SET_IV(&ctx->inner, iv_size, iv); - -+ ctx->rekey_counter = 0; - return 0; - } - -@@ -141,11 +145,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, - void *dst, size_t length) - { - struct gcm_x86_aes_ctx *ctx = _ctx; -+ int ret; - - if (unlikely(length < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src); -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); -+ if (ret < 0) { -+ return gnutls_assert_val(ret); -+ } -+ -+ GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); - - return 0; - } -@@ -159,7 +169,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size, - if (unlikely(dst_size < src_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -- GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src); -+ GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); - return 0; - } - -@@ -167,7 +177,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) - { - struct gcm_x86_aes_ctx *ctx = _ctx; - -- GCM_UPDATE(ctx, src_size, src); -+ GCM_UPDATE(&ctx->inner, src_size, src); - - return 0; - } -@@ -176,7 +186,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) - { - struct gcm_x86_aes_ctx *ctx = _ctx; - -- GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag); -+ GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag); - } - - static void aes_gcm_deinit(void *_ctx) -diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h -index 023b5f7be6..349d3d5d9c 100644 ---- a/lib/accelerated/x86/aes-x86.h -+++ b/lib/accelerated/x86/aes-x86.h -@@ -22,6 +22,21 @@ typedef struct { - if (s != 16 && s != 24 && s != 32) \ - return GNUTLS_E_INVALID_REQUEST - -+#include -+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32) -+static inline int -+record_aes_gcm_encrypt_size(size_t *counter, size_t size) { -+ size_t sum; -+ -+ if (!INT_ADD_OK(*counter, size, &sum) || -+ sum > AES_GCM_ENCRYPT_MAX_BYTES) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ *counter = sum; -+ -+ return 0; -+} -+ - void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const AES_KEY * key, int enc); - -diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c -index ab4c46d2d0..b41862d1ea 100644 ---- a/lib/nettle/cipher.c -+++ b/lib/nettle/cipher.c -@@ -63,6 +63,7 @@ - #include - #include - #include -+#include - - struct nettle_cipher_ctx; - -@@ -120,8 +121,23 @@ struct nettle_cipher_ctx { - unsigned iv_size; - - bool enc; -+ size_t rekey_counter; - }; - -+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32) -+static inline int -+record_aes_gcm_encrypt_size(size_t *counter, size_t size) { -+ size_t sum; -+ -+ if (!INT_ADD_OK(*counter, size, &sum) || -+ sum > AES_GCM_ENCRYPT_MAX_BYTES) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ *counter = sum; -+ -+ return 0; -+} -+ - static void - _stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst, - const uint8_t * src) -@@ -1133,6 +1149,16 @@ wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize) - else - ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key); - -+ switch (ctx->cipher->algo) { -+ case GNUTLS_CIPHER_AES_128_GCM: -+ case GNUTLS_CIPHER_AES_192_GCM: -+ case GNUTLS_CIPHER_AES_256_GCM: -+ ctx->rekey_counter = 0; -+ break; -+ default: -+ break; -+ } -+ - return 0; - } - -@@ -1147,6 +1173,7 @@ wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size) - case GNUTLS_CIPHER_AES_192_GCM: - case GNUTLS_CIPHER_AES_256_GCM: - FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, "access to short GCM nonce size\n"); -+ ctx->rekey_counter = 0; - break; - case GNUTLS_CIPHER_SALSA20_256: - case GNUTLS_CIPHER_ESTREAM_SALSA20_256: -@@ -1207,10 +1234,24 @@ wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, size_t plain_size, - void *encr, size_t encr_size) - { - struct nettle_cipher_ctx *ctx = _ctx; -+ int ret; - - if (unlikely(ctx->cipher->encrypt == NULL)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -+ switch (ctx->cipher->algo) { -+ case GNUTLS_CIPHER_AES_128_GCM: -+ case GNUTLS_CIPHER_AES_192_GCM: -+ case GNUTLS_CIPHER_AES_256_GCM: -+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, plain_size); -+ if (ret < 0) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ default: -+ break; -+ } -+ - ctx->cipher->encrypt(ctx, plain_size, encr, plain); - - return 0; -diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c -index fc880bcc9f..1d267ce312 100644 ---- a/tests/slow/cipher-api-test.c -+++ b/tests/slow/cipher-api-test.c -@@ -21,6 +21,7 @@ - */ - - #include -+#include - #include - #include - #include -@@ -48,6 +49,11 @@ int main(int argc, char **argv) - #include - #include - -+#define AES_GCM_ENCRYPT_PLAINTEXT_MAX ((1ULL << 36) - 32) -+#if SIZE_MAX >= AES_GCM_ENCRYPT_PLAINTEXT_MAX -+#define TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE 1 -+#endif -+ - static void tls_log_func(int level, const char *str) - { - fprintf(stderr, "<%d>| %s", level, str); -@@ -401,6 +407,74 @@ static void test_aead_invalid_short_decrypt(int algo) - return; - } - -+#ifdef TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE -+/* Test whether an invalid call to gnutls_cipher_encrypt() with too -+ * long message is caught */ -+static void test_aead_invalid_too_long_encrypt(int algo) -+{ -+ int ret; -+ gnutls_cipher_hd_t ch; -+ uint8_t key16[64]; -+ uint8_t iv16[32]; -+ uint8_t data[128]; -+ gnutls_datum_t key, iv; -+ -+ if (algo != GNUTLS_CIPHER_AES_128_GCM && -+ algo != GNUTLS_CIPHER_AES_192_GCM && -+ algo != GNUTLS_CIPHER_AES_256_GCM) { -+ return; -+ } -+ -+ key.data = key16; -+ key.size = gnutls_cipher_get_key_size(algo); -+ assert(key.size <= sizeof(key16)); -+ -+ iv.data = iv16; -+ iv.size = gnutls_cipher_get_iv_size(algo); -+ assert(iv.size <= sizeof(iv16)); -+ -+ memset(iv.data, 0xff, iv.size); -+ memset(key.data, 0xfe, key.size); -+ memset(data, 0xfa, sizeof(data)); -+ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ ret = global_init(); -+ if (ret < 0) { -+ fail("Cannot initialize library\n"); /*errcode 1 */ -+ } -+ -+ ret = gnutls_cipher_init(&ch, algo, &key, &iv); -+ if (ret < 0) -+ fail("gnutls_cipher_init failed\n"); /*errcode 1 */ -+ -+ /* Test exceeding AES-GCM plaintext limit */ -+ ret = gnutls_cipher_encrypt(ch, data, sizeof(data)); -+ if (ret < 0) -+ fail("could not encrypt data\n"); -+ -+ /* A few blocks larger than AES_GCM_ENCRYPT_PLAINTEXT_MAX combined with -+ * the previous call. Use NULL for PLAINTEXT so the access to the first -+ * block always results in page fault (in case the limit is not -+ * enforced). -+ */ -+ ret = gnutls_cipher_encrypt(ch, NULL, AES_GCM_ENCRYPT_PLAINTEXT_MAX); -+ if (ret >= 0) -+ fail("succeeded in encrypting too long data\n"); -+ if (ret != GNUTLS_E_INVALID_REQUEST) -+ fail("wrong kind of error on encrypting too long data," -+ "%s instead of GNUTLS_E_INVALID_REQUEST\n", -+ gnutls_strerror_name(ret)); -+ -+ gnutls_cipher_deinit(ch); -+ -+ gnutls_global_deinit(); -+ return; -+} -+#endif -+ - static void check_status(int status) - { - if (WEXITSTATUS(status) != 0 || -@@ -464,6 +538,11 @@ void start(const char *name, int algo, unsigned aead) - - success("trying %s: test_aead_invalid_short_decrypt\n", name); - fork_subtest(test_aead_invalid_short_decrypt, algo); -+ -+#if TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE -+ success("trying %s: test_aead_invalid_too_long_encrypt\n", name); -+ fork_subtest(test_aead_invalid_too_long_encrypt, algo); -+#endif - } - } - --- -2.37.1 - diff --git a/gnutls-3.7.6-cpuid-fixes.patch b/gnutls-3.7.6-cpuid-fixes.patch deleted file mode 100644 index a77c84d..0000000 --- a/gnutls-3.7.6-cpuid-fixes.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 8ff391fa011e02c88b0d099061ca62e88ab68011 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 15 Aug 2022 09:39:18 +0900 -Subject: [PATCH] accelerated: clear AVX bits if it cannot be queried through - XSAVE -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32 -Architectures Software Developer’s Manual". - -GnuTLS previously only followed that algorithm when registering the -crypto backend, while the CRYPTOGAMS derived SHA code assembly expects -that the extension bits are propagated to _gnutls_x86_cpuid_s. - -Signed-off-by: Daiki Ueno ---- - lib/accelerated/x86/x86-common.c | 49 +++++++++++++++++++++++++------- - 1 file changed, 38 insertions(+), 11 deletions(-) - -diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c -index 7ddaa594e6..b7a88ddeca 100644 ---- a/lib/accelerated/x86/x86-common.c -+++ b/lib/accelerated/x86/x86-common.c -@@ -81,6 +81,26 @@ unsigned int _gnutls_x86_cpuid_s[4]; - # define bit_AVX 0x10000000 - #endif - -+#ifndef bit_AVX2 -+# define bit_AVX2 0x00000020 -+#endif -+ -+#ifndef bit_AVX512F -+# define bit_AVX512F 0x00010000 -+#endif -+ -+#ifndef bit_AVX512IFMA -+# define bit_AVX512IFMA 0x00200000 -+#endif -+ -+#ifndef bit_AVX512BW -+# define bit_AVX512BW 0x40000000 -+#endif -+ -+#ifndef bit_AVX512VL -+# define bit_AVX512VL 0x80000000 -+#endif -+ - #ifndef bit_OSXSAVE - # define bit_OSXSAVE 0x8000000 - #endif -@@ -89,10 +109,6 @@ unsigned int _gnutls_x86_cpuid_s[4]; - # define bit_MOVBE 0x00400000 - #endif - --#ifndef OSXSAVE_MASK --# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE) --#endif -- - #define bit_PADLOCK (0x3 << 6) - #define bit_PADLOCK_PHE (0x3 << 10) - #define bit_PADLOCK_PHE_SHA512 (0x3 << 25) -@@ -148,7 +164,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx) - { - uint32_t xcr0; - -- if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK) -+ if ((ecx & bit_OSXSAVE) != bit_OSXSAVE) - return 0; - - #if defined(_MSC_VER) && !defined(__clang__) -@@ -190,8 +206,9 @@ static void capabilities_to_intel_cpuid(unsigned capabilities) - } - - if (capabilities & INTEL_AVX) { -- if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) { -- _gnutls_x86_cpuid_s[1] |= bit_AVX|OSXSAVE_MASK; -+ if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) && -+ check_4th_gen_intel_features(a[1])) { -+ _gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE; - } else { - _gnutls_debug_log - ("AVX acceleration requested but not available\n"); -@@ -236,10 +253,7 @@ static unsigned check_sha(void) - #ifdef ASM_X86_64 - static unsigned check_avx_movbe(void) - { -- if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0) -- return 0; -- -- return ((_gnutls_x86_cpuid_s[1] & bit_AVX)); -+ return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE); - } - - static unsigned check_pclmul(void) -@@ -884,6 +898,19 @@ void register_x86_intel_crypto(unsigned capabilities) - if (capabilities == 0) { - if (!read_cpuid_vals(_gnutls_x86_cpuid_s)) - return; -+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) { -+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX; -+ -+ /* Clear AVX2 bits as well, according to what -+ * OpenSSL does. Should we clear -+ * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, -+ * and bit_AVX512CD? */ -+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2| -+ bit_AVX512F| -+ bit_AVX512IFMA| -+ bit_AVX512BW| -+ bit_AVX512BW); -+ } - } else { - capabilities_to_intel_cpuid(capabilities); - } --- -2.37.2 - diff --git a/gnutls-3.7.6-drbg-reseed.patch b/gnutls-3.7.6-drbg-reseed.patch index 8fd5f58..a8e88e4 100644 --- a/gnutls-3.7.6-drbg-reseed.patch +++ b/gnutls-3.7.6-drbg-reseed.patch @@ -1,6 +1,6 @@ -From 3035e884b3abc68bcebff5adec5bd8819bbc6d7b Mon Sep 17 00:00:00 2001 +From 968de8a9779788a853a4c0cd75beda779cb15f52 Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Fri, 5 Aug 2022 16:16:42 +0900 +Date: Thu, 16 Nov 2023 17:09:58 +0900 Subject: [PATCH] gnutls-3.7.6-drbg-reseed.patch Signed-off-by: rpm-build @@ -9,21 +9,21 @@ Signed-off-by: rpm-build 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/nettle/sysrng-linux.c b/lib/nettle/sysrng-linux.c -index 6b3971c..dae9061 100644 +index 25d74fe..8b9cc46 100644 --- a/lib/nettle/sysrng-linux.c +++ b/lib/nettle/sysrng-linux.c @@ -31,6 +31,9 @@ - # include - # include - # include -+# include "fips.h" + #include "num.h" + #include + #include "rnd-common.h" ++#include "fips.h" +#else -+# define _gnutls_fips_mode_enabled() 0 ++#define _gnutls_fips_mode_enabled() 0 #endif #include -@@ -103,7 +106,12 @@ static int force_getrandom(void *buf, size_t buflen, unsigned int flags) - static int _rnd_get_system_entropy_getrandom(void* _rnd, size_t size) +@@ -104,7 +107,12 @@ static int force_getrandom(void *buf, size_t buflen, unsigned int flags) + static int _rnd_get_system_entropy_getrandom(void *_rnd, size_t size) { int ret; - ret = force_getrandom(_rnd, size, 0); @@ -37,5 +37,5 @@ index 6b3971c..dae9061 100644 int e = errno; gnutls_assert(); -- -2.37.1 +2.41.0 diff --git a/gnutls-3.7.6-fips-ccm-taglen.patch b/gnutls-3.7.6-fips-ccm-taglen.patch deleted file mode 100644 index 2ec015b..0000000 --- a/gnutls-3.7.6-fips-ccm-taglen.patch +++ /dev/null @@ -1,331 +0,0 @@ -From 26b2caef673aba8bfd10db3b1b8117f941c18e58 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 21 Oct 2022 15:48:39 +0900 -Subject: [PATCH] cipher: add restriction on CCM tag length under FIPS mode - -This change prohibits any use of tag length other than 4, 6, 8, 10, -12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with -SP800-38C A.1. While use of tag lengths smaller than 8 bytes is not -recommended, we simply allow 4 and 6 bytes tags for now. - -Signed-off-by: Daiki Ueno ---- - lib/accelerated/aarch64/aes-ccm-aarch64.c | 39 ++++++++++ - lib/accelerated/x86/aes-ccm-x86-aesni.c | 39 ++++++++++ - lib/nettle/cipher.c | 55 ++++++++++++++ - tests/fips-test.c | 87 ++++++++++++++++++++++- - 4 files changed, 218 insertions(+), 2 deletions(-) - -diff --git a/lib/accelerated/aarch64/aes-ccm-aarch64.c b/lib/accelerated/aarch64/aes-ccm-aarch64.c -index a2ba259e99..b415d4ddfb 100644 ---- a/lib/accelerated/aarch64/aes-ccm-aarch64.c -+++ b/lib/accelerated/aarch64/aes-ccm-aarch64.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - - typedef struct ccm_aarch64_aes_ctx { - AES_KEY key; -@@ -103,6 +104,25 @@ aes_ccm_aead_encrypt(void *_ctx, - if (unlikely(encr_size < plain_size + tag_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 -+ * and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 should not be used -+ * under sufficient restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ - ccm_encrypt_message(&ctx->key, aarch64_aes_encrypt, - nonce_size, nonce, - auth_size, auth, -@@ -129,6 +149,25 @@ aes_ccm_aead_decrypt(void *_ctx, - if (unlikely(plain_size < encr_size - tag_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 -+ * and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 should not be used -+ * under sufficient restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ - ret = ccm_decrypt_message(&ctx->key, aarch64_aes_encrypt, - nonce_size, nonce, - auth_size, auth, -diff --git a/lib/accelerated/x86/aes-ccm-x86-aesni.c b/lib/accelerated/x86/aes-ccm-x86-aesni.c -index 701c0f992a..9ebbdd7b2a 100644 ---- a/lib/accelerated/x86/aes-ccm-x86-aesni.c -+++ b/lib/accelerated/x86/aes-ccm-x86-aesni.c -@@ -37,6 +37,7 @@ - #include - #include - #include -+#include - - typedef struct ccm_x86_aes_ctx { - AES_KEY key; -@@ -95,6 +96,25 @@ aes_ccm_aead_encrypt(void *_ctx, - if (unlikely(encr_size < plain_size + tag_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 -+ * and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 should not be used -+ * under sufficient restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ - ccm_encrypt_message(&ctx->key, x86_aes_encrypt, - nonce_size, nonce, - auth_size, auth, -@@ -121,6 +141,25 @@ aes_ccm_aead_decrypt(void *_ctx, - if (unlikely(plain_size < encr_size - tag_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 between 32 -+ * and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 should not be used -+ * under sufficient restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ - ret = ccm_decrypt_message(&ctx->key, x86_aes_encrypt, - nonce_size, nonce, - auth_size, auth, -diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c -index 9c2ce19e7e..8c23d11252 100644 ---- a/lib/nettle/cipher.c -+++ b/lib/nettle/cipher.c -@@ -1253,6 +1253,34 @@ wrap_nettle_cipher_aead_encrypt(void *_ctx, - ctx->cipher->tag(ctx->ctx_ptr, tag_size, ((uint8_t*)encr) + plain_size); - } else { - /* CCM-style cipher */ -+ -+ switch (ctx->cipher->algo) { -+ case GNUTLS_CIPHER_AES_128_CCM: -+ case GNUTLS_CIPHER_AES_256_CCM: -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 -+ * between 32 and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 -+ * should not be used under sufficient -+ * restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ break; -+ default: -+ break; -+ } -+ - ctx->cipher->aead_encrypt(ctx, - nonce_size, nonce, - auth_size, auth, -@@ -1302,6 +1330,33 @@ wrap_nettle_cipher_aead_decrypt(void *_ctx, - if (unlikely(plain_size < encr_size)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -+ switch (ctx->cipher->algo) { -+ case GNUTLS_CIPHER_AES_128_CCM: -+ case GNUTLS_CIPHER_AES_256_CCM: -+ /* SP800-38C A.1 says Tlen must be a multiple of 16 -+ * between 32 and 128. -+ */ -+ switch (tag_size) { -+ case 4: case 6: -+ /* SP800-38C B.2 says Tlen smaller than 64 -+ * should not be used under sufficient -+ * restriction. We simply allow those for now. -+ */ -+ FALLTHROUGH; -+ case 8: case 10: case 12: case 14: case 16: -+ break; -+ default: -+ if (_gnutls_fips_mode_enabled()) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ break; -+ } -+ break; -+ default: -+ break; -+ } -+ - ret = ctx->cipher->aead_decrypt(ctx, - nonce_size, nonce, - auth_size, auth, -diff --git a/tests/fips-test.c b/tests/fips-test.c -index f7556d7bbb..c43503fba0 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -1,4 +1,5 @@ - #include -+#include - #include - #include - #include -@@ -213,14 +214,96 @@ test_cipher_disallowed(gnutls_cipher_algorithm_t cipher) - FIPS_POP_CONTEXT(ERROR); - } - -+static void -+test_ccm_cipher(gnutls_cipher_algorithm_t cipher, size_t tag_length, -+ bool expect_encryption_fail, -+ gnutls_fips140_operation_state_t expected_state) -+{ -+ int ret; -+ unsigned key_size = gnutls_cipher_get_key_size(cipher); -+ gnutls_aead_cipher_hd_t h; -+ gnutls_datum_t key = { key_data, key_size }; -+ unsigned char buffer[256]; -+ size_t length; -+ gnutls_memset(key_data, 0, key_size); -+ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_aead_cipher_init(&h, cipher, &key); -+ if (ret < 0) { -+ fail("gnutls_aead_cipher_init failed for %s\n", -+ gnutls_cipher_get_name(cipher)); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ fips_push_context(fips_context); -+ memset(buffer, 0, sizeof(buffer)); -+ length = sizeof(buffer); -+ ret = gnutls_aead_cipher_encrypt(h, iv_data, -+ gnutls_cipher_get_iv_size(cipher), -+ NULL, 0, tag_length, -+ buffer, length - tag_length, -+ buffer, &length); -+ if (expect_encryption_fail) { -+ if (ret != GNUTLS_E_INVALID_REQUEST) { -+ fail("gnutls_aead_cipher_encrypt(%s) returned %d " -+ "while %d is expected\n", -+ gnutls_cipher_get_name(cipher), -+ ret, GNUTLS_E_INVALID_REQUEST); -+ } -+ } else if (ret < 0) { -+ fail("gnutls_aead_cipher_encrypt failed for %s\n", -+ gnutls_cipher_get_name(cipher)); -+ } -+ fips_pop_context(fips_context, expected_state); -+ -+ fips_push_context(fips_context); -+ length = sizeof(buffer); -+ ret = gnutls_aead_cipher_decrypt(h, iv_data, -+ gnutls_cipher_get_iv_size(cipher), -+ NULL, 0, tag_length, -+ buffer, length, -+ buffer, &length); -+ if (expect_encryption_fail) { -+ if (ret != GNUTLS_E_INVALID_REQUEST) { -+ fail("gnutls_aead_cipher_decrypt(%s) returned %d " -+ "while %d is expected\n", -+ gnutls_cipher_get_name(cipher), -+ ret, GNUTLS_E_INVALID_REQUEST); -+ } -+ } else if (ret < 0) { -+ fail("gnutls_aead_cipher_decrypt failed for %s\n", -+ gnutls_cipher_get_name(cipher)); -+ } -+ fips_pop_context(fips_context, expected_state); -+ -+ gnutls_aead_cipher_deinit(h); -+} -+ - static inline void - test_ciphers(void) - { -+ size_t i; -+ - test_cipher_approved(GNUTLS_CIPHER_AES_128_CBC); - test_cipher_approved(GNUTLS_CIPHER_AES_192_CBC); - test_cipher_approved(GNUTLS_CIPHER_AES_256_CBC); -- test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM); -- test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM); -+ -+ /* Check for all allowed Tlen */ -+ for (i = 4; i <= 16; i += 2) { -+ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, i, -+ false, GNUTLS_FIPS140_OP_APPROVED); -+ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, i, -+ false, GNUTLS_FIPS140_OP_APPROVED); -+ } -+ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 3, -+ true, GNUTLS_FIPS140_OP_ERROR); -+ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 3, -+ true, GNUTLS_FIPS140_OP_ERROR); -+ test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 5, -+ true, GNUTLS_FIPS140_OP_ERROR); -+ test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 5, -+ true, GNUTLS_FIPS140_OP_ERROR); -+ - test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM_8); - test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM_8); - test_cipher_approved(GNUTLS_CIPHER_AES_128_CFB8); --- -2.38.1 - diff --git a/gnutls-3.7.6-fips-ecdsa-hash-check.patch b/gnutls-3.7.6-fips-ecdsa-hash-check.patch deleted file mode 100644 index 9280bb3..0000000 --- a/gnutls-3.7.6-fips-ecdsa-hash-check.patch +++ /dev/null @@ -1,427 +0,0 @@ -From 171b934a8c054e98b110892cae4130e1db64e656 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 29 Sep 2022 21:28:19 +0900 -Subject: [PATCH] gnutls-3.7.6-fips-ecdsa-hash-check.patch - ---- - lib/crypto-backend.h | 12 ++-- - lib/nettle/pk.c | 33 +++++----- - lib/privkey.c | 42 ++++++++---- - lib/pubkey.c | 5 +- - tests/fips-test.c | 150 ++++++++++++++++++++++++++++++++++++++++++- - 5 files changed, 205 insertions(+), 37 deletions(-) - -diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h -index f0f68c3..4dd1ae2 100644 ---- a/lib/crypto-backend.h -+++ b/lib/crypto-backend.h -@@ -247,11 +247,13 @@ typedef enum { - GNUTLS_PK_FLAG_RSA_PSS_FIXED_SALT_LENGTH = 4 - } gnutls_pk_flag_t; - --#define FIX_SIGN_PARAMS(params, flags, dig) do { \ -- if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ -- (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ -- (params).dsa_dig = (dig); \ -- } \ -+#define FIX_SIGN_PARAMS(params, flags, dig) do { \ -+ if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ -+ (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ -+ } \ -+ if ((params).pk == GNUTLS_PK_DSA || (params).pk == GNUTLS_PK_ECDSA) { \ -+ (params).dsa_dig = (dig); \ -+ } \ - } while (0) - - void gnutls_pk_params_release(gnutls_pk_params_st * p); -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index f38016b..c098e2a 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -1104,8 +1104,16 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - me = _gnutls_dsa_q_to_hash(pk_params, - &hash_len); - -+ if (hash_len > vdata->size) { -+ gnutls_assert(); -+ _gnutls_debug_log -+ ("Security level of algorithm requires hash %s(%d) or better\n", -+ _gnutls_mac_get_name(me), hash_len); -+ hash_len = vdata->size; -+ } -+ - /* Only SHA-2 is allowed in FIPS 140-3 */ -- switch (me->id) { -+ switch (DIG_TO_MAC(sign_params->dsa_dig)) { - case GNUTLS_MAC_SHA256: - case GNUTLS_MAC_SHA384: - case GNUTLS_MAC_SHA512: -@@ -1115,14 +1123,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - not_approved = true; - } - -- if (hash_len > vdata->size) { -- gnutls_assert(); -- _gnutls_debug_log -- ("Security level of algorithm requires hash %s(%d) or better\n", -- _gnutls_mac_get_name(me), hash_len); -- hash_len = vdata->size; -- } -- - mpz_init(k); - if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || - (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { -@@ -1545,7 +1545,6 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - struct dsa_signature sig; - int curve_id = pk_params->curve; - const struct ecc_curve *curve; -- const mac_entry_st *me; - - curve = get_supported_nist_curve(curve_id); - if (curve == NULL) { -@@ -1571,11 +1570,14 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - memcpy(sig.r, tmp[0], SIZEOF_MPZT); - memcpy(sig.s, tmp[1], SIZEOF_MPZT); - -- me = _gnutls_dsa_q_to_hash(pk_params, &hash_len); -+ (void)_gnutls_dsa_q_to_hash(pk_params, &hash_len); -+ -+ if (hash_len > vdata->size) -+ hash_len = vdata->size; - - /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy - * mode */ -- switch (me->id) { -+ switch (DIG_TO_MAC(sign_params->dsa_dig)) { - case GNUTLS_MAC_SHA1: - case GNUTLS_MAC_SHA256: - case GNUTLS_MAC_SHA384: -@@ -1586,9 +1588,6 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - not_approved = true; - } - -- if (hash_len > vdata->size) -- hash_len = vdata->size; -- - ret = - ecdsa_verify(&pub, hash_len, vdata->data, - &sig); -@@ -2390,8 +2389,10 @@ static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* param - - if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) { - unsigned hash_len; -+ const mac_entry_st *me; - -- _gnutls_dsa_q_to_hash(params, &hash_len); -+ me = _gnutls_dsa_q_to_hash(params, &hash_len); -+ spki.dsa_dig = MAC_TO_DIG(me->id); - gen_data = gnutls_malloc(hash_len); - gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len); - -diff --git a/lib/privkey.c b/lib/privkey.c -index 0b77443..2069fc0 100644 ---- a/lib/privkey.c -+++ b/lib/privkey.c -@@ -1251,27 +1251,36 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, - se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW); - } else { - se = _gnutls_sign_to_entry(algo); -- if (unlikely(se == NULL)) -- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -- -+ if (unlikely(se == NULL)) { -+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ goto cleanup; -+ } - } - - ret = _gnutls_privkey_get_spki_params(signer, ¶ms); - if (ret < 0) { - gnutls_assert(); -- return ret; -+ goto cleanup; - } - - ret = _gnutls_privkey_update_spki_params(signer, se->pk, se->hash, - flags, ¶ms); - if (ret < 0) { - gnutls_assert(); -- return ret; -+ goto cleanup; - } - - FIX_SIGN_PARAMS(params, flags, se->hash); - -- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); -+ ret = privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); -+ -+ cleanup: -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } -+ return ret; - } - - int -@@ -1366,14 +1375,14 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, - ret = _gnutls_privkey_get_spki_params(signer, ¶ms); - if (ret < 0) { - gnutls_assert(); -- return ret; -+ goto cleanup; - } - - ret = _gnutls_privkey_update_spki_params(signer, signer->pk_algorithm, - hash_algo, flags, ¶ms); - if (ret < 0) { - gnutls_assert(); -- return ret; -+ goto cleanup; - } - - /* legacy callers of this API could use a hash algorithm of 0 (unknown) -@@ -1391,13 +1400,22 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, - se = _gnutls_pk_to_sign_entry(params.pk, hash_algo); - } - -- if (unlikely(se == NULL)) -- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ if (unlikely(se == NULL)) { -+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ goto cleanup; -+ } - - FIX_SIGN_PARAMS(params, flags, hash_algo); - -- return privkey_sign_prehashed(signer, se, -- hash_data, signature, ¶ms); -+ ret = privkey_sign_prehashed(signer, se, -+ hash_data, signature, ¶ms); -+ cleanup: -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } -+ return ret; - } - - static int -diff --git a/lib/pubkey.c b/lib/pubkey.c -index eba1f5b..35126f3 100644 ---- a/lib/pubkey.c -+++ b/lib/pubkey.c -@@ -1985,7 +1985,7 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key, - * parameters (if any) with the signature algorithm */ - static - int fixup_spki_params(const gnutls_pk_params_st *key_params, const gnutls_sign_entry_st *se, -- const mac_entry_st *me, gnutls_x509_spki_st *params) -+ const mac_entry_st *me, gnutls_x509_spki_st *params) - { - unsigned bits; - -@@ -2018,6 +2018,9 @@ int fixup_spki_params(const gnutls_pk_params_st *key_params, const gnutls_sign_e - - if (params->rsa_pss_dig != se->hash) - return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR); -+ } else if (params->pk == GNUTLS_PK_DSA || -+ params->pk == GNUTLS_PK_ECDSA) { -+ params->dsa_dig = se->hash; - } - - return 0; -diff --git a/tests/fips-test.c b/tests/fips-test.c -index 788f4ab..ec0f4b4 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -80,8 +80,22 @@ static const gnutls_datum_t rsa2342_sha1_sig = { - .size = sizeof(rsa2342_sha1_sig_data), - }; - -+static const uint8_t ecc256_sha1_sig_data[] = { -+ 0x30, 0x45, 0x02, 0x21, 0x00, 0x9a, 0x28, 0xc9, 0xbf, 0xc8, 0x70, 0x4f, -+ 0x27, 0x2d, 0xe1, 0x66, 0xc4, 0xa5, 0xc6, 0xf2, 0xdc, 0x33, 0xb9, 0x41, -+ 0xdf, 0x78, 0x98, 0x8a, 0x22, 0x4d, 0x29, 0x37, 0xa0, 0x0f, 0x6f, 0xd4, -+ 0xed, 0x02, 0x20, 0x0b, 0x15, 0xca, 0x30, 0x09, 0x2d, 0x55, 0x44, 0xb4, -+ 0x1d, 0x3f, 0x48, 0x7a, 0xc3, 0xd1, 0x2a, 0xc1, 0x0e, 0x47, 0xfa, 0xe6, -+ 0xe9, 0x0f, 0x03, 0xe2, 0x01, 0x4e, 0xe4, 0x73, 0x37, 0xa7, 0x90, -+}; -+ -+static const gnutls_datum_t ecc256_sha1_sig = { -+ .data = (unsigned char *)ecc256_sha1_sig_data, -+ .size = sizeof(ecc256_sha1_sig_data), -+}; -+ - static void --rsa_import_keypair(gnutls_privkey_t *privkey, gnutls_pubkey_t *pubkey, -+import_keypair(gnutls_privkey_t *privkey, gnutls_pubkey_t *pubkey, - const char *filename) - { - const char *srcdir; -@@ -274,6 +288,8 @@ void doit(void) - gnutls_datum_t signature; - unsigned int bits; - uint8_t hmac[64]; -+ uint8_t hash[64]; -+ gnutls_datum_t hashed_data; - uint8_t pbkdf2[64]; - gnutls_datum_t temp_key = { NULL, 0 }; - -@@ -473,7 +489,7 @@ void doit(void) - - /* Import 2432-bit RSA key; not a security function */ - FIPS_PUSH_CONTEXT(); -- rsa_import_keypair(&privkey, &pubkey, "rsa-2432.pem"); -+ import_keypair(&privkey, &pubkey, "rsa-2432.pem"); - FIPS_POP_CONTEXT(INITIAL); - - /* Create a signature with 2432-bit RSA and SHA256; approved */ -@@ -519,7 +535,7 @@ void doit(void) - - /* Import 512-bit RSA key; not a security function */ - FIPS_PUSH_CONTEXT(); -- rsa_import_keypair(&privkey, &pubkey, "rsa-512.pem"); -+ import_keypair(&privkey, &pubkey, "rsa-512.pem"); - FIPS_POP_CONTEXT(INITIAL); - - /* Create a signature with 512-bit RSA and SHA256; not approved */ -@@ -543,6 +559,134 @@ void doit(void) - gnutls_pubkey_deinit(pubkey); - gnutls_privkey_deinit(privkey); - -+ /* Import ECDSA key; not a security function */ -+ FIPS_PUSH_CONTEXT(); -+ import_keypair(&privkey, &pubkey, "ecc256.pem"); -+ FIPS_POP_CONTEXT(INITIAL); -+ -+ /* Create a signature with ECDSA and SHA256; approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data2(privkey, GNUTLS_SIGN_ECDSA_SHA256, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ /* Verify a signature with ECDSA and SHA256; approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA256, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with ECDSA and SHA256 (old API); approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_data failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ /* Create a SHA256 hashed data for 2-pass signature API; not a -+ * crypto operation */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, data.data, data.size, hash); -+ if (ret < 0) { -+ fail("gnutls_hash_fast failed\n"); -+ } -+ hashed_data.data = hash; -+ hashed_data.size = 32; -+ FIPS_POP_CONTEXT(INITIAL); -+ -+ /* Create a signature with ECDSA and SHA256 (2-pass API); not-approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_hash2(privkey, GNUTLS_SIGN_ECDSA_SHA256, 0, -+ &hashed_data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_hash2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with ECDSA and SHA256 (2-pass old API); not-approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA256, 0, -+ &hashed_data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_hash failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with ECDSA and SHA-1; not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data2(privkey, GNUTLS_SIGN_ECDSA_SHA1, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ /* Verify a signature created with ECDSA and SHA-1; approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1, -+ GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data, -+ &ecc256_sha1_sig); -+ if (ret < 0) { -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with ECDSA and SHA-1 (old API); not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_data failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a SHA1 hashed data for 2-pass signature API; not a -+ * crypto operation */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size, hash); -+ if (ret < 0) { -+ fail("gnutls_hash_fast failed\n"); -+ } -+ hashed_data.data = hash; -+ hashed_data.size = 20; -+ FIPS_POP_CONTEXT(INITIAL); -+ -+ /* Create a signature with ECDSA and SHA1 (2-pass API); not-approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_hash2(privkey, GNUTLS_SIGN_ECDSA_SHA1, 0, -+ &hashed_data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_hash2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with ECDSA and SHA1 (2-pass old API); not-approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0, -+ &hashed_data, &signature); -+ if (ret < 0) { -+ fail("gnutls_privkey_sign_hash failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); -+ -+ gnutls_pubkey_deinit(pubkey); -+ gnutls_privkey_deinit(privkey); -+ - /* Test RND functions */ - FIPS_PUSH_CONTEXT(); - ret = gnutls_rnd(GNUTLS_RND_RANDOM, key16, sizeof(key16)); --- -2.37.3 - diff --git a/gnutls-3.7.6-fips-ems.patch b/gnutls-3.7.6-fips-ems.patch deleted file mode 100644 index f844f12..0000000 --- a/gnutls-3.7.6-fips-ems.patch +++ /dev/null @@ -1,805 +0,0 @@ -From 4751e1e2d4012404af9bc52535aa73ac88bc7bea Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 13 Jul 2023 16:14:08 +0200 -Subject: [PATCH] gnutls-3.7.6-fips-ems.patch - ---- - doc/cha-gtls-app.texi | 5 + - lib/gnutls_int.h | 6 + - lib/handshake.c | 35 ++++- - lib/nettle/int/tls1-prf.c | 19 +++ - lib/priority.c | 41 +++++ - lib/priority_options.gperf | 1 + - tests/Makefile.am | 4 +- - tests/multi-alerts.c | 8 + - tests/no-extensions.c | 7 + - .../ocsp-tests/ocsp-must-staple-connection.sh | 60 +++---- - tests/rehandshake-ext-secret.c | 8 + - tests/resume.c | 26 ++- - tests/status-request.c | 8 +- - tests/system-override-session-hash.sh | 144 +++++++++++++++++ - tests/tls-force-ems.c | 148 ++++++++++++++++++ - 15 files changed, 477 insertions(+), 43 deletions(-) - create mode 100755 tests/system-override-session-hash.sh - create mode 100644 tests/tls-force-ems.c - -diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi -index bd44478..57e7d50 100644 ---- a/doc/cha-gtls-app.texi -+++ b/doc/cha-gtls-app.texi -@@ -1547,6 +1547,11 @@ This is implied by the PFS keyword. - will prevent the advertizing the TLS extended master secret (session hash) - extension. - -+@item %FORCE_SESSION_HASH @tab -+negotiate the TLS extended master secret (session hash) extension. -+Specifying both %NO_SESSION_HASH and %FORCE_SESSION_HASH is not -+supported, and the behavior is undefined. -+ - @item %SERVER_PRECEDENCE @tab - The ciphersuite will be selected according to server priorities - and not the client's. -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index 8c7bdaa..c6bf154 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -926,6 +926,11 @@ typedef struct sign_algo_list_st { - - #include "atomic.h" - -+typedef enum ext_master_secret_t { -+ EMS_REQUEST, -+ EMS_REQUIRE -+} ext_master_secret_t; -+ - /* For the external api */ - struct gnutls_priority_st { - priority_st protocol; -@@ -965,6 +970,7 @@ struct gnutls_priority_st { - bool force_etm; - unsigned int additional_verify_flags; - bool tls13_compat_mode; -+ ext_master_secret_t force_ext_master_secret; - - /* TLS_FALLBACK_SCSV */ - bool fallback; -diff --git a/lib/handshake.c b/lib/handshake.c -index 21edc5e..1e33b84 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -875,6 +875,15 @@ read_client_hello(gnutls_session_t session, uint8_t * data, - if (_gnutls_version_priority(session, vers->id) < 0) - return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); - -+ /* check if EMS is required */ -+ if (!vers->tls13_sem && vers->id != GNUTLS_SSL3 && -+ vers->id != GNUTLS_DTLS0_9 && -+ session->internals.priorities->force_ext_master_secret == -+ EMS_REQUIRE && -+ !session->security_parameters.ext_master_secret) { -+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); -+ } -+ - _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name); - - /* select appropriate compression method */ -@@ -2062,11 +2071,27 @@ read_server_hello(gnutls_session_t session, - if (ret < 0) - return gnutls_assert_val(ret); - -- /* check if EtM is required */ -- if (!vers->tls13_sem && session->internals.priorities->force_etm && !session->security_parameters.etm) { -- const cipher_entry_st *cipher = cipher_to_entry(session->security_parameters.cs->block_algorithm); -- if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK) -- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); -+ if (!vers->tls13_sem) { -+ /* check if EtM is required */ -+ if (session->internals.priorities->force_etm && -+ !session->security_parameters.etm) { -+ const cipher_entry_st *cipher = -+ cipher_to_entry(session->security_parameters. -+ cs->block_algorithm); -+ if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK) -+ return -+ gnutls_assert_val -+ (GNUTLS_E_UNWANTED_ALGORITHM); -+ } -+ -+ /* check if EMS is required */ -+ if (vers->id != GNUTLS_SSL3 && vers->id != GNUTLS_DTLS0_9 && -+ session->internals.priorities->force_ext_master_secret == -+ EMS_REQUIRE && -+ !session->security_parameters.ext_master_secret) { -+ return -+ gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); -+ } - } - - -diff --git a/lib/nettle/int/tls1-prf.c b/lib/nettle/int/tls1-prf.c -index 19ca5d3..fd9b5a4 100644 ---- a/lib/nettle/int/tls1-prf.c -+++ b/lib/nettle/int/tls1-prf.c -@@ -28,6 +28,7 @@ - #endif - - #include -+#include "fips.h" - - #include - #include -@@ -152,8 +153,26 @@ tls12_prf(void *mac_ctx, - size_t seed_size, const uint8_t *seed, - size_t length, uint8_t *dst) - { -+#define MASTER_SECRET "master secret" -+#define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET) - 1) -+ - P_hash(mac_ctx, update, digest, digest_size, - seed_size, seed, label_size, label, length, dst); - -+ /* Since May 16, 2023, the use of extended master secret is -+ * mandatory according to FIPS 140-3 IG D.Q. Instead of -+ * allowing the "extended master secret" label specifically, -+ * we mark the use of non-EMS label, i.e., "master secret" as -+ * non-approved, because it is still useful to call the -+ * gnutls_prf_raw function with arbitrary label, e.g., in -+ * self-tests. -+ */ -+ if (label_size == MASTER_SECRET_SIZE && -+ memcmp(label, MASTER_SECRET, MASTER_SECRET_SIZE) == 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } else { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED); -+ } -+ - return 1; - } -diff --git a/lib/priority.c b/lib/priority.c -index d163d81..4adf4c7 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -906,6 +906,12 @@ static void enable_no_ext_master_secret(gnutls_priority_t c) - { - c->_no_ext_master_secret = 1; - } -+ -+static void enable_force_ext_master_secret(gnutls_priority_t c) -+{ -+ c->force_ext_master_secret = EMS_REQUIRE; -+} -+ - static void enable_no_etm(gnutls_priority_t c) - { - c->_no_etm = 1; -@@ -1040,6 +1046,9 @@ struct cfg { - gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; - gnutls_sign_algorithm_t sigs[MAX_ALGOS+1]; - gnutls_protocol_t versions[MAX_ALGOS+1]; -+ -+ ext_master_secret_t force_ext_master_secret; -+ bool force_ext_master_secret_set; - }; - - static inline void -@@ -1141,6 +1150,8 @@ cfg_steal(struct cfg *dst, struct cfg *src) - - dst->allowlisting = src->allowlisting; - dst->ktls_enabled = src->ktls_enabled; -+ dst->force_ext_master_secret = src->force_ext_master_secret; -+ dst->force_ext_master_secret_set = src->force_ext_master_secret_set; - memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); - memcpy(dst->macs, src->macs, sizeof(src->macs)); - memcpy(dst->groups, src->groups, sizeof(src->groups)); -@@ -1748,6 +1759,21 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co - } - cfg->kxs[i] = algo; - cfg->kxs[i+1] = 0; -+ } else if (c_strcasecmp(name, "tls-session-hash") == 0) { -+ if (c_strcasecmp(value, "request") == 0) { -+ cfg->force_ext_master_secret = EMS_REQUEST; -+ cfg->force_ext_master_secret_set = true; -+ } else if (c_strcasecmp(value, "require") == 0) { -+ cfg->force_ext_master_secret = EMS_REQUIRE; -+ cfg->force_ext_master_secret_set = true; -+ } else { -+ _gnutls_debug_log( -+ "cfg: unknown value for %s: %s\n", name, -+ value); -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; -+ } - } else { - _gnutls_debug_log("unknown parameter %s\n", name); - if (fail_on_invalid_config) -@@ -2744,6 +2770,12 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, - (*priority_cache)->min_record_version = 1; - gnutls_atomic_init(&(*priority_cache)->usage_cnt); - -+ if (_gnutls_fips_mode_enabled()) { -+ (*priority_cache)->force_ext_master_secret = EMS_REQUIRE; -+ } else { -+ (*priority_cache)->force_ext_master_secret = EMS_REQUEST; -+ } -+ - if (system_wide_config.allowlisting && !priorities) { - priorities = "@" LEVEL_SYSTEM; - } -@@ -2997,6 +3029,15 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, - goto error; - } - -+ /* This needs to be done after parsing modifiers, as -+ * tls-session-hash has precedence over modifiers. -+ */ -+ if (system_wide_config.force_ext_master_secret_set) { -+ (*priority_cache)->force_ext_master_secret = -+ system_wide_config.force_ext_master_secret; -+ (*priority_cache)->_no_ext_master_secret = false; -+ } -+ - ret = set_ciphersuite_list(*priority_cache); - if (ret < 0) { - if (err_pos) -diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf -index 5a041b7..5bb250a 100644 ---- a/lib/priority_options.gperf -+++ b/lib/priority_options.gperf -@@ -13,6 +13,7 @@ NO_TICKETS_TLS12, enable_no_tickets_tls12 - NO_ETM, enable_no_etm - FORCE_ETM, enable_force_etm - NO_SESSION_HASH, enable_no_ext_master_secret -+FORCE_SESSION_HASH, enable_force_ext_master_secret - STATELESS_COMPRESSION, dummy_func - VERIFY_ALLOW_BROKEN, enable_verify_allow_broken - VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 23d309d..e5f7fa6 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -77,7 +77,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ - testpkcs11-certs/client.key testpkcs11-certs/server.crt testpkcs11-certs/server-tmpl \ - testpkcs11-certs/ca.key testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl testpkcs11-certs/server.key \ - crt_type-neg-common.c \ -- system-override-default-priority-string.bad.config system-override-default-priority-string.none.config system-override-default-priority-string.only-tls13.config \ -+ system-override-default-priority-string.bad.config system-override-default-priority-string.none.config system-override-default-priority-string.only-tls13.config system-override-session-hash.sh \ - client-secrets.h server-secrets.h - - AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) -@@ -234,7 +234,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ - x509-upnconstraint cipher-padding xts-key-check pkcs7-verify-double-free \ -- fips-rsa-sizes tls12-rehandshake-ticket -+ fips-rsa-sizes tls12-rehandshake-ticket tls-force-ems - - ctests += tls-channel-binding - -diff --git a/tests/multi-alerts.c b/tests/multi-alerts.c -index 84a412c..27be63b 100644 ---- a/tests/multi-alerts.c -+++ b/tests/multi-alerts.c -@@ -198,6 +198,14 @@ void doit(void) - int sockets[2]; - int err; - -+ /* This test does not work under FIPS, as extended master -+ * secret extension needs to be negotiated through extensions, -+ * but the fixture does not contain the extension. -+ */ -+ if (gnutls_fips140_mode_enabled()) { -+ exit(77); -+ } -+ - err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); - if (err == -1) { - perror("socketpair"); -diff --git a/tests/no-extensions.c b/tests/no-extensions.c -index 3bd9d06..e5b9578 100644 ---- a/tests/no-extensions.c -+++ b/tests/no-extensions.c -@@ -205,6 +205,13 @@ void start(const char *prio, gnutls_protocol_t exp_version) - - void doit(void) - { -+ /* This test does not work under FIPS, as extended master -+ * secret extension needs to be negotiated through extensions. -+ */ -+ if (gnutls_fips140_mode_enabled()) { -+ exit(77); -+ } -+ - start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS", GNUTLS_TLS1_0); - start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS", GNUTLS_TLS1_1); - start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2); -diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh -index 049491a..594e854 100755 ---- a/tests/ocsp-tests/ocsp-must-staple-connection.sh -+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh -@@ -402,39 +402,43 @@ kill "${TLS_SERVER_PID}" - wait "${TLS_SERVER_PID}" - unset TLS_SERVER_PID - --echo "=== Test 7: OSCP response error - client doesn't send status_request ===" -- --eval "${GETPORT}" --# Port for gnutls-serv --TLS_SERVER_PORT=$PORT --PORT=${TLS_SERVER_PORT} --launch_bare_server \ -- datefudge "${TESTDATE}" \ -- "${SERV}" --echo --disable-client-cert \ -- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ -- --x509certfile="${SERVER_CERT_FILE}" \ -- --port="${TLS_SERVER_PORT}" \ -- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors --TLS_SERVER_PID="${!}" --wait_server $TLS_SERVER_PID -+if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then -+ -+ echo "=== Test 7: OSCP response error - client doesn't send status_request ===" -+ -+ eval "${GETPORT}" -+ # Port for gnutls-serv -+ TLS_SERVER_PORT=$PORT -+ PORT=${TLS_SERVER_PORT} -+ launch_bare_server \ -+ datefudge "${TESTDATE}" \ -+ "${SERV}" --echo --disable-client-cert \ -+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ -+ --x509certfile="${SERVER_CERT_FILE}" \ -+ --port="${TLS_SERVER_PORT}" \ -+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors -+ TLS_SERVER_PID="${!}" -+ wait_server $TLS_SERVER_PID -+ -+ wait_for_port "${TLS_SERVER_PORT}" -+ -+ echo "test 123456" | \ -+ datefudge -s "${TESTDATE}" \ -+ "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ -+ --port="${TLS_SERVER_PORT}" localhost -+ rc=$? - --wait_for_port "${TLS_SERVER_PORT}" -+ if test "${rc}" != "0"; then -+ echo "Connecting to server with valid certificate and OCSP error response failed" -+ exit ${rc} -+ fi - --echo "test 123456" | \ -- datefudge -s "${TESTDATE}" \ -- "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ -- --port="${TLS_SERVER_PORT}" localhost --rc=$? -+ kill "${TLS_SERVER_PID}" -+ wait "${TLS_SERVER_PID}" -+ unset TLS_SERVER_PID - --if test "${rc}" != "0"; then -- echo "Connecting to server with valid certificate and OCSP error response failed" -- exit ${rc} - fi - --kill "${TLS_SERVER_PID}" --wait "${TLS_SERVER_PID}" --unset TLS_SERVER_PID -- - echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ===" - - eval "${GETPORT}" -diff --git a/tests/rehandshake-ext-secret.c b/tests/rehandshake-ext-secret.c -index 94279f0..8d68c9b 100644 ---- a/tests/rehandshake-ext-secret.c -+++ b/tests/rehandshake-ext-secret.c -@@ -142,6 +142,14 @@ static void try(unsigned onclient) - - void doit(void) - { -+ /* This test does not work with TLS 1.2 under FIPS, as -+ * extended master secret extension needs to be negotiated -+ * through extensions, while %NO_SESSION_HASH is set. -+ */ -+ if (gnutls_fips140_mode_enabled()) { -+ exit(77); -+ } -+ - try(0); - reset_buffers(); - try(1); -diff --git a/tests/resume.c b/tests/resume.c -index 93838c0..aa3c60c 100644 ---- a/tests/resume.c -+++ b/tests/resume.c -@@ -91,6 +91,7 @@ struct params_res { - int change_ciphersuite; - int early_start; - int no_early_start; -+ int no_fips; - }; - - pid_t child; -@@ -126,16 +127,18 @@ struct params_res resume_tests[] = { - .enable_session_ticket_client = ST_NONE, - .expect_resume = 0, - .first_no_ext_master = 0, -- .second_no_ext_master = 1}, -+ .second_no_ext_master = 1, -+ .no_fips = 1}, - {.desc = "try to resume from db (none -> ext master secret)", - .enable_db = 1, - .enable_session_ticket_server = ST_NONE, - .enable_session_ticket_client = ST_NONE, - .expect_resume = 0, - .first_no_ext_master = 1, -- .second_no_ext_master = 0}, --#endif --#if defined(TLS13) -+ .second_no_ext_master = 0, -+ .no_fips = 1}, -+# endif -+# if defined(TLS13) - /* only makes sense under TLS1.3 as negotiation involves a new - * handshake with different parameters */ - {.desc = "try to resume from session ticket (different cipher order)", -@@ -211,14 +214,17 @@ struct params_res resume_tests[] = { - .enable_session_ticket_client = ST_ALL, - .expect_resume = 0, - .first_no_ext_master = 0, -- .second_no_ext_master = 1}, -- {.desc = "try to resume from session ticket (none -> ext master secret)", -+ .second_no_ext_master = 1, -+ .no_fips = 1}, -+ {.desc = -+ "try to resume from session ticket (none -> ext master secret)", - .enable_db = 0, - .enable_session_ticket_server = ST_ALL, - .enable_session_ticket_client = ST_ALL, - .expect_resume = 0, - .first_no_ext_master = 1, -- .second_no_ext_master = 0}, -+ .second_no_ext_master = 0, -+ .no_fips = 1}, - {.desc = "try to resume from session ticket (server only)", - .enable_db = 0, - .enable_session_ticket_server = ST_ALL, -@@ -942,6 +948,12 @@ void doit(void) - int client_sds[SESSIONS], server_sds[SESSIONS]; - int j; - -+ if (resume_tests[i].no_fips && gnutls_fips140_mode_enabled()) { -+ success("skipping %s under FIPS mode\n", -+ resume_tests[i].desc); -+ continue; -+ } -+ - printf("%s\n", resume_tests[i].desc); - - for (j = 0; j < SESSIONS; j++) { -diff --git a/tests/status-request.c b/tests/status-request.c -index 07c7918..cd2cc54 100644 ---- a/tests/status-request.c -+++ b/tests/status-request.c -@@ -289,7 +289,13 @@ void start(const char *prio) - - void doit(void) - { -- start("NORMAL:-VERS-ALL:+VERS-TLS1.2"); -+ /* This test does not work with TLS 1.2 under FIPS, as -+ * extended master secret extension needs to be negotiated -+ * through extensions. -+ */ -+ if (!gnutls_fips140_mode_enabled()) { -+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2"); -+ } - start("NORMAL:-VERS-ALL:+VERS-TLS1.3"); - start("NORMAL"); - } -diff --git a/tests/system-override-session-hash.sh b/tests/system-override-session-hash.sh -new file mode 100755 -index 0000000..97f11fa ---- /dev/null -+++ b/tests/system-override-session-hash.sh -@@ -0,0 +1,144 @@ -+#!/bin/sh -+ -+# Copyright (C) 2021 Red Hat, Inc. -+# -+# Author: Alexander Sosedkin -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS. If not, see . -+ -+: ${srcdir=.} -+: ${SERV=../src/gnutls-serv${EXEEXT}} -+: ${CLI=../src/gnutls-cli${EXEEXT}} -+ -+if ! test -x "${SERV}"; then -+ exit 77 -+fi -+ -+if ! test -x "${CLI}"; then -+ exit 77 -+fi -+ -+${CLI} --fips140-mode -+if test $? = 0;then -+ echo "Cannot run this test in FIPS140 mode" -+ exit 77 -+fi -+ -+. "${srcdir}/scripts/common.sh" -+ -+testdir=`create_testdir cfg` -+ -+cat <<_EOF_ > "$testdir/request.cfg" -+[overrides] -+ -+tls-session-hash = request -+_EOF_ -+ -+cat <<_EOF_ > "$testdir/require.cfg" -+[overrides] -+ -+tls-session-hash = require -+_EOF_ -+ -+eval "${GETPORT}" -+ -+KEY=${srcdir}/../doc/credentials/x509/key-rsa-pss.pem -+CERT=${srcdir}/../doc/credentials/x509/cert-rsa-pss.pem -+CA=${srcdir}/../doc/credentials/x509/ca.pem -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+unset GNUTLS_DEBUG_LEVEL -+ -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --x509keyfile ${KEY} --x509certfile ${CERT} -+PID=$! -+wait_server ${PID} -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/request.cfg" -+export GNUTLS_DEBUG_LEVEL=3 -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail "expected connection to succeed (1)" -+ -+# "tls-session-hash" has precedence over %FORCE_SESSION_HASH -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%FORCE_SESSION_HASH" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail "expected connection to succeed (2)" -+ -+echo kill ${PID} -+kill ${PID} -+wait -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+unset GNUTLS_DEBUG_LEVEL -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/request.cfg" -+ -+# "tls-session-hash" has precedence over %FORCE_SESSION_HASH -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%FORCE_SESSION_HASH" --x509keyfile ${KEY} --x509certfile ${CERT} -+PID=$! -+wait_server ${PID} -+ -+export GNUTLS_DEBUG_LEVEL=3 -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (3)" -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_SESSION_HASH" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (4)" -+ -+kill ${PID} -+wait -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+unset GNUTLS_DEBUG_LEVEL -+ -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --x509keyfile ${KEY} --x509certfile ${CERT} -+PID=$! -+wait_server ${PID} -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/require.cfg" -+export GNUTLS_DEBUG_LEVEL=3 -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (5)" -+ -+# "tls-session-hash" has precedence over %NO_SESSION_HASH -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_SESSION_HASH" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (6)" -+ -+kill ${PID} -+wait -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+unset GNUTLS_DEBUG_LEVEL -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/require.cfg" -+ -+# "tls-session-hash" has precedence over %NO_SESSION_HASH -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_SESSION_HASH" --x509keyfile ${KEY} --x509certfile ${CERT} -+PID=$! -+wait_server ${PID} -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (7)" -+ -+# "tls-session-hash" has precedence over %NO_SESSION_HASH -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_SESSION_HASH" --verify-hostname=localhost --x509cafile ${CA} --logfile="$testdir/client.log" /dev/null || -+ fail ${PID} "expected connection to succeed (8)" -+ -+kill ${PID} -+wait -+ -+rm -rf "$testdir" -diff --git a/tests/tls-force-ems.c b/tests/tls-force-ems.c -new file mode 100644 -index 0000000..35e7010 ---- /dev/null -+++ b/tests/tls-force-ems.c -@@ -0,0 +1,148 @@ -+/* -+ * Copyright (C) 2023 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ */ -+ -+#ifdef HAVE_CONFIG_H -+# include -+#endif -+ -+#include -+#include -+ -+#include "utils.h" -+#include "cert-common.h" -+#include "eagain-common.h" -+ -+/* This program tests whether forced extended master secret is -+ * negotiated as expected. -+ */ -+ -+const char *side; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "%s|<%d>| %s", side, level, str); -+} -+ -+static void -+try(const char *name, const char *sprio, const char *cprio, int serr, int cerr) -+{ -+ int sret, cret; -+ gnutls_certificate_credentials_t scred, ccred; -+ gnutls_session_t server, client; -+ -+ success("Running %s\n", name); -+ -+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0); -+ -+ assert(gnutls_certificate_set_x509_key_mem -+ (scred, &server_ca3_localhost_cert, -+ &server_ca3_key, GNUTLS_X509_FMT_PEM) >= 0); -+ -+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0); -+ -+ assert(gnutls_certificate_set_x509_trust_mem -+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0); -+ -+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0); -+ assert(gnutls_init(&client, GNUTLS_CLIENT) >= 0); -+ -+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); -+ gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred); -+ -+ gnutls_transport_set_push_function(server, server_push); -+ gnutls_transport_set_pull_function(server, server_pull); -+ gnutls_transport_set_ptr(server, server); -+ assert(gnutls_priority_set_direct(server, sprio, 0) >= 0); -+ -+ gnutls_transport_set_push_function(client, client_push); -+ gnutls_transport_set_pull_function(client, client_pull); -+ gnutls_transport_set_ptr(client, client); -+ assert(gnutls_priority_set_direct(client, cprio, 0) >= 0); -+ -+ HANDSHAKE_EXPECT(client, server, cerr, serr); -+ -+ gnutls_deinit(server); -+ gnutls_deinit(client); -+ gnutls_certificate_free_credentials(scred); -+ gnutls_certificate_free_credentials(ccred); -+ -+ reset_buffers(); -+} -+ -+#define AES_GCM "NORMAL:-VERS-ALL:+VERS-TLS1.2" -+ -+void doit(void) -+{ -+ gnutls_fips140_context_t fips_context; -+ -+ global_init(); -+ -+ /* General init. */ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(2); -+ -+ assert(gnutls_fips140_context_init(&fips_context) >= 0); -+ -+ /* Default: EMS is requested in non-FIPS mode, while it is -+ * required in FIPS mode. -+ */ -+ FIPS_PUSH_CONTEXT(); -+ try("default", AES_GCM, AES_GCM, 0, 0); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ FIPS_PUSH_CONTEXT(); -+ try("both force EMS", AES_GCM ":%FORCE_SESSION_HASH", -+ AES_GCM ":%FORCE_SESSION_HASH", 0, 0); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ if (gnutls_fips140_mode_enabled()) { -+ try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH", -+ AES_GCM ":%NO_SESSION_HASH", GNUTLS_E_INSUFFICIENT_SECURITY, -+ GNUTLS_E_AGAIN); -+ } else { -+ try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH", -+ AES_GCM ":%NO_SESSION_HASH", 0, 0); -+ } -+ /* Note that the error codes are swapped based on FIPS mode: -+ * in FIPS mode, the server doesn't send the extension which -+ * causes the client to not send the one either, and then the -+ * server doesn't like the situation. On the other hand, in -+ * non-FIPS mode, it's the client to decide to abort the -+ * connection. -+ */ -+ if (gnutls_fips140_mode_enabled()) { -+ try("server doesn't negotiate EMS, client forces EMS", -+ AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH", -+ GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN); -+ } else { -+ try("server doesn't negotiate EMS, client forces EMS", -+ AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH", -+ GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_SECURITY); -+ } -+ try("server forces EMS, client doesn't negotiate EMS", -+ AES_GCM ":%FORCE_SESSION_HASH", AES_GCM ":%NO_SESSION_HASH", -+ GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN); -+ -+ gnutls_fips140_context_deinit(fips_context); -+ -+ gnutls_global_deinit(); -+} --- -2.41.0 - diff --git a/gnutls-3.7.6-fips-pkcs12-des-cbc.patch b/gnutls-3.7.6-fips-pkcs12-des-cbc.patch deleted file mode 100644 index 0061ea6..0000000 --- a/gnutls-3.7.6-fips-pkcs12-des-cbc.patch +++ /dev/null @@ -1,58 +0,0 @@ -From de09280b2a8314eb98ec9a2b84eebe3eec2f49bd Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 4 Aug 2022 16:37:51 +0900 -Subject: [PATCH] _gnutls_decrypt_pbes1_des_md5_data: use public crypto API - -This is a follow-up of e7f9267342bc2231149a640163c82b63c86f1dfd. In -the decryption code path with PBES1, algorithm checks for FIPS was not -applied, because it used internal functions that bypass those checks. - -Signed-off-by: Daiki Ueno ---- - lib/x509/privkey_pkcs8_pbes1.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c -index c296807974..983530e46a 100644 ---- a/lib/x509/privkey_pkcs8_pbes1.c -+++ b/lib/x509/privkey_pkcs8_pbes1.c -@@ -140,7 +140,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password, - { - int result; - gnutls_datum_t dkey, d_iv; -- cipher_hd_st ch; -+ gnutls_cipher_hd_t ch; - uint8_t key[16]; - const unsigned block_size = 8; - -@@ -158,16 +158,14 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password, - dkey.size = 8; - d_iv.data = &key[8]; - d_iv.size = 8; -- result = -- _gnutls_cipher_init(&ch, cipher_to_entry(GNUTLS_CIPHER_DES_CBC), -- &dkey, &d_iv, 0); -+ result = gnutls_cipher_init(&ch, GNUTLS_CIPHER_DES_CBC, &dkey, &d_iv); - if (result < 0) { - _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); - return gnutls_assert_val(result); - } - _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); - -- result = _gnutls_cipher_decrypt(&ch, encrypted_data->data, encrypted_data->size); -+ result = gnutls_cipher_decrypt(ch, encrypted_data->data, encrypted_data->size); - if (result < 0) { - gnutls_assert(); - goto error; -@@ -184,7 +182,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password, - - result = 0; - error: -- _gnutls_cipher_deinit(&ch); -+ gnutls_cipher_deinit(ch); - - return result; - } --- -2.37.1 - diff --git a/gnutls-3.7.6-fips-rsa-key-sizes.patch b/gnutls-3.7.6-fips-rsa-key-sizes.patch deleted file mode 100644 index 1857591..0000000 --- a/gnutls-3.7.6-fips-rsa-key-sizes.patch +++ /dev/null @@ -1,476 +0,0 @@ -From 237695d30c9f716333cfa077554a6e1ae0d2c589 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Sat, 20 Aug 2022 09:52:08 +0900 -Subject: [PATCH] gnutls-3.7.6-fips-rsa-key-sizes.patch - ---- - lib/nettle/pk.c | 54 ++++--- - tests/Makefile.am | 3 +- - tests/fips-rsa-sizes.c | 328 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 361 insertions(+), 24 deletions(-) - create mode 100644 tests/fips-rsa-sizes.c - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index eba246f..f38016b 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -1247,20 +1247,20 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - _rsa_params_to_privkey(pk_params, &priv); - -- /* RSA key size should be 2048-bit or larger in FIPS -- * 140-3. In addition to this, only SHA-2 is allowed -- * for SigGen; it is checked in pk_prepare_hash lib/pk.c -- */ -- if (unlikely(priv.size < 256)) { -- not_approved = true; -- } -- - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - -+ /* RSA modulus size should be 2048-bit or larger in FIPS -+ * 140-3. In addition to this, only SHA-2 is allowed -+ * for SigGen; it is checked in pk_prepare_hash lib/pk.c -+ */ -+ if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { -+ not_approved = true; -+ } -+ - mpz_init(s); - - if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -@@ -1298,22 +1298,22 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - _rsa_params_to_privkey(pk_params, &priv); - -- /* RSA key size should be 2048-bit or larger in FIPS -+ ret = _rsa_params_to_pubkey(pk_params, &pub); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ -+ /* RSA modulus size should be 2048-bit or larger in FIPS - * 140-3. In addition to this, only SHA-2 is allowed - * for SigGen; however, Nettle only support SHA256, - * SHA384, and SHA512 for RSA-PSS (see - * _rsa_pss_sign_digest_tr in this file for details). - */ -- if (unlikely(priv.size < 256)) { -+ if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { - not_approved = true; - } - -- ret = _rsa_params_to_pubkey(pk_params, &pub); -- if (ret < 0) { -- gnutls_assert(); -- goto cleanup; -- } -- - mpz_init(s); - - ret = -@@ -1643,6 +1643,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - case GNUTLS_PK_RSA: - { - struct rsa_public_key pub; -+ size_t bits; - - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { -@@ -1650,12 +1651,19 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -- /* RSA key size should be 2048-bit or larger in FIPS -- * 140-3. In addition to this, only SHA-1 and SHA-2 are -- * allowed for SigVer; it is checked in -- * _pkcs1_rsa_verify_sig in lib/pubkey.c -+ bits = mpz_sizeinbase(pub.n, 2); -+ -+ /* In FIPS 140-3, RSA key size should be larger than -+ * 2048-bit or one of the known lengths (1024, 1280, -+ * 1536, 1792; i.e., multiple of 256-bits). -+ * -+ * In addition to this, only SHA-1 and SHA-2 are allowed -+ * for SigVer; it is checked in _pkcs1_rsa_verify_sig in -+ * lib/pubkey.c. - */ -- if (unlikely(pub.size < 256)) { -+ if (unlikely(bits < 2048 && -+ bits != 1024 && bits != 1280 && -+ bits != 1536 && bits != 1792)) { - not_approved = true; - } - -@@ -1701,13 +1709,13 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -- /* RSA key size should be 2048-bit or larger in FIPS -+ /* RSA modulus size should be 2048-bit or larger in FIPS - * 140-3. In addition to this, only SHA-1 and SHA-2 are - * allowed for SigVer, while Nettle only supports - * SHA256, SHA384, and SHA512 for RSA-PSS (see - * _rsa_pss_verify_digest in this file for the details). - */ -- if (unlikely(pub.size < 256)) { -+ if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { - not_approved = true; - } - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 7a7a4af..dd21e45 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -233,7 +233,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei - tls13-without-timeout-func buffer status-request-revoked \ - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ -- x509-upnconstraint pkcs7-verify-double-free -+ x509-upnconstraint pkcs7-verify-double-free \ -+ fips-rsa-sizes - - ctests += tls-channel-binding - -diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c -new file mode 100644 -index 0000000..84b9aff ---- /dev/null -+++ b/tests/fips-rsa-sizes.c -@@ -0,0 +1,328 @@ -+/* -+ * Copyright (C) 2022 Red Hat, Inc. -+ * -+ * Author: Alexander Sosedkin -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define FIPS_PUSH_CONTEXT() do { \ -+ ret = gnutls_fips140_push_context(fips_context); \ -+ if (ret < 0) { \ -+ fail("gnutls_fips140_push_context failed\n"); \ -+ } \ -+} while (0) -+ -+#define FIPS_POP_CONTEXT(state) do { \ -+ ret = gnutls_fips140_pop_context(); \ -+ if (ret < 0) { \ -+ fail("gnutls_fips140_context_pop failed\n"); \ -+ } \ -+ fips_state = gnutls_fips140_get_operation_state(fips_context); \ -+ if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -+ fail("operation state is not " # state " (%d)\n", \ -+ fips_state); \ -+ } \ -+} while (0) -+ -+ -+void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, -+ unsigned int size); -+void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, -+ unsigned int size); -+void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey); -+void sign_verify_unsuccessfully(gnutls_privkey_t privkey, -+ gnutls_pubkey_t pubkey); -+void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey); -+ -+ -+void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, -+ unsigned int size) -+{ -+ int ret; -+ gnutls_x509_privkey_t xprivkey; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ fprintf(stderr, "%d-bit\n", size); -+ -+ /* x509 generation as well just because why not */ -+ FIPS_PUSH_CONTEXT(); -+ assert(gnutls_x509_privkey_init(&xprivkey) == 0); -+ ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit x509_privkey_init (%d)\n", size, ret); -+ FIPS_POP_CONTEXT(APPROVED); -+ gnutls_x509_privkey_deinit(xprivkey); -+ -+ FIPS_PUSH_CONTEXT(); -+ assert(gnutls_privkey_init(privkey) == 0); -+ ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit privkey_init (%d)\n", size, ret); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ assert(gnutls_pubkey_init(pubkey) == 0); -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_import_privkey(*pubkey, *privkey, -+ GNUTLS_KEY_DIGITAL_SIGNATURE, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit pubkey_import_privkey (%d)\n", size, ret); -+ FIPS_POP_CONTEXT(INITIAL); -+ -+ gnutls_fips140_context_deinit(fips_context); -+} -+ -+ -+void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, -+ unsigned int size) -+{ -+ int ret; -+ gnutls_x509_privkey_t xprivkey; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ fprintf(stderr, "%d-bit\n", size); -+ -+ /* short x509 generation: ERROR, blocked */ -+ FIPS_PUSH_CONTEXT(); -+ assert(gnutls_x509_privkey_init(&xprivkey) == 0); -+ ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_PK_GENERATION_ERROR) -+ fail("%d-bit x509_privkey_init (%d)\n", size, ret); -+ FIPS_POP_CONTEXT(ERROR); -+ gnutls_x509_privkey_deinit(xprivkey); -+ -+ /* short key generation: ERROR, blocked */ -+ FIPS_PUSH_CONTEXT(); -+ assert(gnutls_privkey_init(privkey) == 0); -+ ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_PK_GENERATION_ERROR) -+ fail("%d-bit privkey_init (%d)\n", size, ret); -+ FIPS_POP_CONTEXT(ERROR); -+ gnutls_privkey_deinit(*privkey); -+ -+ /* Disable FIPS to generate them anyway */ -+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); -+ assert(gnutls_fips140_mode_enabled() == GNUTLS_FIPS140_LAX); -+ -+ assert(gnutls_x509_privkey_init(&xprivkey) == 0); -+ ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit x509_privkey_init (%d)\n", size, ret); -+ gnutls_x509_privkey_deinit(xprivkey); -+ -+ assert(gnutls_privkey_init(privkey) == 0); -+ ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit privkey_init (%d)\n", size, ret); -+ -+ assert(gnutls_pubkey_init(pubkey) == 0); -+ ret = gnutls_pubkey_import_privkey(*pubkey, *privkey, -+ GNUTLS_KEY_DIGITAL_SIGNATURE, 0); -+ if (ret != GNUTLS_E_SUCCESS) -+ fail("%d-bit pubkey_import_privkey (%d)\n", size, ret); -+ -+ gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, 0); -+ assert(gnutls_fips140_mode_enabled()); -+ -+ gnutls_fips140_context_deinit(fips_context); -+} -+ -+ -+void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { -+ int ret; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; -+ -+ gnutls_datum_t signature; -+ gnutls_datum_t plaintext = { -+ .data = (unsigned char* const) "Hello world!", -+ .size = 12 -+ }; -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ /* RSA sign: approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_privkey_sign_data failed\n"); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ /* RSA verify: approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ gnutls_free(signature.data); -+ gnutls_fips140_context_deinit(fips_context); -+} -+ -+ -+void sign_verify_unsuccessfully(gnutls_privkey_t privkey, -+ gnutls_pubkey_t pubkey) { -+ int ret; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; -+ -+ gnutls_datum_t signature; -+ gnutls_datum_t plaintext = { -+ .data = (unsigned char* const) "Hello world!", -+ .size = 12 -+ }; -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ /* small key RSA sign: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_privkey_sign_data failed\n"); -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ /* small key RSA verify: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ gnutls_free(signature.data); -+ gnutls_pubkey_deinit(pubkey); -+ gnutls_privkey_deinit(privkey); -+ gnutls_fips140_context_deinit(fips_context); -+} -+ -+ -+void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { -+ int ret; -+ gnutls_fips140_context_t fips_context; -+ gnutls_fips140_operation_state_t fips_state; -+ -+ gnutls_datum_t signature; -+ gnutls_datum_t plaintext = { -+ .data = (unsigned char* const) "Hello world!", -+ .size = 12 -+ }; -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ /* 1024, 1280, 1536, 1792 key RSA sign: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_privkey_sign_data failed\n"); -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ /* Disable FIPS to sign them anyway */ -+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); -+ assert(gnutls_fips140_mode_enabled() == GNUTLS_FIPS140_LAX); -+ -+ ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_privkey_sign_data failed\n"); -+ -+ gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, 0); -+ assert(gnutls_fips140_mode_enabled()); -+ -+ /* 1024, 1280, 1536, 1792 key RSA verify: approved (exception) */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0, -+ &plaintext, &signature); -+ if (ret < 0) -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ gnutls_free(signature.data); -+ gnutls_pubkey_deinit(pubkey); -+ gnutls_privkey_deinit(privkey); -+ gnutls_fips140_context_deinit(fips_context); -+} -+ -+ -+void doit(void) -+{ -+ gnutls_fips140_context_t fips_context; -+ gnutls_privkey_t privkey; -+ gnutls_pubkey_t pubkey; -+ -+ if (gnutls_fips140_mode_enabled() == 0) { -+ success("We are not in FIPS140 mode\n"); -+ exit(77); /* SKIP */ -+ } -+ -+ assert(gnutls_fips140_context_init(&fips_context) == 0); -+ -+ /* 512-bit RSA: no generate, no sign, no verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 512); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ /* 512-bit RSA again (to be safer about going in and out of FIPS) */ -+ generate_unsuccessfully(&privkey, &pubkey, 512); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ /* 600-bit RSA: no generate, no sign, no verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 600); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ -+ /* 768-bit RSA not-an-exception: nogenerate, nosign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 768); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ /* 1024-bit RSA exception: nogenerate, nosign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 1024); -+ nosign_verify(privkey, pubkey); -+ /* 1280-bit RSA exception: nogenerate, nosign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 1280); -+ nosign_verify(privkey, pubkey); -+ /* 1500-bit RSA not-an-exception: nogenerate, nosign, noverify */ -+ generate_unsuccessfully(&privkey, &pubkey, 1500); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ /* 1536-bit RSA exception: nogenerate, nosign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 1536); -+ nosign_verify(privkey, pubkey); -+ /* 1792-bit RSA exception: nogenerate, nosign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 1792); -+ nosign_verify(privkey, pubkey); -+ /* 2000-bit RSA not-an-exception: nogenerate, nosign, noverify */ -+ generate_unsuccessfully(&privkey, &pubkey, 2000); -+ sign_verify_unsuccessfully(privkey, pubkey); -+ -+ /* 2048-bit RSA: generate, sign, verify */ -+ generate_successfully(&privkey, &pubkey, 2048); -+ sign_verify_successfully(privkey, pubkey); -+ /* 2432-bit RSA: nogenerate, sign, verify */ -+ generate_unsuccessfully(&privkey, &pubkey, 2432); -+ sign_verify_successfully(privkey, pubkey); -+ /* 3072-bit RSA: generate, sign, verify */ -+ generate_successfully(&privkey, &pubkey, 3072); -+ sign_verify_successfully(privkey, pubkey); -+ -+ gnutls_fips140_context_deinit(fips_context); -+} --- -2.37.2 - diff --git a/gnutls-3.7.6-fips-rsa-pss-saltlen.patch b/gnutls-3.7.6-fips-rsa-pss-saltlen.patch deleted file mode 100644 index a6af4d5..0000000 --- a/gnutls-3.7.6-fips-rsa-pss-saltlen.patch +++ /dev/null @@ -1,163 +0,0 @@ -From 3bd42dc88ff062bf9ede2b593e1ad1afa6f68f62 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 16 Nov 2022 23:02:13 +0900 -Subject: [PATCH] nettle: mark non-compliant RSA-PSS salt length to be - not-approved - -According to FIPS 186-5 5.4, the salt length must be in the range -between 0 and the hash length inclusive. While the use of those salt -lengths is still allowed for compatibility, it is reported as -non-approved operation through FIPS service indicator. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 9 ++++++++ - tests/rsa-rsa-pss.c | 54 ++++++++++++++++++++++++++++++++++++--------- - 2 files changed, 53 insertions(+), 10 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index c098e2aa45..7732e90542 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -1316,6 +1316,15 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - mpz_init(s); - -+ me = hash_to_entry(sign_params->rsa_pss_dig); -+ -+ /* According to FIPS 186-5 5.4, the salt length must be -+ * in the range between 0 and the hash length inclusive. -+ */ -+ if (sign_params->salt_size > _gnutls_mac_get_algo_len(me)) { -+ not_approved = true; -+ } -+ - ret = - _rsa_pss_sign_digest_tr(sign_params->rsa_pss_dig, - &pub, &priv, -diff --git a/tests/rsa-rsa-pss.c b/tests/rsa-rsa-pss.c -index 19a175b722..d7799c1961 100644 ---- a/tests/rsa-rsa-pss.c -+++ b/tests/rsa-rsa-pss.c -@@ -46,6 +46,8 @@ const gnutls_datum_t raw_data = { - 11 - }; - -+static gnutls_fips140_context_t fips_context; -+ - static void inv_sign_check(unsigned sigalgo, - gnutls_privkey_t privkey, int exp_error) - { -@@ -86,13 +88,16 @@ static void inv_encryption_check(gnutls_pk_algorithm_t algorithm, - - static void sign_verify_data(unsigned sigalgo, gnutls_privkey_t privkey, - unsigned int sign_flags, unsigned int verify_flags, -- int sign_exp_error, int verify_exp_error) -+ int sign_exp_error, int verify_exp_error, -+ gnutls_fips140_operation_state_t sign_exp_state) - { - int ret; - gnutls_datum_t signature = { NULL, 0 }; - -+ fips_push_context(fips_context); - ret = gnutls_privkey_sign_data2(privkey, sigalgo, sign_flags, - &raw_data, &signature); -+ fips_pop_context(fips_context, sign_exp_state); - if (ret != sign_exp_error) - fail("gnutls_x509_privkey_sign_data returned unexpected error: %s\n", - gnutls_strerror(ret)); -@@ -180,11 +185,16 @@ void doit(void) - if (debug) - gnutls_global_set_log_level(4711); - -+ assert(gnutls_fips140_context_init(&fips_context) >= 0); -+ - prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 32); - -- sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0); -- sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0); -- sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa, 0, 0, 0, 0); -+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0, -+ GNUTLS_FIPS140_OP_APPROVED); -+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0, -+ GNUTLS_FIPS140_OP_APPROVED); -+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa, 0, 0, 0, 0, -+ GNUTLS_FIPS140_OP_APPROVED); - - if (debug) - success("success signing with RSA-PSS-SHA256\n"); -@@ -213,41 +223,65 @@ void doit(void) - gnutls_privkey_deinit(pkey_rsa_pss); - gnutls_privkey_deinit(pkey_rsa); - -+ /* Restrict key to use salt length larger than hash output -+ * length (not approved in FIPS). -+ */ -+ prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 33); -+ -+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0, -+ GNUTLS_FIPS140_OP_NOT_APPROVED); -+ -+ gnutls_privkey_deinit(pkey_rsa_pss); -+ gnutls_privkey_deinit(pkey_rsa); -+ - /* Use the mismatched salt length with the digest length */ - prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 48); - - sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa_pss, -- 0, 0, 0, 0); -+ 0, 0, 0, 0, GNUTLS_FIPS140_OP_NOT_APPROVED); - sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, - GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH, - 0, - GNUTLS_E_CONSTRAINT_ERROR, -- 0); -+ 0, -+ /* The error is caught before calling the actual -+ * signing operation. -+ */ -+ GNUTLS_FIPS140_OP_INITIAL); - sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, - 0, - GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH, - 0, -- GNUTLS_E_PK_SIG_VERIFY_FAILED); -+ GNUTLS_E_PK_SIG_VERIFY_FAILED, -+ GNUTLS_FIPS140_OP_NOT_APPROVED); - - assert(gnutls_x509_spki_init(&spki)>=0); - gnutls_x509_spki_set_rsa_pss_params(spki, GNUTLS_DIG_SHA256, 48); - assert(gnutls_privkey_set_spki(pkey_rsa, spki, 0)>=0); - -- sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0); -+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0, -+ GNUTLS_FIPS140_OP_NOT_APPROVED); - sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, - GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH, - 0, - GNUTLS_E_CONSTRAINT_ERROR, -- 0); -+ 0, -+ /* The error is caught before calling the actual -+ * signing operation. -+ */ -+ GNUTLS_FIPS140_OP_INITIAL); - sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, - 0, - GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH, - 0, -- GNUTLS_E_PK_SIG_VERIFY_FAILED); -+ GNUTLS_E_PK_SIG_VERIFY_FAILED, -+ GNUTLS_FIPS140_OP_NOT_APPROVED); - - gnutls_privkey_deinit(pkey_rsa_pss); - gnutls_privkey_deinit(pkey_rsa); - gnutls_x509_spki_deinit(spki); - -+ gnutls_fips140_context_deinit(fips_context); -+ - gnutls_global_deinit(); - } --- -2.38.1 - diff --git a/gnutls-3.7.6-fips-run-selftests.patch b/gnutls-3.7.6-fips-run-selftests.patch deleted file mode 100644 index d04a35d..0000000 --- a/gnutls-3.7.6-fips-run-selftests.patch +++ /dev/null @@ -1,640 +0,0 @@ -From 036fb360e5775f01ef25f5e712024a29930c462e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 3 Jun 2022 15:43:00 +0900 -Subject: [PATCH] fips: provide function to manually run FIPS self-tests - -FIPS140-3 IG 10.3.E Periodic Self-Testing says: - - At security levels 1 and 2, acceptable means for initiating the - periodic self-tests include a provided service, resetting, rebooting - or power cycling. - -Neither resetting, rebooting, nor power-cycling is suitable because -those involve operations outside of the module. Therefore this patch -adds a new API to manually run the substance of FIPS140 self-tests. - -Suggeested by Richard Costa and Stephan Mueller in: -https://gitlab.com/gnutls/gnutls/-/issues/1364 - -Signed-off-by: Daiki Ueno ---- - NEWS | 5 ++ - devel/libgnutls.abignore | 2 + - devel/symbols.last | 2 + - doc/Makefile.am | 2 + - doc/manpages/Makefile.am | 1 + - lib/fips.c | 139 ++++++++++++++++---------------- - lib/global.c | 14 +++- - lib/includes/gnutls/gnutls.h.in | 2 + - lib/libgnutls.map | 8 ++ - tests/fips-test.c | 7 ++ - 10 files changed, 110 insertions(+), 72 deletions(-) - -diff --git a/NEWS b/NEWS -index 70dd8a12b5..389be8acaa 100644 ---- a/NEWS -+++ b/NEWS -@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. - Copyright (C) 2013-2019 Nikos Mavrogiannopoulos - See the end for copying conditions. - -+* Version 3.7.7 (unreleased) -+ -+** API and ABI modifications: -+gnutls_fips140_run_self_tests: New function -+ - * Version 3.7.6 (released 2022-05-27) - - ** libgnutls: Fixed invalid write when gnutls_realloc_zero() -diff --git a/doc/Makefile.am b/doc/Makefile.am -index d20a021d97..34ef43866c 100644 ---- a/doc/Makefile.am -+++ b/doc/Makefile.am -@@ -1096,6 +1096,8 @@ FUNCS += functions/gnutls_fips140_pop_context - FUNCS += functions/gnutls_fips140_pop_context.short - FUNCS += functions/gnutls_fips140_push_context - FUNCS += functions/gnutls_fips140_push_context.short -+FUNCS += functions/gnutls_fips140_run_self_tests -+FUNCS += functions/gnutls_fips140_run_self_tests.short - FUNCS += functions/gnutls_fips140_set_mode - FUNCS += functions/gnutls_fips140_set_mode.short - FUNCS += functions/gnutls_get_library_config -diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am -index d8c5f2854d..90906b0574 100644 ---- a/doc/manpages/Makefile.am -+++ b/doc/manpages/Makefile.am -@@ -380,6 +380,7 @@ APIMANS += gnutls_fips140_get_operation_state.3 - APIMANS += gnutls_fips140_mode_enabled.3 - APIMANS += gnutls_fips140_pop_context.3 - APIMANS += gnutls_fips140_push_context.3 -+APIMANS += gnutls_fips140_run_self_tests.3 - APIMANS += gnutls_fips140_set_mode.3 - APIMANS += gnutls_get_library_config.3 - APIMANS += gnutls_get_system_config_file.3 -diff --git a/lib/fips.c b/lib/fips.c -index e9c27f6df6..656d43e74a 100644 ---- a/lib/fips.c -+++ b/lib/fips.c -@@ -419,8 +419,6 @@ int _gnutls_fips_perform_self_checks1(void) - { - int ret; - -- _gnutls_switch_lib_state(LIB_STATE_SELFTEST); -- - /* Tests the FIPS algorithms used by nettle internally. - * In our case we test AES-CBC since nettle's AES is used by - * the DRBG-AES. -@@ -429,193 +427,153 @@ int _gnutls_fips_perform_self_checks1(void) - /* ciphers - one test per cipher */ - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - return 0; -- --error: -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); -- -- return GNUTLS_E_SELF_TEST_ERROR; - } - - int _gnutls_fips_perform_self_checks2(void) - { - int ret; - -- _gnutls_switch_lib_state(LIB_STATE_SELFTEST); -- - /* Tests the FIPS algorithms */ - - /* ciphers - one test per cipher */ - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_XTS); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CFB8); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* Digest tests */ - ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_224); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_384); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_512); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* MAC (includes message digest test) */ - ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* PK */ - ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_pk_self_test(0, GNUTLS_PK_EC); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - ret = gnutls_pk_self_test(0, GNUTLS_PK_DH); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* HKDF */ - ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* PBKDF2 */ - ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* TLS-PRF */ - ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - if (_gnutls_rnd_ops.self_test == NULL) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - /* this does not require rng initialization */ - ret = _gnutls_rnd_ops.self_test(); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - - if (_skip_integrity_checks == 0) { - ret = check_binary_integrity(); - if (ret < 0) { -- gnutls_assert(); -- goto error; -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); - } - } - - return 0; -- --error: -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); -- -- return GNUTLS_E_SELF_TEST_ERROR; - } - #endif - -@@ -894,3 +852,48 @@ _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state) - (void)state; - #endif - } -+ -+/** -+ * gnutls_fips140_run_self_tests: -+ * -+ * Manually perform the second round of the FIPS140 self-tests, -+ * including: -+ * -+ * - Known answer tests (KAT) for the selected set of symmetric -+ * cipher, MAC, public key, KDF, and DRBG -+ * - Library integrity checks -+ * -+ * Upon failure with FIPS140 mode enabled, it makes the library -+ * unusable. This function is not thread-safe. -+ * -+ * Returns: 0 upon success, a negative error code otherwise -+ * -+ * Since: 3.7.7 -+ */ -+int -+gnutls_fips140_run_self_tests(void) -+{ -+#ifdef ENABLE_FIPS140 -+ int ret; -+ unsigned prev_lib_state; -+ -+ /* Temporarily switch to LIB_STATE_SELFTEST as some of the -+ * algorithms are implemented using special constructs in -+ * self-tests (such as deterministic variants) */ -+ prev_lib_state = _gnutls_get_lib_state(); -+ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); -+ -+ ret = _gnutls_fips_perform_self_checks2(); -+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED && -+ ret < 0) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); -+ } else { -+ /* Restore the previous library state */ -+ _gnutls_switch_lib_state(prev_lib_state); -+ } -+ return ret; -+#else -+ return 0; -+#endif -+} -diff --git a/lib/global.c b/lib/global.c -index faa7f0afb2..1b372c15bd 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -336,9 +336,12 @@ static int _gnutls_global_init(unsigned constructor) - - /* first round of self checks, these are done on the - * nettle algorithms which are used internally */ -+ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); - ret = _gnutls_fips_perform_self_checks1(); -- if (res != 2) { -- if (ret < 0) { -+ if (ret < 0) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ _gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n"); -+ if (res != 2) { - gnutls_assert(); - goto out; - } -@@ -355,9 +358,12 @@ static int _gnutls_global_init(unsigned constructor) - * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto() - * intentionally */ - if (res != 0) { -+ _gnutls_switch_lib_state(LIB_STATE_SELFTEST); - ret = _gnutls_fips_perform_self_checks2(); -- if (res != 2) { -- if (ret < 0) { -+ if (ret < 0) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); -+ if (res != 2) { - gnutls_assert(); - goto out; - } -diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in -index f7fc5d114a..5840f331e9 100644 ---- a/lib/includes/gnutls/gnutls.h.in -+++ b/lib/includes/gnutls/gnutls.h.in -@@ -3416,6 +3416,8 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context); - int gnutls_fips140_push_context(gnutls_fips140_context_t context); - int gnutls_fips140_pop_context(void); - -+int gnutls_fips140_run_self_tests(void); -+ - /* Gnutls error codes. The mapping to a TLS alert is also shown in - * comments. - */ -diff --git a/lib/libgnutls.map b/lib/libgnutls.map -index 0241946c8a..f42d5f9fae 100644 ---- a/lib/libgnutls.map -+++ b/lib/libgnutls.map -@@ -1399,6 +1399,14 @@ GNUTLS_3_7_5 - *; - } GNUTLS_3_7_4; - -+GNUTLS_3_7_7 -+{ -+ global: -+ gnutls_fips140_run_self_tests; -+ local: -+ *; -+} GNUTLS_3_7_5; -+ - GNUTLS_FIPS140_3_4 { - global: - gnutls_cipher_self_test; -diff --git a/tests/fips-test.c b/tests/fips-test.c -index a6a283fa67..31a5e26111 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -525,6 +525,13 @@ void doit(void) - } - - gnutls_fips140_context_deinit(fips_context); -+ -+ /* run self-tests manually */ -+ ret = gnutls_fips140_run_self_tests(); -+ if (ret < 0) { -+ fail("gnutls_fips140_run_self_tests failed\n"); -+ } -+ - gnutls_global_deinit(); - return; - } --- -2.36.1 - -From 354027c0c09db60d3083fa48ae791046d336957b Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Tue, 28 Jun 2022 17:22:36 +0200 -Subject: [PATCH] tests/fips-test: minor extension - -Signed-off-by: Alexander Sosedkin ---- - tests/fips-test.c | 36 +++++++++++++++++++++++++++--------- - 1 file changed, 27 insertions(+), 9 deletions(-) - -diff --git a/tests/fips-test.c b/tests/fips-test.c -index 31a5e26111..f9bd34586a 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -427,34 +427,43 @@ void doit(void) - rsa_import_keypair(&privkey, &pubkey, "rsa-2432.pem"); - FIPS_POP_CONTEXT(INITIAL); - -- /* Create a signature with SHA256; approved */ -+ /* Create a signature with 2432-bit RSA and SHA256; approved */ - FIPS_PUSH_CONTEXT(); - ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, - &data, &signature); - if (ret < 0) { - fail("gnutls_privkey_sign_data failed\n"); - } -- gnutls_free(signature.data); - FIPS_POP_CONTEXT(APPROVED); - -- /* Create a signature with SHA-1; not approved */ -+ /* Verify a signature with 2432-bit RSA and SHA256; approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ gnutls_free(signature.data); -+ -+ /* Create a signature with 2432-bit RSA and SHA-1; not approved */ - FIPS_PUSH_CONTEXT(); - ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, - &data, &signature); - if (ret < 0) { - fail("gnutls_privkey_sign_data failed\n"); - } -- gnutls_free(signature.data); - FIPS_POP_CONTEXT(NOT_APPROVED); - -- /* Verify a signature created with SHA-1; approved */ -+ /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ - FIPS_PUSH_CONTEXT(); -- ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, -- &rsa2342_sha1_sig); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, -+ &data, &rsa2342_sha1_sig); - if (ret < 0) { - fail("gnutls_pubkey_verify_data2 failed\n"); - } - FIPS_POP_CONTEXT(APPROVED); -+ gnutls_free(signature.data); - gnutls_pubkey_deinit(pubkey); - gnutls_privkey_deinit(privkey); - -@@ -463,15 +472,24 @@ void doit(void) - rsa_import_keypair(&privkey, &pubkey, "rsa-512.pem"); - FIPS_POP_CONTEXT(INITIAL); - -- /* Create a signature; not approved */ -+ /* Create a signature with 512-bit RSA and SHA256; not approved */ - FIPS_PUSH_CONTEXT(); - ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, - &data, &signature); - if (ret < 0) { - fail("gnutls_privkey_sign_data failed\n"); - } -- gnutls_free(signature.data); - FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ /* Verify a signature with 512-bit RSA and SHA256; not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0, -+ &data, &signature); -+ if (ret < 0) { -+ fail("gnutls_pubkey_verify_data2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ gnutls_free(signature.data); - gnutls_pubkey_deinit(pubkey); - gnutls_privkey_deinit(privkey); - --- -2.37.3 - -From 5a745120148861d873f47c1428c8c6dcadcf109b Mon Sep 17 00:00:00 2001 -From: Richard Costa -Date: Sat, 9 Jul 2022 00:50:21 +0000 -Subject: [PATCH] Add self-test code inside a FIPS context - -Self-test code exercise lots of different FIPS-related code with -side-effects. So, in order to prevent it from losing information when -executing inside another context, we create an appropriated one. - -If the self-test fails, then the library is placed in error state, so it -doesn't matter for other contexts. - -Signed-off-by: Richard Maciel Costa ---- - lib/fips.c | 19 +++++++++++++++++++ - tests/fips-test.c | 20 ++++++++++++-------- - 2 files changed, 31 insertions(+), 8 deletions(-) - -diff --git a/lib/fips.c b/lib/fips.c -index 31a52a990f..7d143e608e 100644 ---- a/lib/fips.c -+++ b/lib/fips.c -@@ -902,6 +902,16 @@ gnutls_fips140_run_self_tests(void) - #ifdef ENABLE_FIPS140 - int ret; - unsigned prev_lib_state; -+ gnutls_fips140_context_t fips_context = NULL; -+ -+ /* Save the FIPS context, because self tests change it */ -+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) { -+ if (gnutls_fips140_context_init(&fips_context) < 0 || -+ gnutls_fips140_push_context(fips_context) < 0) { -+ gnutls_fips140_context_deinit(fips_context); -+ fips_context = NULL; -+ } -+ } - - /* Temporarily switch to LIB_STATE_SELFTEST as some of the - * algorithms are implemented using special constructs in -@@ -918,6 +928,15 @@ gnutls_fips140_run_self_tests(void) - /* Restore the previous library state */ - _gnutls_switch_lib_state(prev_lib_state); - } -+ -+ /* Restore the previous FIPS context */ -+ if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED && fips_context) { -+ if (gnutls_fips140_pop_context() < 0) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ _gnutls_audit_log(NULL, "FIPS140-2 context restoration failed\n"); -+ } -+ gnutls_fips140_context_deinit(fips_context); -+ } - return ret; - #else - return 0; -diff --git a/tests/fips-test.c b/tests/fips-test.c -index f9bd34586a..475b739197 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -457,8 +457,9 @@ void doit(void) - - /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ - FIPS_PUSH_CONTEXT(); -- ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, -- &data, &rsa2342_sha1_sig); -+ ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, -+ GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data, -+ &rsa2342_sha1_sig); - if (ret < 0) { - fail("gnutls_pubkey_verify_data2 failed\n"); - } -@@ -501,6 +502,15 @@ void doit(void) - } - FIPS_POP_CONTEXT(APPROVED); - -+ /* run self-tests manually */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_rnd(GNUTLS_RND_RANDOM, key16, sizeof(key16)); -+ ret = gnutls_fips140_run_self_tests(); -+ if (ret < 0) { -+ fail("gnutls_fips140_run_self_tests failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ - /* Test when FIPS140 is set to error state */ - _gnutls_lib_simulate_error(); - -@@ -544,12 +554,6 @@ void doit(void) - - gnutls_fips140_context_deinit(fips_context); - -- /* run self-tests manually */ -- ret = gnutls_fips140_run_self_tests(); -- if (ret < 0) { -- fail("gnutls_fips140_run_self_tests failed\n"); -- } -- - gnutls_global_deinit(); - return; - } --- -2.37.3 - diff --git a/gnutls-3.7.6-fips-service-indicator-test-functions.patch b/gnutls-3.7.6-fips-service-indicator-test-functions.patch deleted file mode 100644 index 99bd913..0000000 --- a/gnutls-3.7.6-fips-service-indicator-test-functions.patch +++ /dev/null @@ -1,407 +0,0 @@ -From e8b35d31817d207d8b4b87ccf104d3b93aa446e0 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 17 Oct 2022 11:11:43 +0900 -Subject: [PATCH] tests: move FIPS service indicator functions to common file - -Signed-off-by: Daiki Ueno ---- - tests/dh-compute.c | 36 +++++--------------------- - tests/fips-rsa-sizes.c | 24 ----------------- - tests/fips-test.c | 27 +++----------------- - tests/kdf-api.c | 27 +------------------- - tests/pkcs12_encode.c | 24 ----------------- - tests/privkey-keygen.c | 24 ----------------- - tests/utils.h | 58 ++++++++++++++++++++++++++++++++++++++++++ - 7 files changed, 69 insertions(+), 151 deletions(-) - -diff --git a/tests/dh-compute.c b/tests/dh-compute.c -index 828fb05e9c..6c1d5328f6 100644 ---- a/tests/dh-compute.c -+++ b/tests/dh-compute.c -@@ -156,34 +156,10 @@ void doit(void) - { NULL } - }; - --#define FIPS_PUSH_CONTEXT() do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != state) { \ -- fail("operation state is not %d (%d)\n", \ -- state, fips_state); \ -- } \ -- } \ --} while (0) -- - for (int i = 0; test_data[i].name != NULL; i++) { - gnutls_datum_t priv_key, pub_key; - gnutls_dh_params_t dh_params; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - int ret; - - if (gnutls_fips140_mode_enabled()) { -@@ -193,24 +169,24 @@ void doit(void) - } - } - -- FIPS_PUSH_CONTEXT(); -+ fips_push_context(fips_context); - params(&dh_params, &test_data[i].prime, &test_data[i].q, - &test_data[i].generator); -- FIPS_POP_CONTEXT(GNUTLS_FIPS140_OP_INITIAL); -+ fips_pop_context(fips_context, GNUTLS_FIPS140_OP_INITIAL); - - success("%s genkey\n", test_data[i].name); - -- FIPS_PUSH_CONTEXT(); -+ fips_push_context(fips_context); - genkey(dh_params, &priv_key, &pub_key); -- FIPS_POP_CONTEXT(test_data[i].fips_state_genkey); -+ fips_pop_context(fips_context, test_data[i].fips_state_genkey); - - success("%s compute_key\n", test_data[i].name); - -- FIPS_PUSH_CONTEXT(); -+ fips_push_context(fips_context); - compute_key(test_data[i].name, dh_params, &priv_key, - &pub_key, &test_data[i].peer_key, - test_data[i].expected_error, NULL, 0); -- FIPS_POP_CONTEXT(test_data[i].fips_state_compute_key); -+ fips_pop_context(fips_context, test_data[i].fips_state_compute_key); - - gnutls_dh_params_deinit(dh_params); - gnutls_free(priv_key.data); -diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c -index 84b9affabb..5feb284503 100644 ---- a/tests/fips-rsa-sizes.c -+++ b/tests/fips-rsa-sizes.c -@@ -27,25 +27,6 @@ - #include - #include - --#define FIPS_PUSH_CONTEXT() do { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -- fail("operation state is not " # state " (%d)\n", \ -- fips_state); \ -- } \ --} while (0) -- - - void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, - unsigned int size); -@@ -63,7 +44,6 @@ void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, - int ret; - gnutls_x509_privkey_t xprivkey; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - assert(gnutls_fips140_context_init(&fips_context) == 0); - - fprintf(stderr, "%d-bit\n", size); -@@ -102,7 +82,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, - int ret; - gnutls_x509_privkey_t xprivkey; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - assert(gnutls_fips140_context_init(&fips_context) == 0); - - fprintf(stderr, "%d-bit\n", size); -@@ -156,7 +135,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, - void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { - int ret; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - - gnutls_datum_t signature; - gnutls_datum_t plaintext = { -@@ -190,7 +168,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, - gnutls_pubkey_t pubkey) { - int ret; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - - gnutls_datum_t signature; - gnutls_datum_t plaintext = { -@@ -225,7 +202,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, - void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { - int ret; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - - gnutls_datum_t signature; - gnutls_datum_t plaintext = { -diff --git a/tests/fips-test.c b/tests/fips-test.c -index f789afb107..b0bae4ef9f 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -12,25 +12,6 @@ - /* This does check the FIPS140 support. - */ - --#define FIPS_PUSH_CONTEXT() do { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -- fail("operation state is not " # state " (%d)\n", \ -- fips_state); \ -- } \ --} while (0) -- - void _gnutls_lib_simulate_error(void); - - static void tls_log_func(int level, const char *str) -@@ -40,10 +21,9 @@ static void tls_log_func(int level, const char *str) - - static uint8_t key16[16]; - static uint8_t iv16[16]; --uint8_t key_data[64]; --uint8_t iv_data[16]; --gnutls_fips140_context_t fips_context; --gnutls_fips140_operation_state_t fips_state; -+static uint8_t key_data[64]; -+static uint8_t iv_data[16]; -+static gnutls_fips140_context_t fips_context; - - static const gnutls_datum_t data = { .data = (unsigned char *)"foo", 3 }; - static const uint8_t rsa2342_sha1_sig_data[] = { -@@ -276,6 +256,7 @@ test_ciphers(void) - void doit(void) - { - int ret; -+ gnutls_fips140_operation_state_t fips_state; - unsigned int mode; - gnutls_cipher_hd_t ch; - gnutls_hmac_hd_t mh; -diff --git a/tests/kdf-api.c b/tests/kdf-api.c -index 9724502005..a28ce82a62 100644 ---- a/tests/kdf-api.c -+++ b/tests/kdf-api.c -@@ -33,30 +33,7 @@ - #define MAX_BUF 1024 - - static gnutls_fips140_context_t fips_context; --static gnutls_fips140_operation_state_t fips_state; -- --#define FIPS_PUSH_CONTEXT() do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -- fail("operation state is not " # state " (%d)\n", \ -- fips_state); \ -- } \ -- } \ --} while (0) -+ - - static void - test_hkdf(gnutls_mac_algorithm_t mac, -@@ -74,7 +51,6 @@ test_hkdf(gnutls_mac_algorithm_t mac, - gnutls_datum_t prk; - gnutls_datum_t okm; - uint8_t buf[MAX_BUF]; -- int ret; - - success("HKDF test with %s\n", gnutls_mac_get_name(mac)); - -@@ -144,7 +120,6 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, - gnutls_datum_t salt; - gnutls_datum_t okm; - uint8_t buf[MAX_BUF]; -- int ret; - - success("PBKDF2 test with %s\n", gnutls_mac_get_name(mac)); - -diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c -index ea39f3d69e..dc55daccde 100644 ---- a/tests/pkcs12_encode.c -+++ b/tests/pkcs12_encode.c -@@ -70,29 +70,6 @@ static void tls_log_func(int level, const char *str) - fprintf(stderr, "|<%d>| %s", level, str); - } - --#define FIPS_PUSH_CONTEXT() do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -- fail("operation state is not " # state " (%d)\n", \ -- fips_state); \ -- } \ -- } \ --} while (0) -- - void doit(void) - { - gnutls_pkcs12_t pkcs12; -@@ -106,7 +83,6 @@ void doit(void) - size_t size; - unsigned i; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; - size_t n_tests = 0; - struct tests { - const char *name; -diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c -index 2766afee08..2531906d71 100644 ---- a/tests/privkey-keygen.c -+++ b/tests/privkey-keygen.c -@@ -119,30 +119,6 @@ void doit(void) - gnutls_x509_privkey_t pkey, dst; - int ret, algorithm, i; - gnutls_fips140_context_t fips_context; -- gnutls_fips140_operation_state_t fips_state; -- --#define FIPS_PUSH_CONTEXT() do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_push_context(fips_context); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_push_context failed\n"); \ -- } \ -- } \ --} while (0) -- --#define FIPS_POP_CONTEXT(state) do { \ -- if (gnutls_fips140_mode_enabled()) { \ -- ret = gnutls_fips140_pop_context(); \ -- if (ret < 0) { \ -- fail("gnutls_fips140_context_pop failed\n"); \ -- } \ -- fips_state = gnutls_fips140_get_operation_state(fips_context); \ -- if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ -- fail("operation state is not " # state " (%d)\n", \ -- fips_state); \ -- } \ -- } \ --} while (0) - - ret = global_init(); - if (ret < 0) -diff --git a/tests/utils.h b/tests/utils.h -index d3a2ba8d16..4433a07057 100644 ---- a/tests/utils.h -+++ b/tests/utils.h -@@ -210,4 +210,62 @@ inline static unsigned int get_dtls_retransmit_timeout(void) { - return (unsigned int) ul; - } - -+static inline const char * -+fips_operation_state_to_string(gnutls_fips140_operation_state_t state) -+{ -+ switch (state) { -+ case GNUTLS_FIPS140_OP_INITIAL: -+ return "INITIAL"; -+ case GNUTLS_FIPS140_OP_APPROVED: -+ return "APPROVED"; -+ case GNUTLS_FIPS140_OP_NOT_APPROVED: -+ return "NOT_APPROVED"; -+ case GNUTLS_FIPS140_OP_ERROR: -+ return "ERROR"; -+ default: -+ /*NOTREACHED*/ -+ assert(0); -+ return NULL; -+ } -+} -+ -+static inline void -+fips_push_context(gnutls_fips140_context_t context) -+{ -+ if (gnutls_fips140_mode_enabled()) { -+ int ret; -+ -+ ret = gnutls_fips140_push_context(context); -+ if (ret < 0) { -+ fail("gnutls_fips140_push_context failed\n"); -+ } -+ } -+} -+ -+static inline void -+fips_pop_context(gnutls_fips140_context_t context, -+ gnutls_fips140_operation_state_t expected_state) -+{ -+ gnutls_fips140_operation_state_t state; -+ -+ if (gnutls_fips140_mode_enabled()) { -+ int ret; -+ -+ ret = gnutls_fips140_pop_context(); -+ if (ret < 0) { -+ fail("gnutls_fips140_context_pop failed\n"); -+ } -+ state = gnutls_fips140_get_operation_state(context); -+ if (state != expected_state) { -+ fail("operation state is not %s (%s)\n", -+ fips_operation_state_to_string(expected_state), -+ fips_operation_state_to_string(state)); -+ } -+ } -+} -+ -+/* To use those convenient macros, define fips_context variable. */ -+#define FIPS_PUSH_CONTEXT() fips_push_context(fips_context) -+#define FIPS_POP_CONTEXT(state) fips_pop_context(fips_context, GNUTLS_FIPS140_OP_ ## state) -+ - #endif /* GNUTLS_TESTS_UTILS_H */ --- -2.38.1 - diff --git a/gnutls-3.7.6-fips-sha1-sigver.patch b/gnutls-3.7.6-fips-sha1-sigver.patch index e5ba62a..e71b739 100644 --- a/gnutls-3.7.6-fips-sha1-sigver.patch +++ b/gnutls-3.7.6-fips-sha1-sigver.patch @@ -1,9 +1,9 @@ -From 00f62aac690ba55650c58fa125a3806a8a684214 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sat, 29 Jul 2023 13:21:37 +0900 -Subject: [PATCH] nettle: mark SHA-1 signature verification non-approved +From cc7473a9ea185e072ab1bae0903c77bd7d7cf5bc Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 20 Nov 2023 07:45:42 +0900 +Subject: [PATCH] gnutls-3.7.6-fips-sha1-sigver.patch -Signed-off-by: Daiki Ueno +Signed-off-by: rpm-build --- lib/nettle/pk.c | 13 +++++-------- lib/pubkey.c | 3 --- @@ -11,21 +11,21 @@ Signed-off-by: Daiki Ueno 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index c098e2aa45..f0b8b6d707 100644 +index 4ddfcff..36a7c24 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c -@@ -1575,10 +1575,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - if (hash_len > vdata->size) - hash_len = vdata->size; +@@ -1609,10 +1609,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, + if (hash_len > vdata->size) + hash_len = vdata->size; -- /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy +- /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy - * mode */ - switch (DIG_TO_MAC(sign_params->dsa_dig)) { -- case GNUTLS_MAC_SHA1: - case GNUTLS_MAC_SHA256: - case GNUTLS_MAC_SHA384: - case GNUTLS_MAC_SHA512: -@@ -1656,8 +1653,8 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, + switch (DIG_TO_MAC(sign_params->dsa_dig)) { +- case GNUTLS_MAC_SHA1: + case GNUTLS_MAC_SHA256: + case GNUTLS_MAC_SHA384: + case GNUTLS_MAC_SHA512: +@@ -1683,8 +1680,8 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, * 2048-bit or one of the known lengths (1024, 1280, * 1536, 1792; i.e., multiple of 256-bits). * @@ -35,11 +35,11 @@ index c098e2aa45..f0b8b6d707 100644 + * SigVer; it is checked in _pkcs1_rsa_verify_sig in * lib/pubkey.c. */ - if (unlikely(bits < 2048 && -@@ -1709,9 +1706,9 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, - } + if (unlikely(bits < 2048 && bits != 1024 && bits != 1280 && +@@ -1730,9 +1727,9 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, + } - /* RSA modulus size should be 2048-bit or larger in FIPS + /* RSA modulus size should be 2048-bit or larger in FIPS - * 140-3. In addition to this, only SHA-1 and SHA-2 are - * allowed for SigVer, while Nettle only supports - * SHA256, SHA384, and SHA512 for RSA-PSS (see @@ -48,12 +48,12 @@ index c098e2aa45..f0b8b6d707 100644 + * SHA384, and SHA512 for RSA-PSS (see * _rsa_pss_verify_digest in this file for the details). */ - if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { + if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) { diff --git a/lib/pubkey.c b/lib/pubkey.c -index be1b045fa7..052707d5da 100644 +index 1139ad9..714806a 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c -@@ -2370,10 +2370,7 @@ _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk, +@@ -2452,10 +2452,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk, d.size = digest_size; if (pk == GNUTLS_PK_RSA) { @@ -65,10 +65,10 @@ index be1b045fa7..052707d5da 100644 case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512: diff --git a/tests/fips-test.c b/tests/fips-test.c -index f789afb107..3549b727b9 100644 +index 180da05..09120c1 100644 --- a/tests/fips-test.c +++ b/tests/fips-test.c -@@ -471,7 +471,7 @@ void doit(void) +@@ -596,7 +596,7 @@ void doit(void) } FIPS_POP_CONTEXT(NOT_APPROVED); @@ -76,8 +76,8 @@ index f789afb107..3549b727b9 100644 + /* Verify a signature created with 2432-bit RSA and SHA-1; not approved */ FIPS_PUSH_CONTEXT(); ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, - GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data, -@@ -479,7 +479,7 @@ void doit(void) + GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, +@@ -604,7 +604,7 @@ void doit(void) if (ret < 0) { fail("gnutls_pubkey_verify_data2 failed\n"); } @@ -86,7 +86,7 @@ index f789afb107..3549b727b9 100644 gnutls_free(signature.data); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(privkey); -@@ -583,7 +583,7 @@ void doit(void) +@@ -708,7 +708,7 @@ void doit(void) } FIPS_POP_CONTEXT(NOT_APPROVED); @@ -94,8 +94,8 @@ index f789afb107..3549b727b9 100644 + /* Verify a signature created with ECDSA and SHA-1; not approved */ FIPS_PUSH_CONTEXT(); ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1, - GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data, -@@ -591,7 +591,7 @@ void doit(void) + GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, +@@ -716,7 +716,7 @@ void doit(void) if (ret < 0) { fail("gnutls_pubkey_verify_data2 failed\n"); } diff --git a/gnutls-3.7.6-fips-symkey-limit.patch b/gnutls-3.7.6-fips-symkey-limit.patch deleted file mode 100644 index f9c7952..0000000 --- a/gnutls-3.7.6-fips-symkey-limit.patch +++ /dev/null @@ -1,310 +0,0 @@ -From f8a8961cfa176fc74c153cb6e1e68aff5e2d42f2 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 27 Sep 2022 10:52:19 +0900 -Subject: [PATCH] gnutls-3.7.6-fips-symkey-limit.patch - ---- - lib/crypto-api.c | 26 ++++++++++++++++++++++--- - tests/fips-test.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++ - tests/kdf-api.c | 9 ++++++++- - 3 files changed, 80 insertions(+), 4 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index b3e1eec..35200fb 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -896,6 +896,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls_hash_hd_t handle) - int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size) - { - int ret; -+ bool not_approved = false; - - FAIL_IF_LIB_ERROR; - -@@ -912,17 +913,31 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size) - key->data = gnutls_malloc(key->size); - if (!key->data) { - gnutls_assert(); -- return GNUTLS_E_MEMORY_ERROR; -+ ret = GNUTLS_E_MEMORY_ERROR; -+ goto error; -+ } -+ -+ /* Key lengths of less than 112 bits are not approved */ -+ if (key_size < 14) { -+ not_approved = true; - } - - ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(key); -- return ret; -+ goto error; - } - -- return 0; -+ error: -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else if (not_approved) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); -+ } else { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED); -+ } -+ return ret; - } - - /* AEAD API */ -@@ -2058,6 +2073,11 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac, - not_approved = true; - } - -+ /* Key lengths and output sizes of less than 112 bits are not approved */ -+ if (key->size < 14 || length < 14) { -+ not_approved = true; -+ } -+ - ret = _gnutls_kdf_ops.pbkdf2(mac, key->data, key->size, - salt->data, salt->size, iter_count, - output, length); -diff --git a/tests/fips-test.c b/tests/fips-test.c -index 31a5e26..27da414 100644 ---- a/tests/fips-test.c -+++ b/tests/fips-test.c -@@ -274,6 +274,8 @@ void doit(void) - gnutls_datum_t signature; - unsigned int bits; - uint8_t hmac[64]; -+ uint8_t pbkdf2[64]; -+ gnutls_datum_t temp_key = { NULL, 0 }; - - fprintf(stderr, - "Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n"); -@@ -371,11 +373,58 @@ void doit(void) - } - FIPS_POP_CONTEXT(NOT_APPROVED); - -+ /* PBKDF2 with key equal to or longer than 112 bits: approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, -+ &pbkdf2, sizeof(pbkdf2)); -+ if (ret < 0) { -+ fail("gnutls_pbkdf2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ /* PBKDF2 with key shorter than 112 bits: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ key.size = 13; -+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, -+ &pbkdf2, sizeof(pbkdf2)); -+ if (ret < 0) { -+ fail("gnutls_pbkdf2 failed\n"); -+ } -+ key.size = sizeof(key16); -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ -+ /* PBKDF2 with output shorter than 112 bits: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100, -+ &pbkdf2, 13); -+ if (ret < 0) { -+ fail("gnutls_pbkdf2 failed\n"); -+ } -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ - ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16)); - if (ret < 0) { - fail("gnutls_rnd failed\n"); - } - -+ /* Symmetric key generation equal to or longer than 112 bits: approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_key_generate(&temp_key, 14); -+ if (ret < 0) { -+ fail("gnutls_key_generate failed\n"); -+ } -+ gnutls_free(temp_key.data); -+ FIPS_POP_CONTEXT(APPROVED); -+ -+ /* Symmetric key generation shorter than 112 bits: not approved */ -+ FIPS_PUSH_CONTEXT(); -+ ret = gnutls_key_generate(&temp_key, 13); -+ if (ret < 0) { -+ fail("gnutls_key_generate failed\n"); -+ } -+ gnutls_free(temp_key.data); -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ - ret = gnutls_pubkey_init(&pubkey); - if (ret < 0) { - fail("gnutls_pubkey_init failed\n"); -diff --git a/tests/kdf-api.c b/tests/kdf-api.c -index 25fbc6a..8a4677c 100644 ---- a/tests/kdf-api.c -+++ b/tests/kdf-api.c -@@ -89,6 +89,7 @@ test_hkdf(gnutls_mac_algorithm_t mac, - - FIPS_PUSH_CONTEXT(); - assert(gnutls_hkdf_extract(mac, &ikm, &salt, buf) >= 0); -+ /* HKDF outside of TLS usage is not approved */ - FIPS_POP_CONTEXT(NOT_APPROVED); - gnutls_free(ikm.data); - gnutls_free(salt.data); -@@ -110,6 +111,7 @@ test_hkdf(gnutls_mac_algorithm_t mac, - - FIPS_PUSH_CONTEXT(); - assert(gnutls_hkdf_expand(mac, &prk, &info, buf, length) >= 0); -+ /* HKDF outside of TLS usage is not approved */ - FIPS_POP_CONTEXT(NOT_APPROVED); - gnutls_free(info.data); - -@@ -151,7 +153,12 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, - - FIPS_PUSH_CONTEXT(); - assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0); -- FIPS_POP_CONTEXT(APPROVED); -+ /* Key sizes and output sizes less than 112-bit are not approved. */ -+ if (ikm.size < 14 || length < 14) { -+ FIPS_POP_CONTEXT(NOT_APPROVED); -+ } else { -+ FIPS_POP_CONTEXT(APPROVED); -+ } - gnutls_free(ikm.data); - gnutls_free(salt.data); - --- -2.37.3 - -From 86eded166f77612c70201c0d85d3abe711edd77d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 29 Sep 2022 21:19:26 +0900 -Subject: [PATCH] fips: only mark HMAC as approved in PBKDF2 - -As ACVP only allows HMAC used with PBKDF2[1], this change marks other -hash algorithms not-approved. - -1. https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 5 ++++- - lib/fips.h | 16 +++++++++++++++- - tests/kdf-api.c | 30 +++++++++++++++++++++++++++++- - 3 files changed, 48 insertions(+), 3 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index d3e601ab3a..9f7e18db11 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -2229,7 +2229,10 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac, - if (!is_mac_algo_allowed(mac)) { - _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); - return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); -- } else if (!is_mac_algo_approved_in_fips(mac)) { -+ } else if (!is_mac_algo_hmac_approved_in_fips(mac)) { -+ /* ACVP only allows HMAC used with PBKDF2: -+ * https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html -+ */ - not_approved = true; - } - -diff --git a/lib/fips.h b/lib/fips.h -index 3a74f254e7..bf61b36741 100644 ---- a/lib/fips.h -+++ b/lib/fips.h -@@ -76,7 +76,7 @@ void _gnutls_lib_simulate_error(void); - void _gnutls_lib_force_operational(void); - - inline static bool --is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo) -+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo) - { - switch (algo) { - case GNUTLS_MAC_SHA1: -@@ -88,6 +88,20 @@ is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo) - case GNUTLS_MAC_SHA3_256: - case GNUTLS_MAC_SHA3_384: - case GNUTLS_MAC_SHA3_512: -+ return true; -+ default: -+ return false; -+ } -+} -+ -+inline static bool -+is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo) -+{ -+ if (is_mac_algo_hmac_approved_in_fips(algo)) { -+ return true; -+ } -+ -+ switch (algo) { - case GNUTLS_MAC_AES_CMAC_128: - case GNUTLS_MAC_AES_CMAC_256: - case GNUTLS_MAC_AES_GMAC_128: -diff --git a/tests/kdf-api.c b/tests/kdf-api.c -index 577cbf7a17..4feb22688b 100644 ---- a/tests/kdf-api.c -+++ b/tests/kdf-api.c -@@ -26,6 +26,7 @@ - #include - - #include -+#include - #include - - #include "utils.h" -@@ -133,6 +134,25 @@ test_hkdf(gnutls_mac_algorithm_t mac, - gnutls_free(hex.data); - } - -+inline static bool -+is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo) -+{ -+ switch (algo) { -+ case GNUTLS_MAC_SHA1: -+ case GNUTLS_MAC_SHA256: -+ case GNUTLS_MAC_SHA384: -+ case GNUTLS_MAC_SHA512: -+ case GNUTLS_MAC_SHA224: -+ case GNUTLS_MAC_SHA3_224: -+ case GNUTLS_MAC_SHA3_256: -+ case GNUTLS_MAC_SHA3_384: -+ case GNUTLS_MAC_SHA3_512: -+ return true; -+ default: -+ return false; -+ } -+} -+ - static void - test_pbkdf2(gnutls_mac_algorithm_t mac, - const char *ikm_hex, -@@ -161,7 +181,8 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, - FIPS_PUSH_CONTEXT(); - assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0); - /* Key sizes and output sizes less than 112-bit are not approved. */ -- if (ikm.size < 14 || length < 14) { -+ if (ikm.size < 14 || length < 14 || -+ !is_mac_algo_hmac_approved_in_fips(mac)) { - FIPS_POP_CONTEXT(NOT_APPROVED); - } else { - FIPS_POP_CONTEXT(APPROVED); -@@ -208,5 +229,12 @@ doit(void) - 20, - "4b007901b765489abead49d926f721d065a429c1"); - -+ test_pbkdf2(GNUTLS_MAC_AES_CMAC_128, -+ "70617373776f726470617373776f7264", /* "passwordpassword" */ -+ "73616c74", /* "salt" */ -+ 4096, -+ 20, -+ "c4c112c6e1e3b8757640603dec78825ff87605a7"); -+ - gnutls_fips140_context_deinit(fips_context); - } --- -2.37.3 - diff --git a/gnutls-3.7.6-gmp-static.patch b/gnutls-3.7.6-gmp-static.patch index df74247..0b94c8d 100644 --- a/gnutls-3.7.6-gmp-static.patch +++ b/gnutls-3.7.6-gmp-static.patch @@ -1,3 +1,4 @@ +From 3c931abeb7e9bbf744cde83fbaaf3bb011107834 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 19 Aug 2022 12:32:27 +0900 Subject: [PATCH] build: allow GMP to be statically linked @@ -16,11 +17,18 @@ and libhogweed in Nettle is also linked to the static library of GMP. Signed-off-by: Daiki Ueno --- -diff --color -ruNp a/configure.ac b/configure.ac ---- a/configure.ac 2022-12-15 11:06:16.782726043 +0100 -+++ b/configure.ac 2022-12-15 11:08:35.603451427 +0100 -@@ -744,6 +744,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_up - LIBS=$save_LIBS + configure.ac | 14 +++++++++++++- + lib/fips.c | 18 +++++++++++++++++- + lib/fipshmac.c | 2 ++ + lib/global.c | 2 ++ + 4 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index f81d93edc0..b38583c554 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -786,6 +786,8 @@ LIBS=$save_LIBS + AM_CONDITIONAL([NEED_SIV_GCM], [test "$ac_cv_func_nettle_siv_gcm_encrypt_message" != yes]) # Check sonames of the linked libraries needed for FIPS selftests. +save_CFLAGS=$CFLAGS @@ -28,7 +36,7 @@ diff --color -ruNp a/configure.ac b/configure.ac save_LIBS=$LIBS LIBS="$LIBS $GMP_LIBS" AC_MSG_CHECKING([gmp soname]) -@@ -757,9 +759,14 @@ if test -z "$gmp_so"; then +@@ -799,9 +801,14 @@ if test -z "$gmp_so"; then gmp_so=none fi AC_MSG_RESULT($gmp_so) @@ -44,7 +52,7 @@ diff --color -ruNp a/configure.ac b/configure.ac save_LIBS=$LIBS LIBS="$LIBS $NETTLE_LIBS" AC_MSG_CHECKING([nettle soname]) -@@ -775,7 +782,11 @@ fi +@@ -817,7 +824,11 @@ fi AC_MSG_RESULT($nettle_so) AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library]) LIBS=$save_LIBS @@ -56,7 +64,7 @@ diff --color -ruNp a/configure.ac b/configure.ac save_LIBS=$LIBS LIBS="$LIBS $HOGWEED_LIBS" AC_MSG_CHECKING([hogweed soname]) -@@ -791,6 +802,7 @@ fi +@@ -833,6 +844,7 @@ fi AC_MSG_RESULT($hogweed_so) AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library]) LIBS=$save_LIBS @@ -64,22 +72,23 @@ diff --color -ruNp a/configure.ac b/configure.ac gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"` AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library]) -diff --color -ruNp a/lib/fips.c b/lib/fips.c ---- a/lib/fips.c 2022-12-15 11:06:16.868727731 +0100 -+++ b/lib/fips.c 2022-12-15 11:12:42.744303409 +0100 -@@ -155,7 +155,11 @@ void _gnutls_fips_mode_reset_zombie(void +diff --git a/lib/fips.c b/lib/fips.c +index e337221267..c1859709da 100644 +--- a/lib/fips.c ++++ b/lib/fips.c +@@ -157,7 +157,11 @@ void _gnutls_fips_mode_reset_zombie(void) #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME + -+/* GMP can be statically linked */ ++/* GMP can be statically linked. */ +#ifdef GMP_LIBRARY_SONAME #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME +#endif #define HMAC_SIZE 32 #define HMAC_ALGO GNUTLS_MAC_SHA256 -@@ -173,7 +177,9 @@ struct hmac_file +@@ -173,14 +177,18 @@ struct hmac_file { struct hmac_entry gnutls; struct hmac_entry nettle; struct hmac_entry hogweed; @@ -88,8 +97,7 @@ diff --color -ruNp a/lib/fips.c b/lib/fips.c +#endif }; - struct lib_paths -@@ -181,7 +187,9 @@ struct lib_paths + struct lib_paths { char gnutls[GNUTLS_PATH_MAX]; char nettle[GNUTLS_PATH_MAX]; char hogweed[GNUTLS_PATH_MAX]; @@ -99,7 +107,7 @@ diff --color -ruNp a/lib/fips.c b/lib/fips.c }; /* -@@ -245,8 +253,10 @@ static int handler(void *user, const cha +@@ -244,8 +252,10 @@ static int handler(void *user, const char *section, const char *name, return lib_handler(&p->nettle, section, name, value); } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) { return lib_handler(&p->hogweed, section, name, value); @@ -110,7 +118,7 @@ diff --color -ruNp a/lib/fips.c b/lib/fips.c } else { return 0; } -@@ -389,8 +399,10 @@ static int callback(struct dl_phdr_info +@@ -393,8 +403,10 @@ static int callback(struct dl_phdr_info *info, size_t size, void *data) _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); @@ -121,7 +129,7 @@ diff --color -ruNp a/lib/fips.c b/lib/fips.c return 0; } -@@ -411,10 +423,12 @@ static int load_lib_paths(struct lib_pat +@@ -415,10 +427,12 @@ static int load_lib_paths(struct lib_paths *paths) _gnutls_debug_log("Hogweed library path was not found\n"); return gnutls_assert_val(GNUTLS_E_FILE_ERROR); } @@ -134,22 +142,24 @@ diff --color -ruNp a/lib/fips.c b/lib/fips.c return GNUTLS_E_SUCCESS; } -@@ -467,9 +481,11 @@ static int check_binary_integrity(void) +@@ -471,9 +485,11 @@ static int check_binary_integrity(void) ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); if (ret < 0) return ret; +- ret = check_lib_hmac(&hmac.gmp, paths.gmp); +#ifdef GMP_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.gmp, paths.gmp); ++ ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init"); if (ret < 0) return ret; +#endif return 0; } -diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c ---- a/lib/fipshmac.c 2022-12-15 11:06:16.785726102 +0100 -+++ b/lib/fipshmac.c 2022-12-15 11:13:34.533320156 +0100 -@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info +diff --git a/lib/fipshmac.c b/lib/fipshmac.c +index 51f38f18e5..6a4883a131 100644 +--- a/lib/fipshmac.c ++++ b/lib/fipshmac.c +@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info *info, size_t size, void *data) return print_lib(path, soname); if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) return print_lib(path, soname); @@ -157,13 +167,14 @@ diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c if (!strcmp(soname, GMP_LIBRARY_SONAME)) return print_lib(path, soname); +#endif - return 0; + return 0; } -diff --color -ruNp a/lib/global.c b/lib/global.c ---- a/lib/global.c 2022-12-15 11:06:16.061711888 +0100 -+++ b/lib/global.c 2022-12-15 11:08:35.604451446 +0100 -@@ -540,7 +540,9 @@ static const struct gnutls_library_confi +diff --git a/lib/global.c b/lib/global.c +index 924ec945de..c197fd0e5f 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -564,7 +564,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = { { "libgnutls-soname", GNUTLS_LIBRARY_SONAME }, { "libnettle-soname", NETTLE_LIBRARY_SONAME }, { "libhogweed-soname", HOGWEED_LIBRARY_SONAME }, @@ -172,4 +183,7 @@ diff --color -ruNp a/lib/global.c b/lib/global.c +#endif { "hardware-features", HW_FEATURES }, { "tls-features", TLS_FEATURES }, - { NULL, NULL } + { "default-system-config", SYSTEM_PRIORITY_FILE }, +-- +2.41.0 + diff --git a/gnutls-3.7.6-ktls-disable-by-default.patch b/gnutls-3.7.6-ktls-disable-by-default.patch deleted file mode 100644 index 2a88eb3..0000000 --- a/gnutls-3.7.6-ktls-disable-by-default.patch +++ /dev/null @@ -1,124 +0,0 @@ -From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= - -Date: Tue, 14 Jun 2022 16:16:11 +0200 -Subject: [PATCH] KTLS: disable by default enable by config - -KTLS will be disabled by default when build with `--enable-ktls` to -enable it, use config file option `ktls = true` in [global] section. - -Signed-off-by: Frantisek Krenzelok ---- - doc/cha-config.texi | 18 ++++++++---------- - lib/gnutls_int.h | 2 +- - lib/handshake.c | 2 +- - lib/priority.c | 12 ++++++------ - 4 files changed, 16 insertions(+), 18 deletions(-) - -diff --git a/doc/cha-config.texi b/doc/cha-config.texi -index e550f2e4b1..eaab7fd799 100644 ---- a/doc/cha-config.texi -+++ b/doc/cha-config.texi -@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}. - * Querying for disabled algorithms and protocols:: - * Overriding the parameter verification profile:: - * Overriding the default priority string:: --* Disabling system/acceleration protocols:: -+* Enabling/Disabling system/acceleration protocols:: - @end menu - - @node Application-specific priority strings -@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3 - @end example - - --@node Disabling system/acceleration protocols --@section Disabling system/acceleration protocols --When system/acceleration protocol is enabled during build, it is usually --enabled by default. The following options can overwrite this behavior --system-wide. -+@node Enabling/Disabling system/acceleration protocols -+@section Enabling/Disabling system/acceleration protocols -+The following options can overwrite default behavior of protocols system-wide. - @example - [global] --ktls = false -+ktls = true - - @end example --@subsection Disabling KTLS --When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default. --This can be overwritten by setting @code{ktls = false} in @code{[global]} section. -+@subsection Enabling KTLS -+When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. -+This can be enabled by setting @code{ktls = true} in @code{[global]} section. -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index 872188696b..8c7bdaa1db 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session, - - extern unsigned int _gnutls_global_version; - --bool _gnutls_config_is_ktls_disabled(void); -+bool _gnutls_config_is_ktls_enabled(void); - - #endif /* GNUTLS_LIB_GNUTLS_INT_H */ -diff --git a/lib/handshake.c b/lib/handshake.c -index f3edbbdacb..4dd457bf22 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session) - - session->internals.ktls_enabled = 0; - #ifdef ENABLE_KTLS -- if (_gnutls_config_is_ktls_disabled() == false) -+ if (_gnutls_config_is_ktls_enabled() == true) - _gnutls_ktls_enable(session); - #endif - -diff --git a/lib/priority.c b/lib/priority.c -index 7279c03c88..d163d8169f 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c) - - struct cfg { - bool allowlisting; -- bool ktls_disabled; -+ bool ktls_enabled; - - name_val_array_t priority_strings; - char *priority_string; -@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src) - src->default_priority_string = NULL; - - dst->allowlisting = src->allowlisting; -- dst->ktls_disabled = src->ktls_disabled; -+ dst->ktls_enabled = src->ktls_enabled; - memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); - memcpy(dst->macs, src->macs, sizeof(src->macs)); - memcpy(dst->groups, src->groups, sizeof(src->groups)); -@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, - } - } else if (c_strcasecmp(name, "ktls") == 0) { - p = clear_spaces(value, str); -- if (c_strcasecmp(p, "false") == 0) { -- cfg->ktls_disabled = true; -+ if (c_strcasecmp(p, "true") == 0) { -+ cfg->ktls_enabled = true; - } else { - _gnutls_debug_log("cfg: unknown ktls mode %s\n", - p); -@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags) - return NULL; - } - --bool _gnutls_config_is_ktls_disabled(void){ -- return system_wide_config.ktls_disabled; -+bool _gnutls_config_is_ktls_enabled(void){ -+ return system_wide_config.ktls_enabled; - } --- -2.36.1 - diff --git a/gnutls-3.7.6-ktls-fixes.patch b/gnutls-3.7.6-ktls-fixes.patch deleted file mode 100644 index 2bef420..0000000 --- a/gnutls-3.7.6-ktls-fixes.patch +++ /dev/null @@ -1,348 +0,0 @@ -From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 09:37:22 +0900 -Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test - -Signed-off-by: Daiki Ueno ---- - tests/Makefile.am | 9 +++++---- - tests/gnutls_ktls.c | 4 ++-- - tests/ktls.sh | 46 +++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 53 insertions(+), 6 deletions(-) - create mode 100755 tests/ktls.sh - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 4deeb6462b..cba67e8db8 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself \ - resume-with-record-size-limit - endif - --if ENABLE_KTLS --ctests += gnutls_ktls --endif -- - ctests += record-sendfile - - gc_CPPFLAGS = $(AM_CPPFLAGS) \ -@@ -500,6 +496,11 @@ if ENABLE_TPM2 - dist_check_SCRIPTS += tpm2.sh - endif - -+if ENABLE_KTLS -+indirect_tests += gnutls_ktls -+dist_check_SCRIPTS += ktls.sh -+endif -+ - if !WINDOWS - - # -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index 3966e2b10a..8f9c5fa36e 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -84,7 +84,7 @@ static void client(int fd, const char *prio) - - ret = gnutls_transport_is_ktls_enabled(session); - if (!(ret & GNUTLS_KTLS_RECV)){ -- fail("client: KTLS was not properly inicialized\n"); -+ fail("client: KTLS was not properly initialized\n"); - goto end; - } - -@@ -208,7 +208,7 @@ static void server(int fd, const char *prio) - - ret = gnutls_transport_is_ktls_enabled(session); - if (!(ret & GNUTLS_KTLS_SEND)){ -- fail("server: KTLS was not properly inicialized\n"); -+ fail("server: KTLS was not properly initialized\n"); - goto end; - } - do { -diff --git a/tests/ktls.sh b/tests/ktls.sh -new file mode 100755 -index 0000000000..ba52bd5775 ---- /dev/null -+++ b/tests/ktls.sh -@@ -0,0 +1,46 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Author: Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+ -+. "$srcdir/scripts/common.sh" -+ -+if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then -+ exit 77 -+fi -+ -+testdir=`create_testdir ktls` -+ -+cfg="$testdir/config" -+ -+cat < "$cfg" -+[global] -+ktls = true -+EOF -+ -+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ -+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ -+"$builddir/gnutls_ktls" "$@" -+rc=$? -+ -+rm -rf "$testdir" -+exit $rc --- -2.36.1 - - -From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 10:23:33 +0900 -Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in - gnutls_handshake - -As gnutls_handshake can be repeatedly called upon non-blocking setup, -we shouldn't try to call setsockopt for KTLS upon every call. - -Signed-off-by: Daiki Ueno ---- - lib/handshake.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index 4dd457bf22..3886306eb4 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session) - const version_entry_st *vers = get_version(session); - int ret; - -- session->internals.ktls_enabled = 0; --#ifdef ENABLE_KTLS -- if (_gnutls_config_is_ktls_enabled() == true) -- _gnutls_ktls_enable(session); --#endif -- - if (unlikely(session->internals.initial_negotiation_completed)) { - if (vers->tls13_sem) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { -@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session) - end->tv_nsec = - (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL; - } -+ -+#ifdef ENABLE_KTLS -+ if (_gnutls_config_is_ktls_enabled()) { -+ _gnutls_ktls_enable(session); -+ } -+#endif - } - - if (session->internals.recv_state == RECV_STATE_FALSE_START) { --- -2.36.1 - - -From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 10:53:55 +0900 -Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND - calculation - -Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the -same socket is used for both sending and receiving, GNUTLS_KTLS_SEND -was unconditionally set. This fixes the conditions and also adds more -logging. - -Signed-off-by: Daiki Ueno ---- - lib/system/ktls.c | 21 ++++++++++++++++----- - 1 file changed, 16 insertions(+), 5 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index b9f7a73fb5..ddf27fac76 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -47,7 +47,7 @@ - gnutls_transport_ktls_enable_flags_t - gnutls_transport_is_ktls_enabled(gnutls_session_t session){ - if (unlikely(!session->internals.initial_negotiation_completed)){ -- _gnutls_debug_log("Initial negotiation is not yet complete"); -+ _gnutls_debug_log("Initial negotiation is not yet complete\n"); - return 0; - } - -@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){ - void _gnutls_ktls_enable(gnutls_session_t session) - { - int sockin, sockout; -+ - gnutls_transport_get_int2(session, &sockin, &sockout); - -- if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) -+ if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { - session->internals.ktls_enabled |= GNUTLS_KTLS_RECV; -+ if (sockin == sockout) { -+ session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -+ } -+ } else { -+ _gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n", -+ errno); -+ } - - if (sockin != sockout) { -- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) -+ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { - session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -- } else -- session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -+ } else { -+ _gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n", -+ errno); -+ } -+ } - } - - int _gnutls_ktls_set_keys(gnutls_session_t session) --- -2.36.1 - -From 2d3cba6bb21acb40141180298f3924c73c7de8f8 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 26 Jul 2022 11:38:41 +0900 -Subject: [PATCH 1/2] handshake: do not enable KTLS if custom pull/push - functions are set - -If gnutls_transport_set_pull_function or -gnutls_transport_set_push_function is used, we can't assume the -underlying transport handle is an FD. - -Signed-off-by: Daiki Ueno ---- - lib/handshake.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index 3886306eb4..cf025a84f6 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2861,7 +2861,14 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (_gnutls_config_is_ktls_enabled()) { -- _gnutls_ktls_enable(session); -+ if (session->internals.pull_func || -+ session->internals.push_func) { -+ _gnutls_audit_log(session, -+ "Not enabling KTLS with " -+ "custom pull/push function\n"); -+ } else { -+ _gnutls_ktls_enable(session); -+ } - } - #endif - } --- -2.37.1 - - -From f7160e4fb970b4ba6f96e85e21f8395eae735d95 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 26 Jul 2022 11:39:57 +0900 -Subject: [PATCH 2/2] socket: only set pull/push functions when --save-*-trace - is used - -This allows gnutls-cli to use KTLS for the transport, unless either ---save-client-trace or --save-server-trace is used. - -Signed-off-by: Daiki Ueno ---- - src/socket.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/socket.c b/src/socket.c -index 39f18dbe18..36ac292700 100644 ---- a/src/socket.c -+++ b/src/socket.c -@@ -586,16 +586,16 @@ socket_open2(socket_st * hd, const char *hostname, const char *service, - gnutls_session_set_data(hd->session, hd->rdata.data, hd->rdata.size); - } - -- if (server_trace) -+ if (client_trace || server_trace) { - hd->server_trace = server_trace; -- -- if (client_trace) - hd->client_trace = client_trace; -- -- gnutls_transport_set_push_function(hd->session, wrap_push); -- gnutls_transport_set_pull_function(hd->session, wrap_pull); -- gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func); -- gnutls_transport_set_ptr(hd->session, hd); -+ gnutls_transport_set_push_function(hd->session, wrap_push); -+ gnutls_transport_set_pull_function(hd->session, wrap_pull); -+ gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func); -+ gnutls_transport_set_ptr(hd->session, hd); -+ } else { -+ gnutls_transport_set_int(hd->session, hd->fd); -+ } - } - - if (!(flags & SOCKET_FLAG_RAW) && !(flags & SOCKET_FLAG_SKIP_INIT)) { --- -2.37.1 - -From a5b671fc9105cb5dbe6e6a1c0f39fa787d862076 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Fri, 29 Jul 2022 10:38:42 +0200 -Subject: [PATCH] KTLS: hotfix - -session->internals.pull_func is set to system_read during gnutls_init() -so check for user set pull/push function added in commit mentioned -bellow will never pass. - -source: 2d3cba6bb21acb40141180298f3924c73c7de8f8 - -Signed-off-by: Frantisek Krenzelok ---- - lib/handshake.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index cf025a84f6..21edc5ece9 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2861,7 +2861,8 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (_gnutls_config_is_ktls_enabled()) { -- if (session->internals.pull_func || -+ if ((session->internals.pull_func && -+ session->internals.pull_func != system_read) || - session->internals.push_func) { - _gnutls_audit_log(session, - "Not enabling KTLS with " --- -2.37.1 - diff --git a/gnutls-3.7.6-pkcs7-verify.patch b/gnutls-3.7.6-pkcs7-verify.patch deleted file mode 100644 index 001a6a4..0000000 --- a/gnutls-3.7.6-pkcs7-verify.patch +++ /dev/null @@ -1,263 +0,0 @@ -From 57afc290cd3ce2e9752a0ce5cba41ecc78fdc1bd Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Sun, 31 Jul 2022 10:39:53 +0900 -Subject: [PATCH] gnutls-3.7.6-pkcs7-verify.patch - ---- - lib/x509/pkcs7.c | 3 +- - tests/Makefile.am | 2 +- - tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++ - 3 files changed, 218 insertions(+), 2 deletions(-) - create mode 100644 tests/pkcs7-verify-double-free.c - -diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c -index 1f35fab..d5be7f4 100644 ---- a/lib/x509/pkcs7.c -+++ b/lib/x509/pkcs7.c -@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl, - issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags); - - if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) { -- if (prev) gnutls_x509_crt_deinit(prev); -+ if (prev && prev != signer) -+ gnutls_x509_crt_deinit(prev); - prev = issuer; - break; - } -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 26e39fb..7a7a4af 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -233,7 +233,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei - tls13-without-timeout-func buffer status-request-revoked \ - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ -- x509-upnconstraint -+ x509-upnconstraint pkcs7-verify-double-free - - ctests += tls-channel-binding - -diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c -new file mode 100644 -index 0000000..fadf307 ---- /dev/null -+++ b/tests/pkcs7-verify-double-free.c -@@ -0,0 +1,215 @@ -+/* -+ * Copyright (C) 2022 Red Hat, Inc. -+ * -+ * Author: Zoltan Fridrich -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software: you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS. If not, see . -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+ -+#include "utils.h" -+ -+static char rca_pem[] = -+ "-----BEGIN CERTIFICATE-----\n" -+ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" -+ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n" -+ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n" -+ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n" -+ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n" -+ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n" -+ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n" -+ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n" -+ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" -+ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n" -+ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n" -+ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n" -+ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n" -+ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n" -+ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n" -+ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n" -+ "LirBWjg89RoAjFQ7bTE=\n" -+ "-----END CERTIFICATE-----\n"; -+ -+static char ca_pem[] = -+ "-----BEGIN CERTIFICATE-----\n" -+ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" -+ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n" -+ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n" -+ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n" -+ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n" -+ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n" -+ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n" -+ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n" -+ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n" -+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n" -+ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n" -+ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n" -+ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n" -+ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n" -+ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n" -+ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n" -+ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n" -+ "-----END CERTIFICATE-----\n"; -+ -+static char ee_pem[] = -+ "-----BEGIN CERTIFICATE-----\n" -+ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n" -+ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n" -+ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n" -+ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n" -+ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n" -+ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n" -+ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n" -+ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n" -+ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n" -+ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n" -+ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n" -+ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n" -+ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n" -+ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n" -+ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n" -+ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n" -+ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n" -+ "-----END CERTIFICATE-----\n"; -+ -+static char msg_pem[] = -+ "-----BEGIN PKCS7-----\n" -+ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n" -+ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n" -+ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n" -+ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" -+ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n" -+ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n" -+ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n" -+ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n" -+ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n" -+ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n" -+ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n" -+ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n" -+ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n" -+ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n" -+ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n" -+ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n" -+ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n" -+ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n" -+ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n" -+ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n" -+ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n" -+ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n" -+ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n" -+ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n" -+ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n" -+ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n" -+ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" -+ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n" -+ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n" -+ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n" -+ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n" -+ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n" -+ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n" -+ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n" -+ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n" -+ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n" -+ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n" -+ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n" -+ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n" -+ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n" -+ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n" -+ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n" -+ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n" -+ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n" -+ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n" -+ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n" -+ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n" -+ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n" -+ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n" -+ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n" -+ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n" -+ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n" -+ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n" -+ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n" -+ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n" -+ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n" -+ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n" -+ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n" -+ "-----END PKCS7-----\n"; -+ -+const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 }; -+const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 }; -+const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 }; -+const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 }; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "%s |<%d>| %s", "err", level, str); -+} -+ -+#define CHECK(X)\ -+{\ -+ r = X;\ -+ if (r < 0)\ -+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\ -+}\ -+ -+void doit(void) -+{ -+ int r; -+ gnutls_x509_crt_t rca_cert = NULL; -+ gnutls_x509_crt_t ca_cert = NULL; -+ gnutls_x509_crt_t ee_cert = NULL; -+ gnutls_x509_trust_list_t tlist = NULL; -+ gnutls_pkcs7_t pkcs7 = NULL; -+ gnutls_datum_t data = { (unsigned char *)"xxx", 3 }; -+ -+ if (debug) { -+ gnutls_global_set_log_function(tls_log_func); -+ gnutls_global_set_log_level(4711); -+ } -+ -+ // Import certificates -+ CHECK(gnutls_x509_crt_init(&rca_cert)); -+ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM)); -+ CHECK(gnutls_x509_crt_init(&ca_cert)); -+ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM)); -+ CHECK(gnutls_x509_crt_init(&ee_cert)); -+ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM)); -+ -+ // Setup trust store -+ CHECK(gnutls_x509_trust_list_init(&tlist, 0)); -+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0)); -+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0)); -+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0)); -+ -+ // Setup pkcs7 structure -+ CHECK(gnutls_pkcs7_init(&pkcs7)); -+ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM)); -+ -+ // Signature verification -+ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0); -+ -+ gnutls_x509_crt_deinit(rca_cert); -+ gnutls_x509_crt_deinit(ca_cert); -+ gnutls_x509_crt_deinit(ee_cert); -+ gnutls_x509_trust_list_deinit(tlist, 0); -+ gnutls_pkcs7_deinit(pkcs7); -+} --- -2.37.1 - diff --git a/gnutls-3.7.7-aes-cbc-padding-support.patch b/gnutls-3.7.7-aes-cbc-padding-support.patch deleted file mode 100644 index 6273a0d..0000000 --- a/gnutls-3.7.7-aes-cbc-padding-support.patch +++ /dev/null @@ -1,433 +0,0 @@ -diff --color -ruNp a/doc/Makefile.am b/doc/Makefile.am ---- a/doc/Makefile.am 2022-11-15 14:14:10.632725399 +0100 -+++ b/doc/Makefile.am 2022-11-15 14:14:40.252300863 +0100 -@@ -575,6 +575,7 @@ ENUMS += enums/gnutls_certificate_verifi - ENUMS += enums/gnutls_certificate_verify_flags - ENUMS += enums/gnutls_channel_binding_t - ENUMS += enums/gnutls_cipher_algorithm_t -+ENUMS += enums/gnutls_cipher_flags_t - ENUMS += enums/gnutls_close_request_t - ENUMS += enums/gnutls_compression_method_t - ENUMS += enums/gnutls_credentials_type_t -@@ -882,12 +883,16 @@ FUNCS += functions/gnutls_cipher_decrypt - FUNCS += functions/gnutls_cipher_decrypt.short - FUNCS += functions/gnutls_cipher_decrypt2 - FUNCS += functions/gnutls_cipher_decrypt2.short -+FUNCS += functions/gnutls_cipher_decrypt3 -+FUNCS += functions/gnutls_cipher_decrypt3.short - FUNCS += functions/gnutls_cipher_deinit - FUNCS += functions/gnutls_cipher_deinit.short - FUNCS += functions/gnutls_cipher_encrypt - FUNCS += functions/gnutls_cipher_encrypt.short - FUNCS += functions/gnutls_cipher_encrypt2 - FUNCS += functions/gnutls_cipher_encrypt2.short -+FUNCS += functions/gnutls_cipher_encrypt3 -+FUNCS += functions/gnutls_cipher_encrypt3.short - FUNCS += functions/gnutls_cipher_get - FUNCS += functions/gnutls_cipher_get.short - FUNCS += functions/gnutls_cipher_get_block_size -diff --color -ruNp a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am ---- a/doc/manpages/Makefile.am 2022-11-15 14:14:10.634725438 +0100 -+++ b/doc/manpages/Makefile.am 2022-11-15 14:14:40.254300902 +0100 -@@ -273,9 +273,11 @@ APIMANS += gnutls_check_version.3 - APIMANS += gnutls_cipher_add_auth.3 - APIMANS += gnutls_cipher_decrypt.3 - APIMANS += gnutls_cipher_decrypt2.3 -+APIMANS += gnutls_cipher_decrypt3.3 - APIMANS += gnutls_cipher_deinit.3 - APIMANS += gnutls_cipher_encrypt.3 - APIMANS += gnutls_cipher_encrypt2.3 -+APIMANS += gnutls_cipher_encrypt3.3 - APIMANS += gnutls_cipher_get.3 - APIMANS += gnutls_cipher_get_block_size.3 - APIMANS += gnutls_cipher_get_id.3 -diff --color -ruNp a/lib/crypto-api.c b/lib/crypto-api.c ---- a/lib/crypto-api.c 2022-11-15 14:14:11.036733248 +0100 -+++ b/lib/crypto-api.c 2022-11-15 14:14:40.255300921 +0100 -@@ -413,6 +413,166 @@ gnutls_cipher_decrypt2(gnutls_cipher_hd_ - } - - /** -+ * gnutls_cipher_encrypt3: -+ * @handle: is a #gnutls_cipher_hd_t type -+ * @ptext: the data to encrypt -+ * @ptext_len: the length of data to encrypt -+ * @ctext: the encrypted data -+ * @ctext_len: the length of encrypted data (initially must hold the maximum available size) -+ * @flags: flags for padding -+ * -+ * This function will encrypt the given data using the algorithm -+ * specified by the context. For block ciphers, @ptext_len is -+ * typically a multiple of the block size. If not, the caller can -+ * instruct the function to pad the last block according to @flags. -+ * Currently, the only available padding scheme is -+ * %GNUTLS_CIPHER_PADDING_PKCS7. -+ * -+ * If @ctext is not %NULL, it must hold enough space to store -+ * resulting cipher text. To check the required size, this function -+ * can be called with @ctext set to %NULL. Then @ctext_len will be -+ * updated without performing actual encryption. -+ * -+ * Returns: Zero or a negative error code on error. -+ * -+ * Since: 3.7.7 -+ **/ -+int -+gnutls_cipher_encrypt3(gnutls_cipher_hd_t handle, -+ const void *ptext, size_t ptext_len, -+ void *ctext, size_t *ctext_len, -+ unsigned flags) -+{ -+ api_cipher_hd_st *h = handle; -+ const cipher_entry_st *e = h->ctx_enc.e; -+ int block_size = _gnutls_cipher_get_block_size(e); -+ int ret = 0; -+ -+ if (unlikely(ctext_len == NULL)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ -+ if (_gnutls_cipher_type(e) == CIPHER_BLOCK && -+ (flags & GNUTLS_CIPHER_PADDING_PKCS7)) { -+ size_t n, r; -+ uint8_t last_block[MAX_CIPHER_BLOCK_SIZE]; -+ const uint8_t *p = ptext; -+ uint8_t *c = ctext; -+ -+ if (!INT_ADD_OK(ptext_len, block_size, &n)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ -+ n = (n / block_size) * block_size; -+ -+ if (!ctext) { -+ *ctext_len = n; -+ return 0; -+ } -+ -+ if (*ctext_len < n) { -+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -+ } -+ -+ /* Encrypt up to the last complete block */ -+ r = ptext_len % block_size; -+ -+ ret = _gnutls_cipher_encrypt2(&h->ctx_enc, -+ ptext, ptext_len - r, -+ ctext, ptext_len - r); -+ if (ret < 0) { -+ goto error; -+ } -+ -+ /* Encrypt the last block with padding */ -+ gnutls_memset(last_block, block_size - r, sizeof(last_block)); -+ if (r > 0) { -+ memcpy(last_block, &p[ptext_len - r], r); -+ } -+ ret = _gnutls_cipher_encrypt2(&h->ctx_enc, -+ last_block, block_size, -+ &c[ptext_len - r], block_size); -+ if (ret < 0) { -+ goto error; -+ } -+ *ctext_len = n; -+ } else { -+ if (!ctext) { -+ *ctext_len = ptext_len; -+ return 0; -+ } -+ -+ ret = _gnutls_cipher_encrypt2(&h->ctx_enc, ptext, ptext_len, -+ ctext, *ctext_len); -+ if (ret < 0) { -+ goto error; -+ } -+ *ctext_len = ptext_len; -+ } -+ -+ error: -+ if (ret < 0) { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -+ } else { -+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED); -+ } -+ return ret; -+} -+ -+/** -+ * gnutls_cipher_decrypt3: -+ * @handle: is a #gnutls_cipher_hd_t type -+ * @ctext: the data to decrypt -+ * @ctext_len: the length of data to decrypt -+ * @ptext: the decrypted data -+ * @ptext_len: the available length for decrypted data -+ * @flags: flags for padding -+ * -+ * This function will decrypt the given data using the algorithm -+ * specified by the context. If @flags is specified, padding for the -+ * decrypted data will be removed accordingly and @ptext_len will be -+ * updated. -+ * -+ * Returns: Zero or a negative error code on error. -+ * -+ * Since: 3.7.7 -+ **/ -+int -+gnutls_cipher_decrypt3(gnutls_cipher_hd_t handle, -+ const void *ctext, size_t ctext_len, -+ void *ptext, size_t *ptext_len, -+ unsigned flags) -+{ -+ api_cipher_hd_st *h = handle; -+ int ret; -+ -+ ret = gnutls_cipher_decrypt2(handle, -+ ctext, ctext_len, -+ ptext, *ptext_len); -+ if (ret < 0) { -+ return ret; -+ } -+ -+ if (_gnutls_cipher_type(h->ctx_enc.e) == CIPHER_BLOCK && -+ (flags & GNUTLS_CIPHER_PADDING_PKCS7)) { -+ uint8_t *p = ptext; -+ uint8_t padding = p[*ptext_len - 1]; -+ if (!padding || padding > _gnutls_cipher_get_block_size(h->ctx_enc.e)) { -+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); -+ } -+ /* Check that the prior bytes are all PADDING */ -+ for (size_t i = *ptext_len - padding; i < *ptext_len; i++) { -+ if (padding != p[*ptext_len - 1]) { -+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); -+ } -+ } -+ *ptext_len -= padding; -+ } -+ -+ return 0; -+} -+ -+/** - * gnutls_cipher_deinit: - * @handle: is a #gnutls_cipher_hd_t type - * -diff --color -ruNp a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h ---- a/lib/includes/gnutls/crypto.h 2022-05-10 13:57:43.000000000 +0200 -+++ b/lib/includes/gnutls/crypto.h 2022-11-15 14:14:40.256300941 +0100 -@@ -49,6 +49,28 @@ int gnutls_cipher_encrypt2(gnutls_cipher - const void *text, size_t textlen, - void *ciphertext, size_t ciphertextlen); - -+/** -+ * gnutls_cipher_flags_t: -+ * @GNUTLS_CIPHER_PADDING_PKCS7: Flag to indicate PKCS#7 padding -+ * -+ * Enumeration of flags to control block cipher padding, used by -+ * gnutls_cipher_encrypt3() and gnutls_cipher_decrypt3(). -+ * -+ * Since: 3.7.7 -+ */ -+typedef enum gnutls_cipher_flags_t { -+ GNUTLS_CIPHER_PADDING_PKCS7 = 1 -+} gnutls_cipher_flags_t; -+ -+int gnutls_cipher_encrypt3(gnutls_cipher_hd_t handle, -+ const void *ptext, size_t ptext_len, -+ void *ctext, size_t *ctext_len, -+ unsigned flags); -+int gnutls_cipher_decrypt3(gnutls_cipher_hd_t handle, -+ const void *ctext, size_t ctext_len, -+ void *ptext, size_t *ptext_len, -+ unsigned flags); -+ - void gnutls_cipher_set_iv(gnutls_cipher_hd_t handle, void *iv, - size_t ivlen); - -diff --color -ruNp a/lib/libgnutls.map b/lib/libgnutls.map ---- a/lib/libgnutls.map 2022-11-15 14:14:11.142735308 +0100 -+++ b/lib/libgnutls.map 2022-11-15 14:14:40.256300941 +0100 -@@ -1403,6 +1403,8 @@ GNUTLS_3_7_7 - { - global: - gnutls_fips140_run_self_tests; -+ gnutls_cipher_encrypt3; -+ gnutls_cipher_decrypt3; - local: - *; - } GNUTLS_3_7_5; -diff --color -ruNp a/tests/cipher-padding.c b/tests/cipher-padding.c ---- a/tests/cipher-padding.c 1970-01-01 01:00:00.000000000 +0100 -+++ b/tests/cipher-padding.c 2022-11-15 14:14:40.258300980 +0100 -@@ -0,0 +1,160 @@ -+/* -+ * Copyright (C) 2022 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include "utils.h" -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "<%d>| %s", level, str); -+} -+ -+#define CLAMP(x, b) (((x) + (b)) / (b)) * (b) -+ -+static void -+start(gnutls_cipher_algorithm_t algo, size_t plaintext_size, unsigned int flags) -+{ -+ int ret; -+ gnutls_cipher_hd_t ch; -+ uint8_t key16[64]; -+ uint8_t iv16[32]; -+ uint8_t plaintext[128]; -+ uint8_t ciphertext[128]; -+ size_t block_size; -+ size_t size; -+ gnutls_datum_t key, iv; -+ -+ success("%s %zu %u\n", -+ gnutls_cipher_get_name(algo), plaintext_size, flags); -+ -+ block_size = gnutls_cipher_get_block_size(algo); -+ -+ key.data = key16; -+ key.size = gnutls_cipher_get_key_size(algo); -+ assert(key.size <= sizeof(key16)); -+ -+ iv.data = iv16; -+ iv.size = gnutls_cipher_get_iv_size(algo); -+ assert(iv.size <= sizeof(iv16)); -+ -+ memset(iv.data, 0xff, iv.size); -+ memset(key.data, 0xfe, key.size); -+ memset(plaintext, 0xfa, sizeof(plaintext)); -+ -+ ret = gnutls_cipher_init(&ch, algo, &key, &iv); -+ if (ret < 0) { -+ fail("gnutls_cipher_init failed\n"); -+ } -+ -+ /* Check overflow if PKCS#7 is requested */ -+ if (flags & GNUTLS_CIPHER_PADDING_PKCS7) { -+ ret = gnutls_cipher_encrypt3(ch, -+ plaintext, SIZE_MAX, -+ NULL, &size, -+ flags); -+ if (ret != GNUTLS_E_INVALID_REQUEST) { -+ fail("gnutls_cipher_encrypt3 succeeded\n"); -+ } -+ } -+ -+ /* Get the ciphertext size */ -+ ret = gnutls_cipher_encrypt3(ch, -+ plaintext, plaintext_size, -+ NULL, &size, -+ flags); -+ if (ret < 0) { -+ fail("gnutls_cipher_encrypt3 failed\n"); -+ } -+ -+ if (flags & GNUTLS_CIPHER_PADDING_PKCS7) { -+ if (size <= plaintext_size) { -+ fail("no padding appended\n"); -+ } -+ if (size != CLAMP(plaintext_size, block_size)) { -+ fail("size does not match: %zu (expected %zu)\n", -+ size, CLAMP(plaintext_size, block_size)); -+ } -+ } else { -+ if (size != plaintext_size) { -+ fail("size does not match: %zu (expected %zu)\n", -+ size, plaintext_size); -+ } -+ } -+ -+ /* Encrypt with padding */ -+ ret = gnutls_cipher_encrypt3(ch, -+ plaintext, plaintext_size, -+ ciphertext, &size, -+ flags); -+ if (ret < 0) { -+ fail("gnutls_cipher_encrypt3 failed\n"); -+ } -+ -+ /* Decrypt with padding */ -+ ret = gnutls_cipher_decrypt3(ch, -+ ciphertext, size, -+ ciphertext, &size, -+ flags); -+ if (ret < 0) { -+ fail("gnutls_cipher_encrypt3 failed\n"); -+ } -+ -+ if (size != plaintext_size) { -+ fail("size does not match: %zu (expected %zu)\n", -+ size, plaintext_size); -+ } -+ -+ if (memcmp(ciphertext, plaintext, size) != 0) { -+ fail("plaintext does not match\n"); -+ } -+ -+ gnutls_cipher_deinit(ch); -+} -+ -+void doit(void) { -+ int ret; -+ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) { -+ gnutls_global_set_log_level(4711); -+ } -+ -+ ret = global_init(); -+ if (ret < 0) { -+ fail("Cannot initialize library\n"); -+ } -+ -+ start(GNUTLS_CIPHER_AES_128_CBC, 0, GNUTLS_CIPHER_PADDING_PKCS7); -+ start(GNUTLS_CIPHER_AES_128_CBC, 11, GNUTLS_CIPHER_PADDING_PKCS7); -+ start(GNUTLS_CIPHER_AES_128_CBC, 77, GNUTLS_CIPHER_PADDING_PKCS7); -+ start(GNUTLS_CIPHER_AES_128_CBC, 80, GNUTLS_CIPHER_PADDING_PKCS7); -+ -+ start(GNUTLS_CIPHER_AES_128_CBC, 0, 0); -+ start(GNUTLS_CIPHER_AES_128_CBC, 80, 0); -+ -+ gnutls_global_deinit(); -+} -diff --color -ruNp a/tests/Makefile.am b/tests/Makefile.am ---- a/tests/Makefile.am 2022-11-15 14:14:11.144735347 +0100 -+++ b/tests/Makefile.am 2022-11-15 14:14:40.257300960 +0100 -@@ -233,7 +233,7 @@ ctests += mini-record-2 simple gnutls_hm - tls13-without-timeout-func buffer status-request-revoked \ - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ -- x509-upnconstraint xts-key-check pkcs7-verify-double-free \ -+ x509-upnconstraint cipher-padding xts-key-check pkcs7-verify-double-free \ - fips-rsa-sizes tls12-rehandshake-ticket - - ctests += tls-channel-binding diff --git a/gnutls-3.7.8-clear-session-ticket.patch b/gnutls-3.7.8-clear-session-ticket.patch deleted file mode 100644 index 5c78c73..0000000 --- a/gnutls-3.7.8-clear-session-ticket.patch +++ /dev/null @@ -1,215 +0,0 @@ -diff --color -ruNp a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c ---- a/lib/ext/session_ticket.c 2022-05-10 13:55:00.000000000 +0200 -+++ b/lib/ext/session_ticket.c 2022-11-15 13:30:20.491830382 +0100 -@@ -624,6 +624,12 @@ gnutls_session_ticket_enable_server(gnut - return 0; - } - -+void -+_gnutls_session_ticket_disable_server(gnutls_session_t session) -+{ -+ session->internals.flags |= GNUTLS_NO_TICKETS; -+} -+ - /* - * Return zero if session tickets haven't been enabled. - */ -diff --color -ruNp a/lib/ext/session_ticket.h b/lib/ext/session_ticket.h ---- a/lib/ext/session_ticket.h 2022-02-22 15:34:48.000000000 +0100 -+++ b/lib/ext/session_ticket.h 2022-11-15 13:30:20.491830382 +0100 -@@ -36,5 +36,6 @@ int _gnutls_encrypt_session_ticket(gnutl - int _gnutls_decrypt_session_ticket(gnutls_session_t session, - const gnutls_datum_t *ticket_data, - gnutls_datum_t *state); -+void _gnutls_session_ticket_disable_server(gnutls_session_t session); - - #endif /* GNUTLS_LIB_EXT_SESSION_TICKET_H */ -diff --color -ruNp a/lib/libgnutls.map b/lib/libgnutls.map ---- a/lib/libgnutls.map 2022-11-15 13:12:57.781688194 +0100 -+++ b/lib/libgnutls.map 2022-11-15 13:30:20.492830401 +0100 -@@ -1510,4 +1510,6 @@ GNUTLS_PRIVATE_3_4 { - _gnutls_buffer_clear; - # needed by tests/cipher-alignment - _gnutls_crypto_register_cipher; -+ # needed by tests/tls12-rehandshake-cert-ticket -+ _gnutls_session_ticket_disable_server; - } GNUTLS_3_4; -diff --color -ruNp a/lib/state.c b/lib/state.c ---- a/lib/state.c 2022-05-16 17:10:08.000000000 +0200 -+++ b/lib/state.c 2022-11-15 13:30:20.493830420 +0100 -@@ -545,6 +545,7 @@ void _gnutls_handshake_internal_state_cl - session->internals.tfo.connect_addrlen = 0; - session->internals.tfo.connect_only = 0; - session->internals.early_data_received = 0; -+ session->internals.session_ticket_renew = 0; - } - - /** -diff --color -ruNp a/tests/Makefile.am b/tests/Makefile.am ---- a/tests/Makefile.am 2022-11-15 13:12:58.209696462 +0100 -+++ b/tests/Makefile.am 2022-11-15 13:30:20.494830440 +0100 -@@ -234,7 +234,7 @@ ctests += mini-record-2 simple gnutls_hm - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ - x509-upnconstraint xts-key-check pkcs7-verify-double-free \ -- fips-rsa-sizes -+ fips-rsa-sizes tls12-rehandshake-ticket - - ctests += tls-channel-binding - -diff --color -ruNp a/tests/tls12-rehandshake-ticket.c b/tests/tls12-rehandshake-ticket.c ---- a/tests/tls12-rehandshake-ticket.c 1970-01-01 01:00:00.000000000 +0100 -+++ b/tests/tls12-rehandshake-ticket.c 2022-11-15 13:30:20.495830459 +0100 -@@ -0,0 +1,152 @@ -+/* -+ * Copyright (C) 2022 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include "cert-common.h" -+ -+#include "utils.h" -+#include "eagain-common.h" -+ -+const char *side = ""; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "%s|<%d>| %s", side, level, str); -+} -+ -+#define MAX_BUF 1024 -+ -+void _gnutls_session_ticket_disable_server(gnutls_session_t session); -+ -+static void run(void) -+{ -+ char buffer[MAX_BUF + 1]; -+ /* Server stuff. */ -+ gnutls_certificate_credentials_t scred; -+ gnutls_session_t server; -+ gnutls_datum_t session_ticket_key = { NULL, 0 }; -+ int sret; -+ /* Client stuff. */ -+ gnutls_certificate_credentials_t ccred; -+ gnutls_session_t client; -+ int cret; -+ -+ /* General init. */ -+ global_init(); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(9); -+ -+ /* Init server */ -+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0); -+ assert(gnutls_certificate_set_x509_key_mem(scred, -+ &server_ca3_localhost_cert, -+ &server_ca3_key, -+ GNUTLS_X509_FMT_PEM) >= 0); -+ assert(gnutls_certificate_set_x509_trust_mem(scred, -+ &ca3_cert, -+ GNUTLS_X509_FMT_PEM) >= 0); -+ -+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0); -+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); -+ assert(gnutls_priority_set_direct(server, -+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", -+ NULL) >= 0); -+ -+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); -+ gnutls_transport_set_push_function(server, server_push); -+ gnutls_transport_set_pull_function(server, server_pull); -+ gnutls_transport_set_ptr(server, server); -+ -+ gnutls_session_ticket_key_generate(&session_ticket_key); -+ gnutls_session_ticket_enable_server(server, &session_ticket_key); -+ -+ /* Init client */ -+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0); -+ assert(gnutls_certificate_set_x509_key_mem -+ (ccred, &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM) >= 0); -+ assert(gnutls_certificate_set_x509_trust_mem -+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0); -+ -+ gnutls_init(&client, GNUTLS_CLIENT); -+ assert(gnutls_priority_set_direct(client, -+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", -+ NULL) >= 0); -+ -+ assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred) >= 0); -+ -+ gnutls_transport_set_push_function(client, client_push); -+ gnutls_transport_set_pull_function(client, client_pull); -+ gnutls_transport_set_ptr(client, client); -+ -+ HANDSHAKE(client, server); -+ -+ /* Server initiates rehandshake */ -+ switch_side("server"); -+ sret = gnutls_rehandshake(server); -+ if (sret < 0) { -+ fail("Error sending %d byte packet: %s\n", -+ (int)sizeof(buffer), gnutls_strerror(sret)); -+ } else if (debug) -+ success("server: starting rehandshake\n"); -+ -+ /* Stop sending session ticket */ -+ _gnutls_session_ticket_disable_server(server); -+ -+ /* Client gets notified with rehandshake */ -+ switch_side("client"); -+ do { -+ do { -+ cret = gnutls_record_recv(client, buffer, MAX_BUF); -+ } while (cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_INTERRUPTED); -+ } while (cret > 0); -+ -+ if (cret != GNUTLS_E_REHANDSHAKE) { -+ fail("client: Error receiving rehandshake: %s\n", -+ gnutls_strerror(cret)); -+ } -+ -+ HANDSHAKE(client, server); -+ -+ gnutls_bye(client, GNUTLS_SHUT_WR); -+ gnutls_bye(server, GNUTLS_SHUT_WR); -+ -+ gnutls_deinit(client); -+ gnutls_deinit(server); -+ -+ gnutls_certificate_free_credentials(scred); -+ gnutls_certificate_free_credentials(ccred); -+ -+ gnutls_free(session_ticket_key.data); -+ -+ gnutls_global_deinit(); -+ reset_buffers(); -+} -+ -+void doit(void) -+{ -+ run(); -+} diff --git a/gnutls-3.7.8-fips-pct-dh.patch b/gnutls-3.7.8-fips-pct-dh.patch deleted file mode 100644 index c38132e..0000000 --- a/gnutls-3.7.8-fips-pct-dh.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001 -From: Pedro Monreal -Date: Thu, 16 Feb 2023 17:02:38 +0100 -Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation - -Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise -Consistency check, even if we only support ephemeral DH, as it is -required by FIPS 140-3 IG 10.3.A. - -Signed-off-by: Pedro Monreal -Co-authored-by: Daiki Ueno ---- - lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index d30bca594f..bd9c1b4c74 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -2642,6 +2642,35 @@ static int pct_test(gnutls_pk_algorithm_t algo, - } - break; - case GNUTLS_PK_DH: -+ { -+ mpz_t y; -+ -+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance -+ * of Pair-wise Consistency check, even if we only -+ * support ephemeral DH, as it is required by FIPS -+ * 140-3 IG 10.3.A. -+ * -+ * Use the private key, x, along with the generator g -+ * and prime modulus p included in the domain -+ * parameters associated with the key pair to compute -+ * g^x mod p. Compare the result to the public key, y. -+ */ -+ mpz_init(y); -+ mpz_powm(y, -+ TOMPZ(params->params[DSA_G]), -+ TOMPZ(params->params[DSA_X]), -+ TOMPZ(params->params[DSA_P])); -+ if (unlikely -+ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) { -+ ret = -+ gnutls_assert_val -+ (GNUTLS_E_PK_GENERATION_ERROR); -+ mpz_clear(y); -+ goto cleanup; -+ } -+ mpz_clear(y); -+ break; -+ } - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - ret = 0; --- -2.39.2 - diff --git a/gnutls-3.7.8-integrity-check.patch b/gnutls-3.7.8-integrity-check.patch deleted file mode 100644 index 8ff5fb0..0000000 --- a/gnutls-3.7.8-integrity-check.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff --color -ruNp a/lib/fips.c b/lib/fips.c ---- a/lib/fips.c 2022-11-15 16:10:56.183185457 +0100 -+++ b/lib/fips.c 2022-11-15 16:10:23.488530716 +0100 -@@ -360,11 +360,6 @@ static int check_lib_hmac(struct hmac_en - return gnutls_assert_val(ret); - } - -- if (strncmp(entry->path, path, GNUTLS_PATH_MAX)) { -- _gnutls_debug_log("Library path for %s does not match with HMAC file\n", lib); -- return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); -- } -- - _gnutls_debug_log("Loading: %s\n", path); - ret = gnutls_load_file(path, &data); - if (ret < 0) { -diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c ---- a/lib/fipshmac.c 2022-11-15 16:10:56.183185457 +0100 -+++ b/lib/fipshmac.c 2022-11-15 16:10:23.489530737 +0100 -@@ -102,20 +102,30 @@ static int get_hmac(const char *path, ch - static int print_lib_path(const char *path) - { - int ret; -+ char *real_path = NULL; - char hmac[HMAC_STR_SIZE]; - -- ret = get_hmac(path, hmac, sizeof(hmac)); -+ real_path = canonicalize_file_name(path); -+ if (real_path == NULL) { -+ fprintf(stderr, "Could not get realpath from %s\n", path); -+ ret = GNUTLS_E_FILE_ERROR; -+ goto cleanup; -+ } -+ -+ ret = get_hmac(real_path, hmac, sizeof(hmac)); - if (ret < 0) { - fprintf(stderr, "Could not calculate HMAC for %s: %s\n", -- last_component(path), gnutls_strerror(ret)); -- return ret; -+ last_component(real_path), gnutls_strerror(ret)); -+ goto cleanup; - } - - printf("[%s]\n", last_component(path)); -- printf("path = %s\n", path); -+ printf("path = %s\n", real_path); - printf("hmac = %s\n", hmac); - -- return 0; -+cleanup: -+ free(real_path); -+ return ret; - } - - static int print_lib_dl(const char *lib, const char *sym) diff --git a/gnutls-3.7.8-revert-hmac-name.patch b/gnutls-3.7.8-revert-hmac-name.patch deleted file mode 100644 index fa1a672..0000000 --- a/gnutls-3.7.8-revert-hmac-name.patch +++ /dev/null @@ -1,534 +0,0 @@ -diff --color -ruNp a/configure.ac b/configure.ac ---- a/configure.ac 2022-05-27 09:17:26.000000000 +0200 -+++ b/configure.ac 2022-12-15 11:00:18.830698584 +0100 -@@ -619,6 +619,8 @@ if [ test "$enable_fips" = "yes" ];then - if test "x$fips_module_version" != xnone; then - AC_DEFINE_UNQUOTED([FIPS_MODULE_VERSION], ["$fips_module_version"], [The FIPS140 module version]) - fi -+ -+ AC_CHECK_FUNCS(dl_iterate_phdr) - else - enable_fips=no - AC_MSG_WARN([[ -diff --color -ruNp a/lib/fips.c b/lib/fips.c ---- a/lib/fips.c 2022-12-15 10:59:57.460279029 +0100 -+++ b/lib/fips.c 2022-12-15 11:00:18.831698604 +0100 -@@ -23,9 +23,11 @@ - #include - #include - #include -+#include "dirname.h" - #include "errors.h" - #include "file.h" - #include "inih/ini.h" -+#include "str.h" - #include - #include - #include -@@ -34,6 +36,10 @@ - - #include "gthreads.h" - -+#ifdef HAVE_DL_ITERATE_PHDR -+#include -+#endif -+ - unsigned int _gnutls_lib_state = LIB_STATE_POWERON; - - struct gnutls_fips140_context_st { -@@ -153,7 +159,6 @@ void _gnutls_fips_mode_reset_zombie(void - - #define HMAC_SIZE 32 - #define HMAC_ALGO GNUTLS_MAC_SHA256 --#define HMAC_FILE_NAME ".gnutls.hmac" - #define HMAC_FORMAT_VERSION 1 - - struct hmac_entry -@@ -162,51 +167,32 @@ struct hmac_entry - uint8_t hmac[HMAC_SIZE]; - }; - --typedef struct -+struct hmac_file - { - int version; - struct hmac_entry gnutls; - struct hmac_entry nettle; - struct hmac_entry hogweed; - struct hmac_entry gmp; --} hmac_file; -+}; - --static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size) -+struct lib_paths - { -- int ret; -- void *dl, *sym; -- Dl_info info; -- -- dl = dlopen(lib, RTLD_LAZY); -- if (dl == NULL) -- return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- -- sym = dlsym(dl, symbol); -- if (sym == NULL) { -- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- goto cleanup; -- } -- -- ret = dladdr(sym, &info); -- if (ret == 0) { -- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- goto cleanup; -- } -- -- ret = snprintf(path, path_size, "%s", info.dli_fname); -- if ((size_t)ret >= path_size) { -- ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -- goto cleanup; -- } -- -- ret = 0; --cleanup: -- dlclose(dl); -- return ret; --} -+ char gnutls[GNUTLS_PATH_MAX]; -+ char nettle[GNUTLS_PATH_MAX]; -+ char hogweed[GNUTLS_PATH_MAX]; -+ char gmp[GNUTLS_PATH_MAX]; -+}; - --/* Parses hmac data and copies hex value into dest. -+/* -+ * get_hmac: -+ * @dest: buffer for the hex value -+ * @value: hmac value -+ * -+ * Parses hmac data and copies hex value into dest. - * dest must point to at least HMAC_SIZE amount of memory -+ * -+ * Returns: 0 on success, a negative error code otherwise - */ - static int get_hmac(uint8_t *dest, const char *value) - { -@@ -245,7 +231,7 @@ lib_handler(struct hmac_entry *entry, - - static int handler(void *user, const char *section, const char *name, const char *value) - { -- hmac_file *p = (hmac_file *)user; -+ struct hmac_file *p = (struct hmac_file *)user; - - if (!strcmp(section, "global")) { - if (!strcmp(name, "format-version")) { -@@ -267,24 +253,29 @@ static int handler(void *user, const cha - return 1; - } - --static int get_hmac_path(char *mac_file, size_t mac_file_size) -+/* -+ * get_hmac_path: -+ * @mac_file: buffer where the hmac file path will be written to -+ * @mac_file_size: size of the mac_file buffer -+ * @gnutls_path: path to the gnutls library, used to deduce hmac file path -+ * -+ * Deduces hmac file path from the gnutls library path. -+ * -+ * Returns: 0 on success, a negative error code otherwise -+ */ -+static int get_hmac_path(char *mac_file, size_t mac_file_size, const char *gnutls_path) - { - int ret; - char *p; -- char file[GNUTLS_PATH_MAX]; - -- ret = get_library_path(GNUTLS_LIBRARY_NAME, "gnutls_global_init", -- file, sizeof(file)); -- if (ret < 0) -- return ret; -- -- p = strrchr(file, '/'); -+ p = strrchr(gnutls_path, '/'); - - if (p == NULL) -- ret = snprintf(mac_file, mac_file_size, HMAC_FILE_NAME); -+ ret = snprintf(mac_file, mac_file_size, ".%s.hmac", gnutls_path); - else -- ret = snprintf(mac_file, mac_file_size, -- "%.*s/"HMAC_FILE_NAME, (int)(p - file), file); -+ ret = snprintf(mac_file, mac_file_size, "%.*s/.%s.hmac", -+ (int)(p - gnutls_path), gnutls_path, p + 1); -+ - if ((size_t)ret >= mac_file_size) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -@@ -293,10 +284,11 @@ static int get_hmac_path(char *mac_file, - return GNUTLS_E_SUCCESS; - - if (p == NULL) -- ret = snprintf(mac_file, mac_file_size, "fipscheck/"HMAC_FILE_NAME); -+ ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", gnutls_path); - else -- ret = snprintf(mac_file, mac_file_size, -- "%.*s/fipscheck/"HMAC_FILE_NAME, (int)(p - file), file); -+ ret = snprintf(mac_file, mac_file_size, "%.*s/fipscheck/.%s.hmac", -+ (int)(p - gnutls_path), gnutls_path, p + 1); -+ - if ((size_t)ret >= mac_file_size) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - -@@ -307,51 +299,52 @@ static int get_hmac_path(char *mac_file, - return GNUTLS_E_FILE_ERROR; - } - --static int load_hmac_file(hmac_file *p) -+/* -+ * load_hmac_file: -+ * @hmac_file: hmac file structure -+ * @hmac_path: path to the hmac file -+ * -+ * Loads the hmac file into the hmac file structure. -+ * -+ * Returns: 0 on success, a negative error code otherwise -+ */ -+static int load_hmac_file(struct hmac_file *hmac_file, const char *hmac_path) - { - int ret; - FILE *stream; -- char hmac_path[GNUTLS_PATH_MAX]; -- -- ret = get_hmac_path(hmac_path, sizeof(hmac_path)); -- if (ret < 0) -- return gnutls_assert_val(ret); - - stream = fopen(hmac_path, "r"); - if (stream == NULL) - return gnutls_assert_val(GNUTLS_E_FILE_ERROR); - -- gnutls_memset(p, 0, sizeof(*p)); -- ret = ini_parse_file(stream, handler, p); -+ gnutls_memset(hmac_file, 0, sizeof(*hmac_file)); -+ ret = ini_parse_file(stream, handler, hmac_file); - fclose(stream); - if (ret < 0) - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - -- if (p->version != HMAC_FORMAT_VERSION) -+ if (hmac_file->version != HMAC_FORMAT_VERSION) - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - - return 0; - } - --/* Run an HMAC using the key above on the library binary data. -- * Returns 0 on success and negative value on error. -+/* -+ * check_lib_hmac: -+ * @entry: hmac file entry -+ * @path: path to the library which hmac should be compared -+ * -+ * Verify that HMAC from hmac file entry matches HMAC of given library. -+ * -+ * Returns: 0 on successful HMAC verification, a negative error code otherwise - */ --static int check_lib_hmac(struct hmac_entry *entry, -- const char *lib, const char *sym) -+static int check_lib_hmac(struct hmac_entry *entry, const char *path) - { - int ret; - unsigned prev; -- char path[GNUTLS_PATH_MAX]; - uint8_t hmac[HMAC_SIZE]; - gnutls_datum_t data; - -- ret = get_library_path(lib, sym, path, sizeof(path)); -- if (ret < 0) { -- _gnutls_debug_log("Could not get lib path for %s: %s\n", -- lib, gnutls_strerror(ret)); -- return gnutls_assert_val(ret); -- } -- - _gnutls_debug_log("Loading: %s\n", path); - ret = gnutls_load_file(path, &data); - if (ret < 0) { -@@ -382,28 +375,99 @@ static int check_lib_hmac(struct hmac_en - return 0; - } - -+#ifdef HAVE_DL_ITERATE_PHDR -+ -+static int callback(struct dl_phdr_info *info, size_t size, void *data) -+{ -+ const char *path = info->dlpi_name; -+ const char *soname = last_component(path); -+ struct lib_paths *paths = (struct lib_paths *)data; -+ -+ if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) -+ _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); -+ else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) -+ _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); -+ else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) -+ _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); -+ else if (!strcmp(soname, GMP_LIBRARY_SONAME)) -+ _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); -+ return 0; -+} -+ -+static int load_lib_paths(struct lib_paths *paths) -+{ -+ memset(paths, 0, sizeof(*paths)); -+ dl_iterate_phdr(callback, paths); -+ -+ if (paths->gnutls[0] == '\0') { -+ _gnutls_debug_log("Gnutls library path was not found\n"); -+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -+ } -+ if (paths->nettle[0] == '\0') { -+ _gnutls_debug_log("Nettle library path was not found\n"); -+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -+ } -+ if (paths->hogweed[0] == '\0') { -+ _gnutls_debug_log("Hogweed library path was not found\n"); -+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -+ } -+ if (paths->gmp[0] == '\0') { -+ _gnutls_debug_log("Gmp library path was not found\n"); -+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -+ } -+ -+ return GNUTLS_E_SUCCESS; -+} -+ -+#else -+ -+static int load_lib_paths(struct lib_paths *paths) -+{ -+ (void)paths; -+ _gnutls_debug_log("Function dl_iterate_phdr is missing\n"); -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+} -+ -+#endif /* HAVE_DL_ITERATE_PHDR */ -+ - static int check_binary_integrity(void) - { - int ret; -- hmac_file file; -+ struct lib_paths paths; -+ struct hmac_file hmac; -+ char hmac_path[GNUTLS_PATH_MAX]; -+ -+ ret = load_lib_paths(&paths); -+ if (ret < 0) { -+ _gnutls_debug_log("Could not load library paths: %s\n", -+ gnutls_strerror(ret)); -+ return ret; -+ } -+ -+ ret = get_hmac_path(hmac_path, sizeof(hmac_path), paths.gnutls); -+ if (ret < 0) { -+ _gnutls_debug_log("Could not get hmac file path: %s\n", -+ gnutls_strerror(ret)); -+ return ret; -+ } - -- ret = load_hmac_file(&file); -+ ret = load_hmac_file(&hmac, hmac_path); - if (ret < 0) { - _gnutls_debug_log("Could not load hmac file: %s\n", - gnutls_strerror(ret)); - return ret; - } - -- ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init"); -+ ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); - if (ret < 0) - return ret; -- ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key"); -+ ret = check_lib_hmac(&hmac.nettle, paths.nettle); - if (ret < 0) - return ret; -- ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u"); -+ ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); - if (ret < 0) - return ret; -- ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init"); -+ ret = check_lib_hmac(&hmac.gmp, paths.gmp); - if (ret < 0) - return ret; - -diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c ---- a/lib/fipshmac.c 2022-12-15 10:59:57.461279049 +0100 -+++ b/lib/fipshmac.c 2022-12-15 11:00:18.832698623 +0100 -@@ -22,12 +22,14 @@ - - #include "config.h" - --#include --#include --#include --#include - #include - #include -+ -+#ifdef HAVE_DL_ITERATE_PHDR -+ -+#include -+#include -+#include - #include "dirname.h" - #include "errors.h" - -@@ -36,40 +38,6 @@ - #define HMAC_ALGO GNUTLS_MAC_SHA256 - #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1) - --static int get_path(const char *lib, const char *symbol, char *path, size_t path_size) --{ -- int ret; -- void *dl, *sym; -- Dl_info info; -- -- dl = dlopen(lib, RTLD_LAZY); -- if (dl == NULL) -- return gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- -- sym = dlsym(dl, symbol); -- if (sym == NULL) { -- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- goto cleanup; -- } -- -- ret = dladdr(sym, &info); -- if (ret == 0) { -- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); -- goto cleanup; -- } -- -- ret = snprintf(path, path_size, "%s", info.dli_fname); -- if ((size_t)ret >= path_size) { -- ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -- goto cleanup; -- } -- -- ret = 0; --cleanup: -- dlclose(dl); -- return ret; --} -- - static int get_hmac(const char *path, char *hmac, size_t hmac_size) - { - int ret; -@@ -99,7 +67,7 @@ static int get_hmac(const char *path, ch - return 0; - } - --static int print_lib_path(const char *path) -+static int print_lib(const char *path, const char *soname) - { - int ret; - char *real_path = NULL; -@@ -119,7 +87,7 @@ static int print_lib_path(const char *pa - goto cleanup; - } - -- printf("[%s]\n", last_component(path)); -+ printf("[%s]\n", soname); - printf("path = %s\n", real_path); - printf("hmac = %s\n", hmac); - -@@ -128,25 +96,24 @@ cleanup: - return ret; - } - --static int print_lib_dl(const char *lib, const char *sym) -+static int callback(struct dl_phdr_info *info, size_t size, void *data) - { -- int ret; -- char path[GNUTLS_PATH_MAX]; -- -- ret = get_path(lib, sym, path, sizeof(path)); -- if (ret < 0) { -- fprintf(stderr, "Could not get lib path for %s: %s\n", -- lib, gnutls_strerror(ret)); -- return ret; -- } -+ const char *path = info->dlpi_name; -+ const char *soname = last_component(path); - -- return print_lib_path(path); -+ if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) -+ return print_lib(data ? data : path, soname); -+ if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) -+ return print_lib(path, soname); -+ if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) -+ return print_lib(path, soname); -+ if (!strcmp(soname, GMP_LIBRARY_SONAME)) -+ return print_lib(path, soname); -+ return 0; - } - - int main(int argc, char **argv) - { -- int ret; -- - if (argc != 1 && argc != 2) { - fprintf(stderr, "Usage: %s [gnutls_so_path]\n", last_component(argv[0])); - return EXIT_FAILURE; -@@ -155,24 +122,15 @@ int main(int argc, char **argv) - printf("[global]\n"); - printf("format-version = %d\n", FORMAT_VERSION); - -- if (argc == 2) -- ret = print_lib_path(argv[1]); -- else -- ret = print_lib_dl(GNUTLS_LIBRARY_SONAME, "gnutls_global_init"); -- if (ret < 0) -- return EXIT_FAILURE; -+ return dl_iterate_phdr(callback, argc == 2 ? argv[1] : NULL); -+} - -- ret = print_lib_dl(NETTLE_LIBRARY_SONAME, "nettle_aes_set_encrypt_key"); -- if (ret < 0) -- return EXIT_FAILURE; -- -- ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u"); -- if (ret < 0) -- return EXIT_FAILURE; -- -- ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init"); -- if (ret < 0) -- return EXIT_FAILURE; -+#else - -- return EXIT_SUCCESS; -+int main(void) -+{ -+ fprintf(stderr, "Function dl_iterate_phdr is missing\n"); -+ return EXIT_FAILURE; - } -+ -+#endif /* HAVE_DL_ITERATE_PHDR */ -diff --color -ruNp a/lib/Makefile.am b/lib/Makefile.am ---- a/lib/Makefile.am 2022-05-18 16:46:00.000000000 +0200 -+++ b/lib/Makefile.am 2022-12-15 11:00:18.789697779 +0100 -@@ -202,14 +202,14 @@ noinst_PROGRAMS = fipshmac - fipshmac_SOURCES = fipshmac.c - fipshmac_LDADD = libgnutls.la ../gl/libgnu.la - --hmac_files = .libs/.gnutls.hmac -+hmac_file = .libs/.$(gnutls_so).hmac - --all-local: $(hmac_files) -+all-local: $(hmac_file) - --.libs/.gnutls.hmac: libgnutls.la fipshmac -+$(hmac_file): libgnutls.la fipshmac - $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@ - --CLEANFILES = $(hmac_files) -+CLEANFILES = $(hmac_file) - endif - - if NEED_LTLIBDL diff --git a/gnutls-3.7.8-rsa-kx-timing.patch b/gnutls-3.7.8-rsa-kx-timing.patch deleted file mode 100644 index 9107321..0000000 --- a/gnutls-3.7.8-rsa-kx-timing.patch +++ /dev/null @@ -1,114 +0,0 @@ -From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Tue, 9 Aug 2022 16:05:53 +0200 -Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel - -Remove branching that depends on secret data. - -Signed-off-by: Alexander Sosedkin -Signed-off-by: Hubert Kario -Tested-by: Hubert Kario ---- - lib/auth/rsa.c | 10 ---------- - 1 file changed, 10 deletions(-) - -diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c -index 8108ee841d..6b158bacb2 100644 ---- a/lib/auth/rsa.c -+++ b/lib/auth/rsa.c -@@ -155,7 +155,6 @@ static int - proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - size_t _data_size) - { -- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n"; - gnutls_datum_t ciphertext; - int ret, dsize; - ssize_t data_size = _data_size; -@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & - CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); - -- if (ok) { -- /* call logging function unconditionally so all branches are -- * indistinguishable for timing and cache access when debug -- * logging is disabled */ -- _gnutls_no_log("%s", attack_error); -- } else { -- _gnutls_debug_log("%s", attack_error); -- } -- - /* This is here to avoid the version check attack - * discussed above. - */ --- -2.39.1 - - -From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001 -From: Hubert Kario -Date: Wed, 8 Feb 2023 14:32:09 +0100 -Subject: [PATCH 2/2] rsa: remove dead code - -since the `ok` variable isn't used any more, we can remove all code -used to calculate it - -Signed-off-by: Hubert Kario ---- - lib/auth/rsa.c | 20 +++----------------- - 1 file changed, 3 insertions(+), 17 deletions(-) - -diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c -index 6b158bacb2..858701fe6e 100644 ---- a/lib/auth/rsa.c -+++ b/lib/auth/rsa.c -@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - int ret, dsize; - ssize_t data_size = _data_size; - volatile uint8_t ver_maj, ver_min; -- volatile uint8_t check_ver_min; -- volatile uint32_t ok; - - #ifdef ENABLE_SSL3 - if (get_num_version(session) == GNUTLS_SSL3) { -@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - - ver_maj = _gnutls_get_adv_version_major(session); - ver_min = _gnutls_get_adv_version_minor(session); -- check_ver_min = (session->internals.allow_wrong_pms == 0); - - session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE); - if (session->key.key.data == NULL) { -@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - return ret; - } - -- ret = -- gnutls_privkey_decrypt_data2(session->internals.selected_key, -- 0, &ciphertext, session->key.key.data, -- session->key.key.size); -+ gnutls_privkey_decrypt_data2(session->internals.selected_key, -+ 0, &ciphertext, session->key.key.data, -+ session->key.key.size); - /* After this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side - * channel that can be used as an oracle, so treat very carefully */ -@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, - * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. - */ - -- /* ok is 0 in case of error and 1 in case of success. */ -- -- /* if ret < 0 */ -- ok = CONSTCHECK_EQUAL(ret, 0); -- /* session->key.key.data[0] must equal ver_maj */ -- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj); -- /* if check_ver_min then session->key.key.data[1] must equal ver_min */ -- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & -- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); -- - /* This is here to avoid the version check attack - * discussed above. - */ --- -2.39.1 - diff --git a/gnutls-3.7.8-xts-key-check.patch b/gnutls-3.7.8-xts-key-check.patch deleted file mode 100644 index a922f93..0000000 --- a/gnutls-3.7.8-xts-key-check.patch +++ /dev/null @@ -1,220 +0,0 @@ -diff --color -ruNp a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c ---- a/lib/accelerated/x86/aes-xts-x86-aesni.c 2022-03-02 12:38:09.000000000 +0100 -+++ b/lib/accelerated/x86/aes-xts-x86-aesni.c 2022-11-07 14:12:38.476982750 +0100 -@@ -73,7 +73,6 @@ x86_aes_xts_cipher_setkey(void *_ctx, co - /* Check key block according to FIPS-140-2 IG A.9 */ - if (_gnutls_fips_mode_enabled()){ - if (gnutls_memcmp(key, key + (keysize / 2), keysize / 2) == 0) { -- _gnutls_switch_lib_state(LIB_STATE_ERROR); - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - } - } -diff --color -ruNp a/lib/nettle/cipher.c b/lib/nettle/cipher.c ---- a/lib/nettle/cipher.c 2022-11-07 14:10:13.672085930 +0100 -+++ b/lib/nettle/cipher.c 2022-11-07 14:12:38.477982770 +0100 -@@ -448,12 +448,14 @@ _gcm_decrypt(struct nettle_cipher_ctx *c - length, dst, src); - } - --static void _des_set_key(struct des_ctx *ctx, const uint8_t *key) -+static void -+_des_set_key(struct des_ctx *ctx, const uint8_t *key) - { - des_set_key(ctx, key); - } - --static void _des3_set_key(struct des3_ctx *ctx, const uint8_t *key) -+static void -+_des3_set_key(struct des3_ctx *ctx, const uint8_t *key) - { - des3_set_key(ctx, key); - } -@@ -477,50 +479,6 @@ _cfb8_decrypt(struct nettle_cipher_ctx * - } - - static void --_xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, -- const uint8_t *key) --{ -- if (_gnutls_fips_mode_enabled() && -- gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- -- xts_aes128_set_encrypt_key(xts_key, key); --} -- --static void --_xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, -- const uint8_t *key) --{ -- if (_gnutls_fips_mode_enabled() && -- gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- -- xts_aes128_set_decrypt_key(xts_key, key); --} -- --static void --_xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, -- const uint8_t *key) --{ -- if (_gnutls_fips_mode_enabled() && -- gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- -- xts_aes256_set_encrypt_key(xts_key, key); --} -- --static void --_xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, -- const uint8_t *key) --{ -- if (_gnutls_fips_mode_enabled() && -- gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) -- _gnutls_switch_lib_state(LIB_STATE_ERROR); -- -- xts_aes256_set_decrypt_key(xts_key, key); --} -- --static void - _xts_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst, - const uint8_t * src) - { -@@ -1041,8 +999,8 @@ static const struct nettle_cipher_st bui - .ctx_size = sizeof(struct xts_aes128_key), - .encrypt = _xts_aes128_encrypt, - .decrypt = _xts_aes128_decrypt, -- .set_encrypt_key = (nettle_set_key_func*)_xts_aes128_set_encrypt_key, -- .set_decrypt_key = (nettle_set_key_func*)_xts_aes128_set_decrypt_key, -+ .set_encrypt_key = (nettle_set_key_func*)xts_aes128_set_encrypt_key, -+ .set_decrypt_key = (nettle_set_key_func*)xts_aes128_set_decrypt_key, - .max_iv_size = AES_BLOCK_SIZE, - }, - { .algo = GNUTLS_CIPHER_AES_256_XTS, -@@ -1052,8 +1010,8 @@ static const struct nettle_cipher_st bui - .ctx_size = sizeof(struct xts_aes256_key), - .encrypt = _xts_aes256_encrypt, - .decrypt = _xts_aes256_decrypt, -- .set_encrypt_key = (nettle_set_key_func*)_xts_aes256_set_encrypt_key, -- .set_decrypt_key = (nettle_set_key_func*)_xts_aes256_set_decrypt_key, -+ .set_encrypt_key = (nettle_set_key_func*)xts_aes256_set_encrypt_key, -+ .set_decrypt_key = (nettle_set_key_func*)xts_aes256_set_decrypt_key, - .max_iv_size = AES_BLOCK_SIZE, - }, - { .algo = GNUTLS_CIPHER_AES_128_SIV, -@@ -1144,6 +1102,21 @@ wrap_nettle_cipher_setkey(void *_ctx, co - return 0; - } - -+ switch (ctx->cipher->algo) { -+ case GNUTLS_CIPHER_AES_128_XTS: -+ if (_gnutls_fips_mode_enabled() && -+ gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ break; -+ case GNUTLS_CIPHER_AES_256_XTS: -+ if (_gnutls_fips_mode_enabled() && -+ gnutls_memcmp(key, (char *)key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ break; -+ default: -+ break; -+ } -+ - if (ctx->enc) - ctx->cipher->set_encrypt_key(ctx->ctx_ptr, key); - else -diff --color -ruNp a/tests/Makefile.am b/tests/Makefile.am ---- a/tests/Makefile.am 2022-11-07 14:10:13.836089211 +0100 -+++ b/tests/Makefile.am 2022-11-07 14:12:38.478982790 +0100 -@@ -233,7 +233,7 @@ ctests += mini-record-2 simple gnutls_hm - tls13-without-timeout-func buffer status-request-revoked \ - set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \ - x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ -- x509-upnconstraint pkcs7-verify-double-free \ -+ x509-upnconstraint xts-key-check pkcs7-verify-double-free \ - fips-rsa-sizes - - ctests += tls-channel-binding -diff --color -ruNp a/tests/xts-key-check.c b/tests/xts-key-check.c ---- a/tests/xts-key-check.c 1970-01-01 01:00:00.000000000 +0100 -+++ b/tests/xts-key-check.c 2022-11-07 14:12:38.478982790 +0100 -@@ -0,0 +1,78 @@ -+/* -+ * Copyright (C) 2022 Red Hat, Inc. -+ * -+ * Author: Zoltan Fridrich -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software: you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS. If not, see . -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+ -+#include "utils.h" -+ -+static void test_xts_check(gnutls_cipher_algorithm_t alg) -+{ -+ int ret; -+ gnutls_cipher_hd_t ctx; -+ gnutls_datum_t key, iv; -+ -+ iv.size = gnutls_cipher_get_iv_size(alg); -+ iv.data = gnutls_malloc(iv.size); -+ if (iv.data == NULL) -+ fail("Error: %s\n", gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); -+ gnutls_memset(iv.data, 0xf0, iv.size); -+ -+ key.size = gnutls_cipher_get_key_size(alg); -+ key.data = gnutls_malloc(key.size); -+ if (key.data == NULL) { -+ gnutls_free(iv.data); -+ fail("Error: %s\n", gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); -+ } -+ gnutls_memset(key.data, 0xf0, key.size); -+ -+ ret = gnutls_cipher_init(&ctx, alg, &key, &iv); -+ if (ret == GNUTLS_E_SUCCESS) { -+ gnutls_cipher_deinit(ctx); -+ gnutls_free(iv.data); -+ gnutls_free(key.data); -+ fail("cipher initialization should fail for key1 == key2\n"); -+ } -+ -+ key.data[0] = 0xff; -+ -+ ret = gnutls_cipher_init(&ctx, alg, &key, &iv); -+ gnutls_free(iv.data); -+ gnutls_free(key.data); -+ -+ if (ret == GNUTLS_E_SUCCESS) -+ gnutls_cipher_deinit(ctx); -+ else -+ fail("cipher initialization should succeed with key1 != key2" -+ "\n%s\n", gnutls_strerror(ret)); -+} -+ -+void doit(void) -+{ -+ if (!gnutls_fips140_mode_enabled()) -+ exit(77); -+ -+ test_xts_check(GNUTLS_CIPHER_AES_128_XTS); -+ test_xts_check(GNUTLS_CIPHER_AES_256_XTS); -+} diff --git a/gnutls.spec b/gnutls.spec index 934c048..1b119eb 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,42 +12,16 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.7.6 -Release: 23%{?dist} +Version: 3.8.2 +Release: 1%{?dist} # not upstreamed -Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch Patch: gnutls-3.7.2-enable-intel-cet.patch Patch: gnutls-3.7.2-no-explicit-init.patch - -# upstreamed -Patch: gnutls-3.7.6-fips-run-selftests.patch -Patch: gnutls-3.7.6-ktls-disable-by-default.patch -Patch: gnutls-3.7.6-ktls-fixes.patch -Patch: gnutls-3.7.6-aes-gcm-pt-limit.patch -Patch: gnutls-3.7.6-pkcs7-verify.patch -Patch: gnutls-3.7.6-fips-pkcs12-des-cbc.patch -Patch: gnutls-3.7.6-fips-rsa-key-sizes.patch -Patch: gnutls-3.7.6-fips-symkey-limit.patch -Patch: gnutls-3.7.6-fips-ecdsa-hash-check.patch -Patch: gnutls-3.7.8-xts-key-check.patch -Patch: gnutls-3.7.8-clear-session-ticket.patch -Patch: gnutls-3.7.7-aes-cbc-padding-support.patch -Patch: gnutls-3.7.8-integrity-check.patch -Patch: gnutls-3.7.6-fips-service-indicator-test-functions.patch -Patch: gnutls-3.7.6-fips-ccm-taglen.patch -Patch: gnutls-3.7.6-fips-rsa-pss-saltlen.patch -Patch: gnutls-3.7.8-revert-hmac-name.patch -Patch: gnutls-3.7.8-rsa-kx-timing.patch -Patch: gnutls-3.7.8-fips-pct-dh.patch -Patch: gnutls-3.7.6-fips-ems.patch -Patch: gnutls-3.7.6-fips-sha1-sigver.patch - -# not upstreamed Patch: gnutls-3.7.3-disable-config-reload.patch Patch: gnutls-3.7.3-fips-dsa-post.patch Patch: gnutls-3.7.6-drbg-reseed.patch -Patch: gnutls-3.7.6-cpuid-fixes.patch +Patch: gnutls-3.7.6-fips-sha1-sigver.patch Patch: gnutls-3.7.6-gmp-static.patch %bcond_without bootstrap @@ -64,6 +38,8 @@ Patch: gnutls-3.7.6-gmp-static.patch %bcond_with gost %bcond_with certificate_compression %bcond_without tests +%bcond_without srp +%bcond_without heartbeat Summary: A TLS protocol implementation Name: gnutls @@ -269,6 +245,16 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" --enable-gost \ %else --disable-gost \ +%endif +%if %{with srp} + --enable-srp-authentication \ +%else + --disable-srp-authentication \ +%endif +%if %{with heartbeat} + --enable-heartbeat-support \ +%else + --disable-heartbeat-support \ %endif --enable-sha1-support \ --disable-static \ @@ -355,17 +341,19 @@ ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac" %check %if %{with tests} -xfail_tests= +# This test shouldn't work until the kernel gets support for KeyUpdate +xfail_tests=ktls_keyupdate.sh + +# The ktls.sh test currently only supports kernel 5.11+. This needs to +# be checked at run time, as the koji builder might be using a different +# version of kernel on the host than the one indicated by the +# kernel-devel package. -# With older kernel, key installation fails if the host is x86_64 and -# the package is built with -m32: -%ifarch %{ix86} case "$(uname -r)" in - 4.*.x86_64) + 4.* | 5.[0-9].* | 5.10.* ) xfail_tests="$xfail_tests ktls.sh" ;; esac -%endif make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests" %endif @@ -421,6 +409,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$x %endif %changelog +* Thu Nov 16 2023 Daiki Ueno - 3.8.2-1 +- Update to gnutls 3.8.2 (RHEL-14891) + * Sat Jul 29 2023 Daiki Ueno - 3.7.6-23 - Mark SHA-1 signature verification non-approved in FIPS (#2102751) diff --git a/sources b/sources index 0714cc7..de64bfe 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.6.tar.xz) = f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a -SHA512 (gnutls-3.7.6.tar.xz.sig) = c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 +SHA512 (gnutls-3.8.2.tar.xz) = b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38 +SHA512 (gnutls-3.8.2.tar.xz.sig) = 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6