Compare commits


No commits in common. "c8" and "c10s-gating-update" have entirely different histories.

75 changed files with 13394 additions and 16614 deletions

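--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1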

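--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,176 @@
-SOURCES/gnutls-3.6.16.tar.xz
-SOURCES/gnutls-3.6.16.tar.xz.sig
-SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+gnutls-2.8.6-nosrp.tar.bz2
+gnutls-2.10.1-nosrp.tar.bz2
+/gnutls-2.10.2-nosrp.tar.bz2
+/gnutls-2.10.3-nosrp.tar.bz2
+/gnutls-2.10.4-nosrp.tar.bz2
+/gnutls-2.10.5-nosrp.tar.bz2
+/gnutls-2.12.2-nosrp.tar.bz2
+/gnutls-2.12.3-nosrp.tar.bz2
+/gnutls-2.12.4-nosrp.tar.bz2
+/gnutls-2.12.7-nosrp.tar.bz2
+/gnutls-2.12.8-nosrp.tar.bz2
+/gnutls-2.12.9-nosrp.tar.bz2
+/gnutls-2.12.11-nosrp.tar.bz2
+/gnutls-2.12.12-nosrp.tar.bz2
+/gnutls-2.12.14-nosrp.tar.bz2
+/gnutls-2.12.17-nosrp.tar.xz
+/gnutls-2.12.18-nosrp.tar.xz
+/gnutls-2.12.19-nosrp.tar.xz
+/gnutls-2.12.20-nosrp.tar.xz
+/gnutls-2.12.21-nosrp.tar.xz
+/gnutls-2.12.22-nosrp.tar.xz
+/gnutls-3.1.7-hobbled.tar.xz
+/gnutls-3.1.8-hobbled.tar.xz
+/gnutls-3.1.9-hobbled.tar.xz
+/gnutls-3.1.10-hobbled.tar.xz
+/gnutls-3.1.11-hobbled.tar.xz
+/gnutls-3.1.13-hobbled.tar.xz
+/gnutls-3.1.13-hobbled-el.tar.xz
+/gnutls-3.1.15-hobbled.tar.xz
+/gnutls-3.1.16-hobbled.tar.xz
+/gnutls-3.2.7-hobbled.tar.xz
+/gnutls-3.2.8-hobbled.tar.xz
+/gnutls-3.2.10-hobbled.tar.xz
+/gnutls-3.2.12.tar.xz
+/gnutls-3.2.12-hobbled.tar.xz
+/gnutls-3.2.12.1-hobbled.tar.xz
+/gnutls-3.2.13-hobbled.tar.xz
+/gnutls-3.3.0-hobbled.tar.xz
+/gnutls-3.3.1-hobbled.tar.xz
+/gnutls-3.3.2-hobbled.tar.xz
+/gnutls-3.3.3-hobbled.tar.xz
+/gnutls-3.3.4-hobbled.tar.xz
+/gnutls-3.3.5-hobbled.tar.xz
+/gnutls-3.3.6-hobbled.tar.xz
+/gnutls-3.3.7-hobbled.tar.xz
+/gnutls-3.3.8-hobbled.tar.xz
+/gnutls-3.3.9-hobbled.tar.xz
+/gnutls-3.3.10-hobbled.tar.xz
+/gnutls-3.3.11-hobbled.tar.xz
+/gnutls-3.3.12-hobbled.tar.xz
+/gnutls-3.3.13-hobbled.tar.xz
+/gnutls-3.3.14-hobbled.tar.xz
+/gnutls-3.4.1-hobbled.tar.xz
+/gnutls-3.4.2-hobbled.tar.xz
+/gnutls-3.4.3-hobbled.tar.xz
+/gnutls-3.4.4-hobbled.tar.xz
+/gnutls-3.4.5-hobbled.tar.xz
+/gnutls-3.4.6-hobbled.tar.xz
+/gnutls-3.4.7-hobbled.tar.xz
+/gnutls-3.4.8-hobbled.tar.xz
+/gnutls-3.4.9-hobbled.tar.xz
+/gnutls-3.4.10-hobbled.tar.xz
+/gnutls-3.4.11-hobbled.tar.xz
+/gnutls-3.4.12-hobbled.tar.xz
+/gnutls-3.4.13-hobbled.tar.xz
+/gnutls-3.5.1-hobbled.tar.xz
+/gnutls-3.5.2-hobbled.tar.xz
+/gnutls-3.5.3-hobbled.tar.xz
+/gnutls-3.5.4-hobbled.tar.xz
+/gnutls-3.5.5-hobbled.tar.xz
+/gnutls-3.5.6-hobbled.tar.xz
+/gnutls-3.5.7-hobbled.tar.xz
+/gnutls-3.5.8-hobbled.tar.xz
+/gnutls-3.5.9-hobbled.tar.xz
+/gnutls-3.5.10-hobbled.tar.xz
+/gnutls-3.5.11-hobbled.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.12.tar.xz.sig
+/gnutls-3.5.12.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.13.tar.xz.sig
+/gnutls-3.5.13.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.14.tar.xz.sig
+/gnutls-3.5.14.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.0.tar.xz.sig
+/gnutls-3.6.0.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.1.tar.xz.sig
+/gnutls-3.6.1.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.2.tar.xz.sig
+/gnutls-3.6.2.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.2.tar.xz.sig
+/gnutls-3.6.2.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.3.tar.xz.sig
+/gnutls-3.6.3.tar.xz
+/gnutls-3.6.4.tar.xz
+/gnutls-3.6.4.tar.xz.sig
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.5.tar.xz.sig
+/gnutls-3.6.5.tar.xz
+/gnutls-3.6.6.tar.xz
+/gnutls-3.6.6.tar.xz.sig
+/gnutls-3.6.7.tar.xz
+/gnutls-3.6.7.tar.xz.sig
+/gnutls-3.6.8.tar.xz.sig
+/gnutls-3.6.8.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.9.tar.xz.sig
+/gnutls-3.6.9.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.10.tar.xz.sig
+/gnutls-3.6.10.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.11.tar.xz.sig
+/gnutls-3.6.11.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.12.tar.xz.sig
+/gnutls-3.6.12.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.13.tar.xz.sig
+/gnutls-3.6.13.tar.xz
+/gnutls-3.6.14.tar.xz
+/gnutls-3.6.14.tar.xz.sig
+/gnutls-3.6.15.tar.xz
+/gnutls-3.6.15.tar.xz.sig
+/gnutls-3.7.0.tar.xz
+/gnutls-3.7.0.tar.xz.sig
+/gnutls-3.7.1.tar.xz
+/gnutls-3.7.1.tar.xz.sig
+/gnutls-3.7.2.tar.xz
+/gnutls-3.7.2.tar.xz.sig
+/gnutls-3.7.3.tar.xz
+/gnutls-3.7.3.tar.xz.sig
+/gnutls-3.7.4.tar.xz
+/gnutls-3.7.5.tar.xz
+/gnutls-3.7.6.tar.xz
+/gnutls-3.7.7.tar.xz
+/gnutls-3.7.8.tar.xz
+/gnutls-3.8.0.tar.xz
+/gnutls-3.8.0.tar.xz.sig
+/gnutls-release-keyring.gpg
+/gnutls-3.8.1.tar.xz
+/gnutls-3.8.1.tar.xz.sig
+/gnutls-3.8.2.tar.xz
+/gnutls-3.8.2.tar.xz.sig
+/gnutls-3.8.3.tar.xz
+/gnutls-3.8.3.tar.xz.sig
+/gnutls-3.8.4.tar.xz
+/gnutls-3.8.4.tar.xz.sig
+/gnutls-3.8.5.tar.xz
+/gnutls-3.8.5.tar.xz.sig
+/gnutls-3.8.6.tar.xz
+/gnutls-3.8.6.tar.xz.sig
+/gmp-6.2.1.tar.xz
+/gnutls-3.8.7.tar.xz
+/gnutls-3.8.7.tar.xz.sig
+/gnutls-3.8.7.1.tar.xz
+/gnutls-3.8.7.1.tar.xz.sig
+/nettle-3.10-hobbled.tar.xz
+/gnutls-3.8.8.tar.xz
+/gnutls-3.8.8.tar.xz.sig
+/gnutls-3.8.9.tar.xz
+/gnutls-3.8.9.tar.xz.sig
+/leancrypto-1.2.0.tar.gz
+/nettle-3.10.1.tar.gz
+/nettle-3.10.1.tar.gz.sig
+/nettle-release-keyring.gpg
+/leancrypto-1.3.0.tar.gz
+/gnutls-3.8.10.tar.xz
+/gnutls-3.8.10.tar.xz.sig
+/leancrypto-1.5.0.tar.gz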


@ -1,3 +0,0 @@
6ba8fb898dcf4b4046b60662ba97df835593e687 SOURCES/gnutls-3.6.16.tar.xz
b41ac56ff6cca4539c8b084db2c84e8bc21d60ac SOURCES/gnutls-3.6.16.tar.xz.sig
648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

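--- a/.packit.yaml
+++ b/.packit.yaml
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+specfile_path: gnutls.spec
+files_to_sync:
+- .packit.yaml
+- gnutls.spec
+upstream_project_url: https://gitlab.com/gnutls/gnutls
+upstream_package_name: gnutls
+downstream_package_name: gnutls
+actions:
+post-upstream-clone:
+- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec"
+- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch"
+get-current-version:
+- "git describe --abbrev=0"
+create-archive:
+- |
+bash -c "wget https://www.gnupg.org/ftp/gcrypt/gnutls/v$(expr $PACKIT_PROJECT_VERSION : '^\([0-9]*\.[0-9]*\)')/gnutls-${PACKIT_PROJECT_VERSION}.tar.xz"
+- |
+bash -c "wget https://www.gnupg.org/ftp/gcrypt/gnutls/v$(expr $PACKIT_PROJECT_VERSION : '^\([0-9]*\.[0-9]*\)')/gnutls-${PACKIT_PROJECT_VERSION}.tar.xz.sig"
+- bash -c "echo gnutls-${PACKIT_PROJECT_VERSION}.tar.xz"
+- bash -c "echo gnutls-${PACKIT_PROJECT_VERSION}.tar.xz.sig"
+jobs:
+- job: propose_downstream
+trigger: release
+metadata:
+dist_git_branches: fedora-all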
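Review bot: The `create-archive` action downloads the release tarball and its detached `.sig`, but none of its four commands verifies the signature before the archive name is echoed back to packit, so a tampered or mis-served tarball is accepted silently; the `.sig` only matters if `%prep` in the fetched spec runs gpgverify, which is not visible in this compare. The `post-upstream-clone` action has the same gap: `gnutls.spec` and `gnutls-3.2.7-rpath.patch` are fetched from an unpinned `main` ref with no checksum or signature check, and the spec fetched that way is what later decides what gets built. Where the release keyring is available in the clone (this same compare's `.gitignore` lists `gnutls-release-keyring.gpg` as a lookaside source, so it may not be in git), add after the `.sig` download `- bash -c "gpgv --keyring gnutls-release-keyring.gpg gnutls-${PACKIT_PROJECT_VERSION}.tar.xz.sig gnutls-${PACKIT_PROJECT_VERSION}.tar.xz"` so a bad signature fails the action; otherwise add a comment above `create-archive:` stating where verification is expected to happen. The rendered view has also flattened indentation, so the nesting of the entries under `actions:` and `jobs:` should be confirmed in the raw file before merging.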

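--- a/README.packit
+++ b/README.packit
@@ -0,0 +1,3 @@
+This repository is maintained by packit.
+https://packit.dev/
+The file was generated using packit 0.100.0.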



@ -1,204 +0,0 @@
From f09b7627a63defb1c55e9965fb05e0bbddb90247 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 6 Oct 2020 11:54:21 +0200
Subject: [PATCH] fips: use larger prime for DH self-tests
According to FIPS140-2 IG 7.5, the minimum key size of FFC through
2030 is defined as 2048 bits. This updates the relevant self-test
using ffdhe3072 defined in RFC 7919.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/crypto-selftests-pk.c | 142 ++++++++++++++++++++++++++++++++++----
lib/dh-primes.c | 4 --
2 files changed, 130 insertions(+), 16 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 70b0f618f..9b7c692a8 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -620,32 +620,150 @@ static int test_dh(void)
gnutls_pk_params_st priv;
gnutls_pk_params_st pub;
gnutls_datum_t out = {NULL, 0};
+
+ /* FFDHE 3072 test vector provided by Stephan Mueller in:
+ * https://gitlab.com/gnutls/gnutls/-/merge_requests/1342#note_424430996
+ */
static const uint8_t known_dh_k[] = {
- 0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb,
- 0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62};
- static const uint8_t test_p[] = {
- 0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4,
- 0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d };
- static const uint8_t test_g[] = { 0x02 };
+ 0xec, 0xb3, 0x85, 0x0c, 0x72, 0x55, 0x55, 0xc2, 0x98, 0x36,
+ 0xbe, 0x75, 0x9e, 0xc9, 0x9d, 0x8b, 0x16, 0xa6, 0xe6, 0x84,
+ 0x33, 0x12, 0x80, 0x1d, 0xac, 0xde, 0x6a, 0xd7, 0x3b, 0x1e,
+ 0x15, 0xca, 0x5d, 0x26, 0xb3, 0x0a, 0x35, 0xf4, 0xbb, 0xad,
+ 0x71, 0xcb, 0x03, 0x1a, 0xcb, 0xfb, 0x83, 0xf0, 0xa8, 0xde,
+ 0xed, 0x5e, 0x3d, 0x98, 0xd2, 0xb0, 0xef, 0xad, 0xdf, 0x32,
+ 0xa0, 0x16, 0x7d, 0x0e, 0x29, 0xd8, 0x85, 0xca, 0x12, 0x97,
+ 0x56, 0xab, 0x6a, 0x26, 0xa4, 0x46, 0x3d, 0x87, 0xd7, 0xe0,
+ 0xb4, 0x3e, 0x28, 0x75, 0xac, 0x59, 0xc5, 0x71, 0x3a, 0x24,
+ 0x15, 0x76, 0x98, 0x72, 0x94, 0x2d, 0xd0, 0x0e, 0xbc, 0x9a,
+ 0x77, 0xd4, 0xe2, 0xb2, 0x76, 0x54, 0x4a, 0x56, 0xbe, 0x0b,
+ 0x43, 0xf8, 0x21, 0x6f, 0x54, 0x32, 0xde, 0xb7, 0xd5, 0xb7,
+ 0x08, 0x00, 0xd2, 0x57, 0x8c, 0x0b, 0x8b, 0x02, 0x3e, 0xdb,
+ 0x72, 0x54, 0x3a, 0xc0, 0x50, 0x66, 0xbc, 0xc9, 0x67, 0xf5,
+ 0x22, 0x28, 0xf2, 0x3c, 0x51, 0x94, 0x61, 0x26, 0x9a, 0xc6,
+ 0x42, 0x0e, 0x8b, 0x42, 0xad, 0x79, 0x40, 0xa9, 0x0b, 0xdc,
+ 0x84, 0xd5, 0x71, 0x83, 0x94, 0xd9, 0x83, 0x2f, 0x08, 0x74,
+ 0xbc, 0x37, 0x6a, 0x3e, 0x1e, 0xbc, 0xcc, 0x09, 0x23, 0x30,
+ 0x79, 0x01, 0x39, 0xf6, 0xe3, 0xa8, 0xc0, 0xfa, 0x7e, 0xdb,
+ 0x0b, 0x71, 0x3e, 0x4f, 0x1f, 0x69, 0x84, 0xa6, 0x58, 0x6c,
+ 0x36, 0x2c, 0xcc, 0xb4, 0x7c, 0x94, 0xec, 0x06, 0x0b, 0x11,
+ 0x53, 0x95, 0xe6, 0x05, 0x43, 0xa4, 0xe4, 0xea, 0x1d, 0x4f,
+ 0xdc, 0xd0, 0x38, 0x0e, 0x32, 0xa1, 0xde, 0xd9, 0x8d, 0xd8,
+ 0x20, 0xac, 0x04, 0x83, 0xf8, 0x1b, 0x55, 0x52, 0x16, 0x20,
+ 0xe3, 0x2e, 0x6d, 0x11, 0x15, 0x29, 0x2f, 0x3a, 0x7c, 0x80,
+ 0x0a, 0x71, 0x3d, 0x31, 0x9c, 0x1b, 0x73, 0x59, 0xe1, 0x0d,
+ 0x27, 0xc5, 0xc0, 0x6a, 0x72, 0x3a, 0x5b, 0xd6, 0xf6, 0x50,
+ 0xe6, 0x69, 0x48, 0x1e, 0xfd, 0xeb, 0x4a, 0x47, 0x73, 0xfb,
+ 0x88, 0x14, 0xea, 0x6d, 0x36, 0xe1, 0x4c, 0x2c, 0xf9, 0x04,
+ 0xc1, 0xb7, 0x29, 0xfc, 0x5d, 0x02, 0x5d, 0x1c, 0x4d, 0x31,
+ 0x4a, 0x51, 0x3f, 0xa4, 0x45, 0x19, 0x29, 0xc4, 0x32, 0xa6,
+ 0x45, 0xdb, 0x94, 0x3a, 0xbd, 0x76, 0x2c, 0xd6, 0x1a, 0xb1,
+ 0xff, 0xe7, 0x62, 0x75, 0x16, 0xe5, 0x0b, 0xa3, 0x3a, 0x93,
+ 0x84, 0xd6, 0xad, 0xc2, 0x24, 0x68, 0x3d, 0xd6, 0x07, 0xe4,
+ 0xbe, 0x5a, 0x49, 0x31, 0x06, 0xad, 0x3f, 0x31, 0x4a, 0x1c,
+ 0xf7, 0x58, 0xdf, 0x34, 0xcb, 0xc8, 0xa9, 0x07, 0x24, 0x42,
+ 0x63, 0xa5, 0x8e, 0xdd, 0x37, 0x78, 0x92, 0x68, 0x3f, 0xd8,
+ 0x2f, 0xea, 0x8c, 0xf1, 0x8e, 0xd4, 0x8b, 0xa7, 0x3f, 0xa0,
+ 0xfa, 0xaf, 0xf0, 0x35,
+ };
static const uint8_t test_x[] = {
- 0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b,
- 0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe };
+ 0x16, 0x5c, 0xa6, 0xe0, 0x9b, 0x87, 0xfa, 0x2d, 0xbc, 0x13,
+ 0x20, 0xcd, 0xac, 0x4e, 0xcc, 0x60, 0x1e, 0x48, 0xec, 0xbe,
+ 0x73, 0x0c, 0xa8, 0x6b, 0x6e, 0x2a, 0xee, 0xdd, 0xd8, 0xf3,
+ 0x2d, 0x5f, 0x75, 0xf3, 0x07, 0x94, 0x88, 0x3d, 0xb1, 0x38,
+ 0xcf, 0xae, 0x4a, 0xcc, 0xcb, 0x6a, 0x80, 0xbc, 0xeb, 0x3b,
+ 0xaa, 0x0b, 0x18, 0x74, 0x58, 0x7c, 0x3e, 0x74, 0xef, 0xb6,
+ 0xd3, 0x15, 0xee, 0x73, 0x29, 0x88, 0x7b, 0x65, 0x02, 0x39,
+ 0x33, 0xec, 0x22, 0x06, 0x8c, 0x5b, 0xd6, 0x2f, 0x4c, 0xf7,
+ 0xe0, 0x97, 0x6d, 0x2a, 0x90, 0x36, 0xfe, 0x1a, 0x44, 0x4d,
+ 0x9d, 0x41, 0x4b, 0xcb, 0xec, 0x25, 0xf4, 0xc3, 0xa5, 0x91,
+ 0xd0, 0x90, 0xc9, 0x34, 0x7b, 0xba, 0x27, 0x30, 0x5a, 0xa2,
+ 0x21, 0x58, 0xce, 0x88, 0x25, 0x39, 0xaf, 0xf1, 0x17, 0x02,
+ 0x12, 0xf8, 0x55, 0xdc, 0xd2, 0x08, 0x5b, 0xd3, 0xc7, 0x8e,
+ 0xcf, 0x29, 0x85, 0x85, 0xdb, 0x5c, 0x08, 0xc2, 0xd7, 0xb0,
+ 0x33, 0x0e, 0xe3, 0xb9, 0x2c, 0x1a, 0x1d, 0x4b, 0xe5, 0x76,
+ 0x8f, 0xd3, 0x14, 0xb6, 0x8c, 0xdc, 0x9a, 0xe8, 0x15, 0x60,
+ 0x60, 0x5e, 0xaa, 0xf9, 0xfa, 0xa6, 0xb2, 0x4f, 0xff, 0x46,
+ 0xc1, 0x5e, 0x93, 0x50, 0x90, 0x7e, 0x4c, 0x26, 0xd7, 0xbb,
+ 0x21, 0x05, 0x3d, 0x27, 0xc5, 0x9b, 0x0d, 0x46, 0x69, 0xe4,
+ 0x74, 0x87, 0x74, 0x55, 0xee, 0x5f, 0xe5, 0x72, 0x04, 0x46,
+ 0x1f, 0x2e, 0x55, 0xc7, 0xcc, 0x2b, 0x2b, 0x39, 0x6d, 0x90,
+ 0x60, 0x31, 0x37, 0x5b, 0x44, 0xde, 0xfd, 0xf2, 0xd1, 0xc6,
+ 0x9c, 0x12, 0x82, 0xcc, 0x7c, 0xb1, 0x0e, 0xa9, 0x95, 0x9d,
+ 0xe0, 0xa8, 0x3e, 0xc1, 0xa3, 0x4a, 0x6a, 0x37, 0x59, 0x17,
+ 0x93, 0x63, 0x1e, 0xbf, 0x04, 0xa3, 0xaa, 0xc0, 0x1d, 0xc4,
+ 0x6d, 0x7a, 0xdc, 0x69, 0x9c, 0xb0, 0x22, 0x56, 0xd9, 0x76,
+ 0x92, 0x2d, 0x1e, 0x62, 0xae, 0xfd, 0xd6, 0x9b, 0xfd, 0x08,
+ 0x2c, 0x95, 0xec, 0xe7, 0x02, 0x43, 0x62, 0x68, 0x1a, 0xaf,
+ 0x46, 0x59, 0xb7, 0xce, 0x8e, 0x42, 0x24, 0xae, 0xf7, 0x0e,
+ 0x9a, 0x3b, 0xf8, 0x77, 0xdf, 0x26, 0x85, 0x9f, 0x45, 0xad,
+ 0x8c, 0xa9, 0x54, 0x9c, 0x46, 0x44, 0xd5, 0x8a, 0xe9, 0xcc,
+ 0x34, 0x5e, 0xc5, 0xd1, 0x42, 0x6f, 0x44, 0xf3, 0x0f, 0x90,
+ 0x3a, 0x32, 0x1a, 0x9c, 0x2a, 0x63, 0xec, 0x21, 0xb4, 0xfc,
+ 0xfa, 0xa5, 0xcf, 0xe7, 0x9e, 0x43, 0xc7, 0x49, 0x56, 0xbc,
+ 0x50, 0xc5, 0x84, 0xf0, 0x42, 0xc8, 0x6a, 0xf1, 0x78, 0xe4,
+ 0xaa, 0x06, 0x37, 0xe1, 0x30, 0xf7, 0x65, 0x97, 0xca, 0xfd,
+ 0x35, 0xfa, 0xeb, 0x48, 0x6d, 0xaa, 0x45, 0x46, 0x9d, 0xbc,
+ 0x1d, 0x98, 0x17, 0x45, 0xa3, 0xee, 0x21, 0xa0, 0x97, 0x38,
+ 0x80, 0xc5, 0x28, 0x1f,
+ };
static const uint8_t test_y[] = { /* y=g^x mod p */
- 0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1,
- 0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 };
+ 0x93, 0xeb, 0x5c, 0x37, 0x1d, 0x3c, 0x06, 0x6f, 0xbf, 0xbe,
+ 0x96, 0x51, 0x26, 0x58, 0x81, 0x36, 0xc6, 0x4f, 0x9a, 0x34,
+ 0xc4, 0xc5, 0xa8, 0xa3, 0x2c, 0x41, 0x76, 0xa8, 0xc6, 0xc0,
+ 0xa0, 0xc8, 0x51, 0x36, 0xc4, 0x40, 0x4e, 0x2c, 0x69, 0xf7,
+ 0x51, 0xbb, 0xb0, 0xd6, 0xf5, 0xdb, 0x40, 0x29, 0x50, 0x3b,
+ 0x8a, 0xf9, 0xf3, 0x53, 0x78, 0xfc, 0x86, 0xe9, 0xf1, 0xe9,
+ 0xac, 0x85, 0x13, 0x65, 0x62, 0x22, 0x04, 0x1b, 0x14, 0x2a,
+ 0xf4, 0x8f, 0x2f, 0xf1, 0x2f, 0x81, 0xd6, 0x18, 0x0e, 0x76,
+ 0x91, 0x43, 0xb2, 0xfc, 0x7c, 0x6f, 0x0c, 0x45, 0x37, 0x31,
+ 0x31, 0x58, 0x5c, 0xdf, 0x42, 0x24, 0x7a, 0xba, 0x8b, 0x7f,
+ 0x79, 0x06, 0x07, 0xef, 0xd6, 0x06, 0xeb, 0xcb, 0x3c, 0xbd,
+ 0xbc, 0xe5, 0xff, 0xfd, 0x62, 0x15, 0x0c, 0x40, 0x46, 0x37,
+ 0xef, 0xd0, 0xa1, 0xde, 0x63, 0x4f, 0x20, 0x0b, 0x45, 0x7d,
+ 0x06, 0x77, 0xfd, 0x23, 0xc1, 0x32, 0x8a, 0x89, 0x65, 0x16,
+ 0xe8, 0x48, 0x12, 0x1c, 0x25, 0x33, 0x2d, 0xbd, 0xd8, 0x9f,
+ 0x1c, 0x9d, 0xbc, 0xe3, 0x08, 0x60, 0x87, 0x1a, 0xc6, 0x06,
+ 0x36, 0xd2, 0xac, 0x09, 0x6d, 0x99, 0x02, 0x89, 0xc6, 0x12,
+ 0x93, 0x8c, 0x4b, 0xd0, 0x7e, 0x36, 0x8a, 0xd6, 0xa0, 0x97,
+ 0x4f, 0x97, 0x3f, 0x97, 0x0b, 0xfe, 0x05, 0xfc, 0xc8, 0xef,
+ 0x21, 0x4d, 0x4a, 0x06, 0x6e, 0xb4, 0xa6, 0x4f, 0xe1, 0xdd,
+ 0x44, 0x06, 0xfa, 0xd5, 0x0e, 0x54, 0xf5, 0x54, 0x3e, 0x8c,
+ 0xb9, 0x85, 0x86, 0x00, 0x40, 0x98, 0xe7, 0x01, 0xdd, 0x93,
+ 0x9d, 0x95, 0xea, 0xf0, 0xd3, 0x99, 0x4b, 0xeb, 0xd5, 0x79,
+ 0x47, 0xa4, 0xad, 0x2a, 0xe0, 0x4d, 0x36, 0x3b, 0x46, 0x10,
+ 0x96, 0xbb, 0x48, 0xe9, 0xa1, 0x78, 0x01, 0x35, 0x0a, 0x5c,
+ 0x7b, 0x3f, 0xf5, 0xf7, 0xb1, 0xe3, 0x97, 0x17, 0x4d, 0x76,
+ 0x10, 0x8d, 0x68, 0x4c, 0x94, 0x7d, 0xee, 0x0e, 0x20, 0x8b,
+ 0xce, 0x7d, 0x0a, 0xa3, 0x51, 0xfb, 0xe6, 0xcf, 0xf0, 0x0e,
+ 0x7f, 0x3c, 0xd4, 0xef, 0x56, 0x31, 0xb2, 0x95, 0xf0, 0x5f,
+ 0x4b, 0x9c, 0x03, 0x9e, 0xae, 0xb1, 0xc1, 0x46, 0xd7, 0xc0,
+ 0x4f, 0xb0, 0xf6, 0x6c, 0xe1, 0xe9, 0x2a, 0x97, 0xe0, 0x3f,
+ 0x3a, 0x93, 0x04, 0xcd, 0x41, 0x7d, 0x45, 0x03, 0xb3, 0x40,
+ 0x20, 0xe6, 0xad, 0x2d, 0xd3, 0xf7, 0x32, 0x7b, 0xcc, 0x4f,
+ 0x81, 0x18, 0x4c, 0x50, 0x77, 0xc4, 0xb7, 0x6a, 0x4d, 0x05,
+ 0xd8, 0x6d, 0xbf, 0x6f, 0xba, 0x1d, 0x38, 0x78, 0x87, 0xd2,
+ 0x8e, 0xc2, 0x6d, 0xb6, 0xed, 0x66, 0x61, 0xa8, 0xb9, 0x19,
+ 0x0e, 0x93, 0xd1, 0xcd, 0x5b, 0xbe, 0x19, 0x05, 0x52, 0x43,
+ 0xd6, 0xc1, 0x07, 0x3c, 0x6a, 0x62, 0xbd, 0x33, 0x9b, 0x1b,
+ 0x02, 0x42, 0x61, 0x14,
+ };
gnutls_pk_params_init(&priv);
gnutls_pk_params_init(&pub);
priv.algo = pub.algo = GNUTLS_PK_DH;
- ret = _gnutls_mpi_init_scan(&priv.params[DH_P], test_p, sizeof(test_p));
+ ret = _gnutls_mpi_init_scan(&priv.params[DH_P],
+ gnutls_ffdhe_3072_group_prime.data,
+ gnutls_ffdhe_3072_group_prime.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
- ret = _gnutls_mpi_init_scan(&priv.params[DH_G], test_g, sizeof(test_g));
+ ret = _gnutls_mpi_init_scan(&priv.params[DH_G],
+ gnutls_ffdhe_3072_group_generator.data,
+ gnutls_ffdhe_3072_group_generator.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
diff --git a/lib/dh-primes.c b/lib/dh-primes.c
index a440b5b98..94b69e345 100644
--- a/lib/dh-primes.c
+++ b/lib/dh-primes.c
@@ -23,8 +23,6 @@
#include "gnutls_int.h"
#include <gnutls/gnutls.h>
-#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
-
#include "dh.h"
static const unsigned char ffdhe_generator = 0x02;
@@ -1934,5 +1932,3 @@ _gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
return 0;
}
-
-#endif
--
2.26.2


@ -1,713 +0,0 @@
From 93c0e3ba4d2cfee86b32f28f33303a2193c4133c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 16:12:46 +0200
Subject: [PATCH 1/4] fips: add self-tests for HKDF
FIPS140-2 IG D.8 mandates self-test on approved KDF algorithms. As
the guidance only requires running a single instance of each KDF
mechanism, this only exercises HKDF-Extract and HKDF-Expand operations
with HMAC-SHA-256 as the underlying MAC.
Although HKDF is non-approved, it would be sensible to do that as it
will be approved in FIPS140-3.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
devel/libgnutls-latest-x86_64.abi | 1 +
lib/crypto-selftests.c | 159 ++++++++++++++++++++++++++++++
lib/fips.c | 7 ++
lib/includes/gnutls/self-test.h | 1 +
lib/libgnutls.map | 1 +
5 files changed, 169 insertions(+)
diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
index 7a1c7729c..bd148b6af 100644
--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
@@ -2917,3 +2917,162 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest)
return 0;
}
+
+struct hkdf_vectors_st {
+ const uint8_t *ikm;
+ unsigned int ikm_size;
+ const uint8_t *salt;
+ unsigned int salt_size;
+ const uint8_t *prk;
+ unsigned int prk_size;
+ const uint8_t *info;
+ unsigned int info_size;
+ const uint8_t *okm;
+ unsigned int okm_size;
+};
+
+const struct hkdf_vectors_st hkdf_sha256_vectors[] = {
+ /* RFC 5869: A.1. Test Case 1: Basic test case with SHA-256 */
+ {
+ STR(ikm, ikm_size,
+ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+ STR(salt, salt_size,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"),
+ STR(prk, prk_size,
+ "\x07\x77\x09\x36\x2c\x2e\x32\xdf\x0d\xdc\x3f\x0d\xc4\x7b"
+ "\xba\x63\x90\xb6\xc7\x3b\xb5\x0f\x9c\x31\x22\xec\x84\x4a"
+ "\xd7\xc2\xb3\xe5"),
+ STR(info, info_size,
+ "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9"),
+ STR(okm, okm_size,
+ "\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a\x90\x43\x4f\x64\xd0\x36"
+ "\x2f\x2a\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c\x5d\xb0\x2d\x56"
+ "\xec\xc4\xc5\xbf\x34\x00\x72\x08\xd5\xb8\x87\x18\x58\x65"),
+ },
+ /* RFC 5869: A.2. Test Case 2: Test with SHA-256 and longer inputs/outputs */
+ {
+ STR(ikm, ikm_size,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"
+ "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b"
+ "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29"
+ "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37"
+ "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45"
+ "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"),
+ STR(salt, salt_size,
+ "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d"
+ "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b"
+ "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
+ "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97"
+ "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5"
+ "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"),
+ STR(prk, prk_size,
+ "\x06\xa6\xb8\x8c\x58\x53\x36\x1a\x06\x10\x4c\x9c\xeb\x35"
+ "\xb4\x5c\xef\x76\x00\x14\x90\x46\x71\x01\x4a\x19\x3f\x40"
+ "\xc1\x5f\xc2\x44"),
+ STR(info, info_size,
+ "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd"
+ "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb"
+ "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9"
+ "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
+ "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5"
+ "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"),
+ STR(okm, okm_size,
+ "\xb1\x1e\x39\x8d\xc8\x03\x27\xa1\xc8\xe7\xf7\x8c\x59\x6a"
+ "\x49\x34\x4f\x01\x2e\xda\x2d\x4e\xfa\xd8\xa0\x50\xcc\x4c"
+ "\x19\xaf\xa9\x7c\x59\x04\x5a\x99\xca\xc7\x82\x72\x71\xcb"
+ "\x41\xc6\x5e\x59\x0e\x09\xda\x32\x75\x60\x0c\x2f\x09\xb8"
+ "\x36\x77\x93\xa9\xac\xa3\xdb\x71\xcc\x30\xc5\x81\x79\xec"
+ "\x3e\x87\xc1\x4c\x01\xd5\xc1\xf3\x43\x4f\x1d\x87"),
+ },
+};
+
+static int test_hkdf(gnutls_mac_algorithm_t mac,
+ const struct hkdf_vectors_st *vectors,
+ size_t vectors_size, unsigned flags)
+{
+ unsigned int i;
+
+ for (i = 0; i < vectors_size; i++) {
+ gnutls_datum_t ikm, prk, salt, info;
+ uint8_t output[4096];
+ int ret;
+
+ ikm.data = (void *) vectors[i].ikm;
+ ikm.size = vectors[i].ikm_size;
+ salt.data = (void *) vectors[i].salt;
+ salt.size = vectors[i].salt_size;
+
+ ret = gnutls_hkdf_extract(mac, &ikm, &salt, output);
+ if (ret < 0) {
+ _gnutls_debug_log("error extracting HKDF: MAC-%s\n",
+ gnutls_mac_get_name(mac));
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp(output, vectors[i].prk, vectors[i].prk_size) != 0) {
+ _gnutls_debug_log
+ ("HKDF extract: MAC-%s test vector failed!\n",
+ gnutls_mac_get_name(mac));
+
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ prk.data = (void *) vectors[i].prk;
+ prk.size = vectors[i].prk_size;
+ info.data = (void *) vectors[i].info;
+ info.size = vectors[i].info_size;
+
+ ret = gnutls_hkdf_expand(mac, &prk, &info,
+ output, vectors[i].okm_size);
+ if (ret < 0) {
+ _gnutls_debug_log("error extracting HKDF: MAC-%s\n",
+ gnutls_mac_get_name(mac));
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp(output, vectors[i].okm, vectors[i].okm_size) != 0) {
+ _gnutls_debug_log
+ ("HKDF expand: MAC-%s test vector failed!\n",
+ gnutls_mac_get_name(mac));
+
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+ }
+
+ _gnutls_debug_log
+ ("HKDF: MAC-%s self check succeeded\n",
+ gnutls_mac_get_name(mac));
+
+ return 0;
+}
+
+/*-
+ * gnutls_hkdf_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on HKDF with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+ int ret;
+
+ if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+ mac = GNUTLS_MAC_UNKNOWN;
+
+ switch (mac) {
+ case GNUTLS_MAC_UNKNOWN:
+ CASE(GNUTLS_MAC_SHA256, test_hkdf, hkdf_sha256_vectors);
+
+ break;
+ default:
+ return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+ }
+
+ return 0;
+}
diff --git a/lib/fips.c b/lib/fips.c
index f8b10f750..48891ed57 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -423,6 +423,13 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ /* HKDF */
+ ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
if (_gnutls_rnd_ops.self_test == NULL) {
gnutls_assert();
goto error;
diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
index aacbe94ca..9b7be8159 100644
--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
@@ -34,5 +34,6 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher);
int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
+int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 61276e534..386b66f83 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1347,6 +1347,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_pk_self_test;
gnutls_mac_self_test;
gnutls_digest_self_test;
+ gnutls_hkdf_self_test;
#for FIPS140-2 validation
drbg_aes_reseed;
drbg_aes_init;
--
2.26.2
From 31cc94275cd267f4e0db60999cc932fd76d43d5a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 16:59:50 +0200
Subject: [PATCH 2/4] fips: add self-tests for PBKDF2
FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms. As
the guidance only requires running a single instance of each KDF
mechanism, this only exercises PBKDF2 with HMAC-SHA-256 as the
underlying MAC algorithm.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
devel/libgnutls-latest-x86_64.abi | 1 +
lib/crypto-selftests.c | 107 ++++++++++++++++++++++++++++++
lib/fips.c | 7 ++
lib/includes/gnutls/self-test.h | 1 +
lib/libgnutls.map | 1 +
5 files changed, 117 insertions(+)
diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
index bd148b6af..c4b0bd207 100644
--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
@@ -3076,3 +3076,110 @@ int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
return 0;
}
+
+struct pbkdf2_vectors_st {
+ const uint8_t *key;
+ size_t key_size;
+ const uint8_t *salt;
+ size_t salt_size;
+ unsigned iter_count;
+ const uint8_t *output;
+ size_t output_size;
+};
+
+const struct pbkdf2_vectors_st pbkdf2_sha256_vectors[] = {
+ /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
+ {
+ STR(key, key_size, "passwd"),
+ STR(salt, salt_size, "salt"),
+ .iter_count = 1,
+ STR(output, output_size,
+ "\x55\xac\x04\x6e\x56\xe3\x08\x9f\xec\x16\x91\xc2\x25\x44"
+ "\xb6\x05\xf9\x41\x85\x21\x6d\xde\x04\x65\xe6\x8b\x9d\x57"
+ "\xc2\x0d\xac\xbc\x49\xca\x9c\xcc\xf1\x79\xb6\x45\x99\x16"
+ "\x64\xb3\x9d\x77\xef\x31\x7c\x71\xb8\x45\xb1\xe3\x0b\xd5"
+ "\x09\x11\x20\x41\xd3\xa1\x97\x83"),
+ },
+ /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
+ {
+ STR(key, key_size, "Password"),
+ STR(salt, salt_size, "NaCl"),
+ .iter_count = 80000,
+ STR(output, output_size,
+ "\x4d\xdc\xd8\xf6\x0b\x98\xbe\x21\x83\x0c\xee\x5e\xf2\x27"
+ "\x01\xf9\x64\x1a\x44\x18\xd0\x4c\x04\x14\xae\xff\x08\x87"
+ "\x6b\x34\xab\x56\xa1\xd4\x25\xa1\x22\x58\x33\x54\x9a\xdb"
+ "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
+ "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+ },
+};
+
+static int test_pbkdf2(gnutls_mac_algorithm_t mac,
+ const struct pbkdf2_vectors_st *vectors,
+ size_t vectors_size, unsigned flags)
+{
+ unsigned int i;
+
+ for (i = 0; i < vectors_size; i++) {
+ gnutls_datum_t key, salt;
+ uint8_t output[4096];
+ int ret;
+
+ key.data = (void *) vectors[i].key;
+ key.size = vectors[i].key_size;
+ salt.data = (void *) vectors[i].salt;
+ salt.size = vectors[i].salt_size;
+
+ ret = gnutls_pbkdf2(mac, &key, &salt, vectors[i].iter_count,
+ output, vectors[i].output_size);
+ if (ret < 0) {
+ _gnutls_debug_log("error calculating PBKDF2: MAC-%s\n",
+ gnutls_mac_get_name(mac));
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
+ _gnutls_debug_log
+ ("PBKDF2: MAC-%s test vector failed!\n",
+ gnutls_mac_get_name(mac));
+
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+ }
+
+ _gnutls_debug_log
+ ("PBKDF2: MAC-%s self check succeeded\n",
+ gnutls_mac_get_name(mac));
+
+ return 0;
+}
+
+/*-
+ * gnutls_pbkdf2_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on PBKDF2 with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+ int ret;
+
+ if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+ mac = GNUTLS_MAC_UNKNOWN;
+
+ switch (mac) {
+ case GNUTLS_MAC_UNKNOWN:
+ CASE(GNUTLS_MAC_SHA256, test_pbkdf2, pbkdf2_sha256_vectors);
+
+ break;
+ default:
+ return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+ }
+
+ return 0;
+}
diff --git a/lib/fips.c b/lib/fips.c
index 48891ed57..7cfab1049 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -430,6 +430,13 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ /* PBKDF2 */
+ ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
if (_gnutls_rnd_ops.self_test == NULL) {
gnutls_assert();
goto error;
diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
index 9b7be8159..958c0da8f 100644
--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
@@ -35,5 +35,6 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 386b66f83..f5537a386 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1348,6 +1348,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_mac_self_test;
gnutls_digest_self_test;
gnutls_hkdf_self_test;
+ gnutls_pbkdf2_self_test;
#for FIPS140-2 validation
drbg_aes_reseed;
drbg_aes_init;
--
2.26.2
From d1a3235e8c829855969d00364d8b5456fce2c78c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 17:44:30 +0200
Subject: [PATCH 3/4] fips: add self-tests for TLS-PRF
FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms. As
the guidance only requires to run a single instance of each KDF
mechanism, this only exercises TLS1.2 PRF with HMAC-SHA-256 as the
underlying MAC algorithm.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
devel/libgnutls-latest-x86_64.abi | 1 +
lib/crypto-selftests.c | 196 ++++++++++++++++++++++++++++++
lib/fips.c | 7 ++
lib/includes/gnutls/self-test.h | 1 +
lib/libgnutls.map | 1 +
5 files changed, 206 insertions(+)
diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
index c4b0bd207..b740936d6 100644
--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
@@ -3183,3 +3183,199 @@ int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
return 0;
}
+
+struct tlsprf_vectors_st {
+ const uint8_t *key;
+ size_t key_size;
+ const uint8_t *label;
+ size_t label_size;
+ const uint8_t *seed;
+ size_t seed_size;
+ const uint8_t *output;
+ size_t output_size;
+};
+
+const struct tlsprf_vectors_st tls10prf_vectors[] = {
+ /* tests/tls10-prf.c: test1 */
+ {
+ STR(key, key_size,
+ "\x26\x3b\xdb\xbb\x6f\x6d\x4c\x66\x4e\x05\x8d\x0a\xa9\xd3"
+ "\x21\xbe"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\xb9\x20\x57\x3b\x19\x96\x01\x02\x4f\x04\xd6\xdc\x61\x96"
+ "\x6e\x65"),
+ STR(output, output_size,
+ "\x66\x17\x99\x37\x65\xfa\x6c\xa7\x03\xd1\x9e\xc7\x0d\xd5"
+ "\xdd\x16\x0f\xfc\xc0\x77\x25\xfa\xfb\x71\x4a\x9f\x81\x5a"
+ "\x2a\x30\xbf\xb7\xe3\xbb\xfb\x7e\xee\x57\x4b\x3b\x61\x3e"
+ "\xb7\xfe\x80\xee\xc9\x69\x1d\x8c\x1b\x0e\x2d\x9b\x3c\x8b"
+ "\x4b\x02\xb6\xb6\xd6\xdb\x88\xe2\x09\x46\x23\xef\x62\x40"
+ "\x60\x7e\xda\x7a\xbe\x3c\x84\x6e\x82\xa3"),
+ },
+};
+
+const struct tlsprf_vectors_st tls12prf_sha256_vectors[] = {
+ /* tests/tls12-prf.c: sha256_test1 */
+ {
+ STR(key, key_size,
+ "\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8"
+ "\x6f\x4a"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60"
+ "\x1d\x8b"),
+ STR(output, output_size,
+ "\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97"
+ "\x9e\x1d"),
+ },
+ /* tests/tls12-prf.c: sha256_test2 */
+ {
+ STR(key, key_size,
+ "\x34\x20\x4a\x9d\xf0\xbe\x6e\xb4\xe9\x25\xa8\x02\x7c\xf6"
+ "\xc6\x02"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\x98\xb2\xc4\x0b\xcd\x66\x4c\x83\xbb\x92\x0c\x18\x20\x1a"
+ "\x63\x95"),
+ STR(output, output_size,
+ "\xaf\xa9\x31\x24\x53\xc2\x2f\xa8\x3d\x2b\x51\x1b\x37\x2d"
+ "\x73\xa4\x02\xa2\xa6\x28\x73\x23\x9a\x51\xfa\xde\x45\x08"
+ "\x2f\xaf\x3f\xd2\xbb\x7f\xfb\x3e\x9b\xf3\x6e\x28\xb3\x14"
+ "\x1a\xab\xa4\x84\x00\x53\x32\xa9\xf9\xe3\x88\xa4\xd3\x29"
+ "\xf1\x58\x7a\x4b\x31\x7d\xa0\x77\x08\xea\x1b\xa9\x5a\x53"
+ "\xf8\x78\x67\x24\xbd\x83\xce\x4b\x03\xaf"),
+ },
+ /* tests/tls12-prf.c: sha256_test3 */
+ {
+ STR(key, key_size,
+ "\xa3\x69\x1a\xa1\xf6\x81\x4b\x80\x59\x2b\xf1\xcf\x2a\xcf"
+ "\x16\x97"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\x55\x23\xd4\x1e\x32\x0e\x69\x4d\x0c\x1f\xf5\x73\x4d\x83"
+ "\x0b\x93\x3e\x46\x92\x70\x71\xc9\x26\x21"),
+ STR(output, output_size,
+ "\x6a\xd0\x98\x4f\xa0\x6f\x78\xfe\x16\x1b\xd4\x6d\x7c\x26"
+ "\x1d\xe4\x33\x40\xd7\x28\xdd\xdc\x3d\x0f\xf0\xdd\x7e\x0d"),
+ },
+ /* tests/tls12-prf.c: sha256_test4 */
+ {
+ STR(key, key_size,
+ "\x21\x0e\xc9\x37\x06\x97\x07\xe5\x46\x5b\xc4\x6b\xf7\x79"
+ "\xe1\x04\x10\x8b\x18\xfd\xb7\x93\xbe\x7b\x21\x8d\xbf\x14"
+ "\x5c\x86\x41\xf3"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\x1e\x35\x1a\x0b\xaf\x35\xc7\x99\x45\x92\x43\x94\xb8\x81"
+ "\xcf\xe3\x1d\xae\x8f\x1c\x1e\xd5\x4d\x3b"),
+ STR(output, output_size,
+ "\x76\x53\xfa\x80\x9c\xde\x3b\x55\x3c\x4a\x17\xe2\xcd\xbc"
+ "\xc9\x18\xf3\x65\x27\xf2\x22\x19\xa7\xd7\xf9\x5d\x97\x24"
+ "\x3f\xf2\xd5\xde\xe8\x26\x5e\xf0\xaf\x03"),
+ },
+};
+
+const struct tlsprf_vectors_st tls12prf_sha384_vectors[] = {
+ /* tests/tls12-prf.c: sha384_test1
+ * https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
+ */
+ {
+ STR(key, key_size,
+ "\xb8\x0b\x73\x3d\x6c\xee\xfc\xdc\x71\x56\x6e\xa4\x8e\x55"
+ "\x67\xdf"),
+ STR(label, label_size,
+ "test label"),
+ STR(seed, seed_size,
+ "\xcd\x66\x5c\xf6\xa8\x44\x7d\xd6\xff\x8b\x27\x55\x5e\xdb"
+ "\x74\x65"),
+ STR(output, output_size,
+ "\x7b\x0c\x18\xe9\xce\xd4\x10\xed\x18\x04\xf2\xcf\xa3\x4a"
+ "\x33\x6a\x1c\x14\xdf\xfb\x49\x00\xbb\x5f\xd7\x94\x21\x07"
+ "\xe8\x1c\x83\xcd\xe9\xca\x0f\xaa\x60\xbe\x9f\xe3\x4f\x82"
+ "\xb1\x23\x3c\x91\x46\xa0\xe5\x34\xcb\x40\x0f\xed\x27\x00"
+ "\x88\x4f\x9d\xc2\x36\xf8\x0e\xdd\x8b\xfa\x96\x11\x44\xc9"
+ "\xe8\xd7\x92\xec\xa7\x22\xa7\xb3\x2f\xc3\xd4\x16\xd4\x73"
+ "\xeb\xc2\xc5\xfd\x4a\xbf\xda\xd0\x5d\x91\x84\x25\x9b\x5b"
+ "\xf8\xcd\x4d\x90\xfa\x0d\x31\xe2\xde\xc4\x79\xe4\xf1\xa2"
+ "\x60\x66\xf2\xee\xa9\xa6\x92\x36\xa3\xe5\x26\x55\xc9\xe9"
+ "\xae\xe6\x91\xc8\xf3\xa2\x68\x54\x30\x8d\x5e\xaa\x3b\xe8"
+ "\x5e\x09\x90\x70\x3d\x73\xe5\x6f"),
+ },
+};
+
+static int test_tlsprf(gnutls_mac_algorithm_t mac,
+ const struct tlsprf_vectors_st *vectors,
+ size_t vectors_size, unsigned flags)
+{
+ unsigned int i;
+
+ for (i = 0; i < vectors_size; i++) {
+ char output[4096];
+ int ret;
+
+ ret = _gnutls_prf_raw(mac,
+ vectors[i].key_size, vectors[i].key,
+ vectors[i].label_size, (const char *)vectors[i].label,
+ vectors[i].seed_size, vectors[i].seed,
+ vectors[i].output_size, output);
+ if (ret < 0) {
+ _gnutls_debug_log("error calculating TLS-PRF: MAC-%s\n",
+ gnutls_mac_get_name(mac));
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+
+ if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
+ _gnutls_debug_log
+ ("TLS-PRF: MAC-%s test vector failed!\n",
+ gnutls_mac_get_name(mac));
+
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ }
+ }
+
+ _gnutls_debug_log
+ ("TLS-PRF: MAC-%s self check succeeded\n",
+ gnutls_mac_get_name(mac));
+
+ return 0;
+}
+
+/*-
+ * gnutls_tlsprf_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on TLS-PRF with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+ int ret;
+
+ if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+ mac = GNUTLS_MAC_UNKNOWN;
+
+ switch (mac) {
+ case GNUTLS_MAC_UNKNOWN:
+ NON_FIPS_CASE(GNUTLS_MAC_MD5_SHA1, test_tlsprf, tls10prf_vectors);
+ FALLTHROUGH;
+ CASE(GNUTLS_MAC_SHA256, test_tlsprf, tls12prf_sha256_vectors);
+ FALLTHROUGH;
+ CASE(GNUTLS_MAC_SHA384, test_tlsprf, tls12prf_sha384_vectors);
+
+ break;
+ default:
+ return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+ }
+
+ return 0;
+}
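Review bot: test_tlsprf writes `vectors[i].output_size` bytes into the fixed `char output[4096]` with no bound check, so a longer vector added later would silently overflow the stack buffer; add `if (vectors[i].output_size > sizeof(output)) return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);` before the `_gnutls_prf_raw` call (every vector in this hunk is far smaller, so this is purely defensive). The three vector tables are file-scope but not `static`; `static const struct tlsprf_vectors_st tls10prf_vectors[] = {` (and likewise for the SHA-256 and SHA-384 tables) keeps test data out of the object's symbol table. The `Since: 3.3.0-FIPS140` tag on a function added in 2020 looks copied from its neighbours — confirm it is the intended value.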
diff --git a/lib/fips.c b/lib/fips.c
index 7cfab1049..30d396b2c 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -437,6 +437,13 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ /* TLS-PRF */
+ ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
if (_gnutls_rnd_ops.self_test == NULL) {
gnutls_assert();
goto error;
diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
index 958c0da8f..88b5a8dbf 100644
--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
@@ -36,5 +36,6 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index f5537a386..643d400a1 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1349,6 +1349,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_digest_self_test;
gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test;
+ gnutls_tlsprf_self_test;
#for FIPS140-2 validation
drbg_aes_reseed;
drbg_aes_init;
--
2.26.2
From af3df0102fc377591a6de3112b034d4a492fc92c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 17:59:46 +0200
Subject: [PATCH 4/4] fips: run CMAC self-tests
FIPS140-2 IG D.8 mandates self-tests on CMAC.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/fips.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/fips.c b/lib/fips.c
index 30d396b2c..51567953d 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -398,6 +398,12 @@ int _gnutls_fips_perform_self_checks2(void)
goto error;
}
+ ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
/* PK */
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
if (ret < 0) {
--
2.26.2


@ -1,409 +0,0 @@
From 08f979a318f8c553b4b781e0a586ba54f4e7b165 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 6 Feb 2026 15:43:54 +0100
Subject: [PATCH 1/2] tests/pkcs11/pkcs11-mock4: add, modified for 3.8.10
---
tests/Makefile.am | 6 ++
tests/pkcs11/pkcs11-mock4.c | 125 ++++++++++++++++++++++++++++++++++++
2 files changed, 131 insertions(+)
create mode 100644 tests/pkcs11/pkcs11-mock4.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1019f6c1d8..467284925a 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -338,6 +338,11 @@ libpkcs11mock2_la_SOURCES = pkcs11/pkcs11-mock2.c
libpkcs11mock2_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
libpkcs11mock2_la_LIBADD = ../gl/libgnu.la
+noinst_LTLIBRARIES += libpkcs11mock4.la
+libpkcs11mock4_la_SOURCES = pkcs11/pkcs11-mock4.c
+libpkcs11mock4_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
+libpkcs11mock4_la_LIBADD = ../gl/libgnu.la
+
pkcs11_cert_import_url_exts_SOURCES = pkcs11/pkcs11-cert-import-url-exts.c
pkcs11_cert_import_url_exts_DEPENDENCIES = libpkcs11mock1.la libutils.la
@@ -586,6 +591,7 @@ TESTS_ENVIRONMENT += \
CAFILE=$(srcdir)/cert-tests/data/ca-certs.pem \
P11MOCKLIB1=$(abs_builddir)/.libs/libpkcs11mock1.so \
P11MOCKLIB2=$(abs_builddir)/.libs/libpkcs11mock2.so \
+ P11MOCKLIB4=$(abs_builddir)/.libs/libpkcs11mock4.so \
PKCS12_MANY_CERTS_FILE=$(srcdir)/cert-tests/data/pkcs12_5certs.p12 \
PKCS12FILE=$(srcdir)/cert-tests/data/client.p12 \
PKCS12PASSWORD=foobar \
diff --git a/tests/pkcs11/pkcs11-mock4.c b/tests/pkcs11/pkcs11-mock4.c
new file mode 100644
index 0000000000..a6dd21cddd
--- /dev/null
+++ b/tests/pkcs11/pkcs11-mock4.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2025 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <dlfcn.h>
+#include <p11-kit/pkcs11.h>
+#include <p11-kit/pkcs11x.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <assert.h>
+
+#include "softhsm.h"
+
+/* This provides a mock PKCS #11 module that delegates all the
+ * operations to SoftHSM except that it returns CKR_CANT_LOCK upon
+ * C_Initialize if CKF_OS_LOCKING_OK is set.
+ */
+
+static void *dl;
+static CK_C_Initialize base_C_Initialize;
+static CK_FUNCTION_LIST override_funcs;
+
+#ifdef __sun
+#pragma fini(mock_deinit)
+#pragma init(mock_init)
+#define _CONSTRUCTOR
+#define _DESTRUCTOR
+#else
+#define _CONSTRUCTOR __attribute__((constructor))
+#define _DESTRUCTOR __attribute__((destructor))
+#endif
+
+#define LOCK_FLAGS (CKF_LIBRARY_CANT_CREATE_OS_THREADS | CKF_OS_LOCKING_OK)
+
+static CK_RV override_C_Initialize(void *args)
+{
+ CK_C_INITIALIZE_ARGS *init_args = args;
+ static bool first = true;
+
+ // we don't have threadsafe initialization/fallback in 3.8.10...
+ /*
+ if (first) {
+ assert(init_args &&
+ (init_args->flags & LOCK_FLAGS) == LOCK_FLAGS);
+ first = false;
+ return CKR_CANT_LOCK;
+ } else {
+ assert(!init_args ||
+ (init_args->flags & LOCK_FLAGS) != LOCK_FLAGS);
+ }
+ */
+ // ... so we expect 3.8.10 behaviour
+ assert(first);
+ assert(init_args);
+ assert(!(init_args->flags & LOCK_FLAGS) != LOCK_FLAGS);
+ first = false;
+
+ return base_C_Initialize(args);
+}
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST **function_list)
+{
+ CK_C_GetFunctionList func;
+ CK_FUNCTION_LIST *funcs;
+
+ assert(dl);
+
+ func = dlsym(dl, "C_GetFunctionList");
+ if (func == NULL) {
+ return CKR_GENERAL_ERROR;
+ }
+
+ func(&funcs);
+
+ base_C_Initialize = funcs->C_Initialize;
+
+ memcpy(&override_funcs, funcs, sizeof(CK_FUNCTION_LIST));
+ override_funcs.C_Initialize = override_C_Initialize;
+ *function_list = &override_funcs;
+
+ return CKR_OK;
+}
+
+static _CONSTRUCTOR void mock_init(void)
+{
+ const char *lib;
+
+ /* suppress compiler warning */
+ (void)set_softhsm_conf;
+
+ lib = softhsm_lib();
+
+ dl = dlopen(lib, RTLD_NOW);
+ if (dl == NULL)
+ exit(77);
+}
+
+static _DESTRUCTOR void mock_deinit(void)
+{
+ dlclose(dl);
+}
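Review bot: The assertion `assert(!(init_args->flags & LOCK_FLAGS) != LOCK_FLAGS);` in override_C_Initialize is vacuous: `!` binds before `!=`, so the left-hand side is 0 or 1 and can never equal LOCK_FLAGS (two bits set), meaning the check never fires and the mock verifies nothing about the flags it was written to verify. Judging from the commented-out upstream variant directly above it, the (single) call is expected to carry both locking flags, so this was presumably meant as `assert((init_args->flags & LOCK_FLAGS) == LOCK_FLAGS);` — confirm against what 3.8.10 actually passes. C_GetFunctionList also discards the return value of `func(&funcs)`, so on failure `funcs` is read uninitialised; use `if (func(&funcs) != CKR_OK) return CKR_GENERAL_ERROR;`. Both checks are `assert`s and vanish under NDEBUG, which is worth a comment since the mock's only purpose is to check them.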
--
2.52.0
From ab8ad3b005c1937ed52993cdd6a0c5e4eec98cfc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 18 Nov 2025 13:17:55 +0900
Subject: [PATCH 2/2] pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with a label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/pkcs11_write.c | 5 +-
tests/Makefile.am | 4 +-
tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
3 files changed, 170 insertions(+), 3 deletions(-)
create mode 100644 tests/pkcs11/long-label.c
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 3ce794b076..5685411ee1 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -28,6 +28,7 @@
#include "pkcs11x.h"
#include <x509/common.h>
#include "pk.h"
+#include "minmax.h"
static const ck_bool_t tval = 1;
static const ck_bool_t fval = 0;
@@ -1199,7 +1200,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
* gnutls_pkcs11_token_init:
* @token_url: A PKCS #11 URL specifying a token
* @so_pin: Security Officer's PIN
- * @label: A name to be used for the token
+ * @label: A name to be used for the token, at most 32 characters
*
* This function will initialize (format) a token. If the token is
* at a factory defaults state the security officer's PIN given will be
@@ -1238,7 +1239,7 @@ gnutls_pkcs11_token_init(const char *token_url,
/* so it seems memset has other uses than zeroing! */
memset(flabel, ' ', sizeof(flabel));
if (label != NULL)
- memcpy(flabel, label, strlen(label));
+ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
rv = pkcs11_init_token(module, slot, (uint8_t *) so_pin,
strlen(so_pin), (uint8_t *) flabel);
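Review bot: The new MIN() silently truncates a label longer than 32 bytes, while the doc hunk above says `at most 32 characters` and the caller gets no error; since tests/pkcs11/long-label.c in this same patch expects the call to succeed with a 49-byte label, truncation is evidently intended and the comment should say so, e.g. `@label: A name to be used for the token; longer labels are truncated to 32 bytes`. Truncation is byte-based, so a UTF-8 label can be cut in the middle of a multibyte sequence — presumably tolerable for a PKCS #11 token label, but worth noting. `strlen(label)` is evaluated twice through the MIN macro; computing it once into a local is cheaper and clearer. gnutls_pkcs11_token_init starts and ends outside this hunk.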
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 467284925a..ed8b7e19c3 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -488,11 +488,13 @@ buffer_CPPFLAGS = $(AM_CPPFLAGS) \
if ENABLE_PKCS11
if !WINDOWS
ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
- global-init-override
+ global-init-override pkcs11/long-label
tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
pkcs11_tls_neg_pkcs11_no_key_LDADD = $(LDADD) $(LIBDL)
+pkcs11_long_label_DEPENDENCIES = libpkcs11mock4.la libutils.la
+pkcs11_long_label_LDADD = $(LDADD) $(LIBDL)
endif
endif
diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c
new file mode 100644
index 0000000000..a70bc97284
--- /dev/null
+++ b/tests/pkcs11/long-label.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2025 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main(void)
+{
+ exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+
+#include "cert-common.h"
+#include "pkcs11/softhsm.h"
+#include "utils.h"
+
+/* This program tests that a token can be initialized with
+ * a label longer than 32 characters.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+#define PIN "1234"
+
+#define CONFIG_NAME "softhsm-long-label"
+#define CONFIG CONFIG_NAME ".config"
+
+static int pin_func(void *userdata, int attempt, const char *url,
+ const char *label, unsigned flags, char *pin,
+ size_t pin_max)
+{
+ if (attempt == 0) {
+ strcpy(pin, PIN);
+ return 0;
+ }
+ return -1;
+}
+
+static void test(const char *provider)
+{
+ int ret;
+ size_t i;
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+
+ success("test with %s\n", provider);
+
+ if (debug) {
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ /* point to SoftHSM token that libpkcs11mock4.so internally uses */
+ setenv(SOFTHSM_ENV, CONFIG, 1);
+
+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
+
+ ret = gnutls_pkcs11_add_provider(provider, "trusted");
+ if (ret != 0) {
+ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
+ }
+
+ /* initialize softhsm token */
+ ret = gnutls_pkcs11_token_init(
+ SOFTHSM_URL, PIN,
+ "this is a very long label whose length exceeds 32");
+ if (ret < 0) {
+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
+ }
+
+ for (i = 0;; i++) {
+ char *url = NULL;
+
+ ret = gnutls_pkcs11_token_get_url(i, 0, &url);
+ if (ret < 0)
+ break;
+ if (strstr(url,
+ "token=this%20is%20a%20very%20long%20label%20whose"))
+ break;
+ }
+ if (ret < 0)
+ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
+
+ gnutls_pkcs11_deinit();
+}
+
+void doit(void)
+{
+ const char *bin;
+ const char *lib;
+ char buf[128];
+
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
+ /* this must be called once in the program */
+ global_init();
+
+ /* we call gnutls_pkcs11_init manually */
+ gnutls_pkcs11_deinit();
+
+ /* check if softhsm module is loadable */
+ lib = softhsm_lib();
+
+ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */
+ bin = softhsm_bin();
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+
+ lib = getenv("P11MOCKLIB4");
+ if (lib == NULL) {
+ fail("P11MOCKLIB4 is not set\n");
+ }
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+}
+#endif /* _WIN32 */
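Review bot: Both `system(buf)` calls in doit() discard their return value, so if the softhsm `--init-token` command fails the test carries on and later reports a misleading failure from gnutls_pkcs11_token_init; check with `if (system(buf) != 0) fail("token initialization failed\n");`. The `snprintf` into `char buf[128]` is likewise unchecked, and a long softhsm binary path would silently truncate the command line — compare the return value against `sizeof(buf)`. pin_func copies PIN with `strcpy` without consulting `pin_max`; harmless for a four-character PIN, but `if (strlen(PIN) >= pin_max) return -1;` keeps the callback honest.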
--
2.52.0


@ -1,247 +0,0 @@
From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 18 Nov 2021 19:02:03 +0100
Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs
This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
well as to set the bit the upstream CRYPTOGAMS uses to identify Intel
CPUs.
Suggested by Rafael Gieschke in:
https://gitlab.com/gnutls/gnutls/-/issues/1282
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
1 file changed, 71 insertions(+), 20 deletions(-)
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index 3845c6b4c9..cf615ef24f 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
# define bit_AVX 0x10000000
#endif
-#ifndef OSXSAVE_MASK
-/* OSXSAVE|FMA|MOVBE */
-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
+#ifndef bit_AVX2
+# define bit_AVX2 0x00000020
+#endif
+
+#ifndef bit_AVX512F
+# define bit_AVX512F 0x00010000
+#endif
+
+#ifndef bit_AVX512IFMA
+# define bit_AVX512IFMA 0x00200000
+#endif
+
+#ifndef bit_AVX512BW
+# define bit_AVX512BW 0x40000000
+#endif
+
+#ifndef bit_AVX512VL
+# define bit_AVX512VL 0x80000000
+#endif
+
+#ifndef bit_OSXSAVE
+# define bit_OSXSAVE 0x8000000
#endif
#ifndef bit_MOVBE
# define bit_MOVBE 0x00400000
#endif
+#ifndef OSXSAVE_MASK
+# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
+#endif
+
#define via_bit_PADLOCK (0x3 << 6)
#define via_bit_PADLOCK_PHE (0x3 << 10)
#define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
unsigned t1, t2, t3;
vals[0] = vals[1] = vals[2] = vals[3] = 0;
- if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
+ if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
return 0;
/* suppress AVX512; it works conditionally on certain CPUs on the original code */
vals[1] &= 0xfffff7ff;
@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
{
uint32_t xcr0;
- if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
+ if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
return 0;
#if defined(_MSC_VER) && !defined(__clang__)
@@ -233,10 +256,7 @@ static unsigned check_sha(void)
#ifdef ASM_X86_64
static unsigned check_avx_movbe(void)
{
- if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
- return 0;
-
- return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
+ return (_gnutls_x86_cpuid_s[1] & bit_AVX);
}
static unsigned check_pclmul(void)
@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
}
#endif
-static unsigned check_intel_or_amd(void)
+enum x86_cpu_vendor {
+ X86_CPU_VENDOR_OTHER,
+ X86_CPU_VENDOR_INTEL,
+ X86_CPU_VENDOR_AMD,
+};
+
+static enum x86_cpu_vendor check_x86_cpu_vendor(void)
{
unsigned int a, b, c, d;
- if (!__get_cpuid(0, &a, &b, &c, &d))
- return 0;
+ if (!__get_cpuid(0, &a, &b, &c, &d)) {
+ return X86_CPU_VENDOR_OTHER;
+ }
- if ((memcmp(&b, "Genu", 4) == 0 &&
- memcmp(&d, "ineI", 4) == 0 &&
- memcmp(&c, "ntel", 4) == 0) ||
- (memcmp(&b, "Auth", 4) == 0 &&
- memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
- return 1;
+ if (memcmp(&b, "Genu", 4) == 0 &&
+ memcmp(&d, "ineI", 4) == 0 &&
+ memcmp(&c, "ntel", 4) == 0) {
+ return X86_CPU_VENDOR_INTEL;
}
- return 0;
+ if (memcmp(&b, "Auth", 4) == 0 &&
+ memcmp(&d, "enti", 4) == 0 &&
+ memcmp(&c, "cAMD", 4) == 0) {
+ return X86_CPU_VENDOR_AMD;
+ }
+
+ return X86_CPU_VENDOR_OTHER;
}
static
void register_x86_intel_crypto(unsigned capabilities)
{
int ret;
+ enum x86_cpu_vendor vendor;
memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
- if (check_intel_or_amd() == 0)
+ vendor = check_x86_cpu_vendor();
+ if (vendor == X86_CPU_VENDOR_OTHER) {
return;
+ }
if (capabilities == 0) {
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
capabilities_to_intel_cpuid(capabilities);
}
+ /* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
+ if (vendor == X86_CPU_VENDOR_INTEL) {
+ _gnutls_x86_cpuid_s[0] |= 1 << 30;
+ } else {
+ _gnutls_x86_cpuid_s[0] &= ~(1 << 30);
+ }
+
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+ /* Clear AVX2 bits as well, according to what OpenSSL does.
+ * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
+ * bit_AVX512CD? */
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
+ bit_AVX512BW|bit_AVX512BW);
+ }
+
if (check_ssse3()) {
_gnutls_debug_log("Intel SSSE3 was detected\n");
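Review bot: The mask that clears AVX2/AVX-512 bits when OSXSAVE is unavailable lists `bit_AVX512BW` twice and never clears `bit_AVX512VL`, which this same patch defines a few hunks earlier and then leaves unused; the last term is almost certainly a typo for `bit_AVX512VL`, i.e. `_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|bit_AVX512BW|bit_AVX512VL);`. As written, a CPU reporting AVX-512VL without OS XSAVE support keeps that bit set in _gnutls_x86_cpuid_s, which is exactly the condition the comment says should be suppressed, and the five-bit set is what the "according to what OpenSSL does" remark suggests was intended. register_x86_intel_crypto continues past the end of this hunk.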
--
2.37.3
From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 15 Aug 2022 09:39:18 +0900
Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
through XSAVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
Architectures Software Developers Manual".
GnuTLS previously only followed that algorithm when registering the
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
that the extension bits are propagated to _gnutls_x86_cpuid_s.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index cf615ef24f..655d0c65f2 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
}
if (capabilities & INTEL_AVX) {
- if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
+ if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
+ check_4th_gen_intel_features(a[1])) {
_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
} else {
_gnutls_debug_log
@@ -256,7 +257,7 @@ static unsigned check_sha(void)
#ifdef ASM_X86_64
static unsigned check_avx_movbe(void)
{
- return (_gnutls_x86_cpuid_s[1] & bit_AVX);
+ return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
}
static unsigned check_pclmul(void)
@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
if (capabilities == 0) {
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
return;
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+ /* Clear AVX2 bits as well, according to what
+ * OpenSSL does. Should we clear
+ * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
+ * and bit_AVX512CD? */
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
+ bit_AVX512F|
+ bit_AVX512IFMA|
+ bit_AVX512BW|
+ bit_AVX512BW);
+ }
} else {
capabilities_to_intel_cpuid(capabilities);
}
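Review bot: The duplicated `bit_AVX512BW` term from the previous commit is carried over unchanged here, so `bit_AVX512VL` is still never cleared; the last line of the mask should read `bit_AVX512VL);` instead of a second `bit_AVX512BW);`. Moving the clearing into the `capabilities == 0` branch is reasonable, but the explicit-capabilities path (capabilities_to_intel_cpuid) then becomes the only place AVX is validated against XSAVE and, from the earlier hunk, it only writes `_gnutls_x86_cpuid_s[1]`; whether it can populate AVX2/AVX-512 bits in `_gnutls_x86_cpuid_s[2]` is not visible here and is worth confirming. register_x86_intel_crypto continues past the end of this hunk.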
--
2.37.3


@ -1,38 +0,0 @@
commit 3b68043ef7e338118bce3ccdcbfafc8f005a6725
Author: Daiki Ueno <ueno@gnu.org>
Date: Mon Jul 7 10:44:12 2025 +0900
x509: avoid double free when exporting othernames in SAN
Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller allocated ASN.1
structure upon error, resulting in a potential double-free.
Reported by OpenAI Security Research Team.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Backported-by: Alexander Sosedkin <asosedki@redhat.com>
Backported-from: 608829769cbc247679ffe98841109fc73875e573
Fixes: CVE-2025-32988
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index c9fef21a12..c0acdf9a94 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -805,7 +805,6 @@ _gnutls_write_new_othername(ASN1_TYPE ext, const char *ext_name,
result = asn1_write_value(ext, name2, oid, 1);
if (result != ASN1_SUCCESS) {
gnutls_assert();
- asn1_delete_structure(&ext);
return _gnutls_asn2err(result);
}
@@ -814,7 +813,6 @@ _gnutls_write_new_othername(ASN1_TYPE ext, const char *ext_name,
result = asn1_write_value(ext, name2, data, data_size);
if (result != ASN1_SUCCESS) {
gnutls_assert();
- asn1_delete_structure(&ext);
return _gnutls_asn2err(result);
}



@ -1,272 +0,0 @@
commit 8af3c1686d41b059f6f4b8352d36d9686cf7febe
Author: Daiki Ueno <ueno@gnu.org>
Date: Mon Jul 7 11:15:45 2025 +0900
handshake: clear HSK_PSK_SELECTED is when resetting binders
When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would hit a NULL pointer
dereference, because the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set.
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.
Reported by Stefan Bühler.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Backported-by: Alexander Sosedkin <asosedki@redhat.com>
Backported-from: 23135619773e6ec087ff2abc65405bd4d5676bad
Fixes: CVE-2025-6395
diff --git a/lib/handshake.c b/lib/handshake.c
index ce2d160e20..b156223cbc 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -580,9 +580,28 @@ static int set_auth_types(gnutls_session_t session)
/* Under TLS1.3 this returns a KX which matches the negotiated
* groups from the key shares; if we are resuming then the KX seen
* here doesn't match the original session. */
- if (session->internals.resumed == RESUME_FALSE)
- kx = gnutls_kx_get(session);
- else
+ if (session->internals.resumed == RESUME_FALSE) {
+ const gnutls_group_entry_st *group = get_group(session);
+
+ if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
+ if (group) {
+ kx = group->pk == GNUTLS_PK_DH ?
+ GNUTLS_KX_DHE_PSK :
+ GNUTLS_KX_ECDHE_PSK;
+ } else {
+ kx = GNUTLS_KX_PSK;
+ }
+ } else if (group) {
+ /* Not necessarily be RSA, but just to
+ * make _gnutls_map_kx_get_cred below
+ * work.
+ */
+ kx = group->pk == GNUTLS_PK_DH ?
+ GNUTLS_KX_DHE_RSA :
+ GNUTLS_KX_ECDHE_RSA;
+ } else
+ kx = GNUTLS_KX_UNKNOWN;
+ } else
kx = GNUTLS_KX_UNKNOWN;
} else {
/* TLS1.2 or earlier, kx is associated with ciphersuite */
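Review bot: The comment left above the rewritten branch still says `Under TLS1.3 this returns a KX which matches the negotiated groups from the key shares`, describing the `gnutls_kx_get(session)` call this hunk removes; it should now describe the inline derivation, e.g. `/* Under TLS1.3 derive a KX from the PSK flag and the negotiated group only so that _gnutls_map_kx_get_cred below picks the right credential type; the value is not reported to the user. */`. The `GNUTLS_KX_ECDHE_RSA` / `GNUTLS_KX_DHE_RSA` placeholders for the non-PSK case carry no signature-algorithm meaning, as the in-code comment admits, so a reader should not infer anything about RSA from them. set_auth_types starts before this hunk.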
diff --git a/lib/state.c b/lib/state.c
index 817a7b8cd8..2bd08c3190 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -175,7 +175,8 @@ gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session)
const gnutls_group_entry_st *group = get_group(session);
if (ver->tls13_sem) {
- if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
+ if (gnutls_auth_client_get_type(session) ==
+ GNUTLS_CRD_PSK) {
if (group) {
if (group->pk == GNUTLS_PK_DH)
return GNUTLS_KX_DHE_PSK;
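Review bot: gnutls_kx_get now keys off `gnutls_auth_client_get_type(session) == GNUTLS_CRD_PSK` instead of the HSK_PSK_SELECTED flag, which is right once the handshake is done, but the auth type is presumably only populated when set_auth_types has run; a caller invoking gnutls_kx_get from a handshake hook before that point (not visible here) would fall through to the non-PSK branches and report an (EC)DHE-RSA style KX for a PSK handshake. If that window matters, document it on gnutls_kx_get (`/* Only meaningful once the handshake has completed */`) or keep consulting the flag while a handshake-in-progress indicator, if the session tracks one, says the handshake is still running — confirm which field that would be. gnutls_kx_get continues outside this hunk.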
@@ -264,6 +265,7 @@ void reset_binders(gnutls_session_t session)
_gnutls_free_temp_key_datum(&session->key.binders[0].psk);
_gnutls_free_temp_key_datum(&session->key.binders[1].psk);
memset(session->key.binders, 0, sizeof(session->key.binders));
+ session->internals.hsk_flags &= ~HSK_PSK_SELECTED;
}
/* Check whether certificate credentials of type @cert_type are set
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b04cb081b4..1019f6c1d8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -118,6 +118,8 @@ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
ctests += tls13/hello_retry_request
+ctests += tls13/hello_retry_request_psk
+
ctests += tls13/psk-ext
ctests += tls13/key_update
diff --git a/tests/tls13/hello_retry_request_psk.c b/tests/tls13/hello_retry_request_psk.c
new file mode 100644
index 0000000000..a20cb0d965
--- /dev/null
+++ b/tests/tls13/hello_retry_request_psk.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2017-2025 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <assert.h>
+
+#include "cert-common.h"
+#include "utils.h"
+#include "tls13/ext-parse.h"
+#include "eagain-common.h"
+
+/* This program exercises the case where a TLS 1.3 handshake ends up
+ * with HRR, and the first CH includes PSK while the 2nd CH omits
+ * it */
+
+const char *testname = "hello entry request";
+
+const char *side = "";
+
+#define myfail(fmt, ...) fail("%s: " fmt, testname, ##__VA_ARGS__)
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+struct ctx_st {
+ unsigned hrr_seen;
+ unsigned hello_counter;
+};
+
+static int pskfunc(gnutls_session_t session, const char *username,
+ gnutls_datum_t *key)
+{
+ if (debug)
+ printf("psk: username %s\n", username);
+ key->data = gnutls_malloc(4);
+ key->data[0] = 0xDE;
+ key->data[1] = 0xAD;
+ key->data[2] = 0xBE;
+ key->data[3] = 0xEF;
+ key->size = 4;
+ return 0;
+}
+
+static int hello_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming,
+ const gnutls_datum_t *msg)
+{
+ struct ctx_st *ctx = gnutls_session_get_ptr(session);
+ assert(ctx != NULL);
+
+ if (htype == GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST)
+ ctx->hrr_seen = 1;
+
+ if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
+ if (post == GNUTLS_HOOK_POST)
+ ctx->hello_counter++;
+ else {
+ /* Unset the PSK credential to omit the extension */
+ gnutls_credentials_set(session, GNUTLS_CRD_PSK, NULL);
+ }
+ }
+
+ return 0;
+}
+
+void doit(void)
+{
+ int sret, cret;
+ gnutls_psk_server_credentials_t scred;
+ gnutls_psk_client_credentials_t ccred;
+ gnutls_certificate_credentials_t ccred2;
+ gnutls_session_t server, client;
+ /* Need to enable anonymous KX specifically. */
+ const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
+
+ struct ctx_st ctx;
+ memset(&ctx, 0, sizeof(ctx));
+
+ global_init();
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(9);
+
+ /* Init server */
+ assert(gnutls_psk_allocate_server_credentials(&scred) >= 0);
+ gnutls_psk_set_server_credentials_function(scred, pskfunc);
+
+ gnutls_init(&server, GNUTLS_SERVER);
+
+ assert(gnutls_priority_set_direct(
+ server,
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+DHE-PSK",
+ NULL) >= 0);
+
+ gnutls_credentials_set(server, GNUTLS_CRD_PSK, scred);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+
+ /* Init client */
+ assert(gnutls_psk_allocate_client_credentials(&ccred) >= 0);
+ gnutls_psk_set_client_credentials(ccred, "test", &key,
+ GNUTLS_PSK_KEY_HEX);
+ assert(gnutls_certificate_allocate_credentials(&ccred2) >= 0);
+
+ assert(gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_KEY_SHARE_TOP) >= 0);
+
+ gnutls_session_set_ptr(client, &ctx);
+
+ cret = gnutls_priority_set_direct(
+ client,
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-X25519:+DHE-PSK",
+ NULL);
+ if (cret < 0)
+ myfail("cannot set TLS 1.3 priorities\n");
+
+ gnutls_credentials_set(client, GNUTLS_CRD_PSK, ccred);
+ gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred2);
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+ gnutls_handshake_set_hook_function(client, GNUTLS_HANDSHAKE_ANY,
+ GNUTLS_HOOK_BOTH, hello_callback);
+
+ HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN,
+ GNUTLS_E_INSUFFICIENT_CREDENTIALS);
+
+ assert(ctx.hrr_seen != 0);
+
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_psk_free_server_credentials(scred);
+ gnutls_psk_free_client_credentials(ccred);
+ gnutls_certificate_free_credentials(ccred2);
+
+ gnutls_global_deinit();
+ reset_buffers();
+}


@ -1,474 +0,0 @@
From 0d39e4120bc5ece53c86c5802c546259b8ca286a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 12 Jan 2024 17:56:58 +0900
Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
This removes function calls that potentially leak bit-length of a
private key used to calculate a nonce in deterministic ECDSA. Namely:
- _gnutls_dsa_compute_k has been rewritten to work on always
zero-padded mp_limb_t arrays instead of mpz_t
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
by a byte array instead of an mpz_t value
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/int/dsa-compute-k.c | 84 +++++++++++++++++++------------
lib/nettle/int/dsa-compute-k.h | 31 +++++++++---
lib/nettle/int/ecdsa-compute-k.c | 71 +++++++++-----------------
lib/nettle/int/ecdsa-compute-k.h | 8 +--
lib/nettle/pk.c | 79 ++++++++++++++++++++---------
tests/sign-verify-deterministic.c | 2 +-
6 files changed, 158 insertions(+), 117 deletions(-)
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
index 17d63318c4..ddeb6f6d1e 100644
--- a/lib/nettle/int/dsa-compute-k.c
+++ b/lib/nettle/int/dsa-compute-k.c
@@ -31,33 +31,37 @@
#include "mpn-base256.h"
#include <string.h>
-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-
-/* The maximum size of q, choosen from the fact that we support
- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
- * maximum. */
-#define MAX_Q_BITS 521
-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
-
-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
-
-int
-_gnutls_dsa_compute_k(mpz_t k,
- const mpz_t q,
- const mpz_t x,
- gnutls_mac_algorithm_t mac,
- const uint8_t *digest,
- size_t length)
+/* For mini-gmp */
+#ifndef GMP_LIMB_BITS
+#define GMP_LIMB_BITS GMP_NUMB_BITS
+#endif
+
+static inline int is_zero_limb(mp_limb_t x)
+{
+ x |= (x << 1);
+ return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
+}
+
+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
+{
+ volatile mp_limb_t w;
+ mp_size_t i;
+
+ for (i = 0, w = 0; i < n; i++)
+ w |= ap[i];
+
+ return is_zero_limb(w);
+}
+
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
+ mp_size_t qn, mp_bitcnt_t q_bits,
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ size_t length)
{
uint8_t V[MAX_HASH_SIZE];
uint8_t K[MAX_HASH_SIZE];
uint8_t xp[MAX_Q_SIZE];
uint8_t tp[MAX_Q_SIZE];
- mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
- mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
- mp_size_t qn = mpz_size(q);
mp_bitcnt_t h_bits = length * 8;
mp_size_t hn = BITS_TO_LIMBS(h_bits);
size_t nbytes = (q_bits + 7) / 8;
@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
mp_limb_t cy;
gnutls_hmac_hd_t hd;
int ret = 0;
+ mp_limb_t scratch[MAX_Q_LIMBS];
if (unlikely(q_bits > MAX_Q_BITS))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
/* int2octets(x) */
- mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
+ mpn_get_base256(xp, nbytes, x, qn);
/* bits2octets(h) */
mpn_set_base256(h, hn, digest, length);
@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
}
- cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
+ cy = mpn_sub_n(h, h, q, qn);
/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
#ifdef mpn_cnd_add_n
- mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
+ mpn_cnd_add_n(cy, h, h, q, qn);
#else
- mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
+ mpn_addmul_1(h, q, qn, cy != 0);
#endif
mpn_get_base256(tp, nbytes, h, qn);
@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
if (tlen * 8 > q_bits)
mpn_rshift (h, h, qn, tlen * 8 - q_bits);
/* Check if k is in [1,q-1] */
- if (!mpn_zero_p (h, qn) &&
- mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
- mpn_copyi(mpz_limbs_write(k, qn), h, qn);
- mpz_limbs_finish(k, qn);
+ if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
break;
- }
ret = gnutls_hmac_init(&hd, mac, K, length);
if (ret < 0)
@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
return ret;
}
+
+/* cancel-out dsa_sign's addition of 1 to random data */
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+ mp_size_t n)
+{
+ /* Fall back to sub_1, if nettle is linked with mini-gmp. */
+#ifdef mpn_sec_sub_1
+ mp_limb_t t[MAX_Q_LIMBS];
+
+ mpn_sec_sub_1(h, h, n, 1, t);
+#else
+ mpn_sub_1(h, h, n, 1);
+#endif
+ mpn_get_base256(k, nbytes, h, n);
+}
+
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+ mp_size_t n)
+{
+ mpn_get_base256(k, nbytes, h, n);
+}
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
index 64e90e0ca2..e88fce0a6d 100644
--- a/lib/nettle/int/dsa-compute-k.h
+++ b/lib/nettle/int/dsa-compute-k.h
@@ -26,12 +26,29 @@
#include <gnutls/gnutls.h>
#include <nettle/bignum.h> /* includes gmp.h */
-int
-_gnutls_dsa_compute_k(mpz_t k,
- const mpz_t q,
- const mpz_t x,
- gnutls_mac_algorithm_t mac,
- const uint8_t *digest,
- size_t length);
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+
+/* The maximum size of q, chosen from the fact that we support
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+ * maximum. */
+#define MAX_Q_BITS 521
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+
+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
+
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
+ mp_size_t qn, mp_bitcnt_t q_bits,
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ size_t length);
+
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+ mp_size_t n);
+
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+ mp_size_t n);
#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
index 94914ebdfa..819302c1c7 100644
--- a/lib/nettle/int/ecdsa-compute-k.c
+++ b/lib/nettle/int/ecdsa-compute-k.c
@@ -29,67 +29,46 @@
#include "dsa-compute-k.h"
#include "gnutls_int.h"
-static inline int
-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
{
switch (curve) {
#ifdef ENABLE_NON_SUITEB_CURVES
case GNUTLS_ECC_CURVE_SECP192R1:
- mpz_init_set_str(*q,
- "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
- "146BC9B1B4D22831",
- 16);
+ mpz_set_str(q,
+ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+ "146BC9B1B4D22831",
+ 16);
return 0;
case GNUTLS_ECC_CURVE_SECP224R1:
- mpz_init_set_str(*q,
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
- "E0B8F03E13DD29455C5C2A3D",
- 16);
+ mpz_set_str(q,
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+ "E0B8F03E13DD29455C5C2A3D",
+ 16);
return 0;
#endif
case GNUTLS_ECC_CURVE_SECP256R1:
- mpz_init_set_str(*q,
- "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
- "BCE6FAADA7179E84F3B9CAC2FC632551",
- 16);
+ mpz_set_str(q,
+ "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+ "BCE6FAADA7179E84F3B9CAC2FC632551",
+ 16);
return 0;
case GNUTLS_ECC_CURVE_SECP384R1:
- mpz_init_set_str(*q,
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
- "581A0DB248B0A77AECEC196ACCC52973",
- 16);
+ mpz_set_str(q,
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52973",
+ 16);
return 0;
case GNUTLS_ECC_CURVE_SECP521R1:
- mpz_init_set_str(*q,
- "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFA51868783BF2F966B7FCC0148F709A"
- "5D03BB5C9B8899C47AEBB6FB71E91386"
- "409",
- 16);
+ mpz_set_str(q,
+ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFA51868783BF2F966B7FCC0148F709A"
+ "5D03BB5C9B8899C47AEBB6FB71E91386"
+ "409",
+ 16);
return 0;
default:
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
}
-
-int
-_gnutls_ecdsa_compute_k (mpz_t k,
- gnutls_ecc_curve_t curve,
- const mpz_t x,
- gnutls_mac_algorithm_t mac,
- const uint8_t *digest,
- size_t length)
-{
- mpz_t q;
- int ret;
-
- ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
- mpz_clear(q);
- return ret;
-}
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
index 7ca401d6e4..a7e612bcab 100644
--- a/lib/nettle/int/ecdsa-compute-k.h
+++ b/lib/nettle/int/ecdsa-compute-k.h
@@ -26,12 +26,6 @@
#include <gnutls/gnutls.h>
#include <nettle/bignum.h> /* includes gmp.h */
-int
-_gnutls_ecdsa_compute_k (mpz_t k,
- gnutls_ecc_curve_t curve,
- const mpz_t x,
- gnutls_mac_algorithm_t mac,
- const uint8_t *digest,
- size_t length);
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 588e9df502..b19fe3804a 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -102,10 +102,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
}
}
-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
{
- mpz_t *k = _ctx;
- nettle_mpz_get_str_256 (length, data, *k);
+ gnutls_datum_t *d = ctx;
+
+ if (length > d->size) {
+ memset(data, 0, length - d->size);
+ memcpy(data + (length - d->size), d->data, d->size);
+ } else {
+ memcpy(data, d->data, length);
+ }
}
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
@@ -976,7 +982,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
struct dsa_signature sig;
int curve_id = pk_params->curve;
const struct ecc_curve *curve;
- mpz_t k;
+ mpz_t q;
+ /* 521-bit elliptic curve generator at maximum */
+ uint8_t buf[(521 + 7) / 8];
+ gnutls_datum_t k = { NULL, 0 };
void *random_ctx;
nettle_random_func *random_func;
@@ -1005,19 +1014,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
hash_len = vdata->size;
}
- mpz_init(k);
+ mpz_init(q);
+
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
- ret = _gnutls_ecdsa_compute_k(k,
- curve_id,
- pk_params->params[ECC_K],
- DIG_TO_MAC(sign_params->dsa_dig),
- vdata->data,
- vdata->size);
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
+
+ ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
if (ret < 0)
goto ecdsa_cleanup;
+
+ ret = _gnutls_dsa_compute_k(
+ h, mpz_limbs_read(q), priv.p,
+ ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ vdata->size);
+ if (ret < 0)
+ goto ecdsa_cleanup;
+
+ k.data = buf;
+ k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
+
+ _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
+ ecc_size(priv.ecc));
+
random_ctx = &k;
- random_func = rnd_mpz_func;
+ random_func = rnd_datum_func;
} else {
random_ctx = NULL;
random_func = rnd_nonce_func;
@@ -1038,7 +1060,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
ecdsa_cleanup:
dsa_signature_clear(&sig);
ecc_scalar_zclear(&priv);
- mpz_clear(k);
+ mpz_clear(q);
if (ret < 0) {
gnutls_assert();
@@ -1051,7 +1073,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
struct dsa_params pub;
bigint_t priv;
struct dsa_signature sig;
- mpz_t k;
+ /* 512-bit DSA subgroup at maximum */
+ uint8_t buf[(512 + 7) / 8];
+ gnutls_datum_t k = { NULL, 0 };
void *random_ctx;
nettle_random_func *random_func;
@@ -1074,21 +1098,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
hash_len = vdata->size;
}
- mpz_init(k);
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
- ret = _gnutls_dsa_compute_k(k,
- pub.q,
- TOMPZ(priv),
- DIG_TO_MAC(sign_params->dsa_dig),
- vdata->data,
- vdata->size);
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
+
+ ret = _gnutls_dsa_compute_k(
+ h, mpz_limbs_read(pub.q),
+ mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
+ mpz_sizeinbase(pub.q, 2),
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ vdata->size);
if (ret < 0)
goto dsa_fail;
- /* cancel-out dsa_sign's addition of 1 to random data */
- mpz_sub_ui (k, k, 1);
+
+ k.data = buf;
+ k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
+
+ _gnutls_dsa_compute_k_finish(k.data, k.size, h,
+ mpz_size(pub.q));
+
random_ctx = &k;
- random_func = rnd_mpz_func;
+ random_func = rnd_datum_func;
} else {
random_ctx = NULL;
random_func = rnd_nonce_func;
@@ -1108,7 +1138,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
dsa_fail:
dsa_signature_clear(&sig);
- mpz_clear(k);
if (ret < 0) {
gnutls_assert();
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
index 6e907288ee..25aa553a59 100644
--- a/tests/sign-verify-deterministic.c
+++ b/tests/sign-verify-deterministic.c
@@ -197,7 +197,7 @@ void doit(void)
&signature);
if (ret < 0)
testfail("gnutls_pubkey_verify_data2\n");
- success(" - pass");
+ success(" - pass\n");
next:
gnutls_free(signature.data);
--
2.44.0


@ -1,14 +0,0 @@
--- gnutls-3.7.2/doc/manpages/p11tool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 2021-06-28 09:35:23.000000000 +0200
@@ -230,8 +230,9 @@
.NOP \f\*[B-Font]\-\-write\f[]
Writes the loaded objects to a PKCS #11 token.
.sp
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+.sp
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
.TP
.NOP \f\*[B-Font]\-\-delete\f[]
Deletes the objects matching the given PKCS #11 URL.


@ -1,266 +0,0 @@
From e5dc27d1a457d1b3abc0582cd133910dff0fc309 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Fri, 22 Jul 2022 12:00:11 +0200
Subject: [PATCH] Fix double free during gnutls_pkcs7_verify
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
.gitignore | 1 +
lib/x509/pkcs7.c | 3 +-
tests/Makefile.am | 3 +-
tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
4 files changed, 220 insertions(+), 2 deletions(-)
create mode 100644 tests/pkcs7-verify-double-free.c
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 0ff55ba04b..878f867862 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
- if (prev) gnutls_x509_crt_deinit(prev);
+ if (prev && prev != signer)
+ gnutls_x509_crt_deinit(prev);
prev = issuer;
break;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b04cb081b4..0563d3c754 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -220,7 +220,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
tls13-without-timeout-func buffer status-request-revoked \
set_x509_ocsp_multi_cli kdf-api keylog-func \
- dtls_hello_random_value tls_hello_random_value x509cert-dntypes
+ dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
+ pkcs7-verify-double-free
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
new file mode 100644
index 0000000000..fadf307829
--- /dev/null
+++ b/tests/pkcs7-verify-double-free.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Zoltan Fridrich
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <gnutls/pkcs7.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+
+static char rca_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
+ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
+ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
+ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
+ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
+ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
+ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
+ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
+ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
+ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
+ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
+ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
+ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
+ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
+ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
+ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
+ "LirBWjg89RoAjFQ7bTE=\n"
+ "-----END CERTIFICATE-----\n";
+
+static char ca_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
+ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
+ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
+ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
+ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
+ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
+ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
+ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
+ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
+ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
+ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
+ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
+ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
+ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
+ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
+ "-----END CERTIFICATE-----\n";
+
+static char ee_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
+ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
+ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
+ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
+ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
+ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
+ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
+ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
+ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
+ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
+ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
+ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
+ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
+ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
+ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
+ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
+ "-----END CERTIFICATE-----\n";
+
+static char msg_pem[] =
+ "-----BEGIN PKCS7-----\n"
+ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
+ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
+ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
+ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
+ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
+ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
+ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
+ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
+ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
+ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
+ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
+ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
+ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
+ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
+ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
+ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
+ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
+ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
+ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
+ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
+ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
+ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
+ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
+ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
+ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
+ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
+ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
+ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
+ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
+ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
+ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
+ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
+ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
+ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
+ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
+ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
+ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
+ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
+ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
+ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
+ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
+ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
+ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
+ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
+ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
+ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
+ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
+ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
+ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
+ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
+ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
+ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
+ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
+ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
+ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
+ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
+ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
+ "-----END PKCS7-----\n";
+
+const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
+const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
+const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
+const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s |<%d>| %s", "err", level, str);
+}
+
+#define CHECK(X)\
+{\
+ r = X;\
+ if (r < 0)\
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
+}\
+
+void doit(void)
+{
+ int r;
+ gnutls_x509_crt_t rca_cert = NULL;
+ gnutls_x509_crt_t ca_cert = NULL;
+ gnutls_x509_crt_t ee_cert = NULL;
+ gnutls_x509_trust_list_t tlist = NULL;
+ gnutls_pkcs7_t pkcs7 = NULL;
+ gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
+
+ if (debug) {
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ // Import certificates
+ CHECK(gnutls_x509_crt_init(&rca_cert));
+ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
+ CHECK(gnutls_x509_crt_init(&ca_cert));
+ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
+ CHECK(gnutls_x509_crt_init(&ee_cert));
+ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
+
+ // Setup trust store
+ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
+
+ // Setup pkcs7 structure
+ CHECK(gnutls_pkcs7_init(&pkcs7));
+ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
+
+ // Signature verification
+ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
+
+ gnutls_x509_crt_deinit(rca_cert);
+ gnutls_x509_crt_deinit(ca_cert);
+ gnutls_x509_crt_deinit(ee_cert);
+ gnutls_x509_trust_list_deinit(tlist, 0);
+ gnutls_pkcs7_deinit(pkcs7);
+}
--
2.37.2


@ -1,242 +0,0 @@
From 9b50d94bf1c8e749d7dfc593c89e689a161444ae Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 26 Jun 2023 09:30:03 +0200
Subject: [PATCH] gnutls-3.6.16-rehandshake-tickets.patch
Signed-off-by: rpm-build <rpm-build>
---
lib/ext/session_ticket.c | 6 ++
lib/ext/session_ticket.h | 1 +
lib/libgnutls.map | 2 +
lib/state.c | 1 +
tests/Makefile.am | 3 +-
tests/tls12-rehandshake-ticket.c | 152 +++++++++++++++++++++++++++++++
6 files changed, 164 insertions(+), 1 deletion(-)
create mode 100644 tests/tls12-rehandshake-ticket.c
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 8f22462..8d83a6c 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -618,6 +618,12 @@ gnutls_session_ticket_enable_server(gnutls_session_t session,
return 0;
}
+void
+_gnutls_session_ticket_disable_server(gnutls_session_t session)
+{
+ session->internals.flags |= GNUTLS_NO_TICKETS;
+}
+
/*
* Return zero if session tickets haven't been enabled.
*/
diff --git a/lib/ext/session_ticket.h b/lib/ext/session_ticket.h
index da804ec..660c9d3 100644
--- a/lib/ext/session_ticket.h
+++ b/lib/ext/session_ticket.h
@@ -36,5 +36,6 @@ int _gnutls_encrypt_session_ticket(gnutls_session_t session,
int _gnutls_decrypt_session_ticket(gnutls_session_t session,
const gnutls_datum_t *ticket_data,
gnutls_datum_t *state);
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
#endif /* GNUTLS_LIB_EXT_SESSION_TICKET_H */
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index d2f7c0a..6748b3a 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1432,4 +1432,6 @@ GNUTLS_PRIVATE_3_4 {
_gnutls_buffer_unescape;
_gnutls_buffer_pop_datum;
_gnutls_buffer_clear;
+ # needed by tests/tls12-rehandshake-cert-ticket
+ _gnutls_session_ticket_disable_server;
} GNUTLS_3_4;
diff --git a/lib/state.c b/lib/state.c
index 817a7b8..f1e9daa 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -452,6 +452,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
session->internals.tfo.connect_addrlen = 0;
session->internals.tfo.connect_only = 0;
session->internals.early_data_received = 0;
+ session->internals.session_ticket_renew = 0;
}
/**
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 0563d3c..7c5f5c4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -221,7 +221,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
tls13-without-timeout-func buffer status-request-revoked \
set_x509_ocsp_multi_cli kdf-api keylog-func \
dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
- pkcs7-verify-double-free
+ pkcs7-verify-double-free \
+ tls12-rehandshake-ticket
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/tls12-rehandshake-ticket.c b/tests/tls12-rehandshake-ticket.c
new file mode 100644
index 0000000..f96e46e
--- /dev/null
+++ b/tests/tls12-rehandshake-ticket.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <gnutls/gnutls.h>
+#include <assert.h>
+#include "cert-common.h"
+
+#include "utils.h"
+#include "eagain-common.h"
+
+const char *side = "";
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define MAX_BUF 1024
+
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
+
+static void run(void)
+{
+ char buffer[MAX_BUF + 1];
+ /* Server stuff. */
+ gnutls_certificate_credentials_t scred;
+ gnutls_session_t server;
+ gnutls_datum_t session_ticket_key = { NULL, 0 };
+ int sret;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t ccred;
+ gnutls_session_t client;
+ int cret;
+
+ /* General init. */
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(9);
+
+ /* Init server */
+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
+ assert(gnutls_certificate_set_x509_key_mem(scred,
+ &server_ca3_localhost_cert,
+ &server_ca3_key,
+ GNUTLS_X509_FMT_PEM) >= 0);
+ assert(gnutls_certificate_set_x509_trust_mem(scred,
+ &ca3_cert,
+ GNUTLS_X509_FMT_PEM) >= 0);
+
+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
+ assert(gnutls_priority_set_direct(server,
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
+ NULL) >= 0);
+
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+
+ gnutls_session_ticket_key_generate(&session_ticket_key);
+ gnutls_session_ticket_enable_server(server, &session_ticket_key);
+
+ /* Init client */
+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
+ assert(gnutls_certificate_set_x509_key_mem
+ (ccred, &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM) >= 0);
+ assert(gnutls_certificate_set_x509_trust_mem
+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
+
+ gnutls_init(&client, GNUTLS_CLIENT);
+ assert(gnutls_priority_set_direct(client,
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
+ NULL) >= 0);
+
+ assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred) >= 0);
+
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+ HANDSHAKE(client, server);
+
+ /* Server initiates rehandshake */
+ switch_side("server");
+ sret = gnutls_rehandshake(server);
+ if (sret < 0) {
+ fail("Error sending %d byte packet: %s\n",
+ (int)sizeof(buffer), gnutls_strerror(sret));
+ } else if (debug)
+ success("server: starting rehandshake\n");
+
+ /* Stop sending session ticket */
+ _gnutls_session_ticket_disable_server(server);
+
+ /* Client gets notified with rehandshake */
+ switch_side("client");
+ do {
+ do {
+ cret = gnutls_record_recv(client, buffer, MAX_BUF);
+ } while (cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_INTERRUPTED);
+ } while (cret > 0);
+
+ if (cret != GNUTLS_E_REHANDSHAKE) {
+ fail("client: Error receiving rehandshake: %s\n",
+ gnutls_strerror(cret));
+ }
+
+ HANDSHAKE(client, server);
+
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(scred);
+ gnutls_certificate_free_credentials(ccred);
+
+ gnutls_free(session_ticket_key.data);
+
+ gnutls_global_deinit();
+ reset_buffers();
+}
+
+void doit(void)
+{
+ run();
+}
--
2.41.0


@ -1,121 +0,0 @@
From fe912c5dba49dcecbd5c32bf8184e60a949af452 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 10 Jan 2024 19:13:17 +0900
Subject: [PATCH] rsa-psk: minimize branching after decryption
This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption. This also avoids an extra memcpy to session->key.key.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
1 file changed, 35 insertions(+), 33 deletions(-)
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 93c2dc9998..8f3fe5a4bd 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
int ret, dsize;
ssize_t data_size = _data_size;
gnutls_psk_server_credentials_t cred;
- gnutls_datum_t premaster_secret = { NULL, 0 };
volatile uint8_t ver_maj, ver_min;
cred = (gnutls_psk_server_credentials_t)
@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
ver_maj = _gnutls_get_adv_version_major(session);
ver_min = _gnutls_get_adv_version_minor(session);
- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
- if (premaster_secret.data == NULL) {
+ /* Find the key of this username. A random value will be
+ * filled in if the key is not found.
+ */
+ ret =
+ _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* Allocate memory for premaster secret, and fill in the
+ * fields except the decryption result.
+ */
+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
+ session->key.key.data = gnutls_malloc(session->key.key.size);
+ if (session->key.key.data == NULL) {
gnutls_assert();
+ _gnutls_free_key_datum(&pwd_psk);
+ /* No need to zeroize, as the secret is not copied in yet */
+ _gnutls_free_datum(&session->key.key);
return GNUTLS_E_MEMORY_ERROR;
}
- premaster_secret.size = GNUTLS_MASTER_SIZE;
/* Fallback value when decryption fails. Needs to be unpredictable. */
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
- premaster_secret.size);
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
+ GNUTLS_MASTER_SIZE);
if (ret < 0) {
gnutls_assert();
- goto cleanup;
+ _gnutls_free_key_datum(&pwd_psk);
+ /* No need to zeroize, as the secret is not copied in yet */
+ _gnutls_free_datum(&session->key.key);
+ return ret;
}
+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
+ _gnutls_write_uint16(pwd_psk.size,
+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2],
+ pwd_psk.data, pwd_psk.size);
+ _gnutls_free_key_datum(&pwd_psk);
+
gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
- &ciphertext, premaster_secret.data,
- premaster_secret.size);
+ &ciphertext, session->key.key.data + 2,
+ GNUTLS_MASTER_SIZE);
/* After this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
* channel that can be used as an oracle, so tread carefully */
@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
/* This is here to avoid the version check attack
* discussed above.
*/
- premaster_secret.data[0] = ver_maj;
- premaster_secret.data[1] = ver_min;
-
- /* find the key of this username
- */
- ret =
- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
+ session->key.key.data[2] = ver_maj;
+ session->key.key.data[3] = ver_min;
- ret = 0;
- cleanup:
- _gnutls_free_key_datum(&pwd_psk);
- _gnutls_free_temp_key_datum(&premaster_secret);
-
- return ret;
+ return 0;
}
static int
--
2.43.0


@ -1,202 +0,0 @@
From e007a54432c98618bde500649817d153225abf6b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 7 Dec 2023 11:52:08 +0900
Subject: [PATCH] gnutls-3.6.16-rsa-psk-timing.patch
Signed-off-by: rpm-build <rpm-build>
---
lib/auth/rsa.c | 2 +-
lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
lib/gnutls_int.h | 4 --
lib/priority.c | 1 -
4 files changed, 35 insertions(+), 65 deletions(-)
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 858701f..02b6a34 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
session->key.key.size);
/* After this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
- * channel that can be used as an oracle, so treat very carefully */
+ * channel that can be used as an oracle, so tread carefully */
/* Error handling logic:
* In case decryption fails then don't inform the peer. Just use the
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 1a9dab5..93c2dc9 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
{
gnutls_datum_t username;
psk_auth_info_t info;
- gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
gnutls_datum_t pwd_psk = { NULL, 0 };
int ret, dsize;
- int randomize_key = 0;
ssize_t data_size = _data_size;
gnutls_psk_server_credentials_t cred;
gnutls_datum_t premaster_secret = { NULL, 0 };
+ volatile uint8_t ver_maj, ver_min;
cred = (gnutls_psk_server_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
}
ciphertext.size = dsize;
- ret =
- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
- &ciphertext, &plaintext);
- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
- /* In case decryption fails then don't inform
- * the peer. Just use a random key. (in order to avoid
- * attack against pkcs-1 formatting).
- */
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+
+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ if (premaster_secret.data == NULL) {
gnutls_assert();
- _gnutls_debug_log
- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
- if (ret >= 0) {
- gnutls_free(plaintext.data);
- }
- randomize_key = 1;
- } else {
- /* If the secret was properly formatted, then
- * check the version number.
- */
- if (_gnutls_get_adv_version_major(session) !=
- plaintext.data[0]
- || (session->internals.allow_wrong_pms == 0
- && _gnutls_get_adv_version_minor(session) !=
- plaintext.data[1])) {
- /* No error is returned here, if the version number check
- * fails. We proceed normally.
- * That is to defend against the attack described in the paper
- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
- * Ondej Pokorny and Tomas Rosa.
- */
- gnutls_assert();
- _gnutls_debug_log
- ("auth_rsa: Possible PKCS #1 version check format attack\n");
- }
+ return GNUTLS_E_MEMORY_ERROR;
}
+ premaster_secret.size = GNUTLS_MASTER_SIZE;
-
- if (randomize_key != 0) {
- premaster_secret.size = GNUTLS_MASTER_SIZE;
- premaster_secret.data =
- gnutls_malloc(premaster_secret.size);
- if (premaster_secret.data == NULL) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- /* we do not need strong random numbers here.
- */
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
- premaster_secret.size);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- } else {
- premaster_secret.data = plaintext.data;
- premaster_secret.size = plaintext.size;
+ /* Fallback value when decryption fails. Needs to be unpredictable. */
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+ premaster_secret.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
}
+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+ &ciphertext, premaster_secret.data,
+ premaster_secret.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+ * channel that can be used as an oracle, so tread carefully */
+
+ /* Error handling logic:
+ * In case decryption fails then don't inform the peer. Just use the
+ * random key previously generated. (in order to avoid attack against
+ * pkcs-1 formatting).
+ *
+ * If we get version mismatches no error is returned either. We
+ * proceed normally. This is to defend against the attack described
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ */
+
/* This is here to avoid the version check attack
* discussed above.
*/
-
- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
+ premaster_secret.data[0] = ver_maj;
+ premaster_secret.data[1] = ver_min;
/* find the key of this username
*/
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 31cec5c..815f69b 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -971,7 +971,6 @@ struct gnutls_priority_st {
bool _no_etm;
bool _no_ext_master_secret;
bool _allow_key_usage_violation;
- bool _allow_wrong_pms;
bool _dumbfw;
unsigned int _dh_prime_bits; /* old (deprecated) variable */
@@ -989,7 +988,6 @@ struct gnutls_priority_st {
(x)->no_etm = 1; \
(x)->no_ext_master_secret = 1; \
(x)->allow_key_usage_violation = 1; \
- (x)->allow_wrong_pms = 1; \
(x)->dumbfw = 1
#define ENABLE_PRIO_COMPAT(x) \
@@ -998,7 +996,6 @@ struct gnutls_priority_st {
(x)->_no_etm = 1; \
(x)->_no_ext_master_secret = 1; \
(x)->_allow_key_usage_violation = 1; \
- (x)->_allow_wrong_pms = 1; \
(x)->_dumbfw = 1
/* DH and RSA parameters types.
@@ -1123,7 +1120,6 @@ typedef struct {
bool no_etm;
bool no_ext_master_secret;
bool allow_key_usage_violation;
- bool allow_wrong_pms;
bool dumbfw;
/* old (deprecated) variable. This is used for both srp_prime_bits
diff --git a/lib/priority.c b/lib/priority.c
index 0a284ae..67ec887 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
COPY_TO_INTERNALS(no_etm);
COPY_TO_INTERNALS(no_ext_master_secret);
COPY_TO_INTERNALS(allow_key_usage_violation);
- COPY_TO_INTERNALS(allow_wrong_pms);
COPY_TO_INTERNALS(dumbfw);
COPY_TO_INTERNALS(dh_prime_bits);
--
2.43.0


@ -1,125 +0,0 @@
From 339bef12f478b3a12c59571c53645e31280baf7e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 14 May 2021 15:59:37 +0200
Subject: [PATCH] cert auth: filter out unsupported cert types from TLS 1.2 CR
When the server is advertising signature algorithms in TLS 1.2
CertificateRequest, it shouldn't send certificate_types not backed by
any of those algorithms.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/auth/cert.c | 76 +++++++++++++++++++++++--
tests/suite/tls-fuzzer/gnutls-cert.json | 19 +++++++
2 files changed, 89 insertions(+), 6 deletions(-)
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 3073a33d3..0b0f04b2b 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -64,6 +64,16 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN = 2, ECDSA_SIGN = 64,
#endif
} CertificateSigType;
+enum CertificateSigTypeFlags {
+ RSA_SIGN_FLAG = 1,
+ DSA_SIGN_FLAG = 1 << 1,
+ ECDSA_SIGN_FLAG = 1 << 2,
+#ifdef ENABLE_GOST
+ GOSTR34102012_256_SIGN_FLAG = 1 << 3,
+ GOSTR34102012_512_SIGN_FLAG = 1 << 4
+#endif
+};
+
/* Moves data from an internal certificate struct (gnutls_pcert_st) to
* another internal certificate struct (cert_auth_info_t), and deinitializes
* the former.
@@ -1281,6 +1291,7 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
uint8_t tmp_data[CERTTYPE_SIZE];
const version_entry_st *ver = get_version(session);
unsigned init_pos = data->length;
+ enum CertificateSigTypeFlags flags;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -1297,18 +1308,71 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- i = 1;
+ if (_gnutls_version_has_selectable_sighash(ver)) {
+ size_t j;
+
+ flags = 0;
+ for (j = 0; j < session->internals.priorities->sigalg.size; j++) {
+ const gnutls_sign_entry_st *se =
+ session->internals.priorities->sigalg.entry[j];
+ switch (se->pk) {
+ case GNUTLS_PK_RSA:
+ case GNUTLS_PK_RSA_PSS:
+ flags |= RSA_SIGN_FLAG;
+ break;
+ case GNUTLS_PK_DSA:
+ flags |= DSA_SIGN_FLAG;
+ break;
+ case GNUTLS_PK_ECDSA:
+ flags |= ECDSA_SIGN_FLAG;
+ break;
#ifdef ENABLE_GOST
- if (_gnutls_kx_is_vko_gost(session->security_parameters.cs->kx_algorithm)) {
- tmp_data[i++] = GOSTR34102012_256_SIGN;
- tmp_data[i++] = GOSTR34102012_512_SIGN;
- } else
+ case GNUTLS_PK_GOST_12_256:
+ flags |= GOSTR34102012_256_SIGN_FLAG;
+ break;
+ case GNUTLS_PK_GOST_12_512:
+ flags |= GOSTR34102012_512_SIGN_FLAG;
+ break;
+#endif
+ default:
+ gnutls_assert();
+ _gnutls_debug_log(
+ "%s is unsupported for cert request\n",
+ gnutls_pk_get_name(se->pk));
+ }
+ }
+
+ } else {
+#ifdef ENABLE_GOST
+ if (_gnutls_kx_is_vko_gost(session->security_parameters.
+ cs->kx_algorithm)) {
+ flags = GOSTR34102012_256_SIGN_FLAG |
+ GOSTR34102012_512_SIGN_FLAG;
+ } else
#endif
- {
+ {
+ flags = RSA_SIGN_FLAG | DSA_SIGN_FLAG | ECDSA_SIGN_FLAG;
+ }
+ }
+
+ i = 1;
+ if (flags & RSA_SIGN_FLAG) {
tmp_data[i++] = RSA_SIGN;
+ }
+ if (flags & DSA_SIGN_FLAG) {
tmp_data[i++] = DSA_SIGN;
+ }
+ if (flags & ECDSA_SIGN_FLAG) {
tmp_data[i++] = ECDSA_SIGN;
}
+#ifdef ENABLE_GOST
+ if (flags & GOSTR34102012_256_SIGN_FLAG) {
+ tmp_data[i++] = GOSTR34102012_256_SIGN;
+ }
+ if (flags & GOSTR34102012_512_SIGN_FLAG) {
+ tmp_data[i++] = GOSTR34102012_512_SIGN;
+ }
+#endif
tmp_data[0] = i - 1;
ret = _gnutls_buffer_append_data(data, tmp_data, i);
--
2.31.1


@ -1,283 +0,0 @@
From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 3 May 2021 16:35:43 +0200
Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
differently
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Suppose there is a certificate chain ending with an intermediate CA:
EE → ICA1 → ICA2. If the system trust store contains a root CA
generated with the same key as ICA2 but signed with a prohibited
algorithm, such as SHA-1, the library previously reported a
verification failure, though the situation is not uncommon during a
transition period of root CA.
This changes the library behavior such that the check on signature
algorithm will be skipped when examining the trusted root CA.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/x509/verify.c | 26 ++++---
tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 182 insertions(+), 9 deletions(-)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index fd7c6a164..a50b5ea44 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
#define CASE_SEC_PARAM(profile, level) \
case profile: \
sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
- hash = gnutls_sign_get_hash_algorithm(sigalg); \
- entry = mac_to_entry(hash); \
- if (hash <= 0 || entry == NULL) { \
+ se = _gnutls_sign_to_entry(sigalg); \
+ if (unlikely(se == NULL)) { \
+ _gnutls_cert_log("cert", crt); \
+ _gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
+ return gnutls_assert_val(0); \
+ } \
+ if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) { \
_gnutls_cert_log("cert", crt); \
_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
return gnutls_assert_val(0); \
} \
- if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
+ if (!trusted && \
+ _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
_gnutls_cert_log("cert", crt); \
_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
return gnutls_assert_val(0); \
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
* @crt: a certificate
* @issuer: the certificates issuer (allowed to be NULL)
* @sigalg: the signature algorithm used
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
+ * trust list); if it is true, the check on signature algorithm will
+ * be skipped
* @flags: the specified verification flags
*/
static unsigned is_level_acceptable(
gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
- gnutls_sign_algorithm_t sigalg, unsigned flags)
+ gnutls_sign_algorithm_t sigalg, bool trusted,
+ unsigned flags)
{
gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
- const mac_entry_st *entry;
int issuer_pkalg = 0, pkalg, ret;
unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
gnutls_pk_params_st params;
gnutls_sec_param_t sp;
- int hash;
+ const gnutls_sign_entry_st *se;
gnutls_certificate_verification_profiles_t min_profile;
min_profile = _gnutls_get_system_wide_verification_profile();
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
}
if (sigalg >= 0 && se) {
- if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
+ if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
}
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
/* we explicitly allow CAs which we do not support their self-algorithms
* to pass. */
- if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
+ if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
}
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 9b06b85f5..64f50fabf 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
NULL
};
+static const char *rsa_sha1_in_trusted[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
+ "MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
+ "BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
+ "AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
+ "dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
+ "Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
+ "mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
+ "+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
+ "CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
+ "ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
+ "MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
+ "ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
+ "GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
+ "AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
+ "eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
+ "flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
+ "x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
+ "PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
+ "CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
+ "W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
+ "-----END CERTIFICATE-----\n",
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
+ "MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
+ "UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
+ "g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
+ "EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
+ "cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
+ "sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
+ "67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
+ "CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
+ "AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
+ "BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
+ "GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
+ "EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
+ "arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
+ "AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
+ "3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
+ "zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
+ "b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
+ "vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
+ "sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
+static const char *rsa_sha1_in_trusted_ca[] = {
+ /* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
+ * self-signed using SHA-1.
+ */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
+ "MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
+ "KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
+ "Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
+ "b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
+ "rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
+ "fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
+ "4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
+ "UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
+ "MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
+ "S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
+ "Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
+ "gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
+ "Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
+ "9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
+ "wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
+ "w3SV1ZRcNg==\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
+static const char *rsa_sha1_not_in_trusted[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
+ "MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
+ "BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
+ "AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
+ "dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
+ "Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
+ "mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
+ "+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
+ "CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
+ "ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
+ "MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
+ "ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
+ "GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
+ "AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
+ "+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
+ "/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
+ "3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
+ "X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
+ "7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
+ "4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
+ "-----END CERTIFICATE-----\n",
+ /* ICA with SHA1 signature */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
+ "NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
+ "UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
+ "g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
+ "EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
+ "cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
+ "sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
+ "67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
+ "CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
+ "AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
+ "BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
+ "GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
+ "muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
+ "2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
+ "cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
+ "dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
+ "qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
+ "VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
+ "5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
+ "PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
+static const char *rsa_sha1_not_in_trusted_ca[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
+ "MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
+ "Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
+ "OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
+ "K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
+ "lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
+ "fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
+ "pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
+ "1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
+ "aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
+ "kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
+ "VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
+ "S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
+ "WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
+ "C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
+ "o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
+ "7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
+ "Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
+ "nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
+ "6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
+ "tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
# pragma GCC diagnostic push
# pragma GCC diagnostic ignored "-Wunused-variable"
@@ -4275,6 +4432,14 @@ static struct
{ "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
0, NULL, 1584352960, 1},
{ "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
+ { "rsa-sha1 in trusted - ok",
+ rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
+ GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+ 0, NULL, 1620052390, 1},
+ { "rsa-sha1 not in trusted - not ok",
+ rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
+ GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
{ NULL, NULL, NULL, 0, 0}
};
--
2.31.1


@ -1,13 +0,0 @@
diff --git a/guile/src/Makefile.in b/guile/src/Makefile.in
index 95e1e9c..1dfc88e 100644
--- a/guile/src/Makefile.in
+++ b/guile/src/Makefile.in
@@ -1483,7 +1483,7 @@ guileextension_LTLIBRARIES = guile-gnutls-v-2.la
# Use '-module' to build a "dlopenable module", in Libtool terms.
# Use '-undefined' to placate Libtool on Windows; see
# <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
# Linking against GnuTLS.
GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la


@ -1,114 +0,0 @@
From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 9 Aug 2022 16:05:53 +0200
Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel
Remove branching that depends on secret data.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Hubert Kario <hkario@redhat.com>
Tested-by: Hubert Kario <hkario@redhat.com>
---
lib/auth/rsa.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 8108ee841d..6b158bacb2 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -155,7 +155,6 @@ static int
proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
gnutls_datum_t ciphertext;
int ret, dsize;
ssize_t data_size = _data_size;
@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
- if (ok) {
- /* call logging function unconditionally so all branches are
- * indistinguishable for timing and cache access when debug
- * logging is disabled */
- _gnutls_no_log("%s", attack_error);
- } else {
- _gnutls_debug_log("%s", attack_error);
- }
-
/* This is here to avoid the version check attack
* discussed above.
*/
--
2.39.1
From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Wed, 8 Feb 2023 14:32:09 +0100
Subject: [PATCH 2/2] rsa: remove dead code
since the `ok` variable isn't used any more, we can remove all code
used to calculate it
Signed-off-by: Hubert Kario <hkario@redhat.com>
---
lib/auth/rsa.c | 20 +++-----------------
1 file changed, 3 insertions(+), 17 deletions(-)
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 6b158bacb2..858701fe6e 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
int ret, dsize;
ssize_t data_size = _data_size;
volatile uint8_t ver_maj, ver_min;
- volatile uint8_t check_ver_min;
- volatile uint32_t ok;
#ifdef ENABLE_SSL3
if (get_num_version(session) == GNUTLS_SSL3) {
@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
ver_maj = _gnutls_get_adv_version_major(session);
ver_min = _gnutls_get_adv_version_minor(session);
- check_ver_min = (session->internals.allow_wrong_pms == 0);
session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
if (session->key.key.data == NULL) {
@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
return ret;
}
- ret =
- gnutls_privkey_decrypt_data2(session->internals.selected_key,
- 0, &ciphertext, session->key.key.data,
- session->key.key.size);
+ gnutls_privkey_decrypt_data2(session->internals.selected_key,
+ 0, &ciphertext, session->key.key.data,
+ session->key.key.size);
/* After this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
* channel that can be used as an oracle, so treat very carefully */
@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
*/
- /* ok is 0 in case of error and 1 in case of success. */
-
- /* if ret < 0 */
- ok = CONSTCHECK_EQUAL(ret, 0);
- /* session->key.key.data[0] must equal ver_maj */
- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
-
/* This is here to avoid the version check attack
* discussed above.
*/
--
2.39.1



@ -1,524 +1,190 @@
Version: 3.6.16
Release: 8%{?dist}.6
Patch1: gnutls-3.2.7-rpath.patch
Patch2: gnutls-3.6.4-no-now-guile.patch
Patch3: gnutls-3.6.13-enable-intel-cet.patch
Patch10: gnutls-3.6.14-fips-dh-selftests.patch
Patch11: gnutls-3.6.14-fips-kdf-selftests.patch
Patch12: gnutls-3.6.16-tls12-cert-type.patch
Patch13: gnutls-3.6.16-trust-ca-sha1.patch
Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch
Patch15: gnutls-3.6.16-pkcs7-verify.patch
Patch16: gnutls-3.6.16-cpuid.patch
Patch17: gnutls-3.7.8-rsa-kx-timing.patch
Patch18: gnutls-3.6.16-rehandshake-tickets.patch
Patch19: gnutls-3.6.16-rsa-psk-timing.patch
Patch20: gnutls-3.6.16-rsa-psk-timing-followup.patch
Patch21: gnutls-3.6.16-deterministic-ecdsa-fixes.patch
Patch22: gnutls-3.8.9-CVE-2024-12243.patch
Patch23: gnutls-3.6.16-cve-2025-6395.patch
Patch24: gnutls-3.6.16-cve-2025-32988.patch
Patch25: gnutls-3.6.16-cve-2025-32990.patch
Patch26: gnutls-3.6.16-CVE-2025-9820.patch
Patch27: gnutls-3.6.16-CVE-2025-14831.patch
# CVE fixes backported from 3.8.13 release
# (https://gitlab.com/gnutls/gnutls/-/merge_requests/2102)
Patch28: gnutls-3.6.16-CVE-2026-33846-dtls-len.patch
Patch29: gnutls-3.6.16-CVE-2026-42009-dtls-qsort.patch
Patch30: gnutls-3.6.16-CVE-2026-33845-dtls-uflow.patch
Patch31: gnutls-3.6.16-CVE-2026-42010-psk-nul.patch
Patch32: gnutls-3.6.16-CVE-2026-3833-nc-case.patch
Patch33: gnutls-3.6.16-CVE-2026-42011-nc-intersect.patch
Patch34: gnutls-3.6.16-CVE-2026-42012-url-san-cn.patch
Patch35: gnutls-3.6.16-CVE-2026-42013-oversized-san.patch
Patch36: gnutls-3.6.16-CVE-2026-42014-so-pin-uaf.patch
Patch37: gnutls-3.6.16-CVE-2026-5260-p11-rsa-overread.patch
Patch38: gnutls-3.6.16-CVE-2026-42015-p12-bag32.patch
# not in 3.6: CVE-2026-3832-ocsp-rev-0 - since 3.8.9
# not in 3.6: CVE-2026-5419-p7-constant-time - since 3.7.7
# non-CVE security fixes from the same release
Patch39: gnutls-3.6.16-1808-psk-rehandshake.patch
Patch40: gnutls-3.6.16-1810-ocsp-truncated-eku.patch
# not in 3.6: 1813-p11p-aes-ephemeral
Patch41: gnutls-3.6.16-1818-rsa-coprime.patch
Patch42: gnutls-3.6.16-1818-pem-parsing.patch
Patch43: gnutls-3.6.16-1819-dblfree-mid-import.patch
# not in 3.6: 1822-sct-overread
# not in 3.6: 1823-cfg-clear-options
Patch44: gnutls-3.6.16-1817-security-parameters.patch
# not in 3.6: 1820-p11p-kdf
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
%bcond_without dane
%if 0%{?rhel}
%bcond_with guile
%bcond_without fips
%else
%bcond_without guile
%bcond_without fips
%endif
* Tue Jan 18 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
- Update to upstream 3.7.3 release
- Remove dependency on autogen
- Add build-time conditionals for TPM 1.2 and GOST cryptography
Summary: A TLS protocol implementation
Name: gnutls
# The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
BuildRequires: libtool, automake, autoconf, texinfo
BuildRequires: autogen-libopts-devel >= 5.18 autogen
BuildRequires: nettle-devel >= 3.4.1
BuildRequires: trousers-devel >= 0.3.11.2
BuildRequires: libidn2-devel
BuildRequires: libunistring-devel
BuildRequires: gperf, net-tools, datefudge, softhsm, gcc, gcc-c++
BuildRequires: gnupg2
%if %{with fips}
BuildRequires: fipscheck
%endif
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
# for a sanity check on cert loading
BuildRequires: p11-kit-trust, ca-certificates
Requires: crypto-policies
Requires: p11-kit-trust
Requires: libtasn1 >= 4.3
Requires: nettle >= 3.4.1
Recommends: trousers >= 0.3.11.2
* Sat May 29 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-1
- Update to upstream 3.7.2 release
%if %{with dane}
BuildRequires: unbound-devel unbound-libs
%endif
%if %{with guile}
BuildRequires: guile-devel
%endif
URL: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
* Sun Mar 28 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-3
- Remove %%defattr invocations which are no longer necessary
- libpkcs11mock1.* is not installed anymore
- hobble-gnutls: Remove SRP removal
- Use correct source URL
- Switch to using %%gpgverify macro
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
* Tue Mar 16 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-2
- Restore fipscheck dependency
%package c++
Summary: The C++ interface to GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
* Sat Mar 13 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-1
- Update to upstream 3.7.1 release
- Remove fipscheck dependency, as it is now calculated with an
internal tool
%package devel
Summary: Development files for the %{name} package
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-c++%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
Requires: pkgconfig
Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
* Fri Mar 5 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-4
- Tolerate duplicate certs in the chain also with PKCS #11 trust store
%package utils
License: GPLv3+
Summary: Command line tools for TLS protocol
Group: Applications/System
Requires: %{name}%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
* Tue Mar 2 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-3
- Reduce BRs for non-bootstrapping build
%if %{with dane}
%package dane
Summary: A DANE protocol implementation for GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%endif
* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
- Tolerate duplicate certs in the chain
%if %{with guile}
%package guile
Summary: Guile bindings for the GNUTLS library
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: guile
%endif
* Mon Feb 8 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-1
- Update to upstream 3.7.0 release
- Temporarily disable LTO
%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
* Tue Jan 26 2021 Daiki Ueno <dueno@redhat.com> - 3.6.15-4
- Fix broken tests on rawhide (#1908110)
- Add BuildRequires: make (by Tom Stellard)
%description c++
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.15-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
%description devel
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains files needed for developing applications with
the GnuTLS library.
* Mon Sep 28 2020 Jeff Law <law@redhat.com> - 3.6.15-2
- Re-enable LTO now that upstream GCC bugs have been fixed
%description utils
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.
* Fri Sep 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.15-1
- Update to upstream 3.6.15 release
%if %{with dane}
%description dane
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains library that implements the DANE protocol for verifying
TLS certificates through DNSSEC.
%endif
* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 3.6.14-7
- Disable LTO on ppc64le
%if %{with guile}
%description guile
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains Guile bindings for the library.
%endif
* Tue Aug 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-6
- Fix underlinking of libpthread
%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.14-5
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
%autosetup -p1 -S git
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.14-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
* Thu Jul 02 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.14-3
- Rebuild with autogen built with guile-2.2 (#1852706)
echo "SYSTEM=NORMAL" >> tests/system.prio
# Note that we explicitly enable SHA1, as SHA1 deprecation is handled
# via the crypto policies
%build
autoreconf -fi
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS
%configure --with-libtasn1-prefix=%{_prefix} \
%if %{with fips}
--enable-fips140-mode \
%endif
--enable-tls13-support \
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
--with-default-trust-store-pkcs11="pkcs11:" \
--with-trousers-lib=%{_libdir}/libtspi.so.1 \
--htmldir=%{_docdir}/manual \
%if %{with guile}
--enable-guile \
%else
--disable-guile \
%endif
%if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \
--enable-dane \
%else
--disable-dane \
%endif
--disable-rpath \
--with-default-priority-string="@SYSTEM"
make %{?_smp_mflags} V=1
%if %{with fips}
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
%{nil}
%endif
%install
make install DESTDIR=$RPM_BUILD_ROOT
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.0/guile-gnutls*.a
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.0/guile-gnutls*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/gnutls/libpkcs11mock1.*
%if %{without dane}
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
%endif
%find_lang gnutls
%check
make check %{?_smp_mflags} V=1 VERBOSE=1
%post devel
if [ -f %{_infodir}/gnutls.info.gz ]; then
/sbin/install-info %{_infodir}/gnutls.info.gz %{_infodir}/dir || :
fi
%preun devel
if [ $1 = 0 -a -f %{_infodir}/gnutls.info.gz ]; then
/sbin/install-info --delete %{_infodir}/gnutls.info.gz %{_infodir}/dir || :
fi
%files -f gnutls.lang
%defattr(-,root,root,-)
%{_libdir}/libgnutls.so.30*
%if %{with fips}
%{_libdir}/.libgnutls.so.30*.hmac
%endif
%doc README.md AUTHORS NEWS THANKS
%license LICENSE doc/COPYING doc/COPYING.LESSER
%files c++
%{_libdir}/libgnutlsxx.so.*
%files devel
%defattr(-,root,root,-)
%{_includedir}/*
%{_libdir}/libgnutls*.so
%if %{with fips}
%{_libdir}/.libgnutls.so.*.hmac
%endif
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%{_infodir}/gnutls*
%{_infodir}/pkcs11-vision*
%{_docdir}/manual/*
%files utils
%defattr(-,root,root,-)
%{_bindir}/certtool
%{_bindir}/tpmtool
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%if %{with dane}
%{_bindir}/danetool
%endif
%{_bindir}/gnutls*
%{_mandir}/man1/*
%doc doc/certtool.cfg
%if %{with dane}
%files dane
%defattr(-,root,root,-)
%{_libdir}/libgnutls-dane.so.*
%endif
%if %{with guile}
%files guile
%defattr(-,root,root,-)
%{_libdir}/guile/2.0/guile-gnutls*.so*
%{_libdir}/guile/2.0/site-ccache/gnutls.go
%{_libdir}/guile/2.0/site-ccache/gnutls/extra.go
%{_datadir}/guile/site/2.0/gnutls.scm
%{_datadir}/guile/site/2.0/gnutls/extra.scm
%endif
%changelog
* Thu Apr 30 2026 Alexander Sosedkin <asosedkin@redhat.com> - 3.6.16-8.6
- Fix CVE-2026-33846 (DTLS fragment reassembly, High, heap overwrite)
- Fix CVE-2026-42009 (DTLS fragment reassembly, High, undefined behaviour)
- Fix CVE-2026-33845 (DTLS fragment reassembly, High, heap overread)
- Fix CVE-2026-42010 (PSK authentication, High, authentication bypass)
- Fix CVE-2026-3833 (Name constraints, Medium, name constraint bypass)
- Fix CVE-2026-42011 (Name constraints, Medium, name constraint bypass)
- Fix CVE-2026-42012 (CN fallback, Medium, certificate misuse)
- Fix CVE-2026-42013 (CN fallback, Medium, certificate misuse)
- Fix CVE-2026-42014 (PKCS#11 PIN change, Medium, use-after-free)
- Fix CVE-2026-5260 (PKCS#11 RSA, Medium, heap overread)
- Fix CVE-2026-42015 (PKCS#12 appending, Low, heap overwrite)
- Fix upstream security issue #1808 (PSK rehandshake)
- Fix upstream security issue #1810 (EKU OID prefix match)
- Fix upstream security issue #1818 (RSA correctness, OpenSSL format import)
- Fix upstream security issue #1819 (PKCS#11 trust removal error path)
- Fix upstream security issue #1817 (session parameter loading robustness)
* Thu Feb 12 2026 Alexander Sosedkin <asosedki@redhat.com> - 3.6.16-8.5
- Backport the fixes for CVE-2025-9820 and CVE-2025-14831
* Wed Feb 12 2025 Alexander Sosedkin <asosedki@redhat.com> - 3.6.16-8.4
- Backport the fixes for CVE-2025-6395, CVE-2025-32988 and CVE-2025-32990
* Wed Feb 12 2025 Alexander Sosedkin <asosedki@redhat.com> - 3.6.16-8.3
- Backport the fix for CVE-2024-12243
* Mon Mar 25 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.2
- Fix timing side-channel in deterministic ECDSA (RHEL-35231)
* Mon Jan 22 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.1
- auth/rsa-psk: minimize branching after decryption (RHEL-21550)
* Wed Dec 6 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-8
- auth/rsa_psk: side-step potential side-channel (RHEL-16754)
* Mon Jun 26 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-7
- Clear server's session ticket indication at rehandshake (#2089817)
* Thu Feb 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 3.6.16-6
- Fix x86_64 CPU feature detection when AVX is not available (#2131152)
- Fix timing side-channel in TLS RSA key exchange (#2162598)
* Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
- Fix double-free in gnutls_pkcs7_verify (#2109788)
* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
- p11tool: Document ID reuse behavior when importing certs (#1776250)
* Mon Jun 7 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-3
- Treat SHA-1 signed CA in the trusted set differently (#1965445)
* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-2
- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)
* Mon May 24 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-1
- Update to upstream 3.6.16 release (#1956783)
- Fix potential use-after-free in key_share handling (#1927597)
- Fix potential use-after-free in pre_shared_key handling (#1927593)
- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)
- Fix cert expiration issue in tests (#1908110)
* Thu Apr 1 2021 Daiki Ueno <dueno@redhat.com> - 3.6.14-10
- Port fixes for potential miscalculation in ecdsa_verify (#1942931)
* Tue Nov 24 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-9
- Revert the previous change
* Wed Nov 11 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-8
- Depend on specific NVR of gmp and nettle (#1812933)
* Tue Nov 3 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-7
- Increase DH key bits to >= 2048 in self-tests (#1879506)
- Implement self-tests for KDF and CMAC (#1890870)
- Fix CVE-2020-24659: heap buffer-overflow when "no_renegotiation" alert is received (#1873959)
* Mon Aug 24 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-6
- Fix memory leak when serializing iovec_t (#1844112)
* Sat Jul 18 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-5
- Perform validation checks on (EC)DH public keys and share secrets (#1855803)
* Mon Jun 29 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-4
- Tighten FIPS DH primes check according to SP800-56A (rev 3) (#1849079)
* Fri Jun 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-3
- Update gnutls-3.6.14-fips-mode-check.patch
* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-2
- Return false from gnutls_fips140_mode_enabled() if selftests failed (#1827687)
* Tue Jun 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.14-2
- Fix memory leak when serializing iovec_t (#1845083)
- Fix automatic libraries sonames detection (#1845806)
* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-1
- Update to upstream 3.6.14 release
* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
- Add an option to gnutls-cli to wait for resumption under TLS 1.3 (#1677754)
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-6
- Update gnutls-3.6.13-superseding-chain.patch
* Wed May 20 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
- Enable Intel CET (#1838476)
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-5
- Fix cert chain validation behavior if the last cert has expired (#1842178)
* Tue May 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-4
- Add option to gnutls-cli to wait for resumption under TLS 1.3
* Tue May 19 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
- Disable RSA blinding during FIPS self-tests
* Thu May 14 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
- Bump linked libraries soname to fix FIPS selftests (#1835265)
* Tue Mar 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
- Update to upstream 3.6.13 release
* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
- Fix CVE-2020-11501 (#1822005)
* Thu Mar 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.12-2
- Fix FIPS POST (#1813384)
- Fix gnutls-serv --echo to not exit when a message is received (#1816583)
* Wed Nov 6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9
- Fix CFB8 decryption when repeatedly called (#1757848)
- Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856)
* Sun Feb 02 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 3.6.12-1
- Update to upstream 3.6.12 release
* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-8
- Use fallback random function for RSA blinding in FIPS selftests
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-7
- Fix deterministic signature creation in selftests
* Mon Dec 02 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 3.6.11-1
- Update to upstream 3.6.11 release
* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-6
- Treat login error more gracefully when enumerating PKCS#11 tokens (#1705478)
- Use deterministic ECDSA/DSA in FIPS selftests (#1716560)
- Add gnutls_aead_cipher_{encrypt,decrypt}v2 functions (#1684461)
* Sun Sep 29 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 3.6.10-1
- Update to upstream 3.6.10 release
* Fri Aug 9 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-5
- Avoid UB when encrypting session tickets
* Fri Jul 26 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 3.6.9-1
- Update to upstream 3.6.9 release
* Tue Jul 2 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-4
- Add RNG continuous test under FIPS
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 14 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-3
- Follow-up fix on multiple key updates handling (#1673975)
* Mon Jul 15 2019 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.8-2
- Rebuilt with guile-2.2
* Thu Jun 13 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-2
- Run FIPS AES self-tests over overridden algorithms
* Wed May 29 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-1
* Tue May 28 2019 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.8-1
- Update to upstream 3.6.8 release
* Fri May 24 2019 Anderson Sasaki <ansasaki@redhat.com> - 3.6.5-4
- Fixed FIPS signatures self tests (#1680509)
* Wed Mar 27 2019 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 3.6.7-1
- Update to upstream 3.6.7 release
- Fixed CVE-2019-3836 (#1693214)
- Fixed CVE-2019-3829 (#1693210)
* Wed Mar 27 2019 Anderson Sasaki <ansasaki@redhat.com> - 3.6.5-3
- Fixed CVE-2019-3829 (#1693285)
- Fixed CVE-2019-3836 (#1693288)
- Added explicit BuildRequires for nettle-devel >= 3.4.1
* Fri Feb 1 2019 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.6-1
- Update to upstream 3.6.6 release
* Fri Jan 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 3.6.5-2
- Fixed FIPS integrity self tests (#1665061)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Dec 17 2018 Anderson Sasaki <ansasaki@redhat.com> - 3.6.5-1
- Update to upstream 3.6.5 release
- Fixes CVE-2018-16868 (#1655395)
- Removed ldconfig scriptlet
* Fri Jan 11 2019 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 3.6.5-2
- Added explicit Requires for nettle >= 3.4.1
* Mon Nov 26 2018 Anderson Sasaki <ansasaki@redhat.com> - 3.6.4-7
- Fix incorrect certificate type returned in TLS1.3 resumption (#1649786)
* Tue Dec 11 2018 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 3.6.5-1
- Update to upstream 3.6.5 release
* Mon Nov 12 2018 Anderson Sasaki <ansasaki@redhat.com> - 3.6.4-6
- Add support for record_size_limit extension in TLS1.2 (#1644850)
* Mon Oct 29 2018 James Antill <james.antill@redhat.com> - 3.6.4-5
- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc.
* Tue Oct 30 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.4-5
- Fix issue with GOST ciphers (#1644193)
- Made gnutls-serv use the default priorities if none is specified (#1644243)
* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.4-4
- Fix issue with rehandshake affecting glib-networking (#1634736)
* Wed Oct 24 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.4-3
- Fix issue with rehandshake affecting glib-networking (#1641072)
* Tue Oct 16 2018 Tomáš Mráz <tmraz@redhat.com> - 3.6.4-2
* Tue Oct 16 2018 Tomáš Mráz <tmraz@redhat.com> - 3.6.4-3
- Add missing annobin notes for assembler sources
* Tue Oct 09 2018 Petr Menšík <pemensik@redhat.com> - 3.6.4-2
- Rebuilt for unbound 1.8
* Tue Sep 25 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.4-1
- Updated to upstream 3.6.4 release
- Added support for the latest version of the TLS1.3 protocol
- Enabled SHA1 support as SHA1 deprecation is handled via the
fedora crypto policies.
* Thu Aug 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-4
- Fixed support for ECDSA public keys (backported from Fedora)
- Fixed gnutls-cli input reading
- Ensure that we do not cause issues with version rollback detection
and TLS1.3.
* Thu Jul 26 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-4
- Updated to upstream 3.6.3 release
* Tue Aug 07 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-3
- Fixed ECDSA public key import (#1612803)
* Thu Jul 26 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-2
- Backported regression fixes from 3.6.2
* Mon Jul 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-1
- Update to upstream 3.6.3 release
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 13 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.2-4
- Enable FIPS140-2 mode in Fedora
* Wed Jun 06 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.2-3
- Include FIPS mode
- Update to upstream 3.6.2 release
* Fri May 25 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> - 3.6.2-2
- Add missing BuildRequires: gnupg2 for gpgv2 in %%prep
* Fri Feb 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.2-1
- Updated to upstream 3.6.2 release
- Update to upstream 3.6.2 release
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
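Review bot: This section renders both sides of gnutls.spec fused line by line with no +/- markers, so which `%prep` body survives cannot be read off the page; the point to confirm on the new side is tarball signature verification. The line `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` checks the detached signature by hand, while the 3.7.1-3 changelog entry says the spec was switched to the `%gpgverify` macro; if the bare `gpgv2` form is what lands, the macro form `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` is the supported one and fails the build on a bad or missing signature without relying on the exit-status conventions of a hand-written call. Whichever form is kept, it should remain the first statement of `%prep`, ahead of `%autosetup -p1 -S git`, so no unverified source is unpacked or patched.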

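--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,14 @@
+--- !Policy
+product_versions:
+- fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+--- !Policy
+product_versions:
+- fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}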
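Review bot: Both policies only ever apply to Fedora — `product_versions: - fedora-*` combined with the `bodhi_update_push_testing` and `bodhi_update_push_stable` decision contexts — so on any other product (a CentOS Stream or RHEL branch, whose gating is driven by the `osci_compose_gate` context and a `rhel-<N>` product version) Greenwave finds no applicable policy and the build is silently not gated at all; it is worth confirming this file matches the branch it is committed to. The two documents differ only in `decision_context`, which is the usual Fedora shape, but a comment at the top naming the intended product would save the next reader the lookup, e.g. `# Greenwave gating for Fedora Bodhi updates (push-to-testing and push-to-stable); adjust product_versions/decision_context for other products`. The rendering appears to have stripped leading whitespace, so the `- fedora-*` and `- !PassingTestCaseRule` entries show flush-left; that still parses as a block sequence, but the checked-in file should use one consistent sequence indentation.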

3515
gmp-6.2.1-intel-cet.patch Normal file




@ -0,0 +1,33 @@
From c7f4ce40eaecafdefbf4db0ac2d3665bc0c41b33 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 21 Nov 2023 14:13:38 +0900
Subject: [PATCH] gnutls-3.7.2-no-explicit-init.patch
Signed-off-by: rpm-build <rpm-build>
---
lib/global.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/lib/global.c b/lib/global.c
index 924ec94..3baa202 100644
--- a/lib/global.c
+++ b/lib/global.c
@@ -510,15 +510,6 @@ static void _CONSTRUCTOR lib_init(void)
return;
}
- e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT");
- if (e != NULL) {
- _gnutls_debug_log(
- "GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n");
- ret = atoi(e);
- if (ret == 1)
- return;
- }
-
ret = _gnutls_global_init(1);
if (ret < 0) {
fprintf(stderr, "Error in GnuTLS initialization: %s\n",
--
2.41.0
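Review bot: The patch header gives no rationale: the Subject is just the file name and the body is empty, so a future rebase cannot tell whether dropping the GNUTLS_NO_EXPLICIT_INIT check in lib_init() is still wanted. Add a sentence to the body such as `GNUTLS_NO_EXPLICIT_INIT was deprecated in favour of GNUTLS_NO_IMPLICIT_INIT; drop the old environment knob so only the documented name can skip initialisation` (adjust to the actual motivation). If `e` was declared only for this check, its declaration, which is outside the hunk, is now unused and will warn. lib_init() starts and ends outside the hunk.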


@ -0,0 +1,26 @@
diff --git a/lib/priority.c b/lib/priority.c
index 9feec47fe2..40511710fd 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -2001,13 +2001,14 @@ char *_gnutls_resolve_priorities(const char* priorities)
additional++;
}
- /* Always try to refresh the cached data, to allow it to be
- * updated without restarting all applications.
- */
- ret = _gnutls_update_system_priorities(false /* defer_system_wide */);
- if (ret < 0) {
- _gnutls_debug_log("failed to update system priorities: %s\n",
- gnutls_strerror(ret));
+ /* If priority string is not constructed yet, construct and finalize */
+ if (!system_wide_config.priority_string) {
+ ret = _gnutls_update_system_priorities(false
+ /* defer_system_wide */);
+ if (ret < 0) {
+ _gnutls_debug_log("failed to update system priorities: "
+ " %s\n", gnutls_strerror(ret));
+ }
}
do {
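Review bot: The split format string on the new side, `"failed to update system priorities: "` followed by `" %s\n"`, produces two spaces before the error text; drop the leading space in the second literal so it reads `"failed to update system priorities: %s\n"`. The removed comment documented that the system-wide priorities were re-read on every resolve so crypto-policies changes took effect without restarting applications; the new code builds them only once, and the patch has no commit message recording this behaviour change, so long-running services will keep the policy they started with until restart and that deserves a sentence in the patch header. _gnutls_resolve_priorities() starts and ends outside the hunk.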


@ -0,0 +1,41 @@
From 968de8a9779788a853a4c0cd75beda779cb15f52 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 16 Nov 2023 17:09:58 +0900
Subject: [PATCH] gnutls-3.7.6-drbg-reseed.patch
Signed-off-by: rpm-build <rpm-build>
---
lib/nettle/sysrng-linux.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/nettle/sysrng-linux.c b/lib/nettle/sysrng-linux.c
index 25d74fe..8b9cc46 100644
--- a/lib/nettle/sysrng-linux.c
+++ b/lib/nettle/sysrng-linux.c
@@ -31,6 +31,9 @@
#include "num.h"
#include <errno.h>
#include "rnd-common.h"
+#include "fips.h"
+#else
+#define _gnutls_fips_mode_enabled() 0
#endif
#include <sys/types.h>
@@ -104,7 +107,12 @@ static int force_getrandom(void *buf, size_t buflen, unsigned int flags)
static int _rnd_get_system_entropy_getrandom(void *_rnd, size_t size)
{
int ret;
- ret = force_getrandom(_rnd, size, 0);
+ unsigned int flags = 0;
+
+ if (_gnutls_fips_mode_enabled()) {
+ flags |= 2/*GRND_RANDOM*/;
+ }
+ ret = force_getrandom(_rnd, size, flags);
if (ret == -1) {
int e = errno;
gnutls_assert();
--
2.41.0
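Review bot: `flags |= 2/*GRND_RANDOM*/;` hard-codes the flag value instead of using the GRND_RANDOM macro, so the intent is not greppable and a header mismatch would go unnoticed; prefer `flags |= GRND_RANDOM;` with a fallback `#ifndef GRND_RANDOM` / `#define GRND_RANDOM 0x0002` next to the existing includes if the build must support headers that lack it. The patch body also gives no rationale for requesting the blocking pool only in FIPS mode; a sentence noting that GRND_RANDOM can stall on kernels that still have a blocking pool when its entropy estimate is low, so FIPS-mode callers may see delays, would help the next rebase judge the trade-off. _rnd_get_system_entropy_getrandom() ends outside the hunk.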


@ -12,35 +12,28 @@ Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1808
Signed-off-by: Joshua Rogers <joshua@joshua.hu>
---
lib/handshake-checks.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
lib/handshake-checks.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/handshake-checks.c b/lib/handshake-checks.c
index b07b9680c..e02210531 100644
index 5231046e8..ad92932d7 100644
--- a/lib/handshake-checks.c
+++ b/lib/handshake-checks.c
@@ -75,11 +75,16 @@ int _gnutls_check_id_for_change(gnutls_session_t session)
if (username == NULL)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -80,10 +80,10 @@ int _gnutls_check_id_for_change(gnutls_session_t session)
- if (session->internals.saved_username_size != -1) {
- if (session->internals.saved_username_size == username_length &&
- strncmp(session->internals.saved_username, username, username_length) != 0) {
- _gnutls_debug_log("Session's PSK username changed during rehandshake; aborting!\n");
- return gnutls_assert_val(GNUTLS_E_SESSION_USER_ID_CHANGED);
+ if (session->internals.saved_username &&
+ session->internals.saved_username_size != -1) {
if (session->internals.saved_username &&
session->internals.saved_username_size != -1) {
- if (session->internals.saved_username_size ==
- username_length &&
- strncmp(session->internals.saved_username, username,
- username_length)) {
+ if (session->internals.saved_username_size !=
+ username_length ||
+ memcmp(session->internals.saved_username, username,
+ username_length)) {
+ _gnutls_debug_log(
+ "Session's PSK username changed during rehandshake; aborting!\n");
+ return gnutls_assert_val(
+ GNUTLS_E_SESSION_USER_ID_CHANGED);
}
} else {
memcpy(session->internals.saved_username, username, username_length);
_gnutls_debug_log(
"Session's PSK username changed during rehandshake; aborting!\n");
return gnutls_assert_val(
--
2.53.0
@ -52,18 +45,14 @@ Subject: [PATCH 2/3] tests/rehandshake-switch-psk-id: refactor a bit
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/rehandshake-switch-psk-id.c | 50 ++++++++++++++++++-------------
1 file changed, 29 insertions(+), 21 deletions(-)
tests/rehandshake-switch-psk-id.c | 46 +++++++++++++++++--------------
1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/tests/rehandshake-switch-psk-id.c b/tests/rehandshake-switch-psk-id.c
index c8beec13f..62593060a 100644
index 726ee06c2..a16048776 100644
--- a/tests/rehandshake-switch-psk-id.c
+++ b/tests/rehandshake-switch-psk-id.c
@@ -24,10 +24,10 @@
#include <config.h>
#endif
+#include <assert.h>
@@ -26,7 +26,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -71,7 +60,7 @@ index c8beec13f..62593060a 100644
#include <gnutls/gnutls.h>
#include "utils.h"
#include "eagain-common.h"
@@ -35,6 +35,8 @@
@@ -34,6 +33,8 @@
/* This test checks whether the server switching certificates is detected
* by the client */
@ -80,22 +69,17 @@ index c8beec13f..62593060a 100644
const char *side;
static void tls_log_func(int level, const char *str)
@@ -42,11 +44,8 @@ static void tls_log_func(int level, const char *str)
@@ -41,8 +42,6 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "%s|<%d>| %s", side, level, str);
}
-#include "cert-common.h"
-
-static int
-pskfunc(gnutls_session_t session, const char *username,
- gnutls_datum_t * key)
+static int pskfunc(gnutls_session_t session, const char *username,
+ gnutls_datum_t *key)
static int pskfunc(gnutls_session_t session, const char *username,
gnutls_datum_t *key)
{
if (debug)
printf("psk: username %s\n", username);
@@ -76,6 +75,9 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx, unsigned allow_chang
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
@@ -74,6 +73,9 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx,
const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
int cret = GNUTLS_E_AGAIN;
+ success("testing: prio=%s kx=%s allow_change=%d\n", prio,
@ -104,7 +88,7 @@ index c8beec13f..62593060a 100644
/* General init. */
gnutls_global_set_log_function(tls_log_func);
if (debug)
@@ -170,22 +172,28 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx, unsigned allow_chang
@@ -163,26 +165,28 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx,
void doit(void)
{
@ -125,17 +109,11 @@ index c8beec13f..62593060a 100644
- /* Allow change of ID */
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", GNUTLS_KX_PSK, 0);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", GNUTLS_KX_DHE_PSK, 0);
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", GNUTLS_KX_DHE_PSK,
- 0);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, 0);
- reset_buffers();
-
- /* Prohibit (default) change of ID */
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", GNUTLS_KX_PSK, 1);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", GNUTLS_KX_DHE_PSK, 1);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, 1);
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK",
- GNUTLS_KX_ECDHE_PSK, 0);
- reset_buffers();
+ /* loop over allowed (0) and disallowed (1) ID change */
+ for (unsigned allow = 0; allow <= 1; allow++) {
@ -145,7 +123,16 @@ index c8beec13f..62593060a 100644
+ reset_buffers();
+ }
+ }
+
- /* Prohibit (default) change of ID */
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", GNUTLS_KX_PSK, 1);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", GNUTLS_KX_DHE_PSK,
- 1);
- reset_buffers();
- try("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK",
- GNUTLS_KX_ECDHE_PSK, 1);
- reset_buffers();
gnutls_global_deinit();
}
--
@ -160,25 +147,24 @@ Subject: [PATCH 3/3] tests/rehandshake-switch-psk-id: test usernames of varied
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/rehandshake-switch-psk-id.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
tests/rehandshake-switch-psk-id.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tests/rehandshake-switch-psk-id.c b/tests/rehandshake-switch-psk-id.c
index 62593060a..5e06abe05 100644
index a16048776..84d8b9d67 100644
--- a/tests/rehandshake-switch-psk-id.c
+++ b/tests/rehandshake-switch-psk-id.c
@@ -58,7 +58,8 @@ static int pskfunc(gnutls_session_t session, const char *username,
return 0;
@@ -57,7 +57,7 @@ static int pskfunc(gnutls_session_t session, const char *username,
}
-static void try(const char *prio, gnutls_kx_algorithm_t kx, unsigned allow_change)
+static void try(const char *prio, gnutls_kx_algorithm_t kx,
static void try(const char *prio, gnutls_kx_algorithm_t kx,
- unsigned allow_change)
+ unsigned allow_change, const char *username)
{
int ret;
/* Server stuff. */
@@ -75,8 +76,8 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx, unsigned allow_chang
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
@@ -73,8 +73,8 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx,
const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
int cret = GNUTLS_E_AGAIN;
- success("testing: prio=%s kx=%s allow_change=%d\n", prio,
@ -188,7 +174,7 @@ index 62593060a..5e06abe05 100644
/* General init. */
gnutls_global_set_log_function(tls_log_func);
@@ -120,7 +121,7 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx, unsigned allow_chang
@@ -114,7 +114,7 @@ static void try(const char *prio, gnutls_kx_algorithm_t kx,
if (ret < 0)
exit(1);
@ -197,7 +183,7 @@ index 62593060a..5e06abe05 100644
GNUTLS_PSK_KEY_HEX);
ret = gnutls_init(&client, GNUTLS_CLIENT);
@@ -184,14 +185,21 @@ void doit(void)
@@ -177,14 +177,21 @@ void doit(void)
};
assert(SIZEOF(prio_list) == SIZEOF(kx_list));
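Review bot: In the first hunk (lib/handshake-checks.c) the rejection of a changed PSK identity is reported only through `_gnutls_debug_log`, which is silent unless a debug callback is installed, so an operator gets no record that a peer tried to switch identity mid-rehandshake; since the function takes `session` (visible in the hunk header), `_gnutls_audit_log(session, "Session's PSK username changed during rehandshake; aborting!\n");` would surface it the way other security-relevant rejections are. The length-mismatch-or-memcmp form on the new side is the right shape, and worth a one-line comment, `/* reject both a different length and different bytes; strncmp() on a shorter name would have matched a prefix */`, since the old side shows exactly that mistake. _gnutls_check_id_for_change() starts and ends outside the hunk.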


@ -17,17 +17,15 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index caa511e9d..74fd19ace 100644
index 8f3423f0a..ae04864d4 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2174,7 +2174,10 @@ static int check_ocsp_purpose(gnutls_x509_crt_t signercert)
@@ -2132,7 +2132,8 @@ static int check_ocsp_purpose(gnutls_x509_crt_t signercert)
return gnutls_assert_val(rc);
}
- if (memcmp(oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) {
+ /* x509_read_value() includes NUL in size for OIDs on 3.6,
+ unlike in 3.8 */
+ if (oidsize != sizeof(GNUTLS_KP_OCSP_SIGNING) ||
+ if (oidsize != sizeof(GNUTLS_KP_OCSP_SIGNING) - 1 ||
+ memcmp(oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) {
gnutls_assert();
continue;
@ -47,12 +45,12 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 163 insertions(+)
diff --git a/tests/ocsp.c b/tests/ocsp.c
index 0f1a1b8cf..ff50d974f 100644
index 3f30f6c3d..7e092bb17 100644
--- a/tests/ocsp.c
+++ b/tests/ocsp.c
@@ -489,6 +489,118 @@ static unsigned char long_resp_str[] =
@@ -492,6 +492,118 @@ static unsigned char long_resp_str[] =
gnutls_datum_t long_resp = {long_resp_str, sizeof(long_resp_str)-1 };
gnutls_datum_t long_resp = { long_resp_str, sizeof(long_resp_str) - 1 };
+/* EKU 1.3.6.1.5.5.7.3, not 1.3.6.1.5.5.7.3.9 (OCSPSigning) */
+static unsigned char truncated_eku_pem[] =
@ -169,7 +167,7 @@ index 0f1a1b8cf..ff50d974f 100644
static void ocsp_invalid_calls(void)
{
gnutls_ocsp_req_t req;
@@ -1601,6 +1713,56 @@ static void resp_verify(void)
@@ -1603,6 +1715,56 @@ static void resp_verify(void)
gnutls_x509_crt_deinit(signer);
}
@ -226,7 +224,7 @@ index 0f1a1b8cf..ff50d974f 100644
static void long_resp_check(void)
{
gnutls_ocsp_resp_t resp;
@@ -1676,6 +1838,7 @@ void doit(void)
@@ -1678,6 +1840,7 @@ void doit(void)
req_addcert_id();
req_addcert();
resp_verify();
@ -245,14 +243,14 @@ Subject: [PATCH 3/3] tests/ocsp: do not exit(1), fail does that
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/ocsp.c | 642 ++++++++++++++-------------------------------------
1 file changed, 178 insertions(+), 464 deletions(-)
tests/ocsp.c | 558 +++++++++++++--------------------------------------
1 file changed, 138 insertions(+), 420 deletions(-)
diff --git a/tests/ocsp.c b/tests/ocsp.c
index ff50d974f..e42b10463 100644
index 7e092bb17..2447aa29c 100644
--- a/tests/ocsp.c
+++ b/tests/ocsp.c
@@ -611,329 +611,222 @@ static void ocsp_invalid_calls(void)
@@ -614,327 +614,221 @@ static void ocsp_invalid_calls(void)
int rc;
rc = gnutls_ocsp_req_init(&req);
@ -398,28 +396,22 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, p, NULL,
- NULL);
rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, p, NULL, NULL);
- if (rc != GNUTLS_E_INVALID_REQUEST) {
+ rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, p, NULL, NULL);
+ if (rc != GNUTLS_E_INVALID_REQUEST)
fail("gnutls_ocsp_req_add_cert_id NULL\n");
- exit(1);
- }
- rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, p,
- NULL);
rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, p, NULL);
- if (rc != GNUTLS_E_INVALID_REQUEST) {
+ rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, p, NULL);
+ if (rc != GNUTLS_E_INVALID_REQUEST)
fail("gnutls_ocsp_req_add_cert_id NULL\n");
- exit(1);
- }
- rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, NULL,
- p);
rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, NULL, p);
- if (rc != GNUTLS_E_INVALID_REQUEST) {
+ rc = gnutls_ocsp_req_add_cert_id(req, GNUTLS_DIG_SHA1, NULL, NULL, p);
+ if (rc != GNUTLS_E_INVALID_REQUEST)
fail("gnutls_ocsp_req_add_cert_id NULL\n");
- exit(1);
@ -460,7 +452,6 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
rc = gnutls_ocsp_req_add_cert(req, 0, p, NULL);
- if (rc != GNUTLS_E_INVALID_REQUEST) {
+ if (rc != GNUTLS_E_INVALID_REQUEST)
@ -629,20 +620,18 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- rc = gnutls_ocsp_resp_get_responder_raw_id(resp, GNUTLS_OCSP_RESP_ID_KEY, &dat);
rc = gnutls_ocsp_resp_get_responder_raw_id(
resp, GNUTLS_OCSP_RESP_ID_KEY, &dat);
- if (rc != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- fail("gnutls_ocsp_resp_get_responder_raw_id %s\n", gnutls_strerror(rc));
+ if (rc != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_ocsp_resp_get_responder_raw_id %s\n",
gnutls_strerror(rc));
- exit(1);
- }
+ rc = gnutls_ocsp_resp_get_responder_raw_id(
+ resp, GNUTLS_OCSP_RESP_ID_KEY, &dat);
+ if (rc != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ fail("gnutls_ocsp_resp_get_responder_raw_id %s\n",
+ gnutls_strerror(rc));
gnutls_free(dat.data);
@@ -951,26 +844,20 @@ static void req_parse(void)
@@ -952,26 +846,20 @@ static void req_parse(void)
/* init request */
ret = gnutls_ocsp_req_init(&req);
@ -672,7 +661,7 @@ index ff50d974f..e42b10463 100644
/* check nonce */
{
@@ -981,21 +868,15 @@ static void req_parse(void)
@@ -981,21 +869,15 @@ static void req_parse(void)
unsigned int critical;
ret = gnutls_ocsp_req_get_nonce(req, &critical, &got);
@ -697,7 +686,7 @@ index ff50d974f..e42b10463 100644
gnutls_free(got.data);
}
@@ -1003,10 +884,8 @@ static void req_parse(void)
@@ -1003,10 +885,8 @@ static void req_parse(void)
/* print request */
ret = gnutls_ocsp_req_print(req, GNUTLS_OCSP_PRINT_FULL, &d);
@ -709,9 +698,9 @@ index ff50d974f..e42b10463 100644
if (strlen(REQ1INFO) != d.size ||
memcmp(REQ1INFO, d.data, strlen(REQ1INFO)) != 0) {
@@ -1014,23 +893,18 @@ static void req_parse(void)
strlen(REQ1INFO), REQ1INFO, (int) d.size,
(int) d.size, d.data);
@@ -1014,23 +894,18 @@ static void req_parse(void)
strlen(REQ1INFO), REQ1INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp request print failed\n");
- exit(1);
}
@ -735,7 +724,7 @@ index ff50d974f..e42b10463 100644
gnutls_free(d.data);
/* test setting nonce */
@@ -1041,98 +915,68 @@ static void req_parse(void)
@@ -1041,98 +916,68 @@ static void req_parse(void)
unsigned critical;
ret = gnutls_ocsp_req_set_nonce(req, 0, &n1);
@ -840,9 +829,8 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- if (n2.size == got.size
- && memcmp(n1.data, n2.data, n1.size) == 0) {
+ if (n2.size == got.size &&
if (n2.size == got.size &&
- memcmp(n1.data, n2.data, n1.size) == 0) {
+ memcmp(n1.data, n2.data, n1.size) == 0)
fail("ocsp request random nonce memcmp failed\n");
- exit(1);
@ -850,7 +838,7 @@ index ff50d974f..e42b10463 100644
gnutls_free(n1.data);
gnutls_free(n2.data);
@@ -1154,10 +998,8 @@ static void req_addcert_id(void)
@@ -1154,10 +999,8 @@ static void req_addcert_id(void)
/* init request */
ret = gnutls_ocsp_req_init(&req);
@ -862,17 +850,11 @@ index ff50d974f..e42b10463 100644
/* add ocsp request nonce */
@@ -1165,14 +1007,10 @@ static void req_addcert_id(void)
gnutls_datum_t nonce =
{ (unsigned char *) REQ1NONCE, sizeof(REQ1NONCE) - 1 };
@@ -1167,10 +1010,8 @@ static void req_addcert_id(void)
- ret =
- gnutls_ocsp_req_set_extension(req,
- "1.3.6.1.5.5.7.48.1.2",
- 0, &nonce);
ret = gnutls_ocsp_req_set_extension(req, "1.3.6.1.5.5.7.48.1.2",
0, &nonce);
- if (ret != 0) {
+ ret = gnutls_ocsp_req_set_extension(req, "1.3.6.1.5.5.7.48.1.2",
+ 0, &nonce);
+ if (ret != 0)
fail("gnutls_ocsp_req_set_extension %d\n", ret);
- exit(1);
@ -880,7 +862,7 @@ index ff50d974f..e42b10463 100644
}
/* add cert_id */
@@ -1188,19 +1026,15 @@ static void req_addcert_id(void)
@@ -1186,19 +1027,15 @@ static void req_addcert_id(void)
&issuer_name_hash,
&issuer_key_hash,
&serial_number);
@ -902,9 +884,9 @@ index ff50d974f..e42b10463 100644
if (strlen(REQ1INFO) != d.size ||
memcmp(REQ1INFO, d.data, strlen(REQ1INFO)) != 0) {
@@ -1208,23 +1042,18 @@ static void req_addcert_id(void)
strlen(REQ1INFO), REQ1INFO, (int) d.size,
(int) d.size, d.data);
@@ -1206,23 +1043,18 @@ static void req_addcert_id(void)
strlen(REQ1INFO), REQ1INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp request print failed\n");
- exit(1);
}
@ -928,7 +910,7 @@ index ff50d974f..e42b10463 100644
gnutls_free(d.data);
/* cleanup */
@@ -1243,10 +1072,8 @@ static void req_addcert(void)
@@ -1241,10 +1073,8 @@ static void req_addcert(void)
/* init request */
ret = gnutls_ocsp_req_init(&req);
@ -940,17 +922,11 @@ index ff50d974f..e42b10463 100644
/* add ocsp request nonce */
@@ -1254,14 +1081,10 @@ static void req_addcert(void)
gnutls_datum_t nonce =
{ (unsigned char *) REQ1NONCE, sizeof(REQ1NONCE) - 1 };
@@ -1254,10 +1084,8 @@ static void req_addcert(void)
- ret =
- gnutls_ocsp_req_set_extension(req,
- "1.3.6.1.5.5.7.48.1.2",
- 0, &nonce);
ret = gnutls_ocsp_req_set_extension(req, "1.3.6.1.5.5.7.48.1.2",
0, &nonce);
- if (ret != 0) {
+ ret = gnutls_ocsp_req_set_extension(req, "1.3.6.1.5.5.7.48.1.2",
+ 0, &nonce);
+ if (ret != 0)
fail("gnutls_ocsp_req_set_extension %d\n", ret);
- exit(1);
@ -958,7 +934,7 @@ index ff50d974f..e42b10463 100644
}
/* add cert_id */
@@ -1269,39 +1092,27 @@ static void req_addcert(void)
@@ -1265,37 +1093,27 @@ static void req_addcert(void)
gnutls_x509_crt_t issuer = NULL, subject = NULL;
ret = gnutls_x509_crt_init(&issuer);
@ -975,33 +951,25 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(issuer, &issuer_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(issuer, &issuer_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(issuer, &issuer_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (issuer) %d\n", ret);
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(subject, &subject_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(subject, &subject_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(subject, &subject_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (subject) %d\n", ret);
- exit(1);
- }
- ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1,
- issuer, subject);
ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1, issuer,
subject);
- if (ret != 0) {
+ ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1, issuer,
+ subject);
+ if (ret != 0)
fail("gnutls_ocsp_add_cert %d\n", ret);
- exit(1);
@ -1009,7 +977,7 @@ index ff50d974f..e42b10463 100644
gnutls_x509_crt_deinit(subject);
gnutls_x509_crt_deinit(issuer);
@@ -1310,10 +1121,8 @@ static void req_addcert(void)
@@ -1304,10 +1122,8 @@ static void req_addcert(void)
/* print request */
ret = gnutls_ocsp_req_print(req, GNUTLS_OCSP_PRINT_FULL, &d);
@ -1021,9 +989,9 @@ index ff50d974f..e42b10463 100644
if (strlen(REQ1INFO) != d.size ||
memcmp(REQ1INFO, d.data, strlen(REQ1INFO)) != 0) {
@@ -1321,23 +1130,18 @@ static void req_addcert(void)
strlen(REQ1INFO), REQ1INFO, (int) d.size,
(int) d.size, d.data);
@@ -1315,23 +1131,18 @@ static void req_addcert(void)
strlen(REQ1INFO), REQ1INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp request print failed\n");
- exit(1);
}
@ -1047,7 +1015,7 @@ index ff50d974f..e42b10463 100644
gnutls_free(d.data);
/* cleanup */
@@ -1396,26 +1200,21 @@ static void resp_import(void)
@@ -1395,27 +1206,21 @@ static void resp_import(void)
/* init response */
ret = gnutls_ocsp_resp_init(&resp);
@ -1061,12 +1029,11 @@ index ff50d974f..e42b10463 100644
ret = gnutls_ocsp_resp_import(resp, &resp1);
- if (ret != 0) {
- fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__, gnutls_strerror(ret));
+ if (ret != 0)
fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
- exit(1);
- }
+ if (ret != 0)
+ fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
+ gnutls_strerror(ret));
/* print response */
@ -1079,9 +1046,9 @@ index ff50d974f..e42b10463 100644
if (strlen(RESP1INFO) != d.size ||
memcmp(RESP1INFO, d.data, strlen(RESP1INFO)) != 0) {
@@ -1423,33 +1222,28 @@ static void resp_import(void)
strlen(RESP1INFO), RESP1INFO, (int) d.size,
(int) d.size, d.data);
@@ -1423,34 +1228,28 @@ static void resp_import(void)
strlen(RESP1INFO), RESP1INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp response print failed\n");
- exit(1);
}
@ -1091,12 +1058,11 @@ index ff50d974f..e42b10463 100644
ret = gnutls_ocsp_resp_import(resp, &resp2);
- if (ret != 0) {
- fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__, gnutls_strerror(ret));
+ if (ret != 0)
fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
- exit(1);
- }
+ if (ret != 0)
+ fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
+ gnutls_strerror(ret));
check_ocsp_resp(resp);
@ -1110,15 +1076,15 @@ index ff50d974f..e42b10463 100644
if (memcmp(RESP2INFO, d.data, strlen(RESP2INFO)) != 0) {
printf("expected (len %ld):\n%s\ngot (len %d):\n%.*s\n",
strlen(RESP2INFO), RESP2INFO, (int) d.size,
(int) d.size, d.data);
strlen(RESP2INFO), RESP2INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp response print failed\n");
- exit(1);
}
gnutls_free(d.data);
@@ -1460,31 +1254,25 @@ static void resp_import(void)
/* import ocsp response 3*/
@@ -1461,32 +1260,25 @@ static void resp_import(void)
/* import ocsp response 3 */
ret = gnutls_ocsp_resp_init(&resp);
- if (ret != 0) {
@ -1129,12 +1095,11 @@ index ff50d974f..e42b10463 100644
ret = gnutls_ocsp_resp_import(resp, &resp3);
- if (ret != 0) {
- fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__, gnutls_strerror(ret));
+ if (ret != 0)
fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
- exit(1);
- }
+ if (ret != 0)
+ fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
+ gnutls_strerror(ret));
/* print response */
@ -1147,14 +1112,14 @@ index ff50d974f..e42b10463 100644
if (memcmp(RESP3INFO, d.data, strlen(RESP3INFO)) != 0) {
printf("expected (len %ld):\n%s\ngot (len %d):\n%.*s\n",
strlen(RESP3INFO), RESP3INFO, (int) d.size,
(int) d.size, d.data);
strlen(RESP3INFO), RESP3INFO, (int)d.size, (int)d.size,
d.data);
fail("ocsp response 3 print failed\n");
- exit(1);
}
gnutls_free(d.data);
@@ -1504,204 +1292,144 @@ static void resp_verify(void)
@@ -1506,204 +1298,144 @@ static void resp_verify(void)
/* init response */
ret = gnutls_ocsp_resp_init(&resp);
@ -1194,34 +1159,25 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(cert, &blog_cert_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(cert, &blog_cert_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(cert, &blog_cert_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (cert) %d\n", ret);
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(issuer, &blog_issuer_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(issuer, &blog_issuer_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(issuer, &blog_issuer_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (issuer) %d\n", ret);
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(signer, &blog_signer_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(signer, &blog_signer_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(signer, &blog_signer_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (signer) %d\n", ret);
- exit(1);
@ -1244,10 +1200,9 @@ index ff50d974f..e42b10463 100644
/* check direct verify with cert (should fail) */
- ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify,
GNUTLS_VERIFY_ALLOW_BROKEN);
- if (ret < 0) {
+ ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify,
+ GNUTLS_VERIFY_ALLOW_BROKEN);
+ if (ret < 0)
fail("gnutls_ocsp_resp_verify_direct (cert) %d\n", ret);
- exit(1);
@ -1275,10 +1230,9 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
ret = gnutls_ocsp_resp_verify(resp, list, &verify,
GNUTLS_VERIFY_ALLOW_BROKEN);
- if (ret < 0) {
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify,
+ GNUTLS_VERIFY_ALLOW_BROKEN);
+ if (ret < 0)
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
- exit(1);
@ -1339,10 +1293,9 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
ret = gnutls_ocsp_resp_verify(resp, list, &verify,
GNUTLS_VERIFY_ALLOW_BROKEN);
- if (ret < 0) {
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify,
+ GNUTLS_VERIFY_ALLOW_BROKEN);
+ if (ret < 0)
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
- exit(1);
@ -1401,7 +1354,7 @@ index ff50d974f..e42b10463 100644
gnutls_x509_trust_list_deinit(list, 0);
@@ -1773,45 +1501,33 @@ static void long_resp_check(void)
@@ -1775,45 +1507,33 @@ static void long_resp_check(void)
/* init response */
ret = gnutls_ocsp_resp_init(&resp);
@ -1415,12 +1368,11 @@ index ff50d974f..e42b10463 100644
ret = gnutls_ocsp_resp_import(resp, &long_resp);
- if (ret != 0) {
- fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__, gnutls_strerror(ret));
+ if (ret != 0)
fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
- exit(1);
- }
+ if (ret != 0)
+ fail("gnutls_ocsp_resp_import[%d]: %s\n", __LINE__,
+ gnutls_strerror(ret));
ret = gnutls_x509_crt_init(&signer);
- if (ret < 0) {
@ -1429,12 +1381,9 @@ index ff50d974f..e42b10463 100644
- exit(1);
- }
- ret =
- gnutls_x509_crt_import(signer, &long_resp_signer_data,
- GNUTLS_X509_FMT_PEM);
ret = gnutls_x509_crt_import(signer, &long_resp_signer_data,
GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
+ ret = gnutls_x509_crt_import(signer, &long_resp_signer_data,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
fail("gnutls_x509_crt_import (cert) %d\n", ret);
- exit(1);
@ -1457,7 +1406,7 @@ index ff50d974f..e42b10463 100644
gnutls_x509_crt_deinit(signer);
gnutls_ocsp_resp_deinit(resp);
@@ -1822,10 +1538,8 @@ void doit(void)
@@ -1824,10 +1544,8 @@ void doit(void)
int ret;
ret = global_init();


@ -0,0 +1,25 @@
From 9f0350271b12cb61d93e25af43ba6e6eedfcc304 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 25 Mar 2026 19:43:33 +0100
Subject: [PATCH] pkcs11/p11_cipher: make AES keys ephemeral objects
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
lib/pkcs11/p11_cipher.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/pkcs11/p11_cipher.c b/lib/pkcs11/p11_cipher.c
index 8837aa803..5e64364cb 100644
--- a/lib/pkcs11/p11_cipher.c
+++ b/lib/pkcs11/p11_cipher.c
@@ -183,7 +183,6 @@ static int aes_set_key(struct p11_cipher_ctx *ctx, const void *key,
CK_ATTRIBUTE attrs[] = { { CKA_CLASS, &attr_class, sizeof(attr_class) },
{ CKA_KEY_TYPE, &attr_key_type,
sizeof(attr_key_type) },
- { CKA_TOKEN, &attr_true, sizeof(attr_true) },
{ CKA_ENCRYPT, &attr_true, sizeof(attr_true) },
{ CKA_DECRYPT, &attr_true, sizeof(attr_true) },
{ CKA_LABEL, label, sizeof(label) - 1 },
--
2.53.0
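Review bot: The commit body is empty, so the consequence of dropping CKA_TOKEN from the AES key template is undocumented: without CKA_TOKEN the key presumably becomes a session object that the module discards when the session closes, whereas a CKA_TOKEN=true object is persisted on the token by every cipher setup. Add a sentence to that effect, and state whether objects already persisted by earlier builds need a cleanup step, since this change does not remove them. aes_set_key() starts and ends outside the hunk.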


@ -1,4 +1,4 @@
From 4e8d3ba9160dfd3155c2fab12e9d5ab973013c2d Mon Sep 17 00:00:00 2001
From 3d45a63b16f64ac53abe9f1a02135e8daf1020f8 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 7 Apr 2026 10:16:03 +0200
Subject: [PATCH] session_pack: validate session_id_size on unpacking
@ -12,24 +12,24 @@ Reported-by: Haruto Kimura (Stella)
Fixes: #1817
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/session_pack.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
lib/session_pack.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/session_pack.c b/lib/session_pack.c
index a6d11c4cf..823824e4c 100644
index bd1ce3361..6c1d98270 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -1006,6 +1006,10 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
&session->internals.resumed_security_parameters.
session_id_size, 1);
@@ -973,6 +973,10 @@ static int unpack_security_parameters(gnutls_session_t session,
&session->internals.resumed_security_parameters.session_id_size,
1);
+ if (session->internals.resumed_security_parameters.session_id_size >
+ GNUTLS_MAX_SESSION_ID_SIZE)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
BUFFER_POP(ps,
session->internals.resumed_security_parameters.
session_id,
BUFFER_POP(
ps, session->internals.resumed_security_parameters.session_id,
session->internals.resumed_security_parameters.session_id_size);
--
2.53.0
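Review bot: The added bound check guards only session_id; if unpack_security_parameters(), which starts and ends outside the hunk, pops other fixed-size arrays with a length read from the same buffer, they need the same upper-bound test, and a sentence in the patch body saying they were audited would spare the next reviewer repeating that audit. The rejection uses GNUTLS_E_INVALID_REQUEST for serialised state that is now malformed; if the rest of the function reports corrupt input with a parsing error code, matching it keeps callers' error handling uniform.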


@ -20,10 +20,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/x509/privkey_openssl.c b/lib/x509/privkey_openssl.c
index 9fc70e032..b81671e7f 100644
index eb8db9353..50eb6c040 100644
--- a/lib/x509/privkey_openssl.c
+++ b/lib/x509/privkey_openssl.c
@@ -174,7 +174,8 @@ gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
@@ -173,7 +173,8 @@ int gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
for (i = 0; i < sizeof(pem_ciphers) / sizeof(pem_ciphers[0]); i++) {
l = strlen(pem_ciphers[i].name);
@ -33,15 +33,15 @@ index 9fc70e032..b81671e7f 100644
pem_header[l] == ',') {
pem_header += l + 1;
cipher = pem_ciphers[i].cipher;
@@ -225,6 +226,8 @@ gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
@@ -217,6 +218,8 @@ int gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
while (*pem_header == '\n' || *pem_header == '\r')
pem_header++;
+ pem_header_size =
+ data->size - (ptrdiff_t)(pem_header - pem_header_start);
ret =
_gnutls_base64_decode((const void *) pem_header,
pem_header_size, &b64_data);
ret = _gnutls_base64_decode((const void *)pem_header, pem_header_size,
&b64_data);
if (ret < 0) {
--
2.53.0
@ -58,12 +58,12 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 37 insertions(+)
diff --git a/tests/key-openssl.c b/tests/key-openssl.c
index d2c8a724b..0e1e74804 100644
index 4a270312d..b769f142b 100644
--- a/tests/key-openssl.c
+++ b/tests/key-openssl.c
@@ -95,6 +95,21 @@ const char key2[] =
"F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY=\n"
"-----END RSA PRIVATE KEY-----\n";
@@ -108,6 +108,21 @@ const char key_lowercase_iv[] =
"57ohSPIR3bXgRZuefjxBhQYthUPcZ+qktrbURcvHNLs=\n"
"-----END RSA PRIVATE KEY-----\n";
+const char key_newlines_head[] = /* key2... */
+ "-----BEGIN RSA PRIVATE KEY-----\n"
@ -80,10 +80,10 @@ index d2c8a724b..0e1e74804 100644
+ "F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY=\n";
+/* "-----END RSA PRIVATE KEY-----\n"; intentionally omitted */
+
void doit(void)
{
gnutls_x509_privkey_t pkey;
@@ -167,5 +182,27 @@ void doit(void)
static int good_pwd_cb(void *userdata, int attempt, const char *token_url,
const char *token_label, unsigned int flags, char *pin,
size_t pin_max)
@@ -281,5 +296,27 @@ void doit(void)
}
gnutls_x509_privkey_deinit(pkey);
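Review bot: The new `pem_header_size = data->size - (ptrdiff_t)(pem_header - pem_header_start);` has no guard against pem_header having already advanced past the end of data: the `while (*pem_header == '\n' || *pem_header == '\r') pem_header++;` immediately above it is bounded only by whatever byte terminates the buffer, so on a non-NUL-terminated input the subtraction wraps in size_t and the decoder is handed an oversized length. A check before the assignment, `if ((size_t)(pem_header - pem_header_start) > data->size) return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);` (error code and cleanup to match the function's existing failure paths), makes the recovery explicit. gnutls_x509_privkey_import_openssl begins outside this hunk, so whether an earlier check already bounds the scan cannot be confirmed here; the new key_newlines_head test only covers the NUL-terminated string case.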


@ -13,29 +13,27 @@ Reported-by: Kamil Frankowicz <kamil.frankowicz@cert.pl>
Related: #1818
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/nettle/pk.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
lib/nettle/pk.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index b19fe3804..9d1c97b86 100644
index 4047df377..e8b36f5fa 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -2911,9 +2911,12 @@ wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
goto rsa_cleanup;
}
@@ -4434,8 +4434,11 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
goto rsa_cleanup;
}
- mpz_invert(TOMPZ(t1),
- TOMPZ(params->params[RSA_PRIME2]),
- TOMPZ(params->params[RSA_PRIME1]));
+ if (!mpz_invert(TOMPZ(t1),
+ TOMPZ(params->params[RSA_PRIME2]),
+ TOMPZ(params->params[RSA_PRIME1]))) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
+ goto rsa_cleanup;
+ }
if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF])
!= 0) {
ret =
- mpz_invert(TOMPZ(t1), TOMPZ(params->params[RSA_PRIME2]),
- TOMPZ(params->params[RSA_PRIME1]));
+ if (!mpz_invert(TOMPZ(t1), TOMPZ(params->params[RSA_PRIME2]),
+ TOMPZ(params->params[RSA_PRIME1]))) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
+ goto rsa_cleanup;
+ }
if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0) {
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
--
2.53.0
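Review bot: The new `if (!mpz_invert(...))` branch returns GNUTLS_E_PK_INVALID_PRIVKEY, while the `_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0` check right after it rejects the same class of inconsistent CRT parameters with GNUTLS_E_ILLEGAL_PARAMETER, so callers now get two different error codes for one kind of malformed key. Either use the same code in both places, e.g. `ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);`, or add a comment explaining why a non-invertible q mod p is reported differently from a wrong coefficient. wrap_nettle_pk_verify_priv_params starts outside this hunk, so the error codes used by its other RSA checks cannot be compared here.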


@ -16,15 +16,15 @@ Fixes: #1819
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/pkcs11.c | 1 +
lib/x509/verify-high2.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
lib/x509/verify-high2.c | 6 ++----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index d8d4a6511..6a4915f3f 100644
index 1fe4ee61c..a93a8f3f3 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3661,6 +3661,7 @@ gnutls_x509_crt_list_import_pkcs11(gnutls_x509_crt_t * certs,
cleanup:
@@ -3869,6 +3869,7 @@ int gnutls_x509_crt_list_import_pkcs11(gnutls_x509_crt_t *certs,
cleanup:
for (j = 0; j < i; j++) {
gnutls_x509_crt_deinit(certs[j]);
+ certs[j] = NULL;
@ -32,23 +32,25 @@ index d8d4a6511..6a4915f3f 100644
return ret;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 9820595e9..9f30a219d 100644
index dc975baeb..3beb703ba 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -216,7 +216,7 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
@@ -207,8 +207,7 @@ static int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list,
goto cleanup;
}
- xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
- xcrt_list = _gnutls_reallocarray(NULL, pcrt_list_size,
- sizeof(gnutls_x509_crt_t));
+ xcrt_list = gnutls_calloc(pcrt_list_size, sizeof(gnutls_x509_crt_t));
if (xcrt_list == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
@@ -264,7 +264,7 @@ int remove_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *url)
@@ -254,8 +253,7 @@ static int remove_pkcs11_object_url(gnutls_x509_trust_list_t list,
goto cleanup;
}
- xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
- xcrt_list = _gnutls_reallocarray(NULL, pcrt_list_size,
- sizeof(gnutls_x509_crt_t));
+ xcrt_list = gnutls_calloc(pcrt_list_size, sizeof(gnutls_x509_crt_t));
if (xcrt_list == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
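Review bot: The replacement of `_gnutls_reallocarray(NULL, ...)` with `gnutls_calloc(pcrt_list_size, sizeof(gnutls_x509_crt_t))` in add_trust_list_pkcs11_object_url and remove_pkcs11_object_url carries no comment, and the reason is not visible on the line: presumably the cleanup path deinits every slot of xcrt_list even when the import failed part-way, which is also what the companion `certs[j] = NULL;` in lib/pkcs11.c is arranging. A one-line comment above each allocation, `/* zero-filled: cleanup deinits every slot, including ones never populated */`, would stop a future rebase from reverting it to a plain allocation. Both functions' cleanup labels are outside the hunk, so the assumption that they walk the whole array should be confirmed.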


@ -0,0 +1,61 @@
From fdef6b6f493c303bdeb2513e1626ffef896a98f2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 13 Apr 2026 13:42:52 +0200
Subject: [PATCH] lib/pkcs11: do not silently pass on unimplemented
functionality
When the relevant PKCS#11 header macros were not defined,
several functions for FIPS PKCS#11 provider wrongfully reported success.
They have been modified to return GNUTLS_E_UNIMPLEMENTED_FEATURE instead.
Fixes: #1820
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/pkcs11/p11_mac.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/pkcs11/p11_mac.c b/lib/pkcs11/p11_mac.c
index c2e3bcd61..02e897e68 100644
--- a/lib/pkcs11/p11_mac.c
+++ b/lib/pkcs11/p11_mac.c
@@ -806,8 +806,10 @@ static int wrap_p11_hkdf_extract(gnutls_mac_algorithm_t _mac, const void *key,
}
_p11_provider_close_session(session);
-#endif
return 0;
+#else
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+#endif
}
static int wrap_p11_hkdf_expand(gnutls_mac_algorithm_t _mac, const void *key,
@@ -871,8 +873,10 @@ static int wrap_p11_hkdf_expand(gnutls_mac_algorithm_t _mac, const void *key,
}
_p11_provider_close_session(session);
-#endif
return 0;
+#else
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+#endif
}
static int wrap_p11_pbkdf2(gnutls_mac_algorithm_t _mac, const void *key,
@@ -952,8 +956,10 @@ static int wrap_p11_pbkdf2(gnutls_mac_algorithm_t _mac, const void *key,
}
_p11_provider_close_session(session);
-#endif
return 0;
+#else
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+#endif
}
gnutls_crypto_mac_st _gnutls_p11_mac_ops = {
--
2.53.0
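Review bot: Each new `#else` / `return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);` arm is far from the `#ifdef` that opens it, and that condition lies outside every hunk, so a reader of the new code cannot tell which PKCS#11 header macros have to be missing for this arm to be compiled; the commit message only says "relevant PKCS#11 header macros". A short comment on each `#else` naming the guarding macros would document the degraded build. It is also worth confirming that the parameters and locals declared above the `#ifdef` in wrap_p11_hkdf_extract, wrap_p11_hkdf_expand and wrap_p11_pbkdf2 do not now produce unused-variable warnings in that configuration, since those declarations are not visible here.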


@ -0,0 +1,59 @@
From 2a03da0d3d901dd4b5c87876f1903322114f8f74 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 13 Apr 2026 18:42:56 +0200
Subject: [PATCH] lib/x509/x509_ext: avoid a heap overread in SCT extension
parser
Parsing a specially crafted SCT extension could previously lead to
a short heap overread.
The list-length validation didn't account for the 2-byte length field.
The fix now accounts for the header field length,
ensuring the parsing stays within the buffer.
Fixes: #1822
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/x509/x509_ext.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index 33a4c913e..f5cabe3b6 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -3758,13 +3758,13 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
if (retval < 0)
return gnutls_assert_val(retval);
- if (scts_content.size < 2) {
+ if (scts_content.size < sizeof(uint16_t)) {
gnutls_free(scts_content.data);
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
length = _gnutls_read_uint16(scts_content.data);
- if (length < 4 || length > scts_content.size) {
+ if (length < 4 || length > scts_content.size - sizeof(uint16_t)) {
gnutls_free(scts_content.data);
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
@@ -3775,12 +3775,12 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
break;
sct_length = _gnutls_read_uint16(ptr);
- if (sct_length == 0 || sct_length > length)
- break;
-
ptr += sizeof(uint16_t);
length -= sizeof(uint16_t);
+ if (sct_length == 0 || sct_length > length)
+ break;
+
/*
* _gnutls_parse_ct_sct() will try to read exactly sct_length bytes,
* returning an error if it can't
--
2.53.0
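Review bot: The new upper bound `length > scts_content.size - sizeof(uint16_t)` still accepts a list length shorter than the remaining content, silently ignoring trailing bytes after the SCT list; since that 2-byte length is meant to span the whole remaining OCTET STRING, the stricter `if (length < 4 || length != scts_content.size - sizeof(uint16_t))` would reject malformed extensions rather than tolerate them, provided no caller relies on the lenient behaviour. The subtraction itself is safe because of the `scts_content.size < sizeof(uint16_t)` check two lines earlier. The loop condition preceding the visible `break;` is outside the hunk, so it cannot be verified here that `length >= sizeof(uint16_t)` holds before the relocated `length -= sizeof(uint16_t)`.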


@ -0,0 +1,62 @@
From 055b2c742d6faf44c2fdaaa7e37c744a01856abc Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 14 Apr 2026 18:21:19 +0200
Subject: [PATCH 1/2] src/cfg: fix iterating in clear_options, on the error
path
Calling testing tools bundled with GnuTLS with malformed arguments
could lead to crashing them.
This change makes the error path of option parsing more robust.
Fixes: #1823
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
src/cfg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cfg.c b/src/cfg.c
index 9a9627f18..47d2d6434 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -370,7 +370,7 @@ static int take_option(struct options_st *options, struct cfg_option_st *option)
static void clear_options(struct options_st *options)
{
- for (size_t i = 0; options->length; i++) {
+ for (size_t i = 0; i < options->length; i++) {
clear_option(&options->data[i]);
}
}
--
2.53.0
From 9649e899b677fdd945bf8f4f67b3f9f25cea314a Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 14 Apr 2026 18:25:13 +0200
Subject: [PATCH 2/2] src/cfg: avoid a data leak in clear_options, on the error
path
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
src/cfg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cfg.c b/src/cfg.c
index 47d2d6434..c1f351dfb 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -373,6 +373,8 @@ static void clear_options(struct options_st *options)
for (size_t i = 0; i < options->length; i++) {
clear_option(&options->data[i]);
}
+ free(options->data);
+ memset(options, 0, sizeof(struct options_st));
}
cfg_option_t cfg_load(const char *filename)
--
2.53.0
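Review bot: `free(options->data);` in the second patch pairs with an allocation that is outside both hunks (take_option appears only in the hunk header), so it cannot be confirmed here that options->data comes from the plain C allocator; if src/cfg.c allocates it with a gnutls_* helper, the matching deallocator should be used instead. The following `memset(options, 0, sizeof(struct options_st));` makes a second call safe, which is good, but a comment such as `/* reset so a repeated clear_options() is a no-op */` would state that intent. The first patch's `i < options->length` correction is right as written.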


@ -0,0 +1,80 @@
From dcdce673516f4c578f37ae1c503f369d385ceb18 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 15 Apr 2026 21:21:46 +0900
Subject: [PATCH] key_share: zeroize derived shared secret after compositing
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/ext/key_share.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 84cb031ae..85c1e46ec 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -462,7 +462,7 @@ static int server_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -506,7 +506,7 @@ static int server_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -603,7 +603,7 @@ static int server_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -700,7 +700,7 @@ static int client_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -739,7 +739,7 @@ static int client_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -776,7 +776,7 @@ static int client_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -797,7 +797,7 @@ static int client_use_key_share_single(gnutls_session_t session,
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
ret = append_key_datum(&session->key.key, &key);
- _gnutls_free_datum(&key);
+ _gnutls_free_key_datum(&key);
if (ret < 0)
return gnutls_assert_val(ret);
--
2.53.0
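Review bot: Switching the temporary to `_gnutls_free_key_datum(&key);` zeroizes only the per-group share; the composited value it was appended to, session->key.key, must also be released with the zeroizing variant wherever the session tears it down, and that path is outside this patch, so it should be confirmed rather than assumed. The error returns that precede each `append_key_datum` call, e.g. `return gnutls_assert_val(ret);` at the top of each hunk, do not free `key` in the visible lines; whether it is already populated at that point cannot be seen here. server_use_key_share_single and client_use_key_share_single both start outside the hunks.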


@ -0,0 +1,666 @@
From f23de850c8f37bd498bbdb1adc491ee05614ca11 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 6 Feb 2026 15:43:54 +0100
Subject: [PATCH 1/2] tests/pkcs11/pkcs11-mock4: add, modified for 3.8.10
---
tests/Makefile.am | 6 ++
tests/pkcs11/pkcs11-mock4.c | 125 ++++++++++++++++++++++++++++++++++++
2 files changed, 131 insertions(+)
create mode 100644 tests/pkcs11/pkcs11-mock4.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9e5c7de84..62c4ec2f9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -358,6 +358,11 @@ libpkcs11mock3_la_SOURCES = pkcs11/pkcs11-mock3.c
libpkcs11mock3_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
libpkcs11mock3_la_LIBADD = ../gl/libgnu.la
+noinst_LTLIBRARIES += libpkcs11mock4.la
+libpkcs11mock4_la_SOURCES = pkcs11/pkcs11-mock4.c
+libpkcs11mock4_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
+libpkcs11mock4_la_LIBADD = ../gl/libgnu.la
+
pkcs11_cert_import_url_exts_SOURCES = pkcs11/pkcs11-cert-import-url-exts.c
pkcs11_cert_import_url_exts_DEPENDENCIES = libpkcs11mock1.la libutils.la
@@ -655,6 +660,7 @@ TESTS_ENVIRONMENT += \
P11MOCKLIB1=$(abs_builddir)/.libs/libpkcs11mock1.so \
P11MOCKLIB2=$(abs_builddir)/.libs/libpkcs11mock2.so \
P11MOCKLIB3=$(abs_builddir)/.libs/libpkcs11mock3.so \
+ P11MOCKLIB4=$(abs_builddir)/.libs/libpkcs11mock4.so \
PKCS12_MANY_CERTS_FILE=$(srcdir)/cert-tests/data/pkcs12_5certs.p12 \
PKCS12FILE=$(srcdir)/cert-tests/data/client.p12 \
PKCS12PASSWORD=foobar \
diff --git a/tests/pkcs11/pkcs11-mock4.c b/tests/pkcs11/pkcs11-mock4.c
new file mode 100644
index 000000000..a6dd21cdd
--- /dev/null
+++ b/tests/pkcs11/pkcs11-mock4.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2025 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <dlfcn.h>
+#include <p11-kit/pkcs11.h>
+#include <p11-kit/pkcs11x.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <assert.h>
+
+#include "softhsm.h"
+
+/* This provides a mock PKCS #11 module that delegates all the
+ * operations to SoftHSM except that it returns CKR_CANT_LOCK upon
+ * C_Initialize if CKF_OS_LOCKING_OK is set.
+ */
+
+static void *dl;
+static CK_C_Initialize base_C_Initialize;
+static CK_FUNCTION_LIST override_funcs;
+
+#ifdef __sun
+#pragma fini(mock_deinit)
+#pragma init(mock_init)
+#define _CONSTRUCTOR
+#define _DESTRUCTOR
+#else
+#define _CONSTRUCTOR __attribute__((constructor))
+#define _DESTRUCTOR __attribute__((destructor))
+#endif
+
+#define LOCK_FLAGS (CKF_LIBRARY_CANT_CREATE_OS_THREADS | CKF_OS_LOCKING_OK)
+
+static CK_RV override_C_Initialize(void *args)
+{
+ CK_C_INITIALIZE_ARGS *init_args = args;
+ static bool first = true;
+
+ // we don't have threadsafe initialization/fallback in 3.8.10...
+ /*
+ if (first) {
+ assert(init_args &&
+ (init_args->flags & LOCK_FLAGS) == LOCK_FLAGS);
+ first = false;
+ return CKR_CANT_LOCK;
+ } else {
+ assert(!init_args ||
+ (init_args->flags & LOCK_FLAGS) != LOCK_FLAGS);
+ }
+ */
+ // ... so we expect 3.8.10 behaviour
+ assert(first);
+ assert(init_args);
+ assert(!(init_args->flags & LOCK_FLAGS) != LOCK_FLAGS);
+ first = false;
+
+ return base_C_Initialize(args);
+}
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST **function_list)
+{
+ CK_C_GetFunctionList func;
+ CK_FUNCTION_LIST *funcs;
+
+ assert(dl);
+
+ func = dlsym(dl, "C_GetFunctionList");
+ if (func == NULL) {
+ return CKR_GENERAL_ERROR;
+ }
+
+ func(&funcs);
+
+ base_C_Initialize = funcs->C_Initialize;
+
+ memcpy(&override_funcs, funcs, sizeof(CK_FUNCTION_LIST));
+ override_funcs.C_Initialize = override_C_Initialize;
+ *function_list = &override_funcs;
+
+ return CKR_OK;
+}
+
+static _CONSTRUCTOR void mock_init(void)
+{
+ const char *lib;
+
+ /* suppress compiler warning */
+ (void)set_softhsm_conf;
+
+ lib = softhsm_lib();
+
+ dl = dlopen(lib, RTLD_NOW);
+ if (dl == NULL)
+ exit(77);
+}
+
+static _DESTRUCTOR void mock_deinit(void)
+{
+ dlclose(dl);
+}
--
2.52.0
From 87fc01fb853911e412e0fe238b069a68376ad8de Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 18 Nov 2025 13:17:55 +0900
Subject: [PATCH 2/2] pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/pkcs11_write.c | 5 +-
tests/Makefile.am | 4 +-
tests/Makefile.in | 86 +++++++++++++++++++++++++++++++-------
tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
4 files changed, 237 insertions(+), 22 deletions(-)
create mode 100644 tests/pkcs11/long-label.c
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index f5e9058e0..64b85a2df 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -28,6 +28,7 @@
#include "pkcs11x.h"
#include "x509/common.h"
#include "pk.h"
+#include "minmax.h"
static const ck_bool_t tval = 1;
static const ck_bool_t fval = 0;
@@ -1172,7 +1173,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
* gnutls_pkcs11_token_init:
* @token_url: A PKCS #11 URL specifying a token
* @so_pin: Security Officer's PIN
- * @label: A name to be used for the token
+ * @label: A name to be used for the token, at most 32 characters
*
* This function will initialize (format) a token. If the token is
* at a factory defaults state the security officer's PIN given will be
@@ -1210,7 +1211,7 @@ int gnutls_pkcs11_token_init(const char *token_url, const char *so_pin,
/* so it seems memset has other uses than zeroing! */
memset(flabel, ' ', sizeof(flabel));
if (label != NULL)
- memcpy(flabel, label, strlen(label));
+ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
(uint8_t *)flabel);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 62c4ec2f9..0e4d04342 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -508,13 +508,15 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
if ENABLE_PKCS11
if !WINDOWS
ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
- global-init-override pkcs11/distrust-after
+ global-init-override pkcs11/distrust-after pkcs11/long-label
tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
pkcs11_tls_neg_pkcs11_no_key_LDADD = $(LDADD) $(LIBDL)
pkcs11_distrust_after_DEPENDENCIES = libpkcs11mock3.la libutils.la
pkcs11_distrust_after_LDADD = $(LDADD) $(LIBDL)
+pkcs11_long_label_DEPENDENCIES = libpkcs11mock4.la libutils.la
+pkcs11_long_label_LDADD = $(LDADD) $(LIBDL)
endif
endif
diff --git a/tests/Makefile.in b/tests/Makefile.in
index 86c271f..334d9fb 100644
--- a/tests/Makefile.in
+++ b/tests/Makefile.in
@@ -124,7 +124,8 @@ host_triplet = @host@
@CROSS_COMPILING_FALSE@am__append_9 = tls-pthread fips-mode-pthread dtls-pthread rng-pthread
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am__append_10 = libpkcs11mock1.la \
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ libpkcs11mock2.la \
-@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ libpkcs11mock3.la
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ libpkcs11mock3.la \
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ libpkcs11mock4.la
@ENABLE_PKCS11_FALSE@pkcs11_cert_import_url_exts_DEPENDENCIES = \
@ENABLE_PKCS11_FALSE@ $(COMMON_GNUTLS_LDADD) libutils.la \
@ENABLE_PKCS11_FALSE@ $(am__DEPENDENCIES_2)
@@ -171,7 +172,7 @@ host_triplet = @host@
@HAVE_FORK_TRUE@ resume-with-record-size-limit
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am__append_17 = tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
-@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ global-init-override pkcs11/distrust-after
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ global-init-override pkcs11/distrust-after pkcs11/long-label
@ENABLE_TPM2_TRUE@am__append_18 = tpm2.sh
@@ -519,7 +520,8 @@ am__EXEEXT_2 = $(am__EXEEXT_1)
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am__EXEEXT_14 = tls13/post-handshake-with-cert-pkcs11$(EXEEXT) \
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ pkcs11/tls-neg-pkcs11-no-key$(EXEEXT) \
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ global-init-override$(EXEEXT) \
-@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ pkcs11/distrust-after$(EXEEXT)
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ pkcs11/distrust-after$(EXEEXT) \
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ pkcs11/long-label$(EXEEXT)
@WINDOWS_TRUE@am__EXEEXT_15 = win32-certopenstore$(EXEEXT)
am__EXEEXT_16 = tls13/supported_versions$(EXEEXT) \
tls13/tls12-no-tls13-exts$(EXEEXT) \
@@ -789,6 +791,17 @@ libpkcs11mock3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(AM_CFLAGS) $(CFLAGS) $(libpkcs11mock3_la_LDFLAGS) $(LDFLAGS) \
-o $@
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am_libpkcs11mock3_la_rpath =
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock4_la_DEPENDENCIES = \
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ ../gl/libgnu.la
+am__libpkcs11mock4_la_SOURCES_DIST = pkcs11/pkcs11-mock4.c
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am_libpkcs11mock4_la_OBJECTS = \
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@ pkcs11/pkcs11-mock4.lo
+libpkcs11mock4_la_OBJECTS = $(am_libpkcs11mock4_la_OBJECTS)
+libpkcs11mock4_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libpkcs11mock4_la_LDFLAGS) $(LDFLAGS) \
+ -o $@
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@am_libpkcs11mock4_la_rpath =
libutils_la_DEPENDENCIES = ../lib/libgnutls.la
am_libutils_la_OBJECTS = utils.lo seccomp.lo utils-adv.lo
libutils_la_OBJECTS = $(am_libutils_la_OBJECTS)
@@ -1793,6 +1806,8 @@ pkcs11_list_tokens_OBJECTS = pkcs11/list-tokens.$(OBJEXT)
pkcs11_list_tokens_LDADD = $(LDADD)
pkcs11_list_tokens_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
$(am__DEPENDENCIES_2)
+pkcs11_long_label_SOURCES = pkcs11/long-label.c
+pkcs11_long_label_OBJECTS = pkcs11/long-label.$(OBJEXT)
pkcs11_pkcs11_chainverify_SOURCES = pkcs11/pkcs11-chainverify.c
pkcs11_pkcs11_chainverify_OBJECTS = \
pkcs11/pkcs11-chainverify.$(OBJEXT)
@@ -3602,7 +3617,7 @@ am__depfiles_remade = ./$(DEPDIR)/aead-cipher-vec.Po \
pkcs11/$(DEPDIR)/gnutls_x509_crt_list_import_url.Po \
pkcs11/$(DEPDIR)/import_url_privkey_caps-pkcs11-import-url-privkey.Po \
pkcs11/$(DEPDIR)/list-objects.Po \
- pkcs11/$(DEPDIR)/list-tokens.Po \
+ pkcs11/$(DEPDIR)/list-tokens.Po pkcs11/$(DEPDIR)/long-label.Po \
pkcs11/$(DEPDIR)/pkcs11-cert-import-url-exts.Po \
pkcs11/$(DEPDIR)/pkcs11-cert-import-url4-exts.Po \
pkcs11/$(DEPDIR)/pkcs11-chainverify.Po \
@@ -3619,6 +3634,7 @@ am__depfiles_remade = ./$(DEPDIR)/aead-cipher-vec.Po \
pkcs11/$(DEPDIR)/pkcs11-mock.Plo \
pkcs11/$(DEPDIR)/pkcs11-mock2.Plo \
pkcs11/$(DEPDIR)/pkcs11-mock3.Plo \
+ pkcs11/$(DEPDIR)/pkcs11-mock4.Plo \
pkcs11/$(DEPDIR)/pkcs11-obj-import.Po \
pkcs11/$(DEPDIR)/pkcs11-obj-raw.Po \
pkcs11/$(DEPDIR)/pkcs11-pin-func.Po \
@@ -3712,16 +3728,17 @@ am__v_CXXLD_ = $(am__v_CXXLD_@AM_DEFAULT_V@)
am__v_CXXLD_0 = @echo " CXXLD " $@;
am__v_CXXLD_1 =
SOURCES = $(libpkcs11mock1_la_SOURCES) $(libpkcs11mock2_la_SOURCES) \
- $(libpkcs11mock3_la_SOURCES) $(libutils_la_SOURCES) \
- aead-cipher-vec.c alerts.c alpn-server-prec.c anonself.c \
- atfork.c auto-verify.c base64.c base64-raw.c buffer.c cert.c \
- cert-status.c cert_verify_inv_utf8.c \
- certificate_set_x509_crl.c certuniqueid.c chainverify.c \
- chainverify-unsorted.c cipher-alignment.c cipher-padding.c \
- ciphersuite-name.c client-fastopen.c client-sign-md5-rep.c \
- client_dsa_key.c $(compress_cert_conf_SOURCES) conv-utf8.c \
- crl-basic.c crl_apis.c crlverify.c crq-basic.c crq_apis.c \
- crq_key_id.c crt_apis.c crt_inv_write.c custom-urls.c \
+ $(libpkcs11mock3_la_SOURCES) $(libpkcs11mock4_la_SOURCES) \
+ $(libutils_la_SOURCES) aead-cipher-vec.c alerts.c \
+ alpn-server-prec.c anonself.c atfork.c auto-verify.c base64.c \
+ base64-raw.c buffer.c cert.c cert-status.c \
+ cert_verify_inv_utf8.c certificate_set_x509_crl.c \
+ certuniqueid.c chainverify.c chainverify-unsorted.c \
+ cipher-alignment.c cipher-padding.c ciphersuite-name.c \
+ client-fastopen.c client-sign-md5-rep.c client_dsa_key.c \
+ $(compress_cert_conf_SOURCES) conv-utf8.c crl-basic.c \
+ crl_apis.c crlverify.c crq-basic.c crq_apis.c crq_key_id.c \
+ crt_apis.c crt_inv_write.c custom-urls.c \
custom-urls-override.c cve-2008-4989.c cve-2009-1415.c \
cve-2009-1416.c dane.c dane-strcodes.c dh-compute.c \
dh-compute2.c dh-params.c dhepskself.c dhex509self.c dn.c \
@@ -3791,8 +3808,9 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $(libpkcs11mock2_la_SOURCES) \
$(pkcs11_token_raw_SOURCES) pkcs11/distrust-after.c \
pkcs11/gnutls_pcert_list_import_x509_file.c \
pkcs11/gnutls_x509_crt_list_import_url.c pkcs11/list-objects.c \
- pkcs11/list-tokens.c pkcs11/pkcs11-chainverify.c \
- pkcs11/pkcs11-combo.c pkcs11/pkcs11-ec-privkey-test.c \
+ pkcs11/list-tokens.c pkcs11/long-label.c \
+ pkcs11/pkcs11-chainverify.c pkcs11/pkcs11-combo.c \
+ pkcs11/pkcs11-ec-privkey-test.c \
pkcs11/pkcs11-eddsa-privkey-test.c pkcs11/pkcs11-get-issuer.c \
pkcs11/pkcs11-import-with-pin.c pkcs11/pkcs11-is-known.c \
pkcs11/pkcs11-obj-import.c pkcs11/pkcs11-pin-func.c \
@@ -3911,7 +3929,8 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $(libpkcs11mock2_la_SOURCES) \
x509sign-verify-rsa.c xts-key-check.c
DIST_SOURCES = $(am__libpkcs11mock1_la_SOURCES_DIST) \
$(am__libpkcs11mock2_la_SOURCES_DIST) \
- $(am__libpkcs11mock3_la_SOURCES_DIST) $(libutils_la_SOURCES) \
+ $(am__libpkcs11mock3_la_SOURCES_DIST) \
+ $(am__libpkcs11mock4_la_SOURCES_DIST) $(libutils_la_SOURCES) \
aead-cipher-vec.c alerts.c alpn-server-prec.c anonself.c \
atfork.c auto-verify.c base64.c base64-raw.c buffer.c cert.c \
cert-status.c cert_verify_inv_utf8.c \
@@ -3992,8 +4011,9 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_SOURCES_DIST) \
$(am__pkcs11_token_raw_SOURCES_DIST) pkcs11/distrust-after.c \
pkcs11/gnutls_pcert_list_import_x509_file.c \
pkcs11/gnutls_x509_crt_list_import_url.c pkcs11/list-objects.c \
- pkcs11/list-tokens.c pkcs11/pkcs11-chainverify.c \
- pkcs11/pkcs11-combo.c pkcs11/pkcs11-ec-privkey-test.c \
+ pkcs11/list-tokens.c pkcs11/long-label.c \
+ pkcs11/pkcs11-chainverify.c pkcs11/pkcs11-combo.c \
+ pkcs11/pkcs11-ec-privkey-test.c \
pkcs11/pkcs11-eddsa-privkey-test.c pkcs11/pkcs11-get-issuer.c \
pkcs11/pkcs11-import-with-pin.c pkcs11/pkcs11-is-known.c \
pkcs11/pkcs11-obj-import.c pkcs11/pkcs11-pin-func.c \
@@ -6747,6 +6767,7 @@ TESTS_ENVIRONMENT = HOST_OS=$$(uname) $(am__append_31) CC="$(CC)" \
P11MOCKLIB1=$(abs_builddir)/.libs/libpkcs11mock1.so \
P11MOCKLIB2=$(abs_builddir)/.libs/libpkcs11mock2.so \
P11MOCKLIB3=$(abs_builddir)/.libs/libpkcs11mock3.so \
+ P11MOCKLIB4=$(abs_builddir)/.libs/libpkcs11mock4.so \
PKCS12_MANY_CERTS_FILE=$(srcdir)/cert-tests/data/pkcs12_5certs.p12 \
PKCS12FILE=$(srcdir)/cert-tests/data/client.p12 \
PKCS12PASSWORD=foobar \
@@ -7083,6 +7104,9 @@ ssl30_cert_key_exchange_SOURCES = common-cert-key-exchange.c ssl30-cert-key-exch
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock3_la_SOURCES = pkcs11/pkcs11-mock3.c
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock3_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock3_la_LIBADD = ../gl/libgnu.la
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock4_la_SOURCES = pkcs11/pkcs11-mock4.c
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock4_la_LDFLAGS = -shared -rpath $(pkglibdir) -module -no-undefined -avoid-version
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock4_la_LIBADD = ../gl/libgnu.la
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_cert_import_url_exts_SOURCES = pkcs11/pkcs11-cert-import-url-exts.c
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_cert_import_url_exts_DEPENDENCIES = libpkcs11mock1.la libutils.la
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_cert_import_url4_exts_SOURCES = pkcs11/pkcs11-cert-import-url4-exts.c
@@ -7173,6 +7197,8 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_tls_neg_pkcs11_no_key_LDADD = $(LDADD) $(LIBDL)
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_distrust_after_DEPENDENCIES = libpkcs11mock3.la libutils.la
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_distrust_after_LDADD = $(LDADD) $(LIBDL)
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_long_label_DEPENDENCIES = libpkcs11mock4.la libutils.la
+@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@pkcs11_long_label_LDADD = $(LDADD) $(LIBDL)
dist_check_SCRIPTS = rfc2253-escape-test.sh \
rsa-md5-collision/rsa-md5-collision.sh systemkey.sh \
$(am__append_18) $(am__append_20) $(am__append_21) \
@@ -7280,6 +7306,11 @@ pkcs11/pkcs11-mock3.lo: pkcs11/$(am__dirstamp) \
libpkcs11mock3.la: $(libpkcs11mock3_la_OBJECTS) $(libpkcs11mock3_la_DEPENDENCIES) $(EXTRA_libpkcs11mock3_la_DEPENDENCIES)
$(AM_V_CCLD)$(libpkcs11mock3_la_LINK) $(am_libpkcs11mock3_la_rpath) $(libpkcs11mock3_la_OBJECTS) $(libpkcs11mock3_la_LIBADD) $(LIBS)
+pkcs11/pkcs11-mock4.lo: pkcs11/$(am__dirstamp) \
+ pkcs11/$(DEPDIR)/$(am__dirstamp)
+
+libpkcs11mock4.la: $(libpkcs11mock4_la_OBJECTS) $(libpkcs11mock4_la_DEPENDENCIES) $(EXTRA_libpkcs11mock4_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libpkcs11mock4_la_LINK) $(am_libpkcs11mock4_la_rpath) $(libpkcs11mock4_la_OBJECTS) $(libpkcs11mock4_la_LIBADD) $(LIBS)
libutils.la: $(libutils_la_OBJECTS) $(libutils_la_DEPENDENCIES) $(EXTRA_libutils_la_DEPENDENCIES)
$(AM_V_CCLD)$(LINK) $(libutils_la_OBJECTS) $(libutils_la_LIBADD) $(LIBS)
@@ -8145,6 +8176,12 @@ pkcs11/list-tokens.$(OBJEXT): pkcs11/$(am__dirstamp) \
pkcs11/list-tokens$(EXEEXT): $(pkcs11_list_tokens_OBJECTS) $(pkcs11_list_tokens_DEPENDENCIES) $(EXTRA_pkcs11_list_tokens_DEPENDENCIES) pkcs11/$(am__dirstamp)
@rm -f pkcs11/list-tokens$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(pkcs11_list_tokens_OBJECTS) $(pkcs11_list_tokens_LDADD) $(LIBS)
+pkcs11/long-label.$(OBJEXT): pkcs11/$(am__dirstamp) \
+ pkcs11/$(DEPDIR)/$(am__dirstamp)
+
+pkcs11/long-label$(EXEEXT): $(pkcs11_long_label_OBJECTS) $(pkcs11_long_label_DEPENDENCIES) $(EXTRA_pkcs11_long_label_DEPENDENCIES) pkcs11/$(am__dirstamp)
+ @rm -f pkcs11/long-label$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(pkcs11_long_label_OBJECTS) $(pkcs11_long_label_LDADD) $(LIBS)
pkcs11/pkcs11-chainverify.$(OBJEXT): pkcs11/$(am__dirstamp) \
pkcs11/$(DEPDIR)/$(am__dirstamp)
@@ -9778,6 +9815,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/import_url_privkey_caps-pkcs11-import-url-privkey.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/list-objects.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/list-tokens.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/long-label.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-cert-import-url-exts.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-cert-import-url4-exts.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-chainverify.Po@am__quote@ # am--include-marker
@@ -9794,6 +9832,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-mock.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-mock2.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-mock3.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-mock4.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-obj-import.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-obj-raw.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@pkcs11/$(DEPDIR)/pkcs11-pin-func.Po@am__quote@ # am--include-marker
@@ -13673,6 +13712,13 @@ pkcs11/distrust-after.log: pkcs11/distrust-after$(EXEEXT)
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
+pkcs11/long-label.log: pkcs11/long-label$(EXEEXT)
+ @p='pkcs11/long-label$(EXEEXT)'; \
+ b='pkcs11/long-label'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
win32-certopenstore.log: win32-certopenstore$(EXEEXT)
@p='win32-certopenstore$(EXEEXT)'; \
b='win32-certopenstore'; \
@@ -14211,6 +14257,7 @@ distclean: distclean-recursive
-rm -f pkcs11/$(DEPDIR)/import_url_privkey_caps-pkcs11-import-url-privkey.Po
-rm -f pkcs11/$(DEPDIR)/list-objects.Po
-rm -f pkcs11/$(DEPDIR)/list-tokens.Po
+ -rm -f pkcs11/$(DEPDIR)/long-label.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-cert-import-url-exts.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-cert-import-url4-exts.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-chainverify.Po
@@ -14227,6 +14274,7 @@ distclean: distclean-recursive
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock2.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock3.Plo
+ -rm -f pkcs11/$(DEPDIR)/pkcs11-mock4.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-obj-import.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-obj-raw.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-pin-func.Po
@@ -14734,6 +14782,7 @@ maintainer-clean: maintainer-clean-recursive
-rm -f pkcs11/$(DEPDIR)/import_url_privkey_caps-pkcs11-import-url-privkey.Po
-rm -f pkcs11/$(DEPDIR)/list-objects.Po
-rm -f pkcs11/$(DEPDIR)/list-tokens.Po
+ -rm -f pkcs11/$(DEPDIR)/long-label.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-cert-import-url-exts.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-cert-import-url4-exts.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-chainverify.Po
@@ -14750,6 +14799,7 @@ maintainer-clean: maintainer-clean-recursive
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock2.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-mock3.Plo
+ -rm -f pkcs11/$(DEPDIR)/pkcs11-mock4.Plo
-rm -f pkcs11/$(DEPDIR)/pkcs11-obj-import.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-obj-raw.Po
-rm -f pkcs11/$(DEPDIR)/pkcs11-pin-func.Po
diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c
new file mode 100644
index 000000000..a70bc9728
--- /dev/null
+++ b/tests/pkcs11/long-label.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2025 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main(void)
+{
+ exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+
+#include "cert-common.h"
+#include "pkcs11/softhsm.h"
+#include "utils.h"
+
+/* This program tests that a token can be initialized with
+ * a label longer than 32 characters.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+#define PIN "1234"
+
+#define CONFIG_NAME "softhsm-long-label"
+#define CONFIG CONFIG_NAME ".config"
+
+static int pin_func(void *userdata, int attempt, const char *url,
+ const char *label, unsigned flags, char *pin,
+ size_t pin_max)
+{
+ if (attempt == 0) {
+ strcpy(pin, PIN);
+ return 0;
+ }
+ return -1;
+}
+
+static void test(const char *provider)
+{
+ int ret;
+ size_t i;
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+
+ success("test with %s\n", provider);
+
+ if (debug) {
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ /* point to SoftHSM token that libpkcs11mock4.so internally uses */
+ setenv(SOFTHSM_ENV, CONFIG, 1);
+
+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
+
+ ret = gnutls_pkcs11_add_provider(provider, "trusted");
+ if (ret != 0) {
+ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
+ }
+
+ /* initialize softhsm token */
+ ret = gnutls_pkcs11_token_init(
+ SOFTHSM_URL, PIN,
+ "this is a very long label whose length exceeds 32");
+ if (ret < 0) {
+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
+ }
+
+ for (i = 0;; i++) {
+ char *url = NULL;
+
+ ret = gnutls_pkcs11_token_get_url(i, 0, &url);
+ if (ret < 0)
+ break;
+ if (strstr(url,
+ "token=this%20is%20a%20very%20long%20label%20whose"))
+ break;
+ }
+ if (ret < 0)
+ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
+
+ gnutls_pkcs11_deinit();
+}
+
+void doit(void)
+{
+ const char *bin;
+ const char *lib;
+ char buf[128];
+
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
+ /* this must be called once in the program */
+ global_init();
+
+ /* we call gnutls_pkcs11_init manually */
+ gnutls_pkcs11_deinit();
+
+ /* check if softhsm module is loadable */
+ lib = softhsm_lib();
+
+ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */
+ bin = softhsm_bin();
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+
+ lib = getenv("P11MOCKLIB4");
+ if (lib == NULL) {
+ fail("P11MOCKLIB4 is not set\n");
+ }
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+}
+#endif /* _WIN32 */
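Review bot: The url returned by gnutls_pkcs11_token_get_url() in test() is never released — each loop iteration overwrites the pointer, and the matched URL is also dropped on break — so the test leaks one allocation per enumerated token, which will show up in ASan/valgrind runs of the suite. Free it on both paths: `if (strstr(url, "token=this%20is%20a%20very%20long%20label%20whose")) { gnutls_free(url); break; }` followed by `gnutls_free(url);` at the end of the loop body. Two smaller points in the same file: pin_func() copies PIN with strcpy() without consulting pin_max, so a guard such as `if (pin_max < sizeof(PIN)) return -1;` would keep the callback within its contract, and the two system(buf) calls in doit() ignore their return value, so a failed --init-token surfaces only later as a less direct gnutls_pkcs11_token_init error instead of an immediate fail().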
--
2.52.0


@ -5,32 +5,32 @@ Subject: [PATCH 1/5] buffers: rename a variable in parse_handshake_header
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/buffers.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
lib/buffers.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index be51f3aac..d9ef1d907 100644
index 09779a8f3..e9ddf0403 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -876,7 +876,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
@@ -853,7 +853,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
{
uint8_t *dataptr = NULL; /* for realloc */
size_t handshake_header_size =
- HANDSHAKE_HEADER_SIZE(session), data_size, frag_size;
+ HANDSHAKE_HEADER_SIZE(session), data_size, frag_length;
uint8_t *dataptr = NULL; /* for realloc */
size_t handshake_header_size = HANDSHAKE_HEADER_SIZE(session),
- data_size, frag_size;
+ data_size, frag_length;
/* Note: SSL2_HEADERS == 1 */
if (_mbuffer_get_udata_size(bufel) < handshake_header_size)
@@ -892,7 +892,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
&& bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)) {
handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
@@ -868,7 +868,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
handshake_header_size =
SSL2_HEADERS; /* we've already read one byte */
- frag_size = _mbuffer_get_udata_size(bufel) - handshake_header_size; /* we've read the first byte */
+ frag_length = _mbuffer_get_udata_size(bufel) - handshake_header_size; /* we've read the first byte */
- frag_size =
+ frag_length =
_mbuffer_get_udata_size(bufel) -
handshake_header_size; /* we've read the first byte */
if (dataptr[0] != GNUTLS_HANDSHAKE_CLIENT_HELLO)
return
@@ -902,7 +902,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
@@ -879,7 +879,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
hsk->sequence = 0;
hsk->start_offset = 0;
@ -38,23 +38,26 @@ index be51f3aac..d9ef1d907 100644
+ hsk->length = frag_length;
} else
#endif
{ /* TLS or DTLS handshake headers */
@@ -919,12 +919,12 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
{ /* TLS or DTLS handshake headers */
@@ -894,13 +894,13 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
if (IS_DTLS(session)) {
hsk->sequence = _gnutls_read_uint16(&dataptr[4]);
hsk->start_offset =
_gnutls_read_uint24(&dataptr[6]);
- frag_size =
+ frag_length =
_gnutls_read_uint24(&dataptr[9]);
hsk->start_offset = _gnutls_read_uint24(&dataptr[6]);
- frag_size = _gnutls_read_uint24(&dataptr[9]);
+ frag_length = _gnutls_read_uint24(&dataptr[9]);
} else {
hsk->sequence = 0;
hsk->start_offset = 0;
- frag_size =
+ frag_length =
MIN((_mbuffer_get_udata_size(bufel) -
handshake_header_size), hsk->length);
- frag_size = MIN((_mbuffer_get_udata_size(bufel) -
- handshake_header_size),
- hsk->length);
+ frag_length = MIN((_mbuffer_get_udata_size(bufel) -
+ handshake_header_size),
+ hsk->length);
}
@@ -940,8 +940,8 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
/* TLS1.3: distinguish server hello versus hello retry request.
@@ -919,8 +919,8 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
}
data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
@ -65,25 +68,25 @@ index be51f3aac..d9ef1d907 100644
else
hsk->end_offset = 0;
@@ -949,15 +949,15 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
("HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
session, _gnutls_handshake2str(hsk->htype),
(unsigned) hsk->htype, (int) hsk->length, (int) data_size,
- hsk->start_offset, (int) frag_size,
+ hsk->start_offset, (int) frag_length,
(int) hsk->sequence);
@@ -928,15 +928,15 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
"HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
session, _gnutls_handshake2str(hsk->htype),
(unsigned)hsk->htype, (int)hsk->length, (int)data_size,
- hsk->start_offset, (int)frag_size, (int)hsk->sequence);
+ hsk->start_offset, (int)frag_length, (int)hsk->sequence);
hsk->header_size = handshake_header_size;
memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
handshake_header_size);
- if (hsk->length > 0 && (frag_size > data_size ||
- (frag_size > 0 &&
+ if (hsk->length > 0 && (frag_length > data_size ||
+ (frag_length > 0 &&
hsk->end_offset >= hsk->length))) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
if (hsk->length > 0 &&
- (frag_size > data_size ||
- (frag_size > 0 && hsk->end_offset >= hsk->length))) {
+ (frag_length > data_size ||
+ (frag_length > 0 && hsk->end_offset >= hsk->length))) {
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
} else if (hsk->length == 0 && hsk->end_offset != 0 &&
hsk->start_offset != 0)
--
2.53.0
@ -109,15 +112,15 @@ Fixes: GNUTLS-SA-2026-04-29-3
CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/buffers.c | 64 +++++++++++++++++++++++++-----------------------
lib/gnutls_int.h | 4 +--
2 files changed, 36 insertions(+), 32 deletions(-)
lib/buffers.c | 51 +++++++++++++++++++++++++-----------------------
lib/gnutls_int.h | 4 ++--
2 files changed, 29 insertions(+), 26 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index d9ef1d907..134d680f4 100644
index e9ddf0403..c3df8a37b 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -940,10 +940,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
@@ -919,10 +919,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
}
data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
@ -127,46 +130,28 @@ index d9ef1d907..134d680f4 100644
- hsk->end_offset = 0;
+ hsk->frag_length = frag_length;
_gnutls_handshake_log
("HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
@@ -956,14 +953,16 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
handshake_header_size);
_gnutls_handshake_log(
"HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
@@ -936,9 +933,11 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
- if (hsk->length > 0 && (frag_length > data_size ||
- (frag_length > 0 &&
- hsk->end_offset >= hsk->length))) {
+ if (hsk->length > 0 &&
+ (frag_length > data_size ||
if (hsk->length > 0 &&
(frag_length > data_size ||
- (frag_length > 0 && hsk->end_offset >= hsk->length))) {
+ (frag_length > 0 &&
+ hsk->start_offset + frag_length > hsk->length))) {
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
- else if (hsk->length == 0 && hsk->end_offset != 0
- && hsk->start_offset != 0)
+ else if (hsk->length == 0 &&
+ hsk->start_offset + frag_length != hsk->start_offset &&
+ hsk->start_offset != 0)
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
@@ -1020,19 +1019,19 @@ static int merge_handshake_packet(gnutls_session_t session,
gnutls_assert_val(GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS);
if (!exists) {
- if (hsk->length > 0 && hsk->end_offset > 0
- && hsk->end_offset - hsk->start_offset + 1 !=
- hsk->length) {
+ if (hsk->length > 0) {
ret =
_gnutls_buffer_resize(&hsk->data, hsk->length);
if (ret < 0)
return gnutls_assert_val(ret);
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- } else if (hsk->length == 0 && hsk->end_offset != 0 &&
+ } else if (hsk->length == 0 &&
+ hsk->start_offset + frag_length != hsk->start_offset &&
hsk->start_offset != 0)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
@@ -1002,11 +1001,10 @@ static int merge_handshake_packet(gnutls_session_t session,
hsk->data.length = hsk->length;
+ }
}
- if (hsk->length > 0 && hsk->end_offset > 0 &&
- hsk->end_offset - hsk->start_offset + 1 != hsk->length) {
+ if (hsk->length > 0 && hsk->frag_length > 0 &&
+ hsk->frag_length != hsk->length) {
memmove(&hsk->data.data[hsk->start_offset],
@ -176,7 +161,7 @@ index d9ef1d907..134d680f4 100644
}
session->internals.handshake_recv_buffer_size++;
@@ -1066,20 +1065,27 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -1040,20 +1038,27 @@ static int merge_handshake_packet(gnutls_session_t session,
}
if (hsk->start_offset < recv_buf[pos].start_offset &&
@ -210,55 +195,53 @@ index d9ef1d907..134d680f4 100644
}
_gnutls_handshake_buffer_clear(hsk);
}
@@ -1140,8 +1146,8 @@ static int get_last_packet(gnutls_session_t session,
@@ -1113,8 +1118,8 @@ static int get_last_packet(gnutls_session_t session,
}
else if ((recv_buf[LAST_ELEMENT].start_offset == 0 &&
- recv_buf[LAST_ELEMENT].end_offset ==
- recv_buf[LAST_ELEMENT].length - 1)
- recv_buf[LAST_ELEMENT].length - 1) ||
+ recv_buf[LAST_ELEMENT].frag_length ==
+ recv_buf[LAST_ELEMENT].length)
|| recv_buf[LAST_ELEMENT].length == 0) {
+ recv_buf[LAST_ELEMENT].length) ||
recv_buf[LAST_ELEMENT].length == 0) {
session->internals.dtls.hsk_read_seq++;
_gnutls_handshake_buffer_move(hsk,
@@ -1153,7 +1159,9 @@ static int get_last_packet(gnutls_session_t session,
@@ -1125,8 +1130,9 @@ static int get_last_packet(gnutls_session_t session,
/* if we don't have a complete handshake message, but we
* have queued data waiting, try again to reconstruct the
* handshake packet, using the queued */
- if (recv_buf[LAST_ELEMENT].end_offset != recv_buf[LAST_ELEMENT].length - 1 &&
- if (recv_buf[LAST_ELEMENT].end_offset !=
- recv_buf[LAST_ELEMENT].length - 1 &&
+ if ((recv_buf[LAST_ELEMENT].start_offset +
+ recv_buf[LAST_ELEMENT].frag_length) !=
+ recv_buf[LAST_ELEMENT].length &&
+ recv_buf[LAST_ELEMENT].length &&
record_check_unprocessed(session) > 0)
return gnutls_assert_val(GNUTLS_E_INT_CHECK_AGAIN);
else
@@ -1341,9 +1349,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
ret);
return gnutls_assert_val(
GNUTLS_E_INT_CHECK_AGAIN);
@@ -1313,9 +1319,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
&session->internals.record_buffer,
bufel, ret);
data_size =
- MIN(tmp.length,
- tmp.end_offset - tmp.start_offset +
- 1);
+ MIN(tmp.length, tmp.frag_length);
- data_size = MIN(tmp.length,
- tmp.end_offset -
- tmp.start_offset + 1);
+ data_size = MIN(tmp.length, tmp.frag_length);
ret =
_gnutls_buffer_append_data(&tmp.data,
@@ -1361,9 +1367,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
merge_handshake_packet(session, &tmp);
ret = _gnutls_buffer_append_data(
&tmp.data,
@@ -1331,7 +1335,6 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
ret = merge_handshake_packet(session, &tmp);
if (ret < 0)
return gnutls_assert_val(ret);
-
- }
- while (_mbuffer_get_udata_size(bufel) > 0);
+ } while (_mbuffer_get_udata_size(bufel) > 0);
} while (_mbuffer_get_udata_size(bufel) > 0);
prev = bufel;
bufel =
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 815f69b10..0e753a739 100644
index d1643be9d..3e5a8f361 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -396,10 +396,10 @@ typedef struct {
@@ -460,10 +460,10 @@ typedef struct {
uint16_t sequence;
/* indicate whether that message is complete.
@ -287,14 +270,14 @@ Subject: [PATCH 3/5] buffers: simplify and tighten parse_handshake_header
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/buffers.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
lib/buffers.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 134d680f4..7aa22811f 100644
index c3df8a37b..af77c5c0f 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -953,16 +953,10 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
@@ -931,14 +931,9 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
handshake_header_size);
@ -303,16 +286,14 @@ index 134d680f4..7aa22811f 100644
- (frag_length > 0 &&
- hsk->start_offset + frag_length > hsk->length))) {
+ if (frag_length > data_size) /* fragment straight up lying to us */
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- }
- else if (hsk->length == 0 &&
- hsk->start_offset + frag_length != hsk->start_offset &&
- hsk->start_offset != 0)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- } else if (hsk->length == 0 &&
- hsk->start_offset + frag_length != hsk->start_offset &&
- hsk->start_offset != 0)
+ if (frag_length + hsk->start_offset > hsk->length) /* reassembly OOB */
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
return handshake_header_size;
--
2.53.0
@ -328,7 +309,7 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 47 insertions(+)
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
index 4f4c8f623..5d226a56a 100644
index 499a92a92..cde0ca5e6 100644
--- a/tests/mini-dtls-fragments.c
+++ b/tests/mini-dtls-fragments.c
@@ -165,6 +165,50 @@ static uint64_t read_u48(const uint8_t *p)
@ -382,7 +363,7 @@ index 4f4c8f623..5d226a56a 100644
static void test(gnutls_push_func client_push, bool expect_success)
{
gnutls_session_t client, server;
@@ -459,7 +503,10 @@ static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr,
@@ -462,7 +506,10 @@ static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr,
void doit(void)
{
global_init();
@ -404,14 +385,14 @@ Subject: [PATCH 5/5] tests/mini-dtls-fragments: test #1811 crashing datagram
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/mini-dtls-fragments.c | 58 +++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
tests/mini-dtls-fragments.c | 59 +++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
index 5d226a56a..03881058a 100644
index cde0ca5e6..ce61eb947 100644
--- a/tests/mini-dtls-fragments.c
+++ b/tests/mini-dtls-fragments.c
@@ -500,6 +500,62 @@ static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr,
@@ -503,6 +503,63 @@ static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr,
return l;
}
@ -445,7 +426,8 @@ index 5d226a56a..03881058a 100644
+ gnutls_priority_set_direct(server, "NORMAL:+VERS-DTLS1.2", NULL);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+
+ gnutls_dtls_set_timeouts(server, 80 * 1000, 8 * 1000);
+ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(),
+ get_timeout());
+
+ gnutls_transport_set_ptr(server, server);
+ gnutls_transport_set_push_function(server, server_push);
@ -474,7 +456,7 @@ index 5d226a56a..03881058a 100644
void doit(void)
{
global_init();
@@ -513,6 +569,8 @@ void doit(void)
@@ -516,6 +573,8 @@ void doit(void)
test(client_push_split_hello, true);
success("split client hello smoke-test and mangle sequence number\n");
test(client_push_split_hello_bad_seq, false);


@ -1,29 +1,30 @@
From 4f94e5cfe1f252a431e41642b0752e7e0daf43b9 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 20 Mar 2026 16:09:40 +0100
Subject: [PATCH 1/8] tests/mini-dtls-fragments: implement a basic DTLS test
Subject: [PATCH 1/7] tests/mini-dtls-fragments: implement a basic DTLS test
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/Makefile.am | 6 +-
tests/mini-dtls-fragments.c | 206 ++++++++++++++++++++++++++++++++++++
2 files changed, 211 insertions(+), 1 deletion(-)
tests/Makefile.am | 7 +-
tests/mini-dtls-fragments.c | 208 ++++++++++++++++++++++++++++++++++++
2 files changed, 214 insertions(+), 1 deletion(-)
create mode 100644 tests/mini-dtls-fragments.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index afb665597..f85a6947d 100644
index aeeaaf79d..586f1952d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -224,7 +224,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
set_x509_ocsp_multi_cli kdf-api keylog-func \
dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
pkcs7-verify-double-free \
- tls12-rehandshake-ticket
+ tls12-rehandshake-ticket mini-dtls-fragments
@@ -241,7 +241,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
x509-upnconstraint xts-key-check cipher-padding pkcs7-verify-double-free \
fips-rsa-sizes tls12-rehandshake-ticket pathbuf tls-force-ems \
- psk-importer privkey-derive dh-compute2 ecdh-compute2
+ psk-importer privkey-derive dh-compute2 ecdh-compute2 \
+ mini-dtls-fragments
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
@@ -487,6 +487,10 @@ buffer_CPPFLAGS = $(AM_CPPFLAGS) \
ctests += tls-channel-binding
@@ -513,6 +514,10 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
-I$(top_builddir)/gl
@ -36,10 +37,10 @@ index afb665597..f85a6947d 100644
ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
new file mode 100644
index 000000000..0abe557f7
index 000000000..ee75feeb6
--- /dev/null
+++ b/tests/mini-dtls-fragments.c
@@ -0,0 +1,206 @@
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2026 Red Hat, Inc.
+ *
@ -195,8 +196,10 @@ index 000000000..0abe557f7
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+ gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred);
+
+ gnutls_dtls_set_timeouts(client, 80 * 1000, 8 * 1000);
+ gnutls_dtls_set_timeouts(server, 80 * 1000, 8 * 1000);
+ gnutls_dtls_set_timeouts(client, get_dtls_retransmit_timeout(),
+ get_timeout());
+ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(),
+ get_timeout());
+
+ gnutls_transport_set_ptr(client, client);
+ gnutls_transport_set_push_function(client, client_push);
@ -250,107 +253,10 @@ index 000000000..0abe557f7
2.53.0
From 87b63fec37a9bae87ec34f6a55c57cb64fe4c7aa Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 4 May 2026 09:16:13 +0000
Subject: [PATCH 2/8] buffers: reformat ssmerge_handshake_packet
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/buffers.c | 64 +++++++++++++++++++++++++--------------------------
1 file changed, 31 insertions(+), 33 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 2d0e3d8af..827e97fe5 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -1031,46 +1031,44 @@ static int merge_handshake_packet(gnutls_session_t session,
_gnutls_write_uint24(0, &hsk->header[6]);
_gnutls_write_uint24(hsk->length, &hsk->header[9]);
- _gnutls_handshake_buffer_move(&session->internals.
- handshake_recv_buffer[pos],
- hsk);
+ _gnutls_handshake_buffer_move(
+ &session->internals.handshake_recv_buffer[pos], hsk);
} else {
if (hsk->start_offset <
- session->internals.handshake_recv_buffer[pos].
- start_offset
- && hsk->end_offset + 1 >=
- session->internals.handshake_recv_buffer[pos].
- start_offset) {
- memcpy(&session->internals.
- handshake_recv_buffer[pos].data.data[hsk->
- start_offset],
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset &&
+ hsk->end_offset + 1 >=
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset) {
+ memcpy(&session->internals.handshake_recv_buffer[pos]
+ .data.data[hsk->start_offset],
hsk->data.data, hsk->data.length);
- session->internals.handshake_recv_buffer[pos].
- start_offset = hsk->start_offset;
- session->internals.handshake_recv_buffer[pos].
- end_offset =
- MIN(hsk->end_offset,
- session->internals.
- handshake_recv_buffer[pos].end_offset);
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset = hsk->start_offset;
+ session->internals.handshake_recv_buffer[pos]
+ .end_offset = MIN(
+ hsk->end_offset,
+ session->internals.handshake_recv_buffer[pos]
+ .end_offset);
} else if (hsk->end_offset >
- session->internals.handshake_recv_buffer[pos].
- end_offset
- && hsk->start_offset <=
- session->internals.handshake_recv_buffer[pos].
- end_offset + 1) {
- memcpy(&session->internals.
- handshake_recv_buffer[pos].data.data[hsk->
- start_offset],
+ session->internals.handshake_recv_buffer[pos]
+ .end_offset &&
+ hsk->start_offset <=
+ session->internals.handshake_recv_buffer[pos]
+ .end_offset +
+ 1) {
+ memcpy(&session->internals.handshake_recv_buffer[pos]
+ .data.data[hsk->start_offset],
hsk->data.data, hsk->data.length);
- session->internals.handshake_recv_buffer[pos].
- end_offset = hsk->end_offset;
- session->internals.handshake_recv_buffer[pos].
- start_offset =
- MIN(hsk->start_offset,
- session->internals.
- handshake_recv_buffer[pos].start_offset);
+ session->internals.handshake_recv_buffer[pos]
+ .end_offset = hsk->end_offset;
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset = MIN(
+ hsk->start_offset,
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset);
}
_gnutls_handshake_buffer_clear(hsk);
}
--
2.53.0
From 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 17 Apr 2026 17:49:31 +0200
Subject: [PATCH 3/8] buffers: shorten merge_handshake_packet using recv_buf
Subject: [PATCH 2/7] buffers: shorten merge_handshake_packet using recv_buf
I had vague concerns about thread-safety of this,
but then this pattern already exists within the file.
@ -361,10 +267,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 17 insertions(+), 35 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 827e97fe5..9ff606501 100644
index 672380b05..d54c77022 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -992,9 +992,11 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
int exists = 0, i, pos = 0;
int ret;
@ -378,7 +284,7 @@ index 827e97fe5..9ff606501 100644
exists = 1;
pos = i;
break;
@@ -1031,44 +1033,24 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
_gnutls_write_uint24(0, &hsk->header[6]);
_gnutls_write_uint24(hsk->length, &hsk->header[9]);
@ -443,7 +349,7 @@ index 827e97fe5..9ff606501 100644
From 65ab33fa54e34fba69d793735b7df3d383d1ff78 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 17 Apr 2026 18:21:36 +0200
Subject: [PATCH 4/8] buffers: add more checks to DTLS reassembly
Subject: [PATCH 3/7] buffers: add more checks to DTLS reassembly
Previously, gnutls didn't check that DTLS fragments claimed
a consistent message_length value.
@ -468,10 +374,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 20 insertions(+)
diff --git a/lib/buffers.c b/lib/buffers.c
index 9ff606501..20ff909bd 100644
index d54c77022..5d4d16276 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -1036,6 +1036,26 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
} else {
@ -505,15 +411,15 @@ index 9ff606501..20ff909bd 100644
From cf3f1955e58cbcc10373b841bb101fb058565d87 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Wed, 1 Apr 2026 19:51:45 +0200
Subject: [PATCH 5/8] tests/mini-dtls-fragments: extend with a #1816 reproducer
Subject: [PATCH 4/7] tests/mini-dtls-fragments: extend with a #1816 reproducer
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/mini-dtls-fragments.c | 119 ++++++++++++++++++++++++++++++++++++
1 file changed, 119 insertions(+)
tests/mini-dtls-fragments.c | 120 ++++++++++++++++++++++++++++++++++++
1 file changed, 120 insertions(+)
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
index 0abe557f7..d997ad64f 100644
index ee75feeb6..8d5a18acd 100644
--- a/tests/mini-dtls-fragments.c
+++ b/tests/mini-dtls-fragments.c
@@ -106,6 +106,11 @@ static int pull_timeout(gnutls_transport_ptr_t tr, unsigned ms)
@ -528,7 +434,7 @@ index 0abe557f7..d997ad64f 100644
static ssize_t server_pull(gnutls_transport_ptr_t tr, void *b, size_t l)
{
return queue_get(&c2s, (gnutls_session_t)tr, b, l);
@@ -196,10 +201,124 @@ static void test(gnutls_push_func client_push)
@@ -198,10 +203,125 @@ static void test(gnutls_push_func client_push)
gnutls_certificate_free_credentials(scred);
}
@ -602,7 +508,8 @@ index 0abe557f7..d997ad64f 100644
+ gnutls_priority_set_direct(server, "NORMAL:+VERS-DTLS1.2", NULL);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+
+ gnutls_dtls_set_timeouts(server, 80 * 1000, 8 * 1000);
+ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(),
+ get_timeout());
+
+ gnutls_transport_set_ptr(server, server);
+ gnutls_transport_set_push_function(server, server_push);
@ -660,7 +567,7 @@ index 0abe557f7..d997ad64f 100644
From bb427ff74dba849d40753ed9c8511e873f762743 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 20 Apr 2026 16:08:11 +0200
Subject: [PATCH 6/8] tests/mini-dtls-fragments: extend with fragmenting
Subject: [PATCH 5/7] tests/mini-dtls-fragments: extend with fragmenting
ClientHello
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
@ -669,7 +576,7 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 107 insertions(+)
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
index d997ad64f..a1fa7f8dd 100644
index 8d5a18acd..93490bac2 100644
--- a/tests/mini-dtls-fragments.c
+++ b/tests/mini-dtls-fragments.c
@@ -132,6 +132,39 @@ static ssize_t client_push_normal(gnutls_transport_ptr_t tr, const void *b,
@ -712,7 +619,7 @@ index d997ad64f..a1fa7f8dd 100644
static void test(gnutls_push_func client_push)
{
gnutls_session_t client, server;
@@ -313,12 +346,86 @@ static void test_malicious1816(void)
@@ -316,12 +349,86 @@ static void test_malicious1816(void)
gnutls_certificate_free_credentials(scred);
}
@ -806,7 +713,7 @@ index d997ad64f..a1fa7f8dd 100644
From 092c65d004e2f125f2fea3db84d801ac49a09f78 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 20 Apr 2026 16:32:02 +0200
Subject: [PATCH 7/8] buffers: match DTLS datagrams by sequence number
Subject: [PATCH 6/7] buffers: match DTLS datagrams by sequence number
DTLS handshake fragment reassembly previously matched incoming fragments
by handshake type only, without checking the sequence number.
@ -825,10 +732,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 20ff909bd..48715adcc 100644
index 5d4d16276..62f140ed3 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -996,7 +996,8 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -971,7 +971,8 @@ static int merge_handshake_packet(gnutls_session_t session,
session->internals.handshake_recv_buffer;
for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
@ -845,7 +752,7 @@ index 20ff909bd..48715adcc 100644
From a2b41be83a1a3529c551ccf54958da91a656550e Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 20 Apr 2026 16:36:08 +0200
Subject: [PATCH 8/8] tests/mini-dtls-fragments: #1839 mismatching message_seq
Subject: [PATCH 7/7] tests/mini-dtls-fragments: #1839 mismatching message_seq
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
@ -853,7 +760,7 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
index a1fa7f8dd..77daa6225 100644
index 93490bac2..499a92a92 100644
--- a/tests/mini-dtls-fragments.c
+++ b/tests/mini-dtls-fragments.c
@@ -165,7 +165,7 @@ static uint64_t read_u48(const uint8_t *p)
@ -865,7 +772,7 @@ index a1fa7f8dd..77daa6225 100644
{
gnutls_session_t client, server;
gnutls_certificate_credentials_t ccred, scred;
@@ -216,12 +216,22 @@ static void test(gnutls_push_func client_push)
@@ -218,12 +218,22 @@ static void test(gnutls_push_func client_push)
sr = gnutls_handshake(server);
if (!sr || gnutls_error_is_fatal(sr))
sdone = true;
@ -892,7 +799,7 @@ index a1fa7f8dd..77daa6225 100644
success("OK\n");
@@ -418,14 +428,44 @@ static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b,
@@ -421,14 +431,44 @@ static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b,
return l;
}


@ -0,0 +1,372 @@
From 731861b9de8dccaf7d3b0c1446833051e48670c2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 12 Mar 2026 09:48:57 +0100
Subject: [PATCH 1/5] cert-session: fix multi-entry OCSP revocation bypass
In check_ocsp_response(), the code first searched
for the SingleResponse that matches the certificate being validated.
But later, the status was retrieved from entry 0 unconditionally,
rather than from the matched resp_indx.
As a result, if entry 0 corresponded to a different certificate and was good,
while the matched entry for the peer certificate is revoked,
the revocation check could have mistakenly accepted the certificate.
Reported-by: Oleh Konko (1seal) <security@1seal.org>
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1801
Fixes: #1812
Fixes: CVE-2026-3832
Fixes: GNUTLS-SA-2026-04-29-12
CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/cert-session.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 34a15b19e..b8a70ad00 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -343,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
goto cleanup;
}
- ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
- &cert_status, &vtime, &ntime, &rtime,
- NULL);
+ ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
+ NULL, &cert_status, &vtime, &ntime,
+ &rtime, NULL);
if (ret < 0) {
_gnutls_audit_log(
session,
--
2.53.0
From d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 12 Mar 2026 15:25:24 +0100
Subject: [PATCH 2/5] tests/ocsp-tests/ocsp-must-staple-connection: test
CVE-2026-3832
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
.../ocsp-tests/ocsp-must-staple-connection.sh | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
index 94d41ce24..5e100b9d9 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
@@ -85,6 +85,7 @@ OCSP_RESPONSE_FILE="$testdir/ms-resp.tmp"
OCSP_REQ_FILE="$testdir/ms-req.tmp"
INDEXFILE="$testdir/ocsp_index.txt"
ATTRFILE="${INDEXFILE}.attr"
+SERVER_CERT_BAD_FILE="$testdir/ms-cert-bad.pem.tmp"
stop_servers ()
{
@@ -118,6 +119,20 @@ ${CERTTOOL} \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+echo "=== Generating bad server certificate ==="
+
+rm -f "$TEMPLATE_FILE"
+cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE"
+chmod u+w "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+${CERTTOOL} \
+ --attime "${CERTDATE}" \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_BAD_FILE}" 2>/dev/null
+
echo "=== Bringing OCSP server up ==="
cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt" ${INDEXFILE}
@@ -486,6 +501,61 @@ kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID
+echo "=== Test 10: Server with revoked certificate - CVE-2026-3832 ==="
+
+# The revocation status was always mistakenly checked for the first cert.
+# Check a pair of responses: (irrelevant good unrevoked, relevant bad revoked).
+
+rm -f "${OCSP_RESPONSE_FILE}"
+
+"$FAKETIME" "${TESTDATE}" \
+ ${OPENSSL} ocsp -index "${INDEXFILE}" \
+ -issuer "${srcdir}/ocsp-tests/certs/ca.pem" \
+ -CA "${srcdir}/ocsp-tests/certs/ca.pem" \
+ -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
+ -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
+ -cert "${SERVER_CERT_FILE}" \
+ -cert "${SERVER_CERT_BAD_FILE}" \
+ -respout "${OCSP_RESPONSE_FILE}"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
+ --x509certfile="${SERVER_CERT_BAD_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+out=$(
+ echo "test 123456" | \
+ "${CLI}" -d1 --attime "${TESTDATE}" --ocsp \
+ --x509cafile "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port "${TLS_SERVER_PORT}" localhost \
+ 2>&1
+ rc=$?
+)
+printf '%s\n' "$out"
+
+if test "${rc}" = "0"; then
+ echo 'ERROR: client accepted a revoked leaf (CVE-2026-3832)'
+ exit 1
+fi
+if ! echo "${out}" | grep "The certificate was revoked via OCSP" >/dev/null
+then
+ echo '"The certificate was revoked via OCSP" not found in output'
+ exit 1
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
kill ${OCSP_PID}
wait ${OCSP_PID}
--
2.53.0
From 8cb066878ae6dcb71e19b7f104ff90a141973352 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 12 Mar 2026 10:42:49 +0100
Subject: [PATCH 3/5] tests/ocsp-tests/ocsp-must-staple-connection: grep for
specific...
... error message: 'Got OCSP response with an unrelated certificate'.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
.../ocsp-tests/ocsp-must-staple-connection.sh | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
index 5e100b9d9..568aece2e 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
@@ -292,21 +292,31 @@ wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
-echo "test 123456" | \
- "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+out=$(
+ echo "test 123456" | \
+ "${CLI}" --attime "${TESTDATE}" --ocsp \
+ --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost \
+ 2>&1
+)
rc=$?
+printf '%s\n' "$out"
if test "${rc}" = "0"; then
echo "Connecting to server with valid certificate and invalid staple succeeded"
exit 1
fi
+if ! echo "${out}" | grep "Got OCSP response with an unrelated certificate" > /dev/null
+then
+ echo '"Got OCSP response with an unrelated certificate" not found in output'
+ exit 1
+fi
+
kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID
-
echo "=== Test 5: Server with valid certificate - expired staple ==="
rm -f "${OCSP_RESPONSE_FILE}"
--
2.53.0
From 6a7999807d72bd2320d959092235fb06e751c332 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 12 Mar 2026 10:25:41 +0100
Subject: [PATCH 4/5] cert-session: log "no responses" case separately
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/cert-session.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/cert-session.c b/lib/cert-session.c
index b8a70ad00..cb8abd736 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -283,10 +283,16 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
break;
}
if (ret < 0) {
+ if (resp_indx == 0 &&
+ ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ _gnutls_audit_log(session, "Got OCSP response with"
+ " no certificates.\n");
+ } else {
+ _gnutls_audit_log(session,
+ "Got OCSP response with"
+ " an unrelated certificate.\n");
+ }
ret = gnutls_assert_val(0);
- _gnutls_audit_log(
- session,
- "Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
*ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
--
2.53.0
From f36276e1224719160584ae52398a0d2ceb670ac2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 12 Mar 2026 10:57:14 +0100
Subject: [PATCH 5/5] tests/ocsp-tests/ocsp-must-staple-connection: no response
case
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/Makefile.am | 4 +-
tests/ocsp-tests/certs/ocsp-staple-empty.der | Bin 0 -> 1202 bytes
.../ocsp-tests/ocsp-must-staple-connection.sh | 45 ++++++++++++++++++
3 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 tests/ocsp-tests/certs/ocsp-staple-empty.der
diff --git a/tests/Makefile.am b/tests/Makefile.am
index aeeaaf79d..f7d6254a9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -61,7 +61,9 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
ocsp-tests/response2.der ocsp-tests/response3.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \
ocsp-tests/response1.pem ocsp-tests/response2.pem \
ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
- ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \
+ ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der \
+ ocsp-tests/certs/ocsp-staple-empty.der \
+ ocsp-tests/suppressions.valgrind \
ocsp-tests/signer-verify/response-ca.der \
ocsp-tests/signer-verify/response-delegated.der \
ocsp-tests/signer-verify/response-non-delegated.der \
diff --git a/tests/ocsp-tests/certs/ocsp-staple-empty.der b/tests/ocsp-tests/certs/ocsp-staple-empty.der
new file mode 100644
index 0000000000000000000000000000000000000000..eccb9ecbfc246819fc360849867741615fb973a2
GIT binary patch
literal 1202
zcmXqLVp+$<$grS^Ww}8U%VIW8Z8k<$R(1nMMwTX)DF#g}6AZK$iLr=q9@<;)`-D4E
z!%f`Pb8})(pWKuC68uI6hGqt)#s)@4rj{n=Q3ebKylk9WZ60mkc^MhGSs9p{7#SJ*
zKKDM+|K1uQylhIwtsoDzluFGA?ZXE&PIf+c5v+0TcGfcqZWZ&R{0~*Tet2d7TGO}l
z!+Vdn(S~bZU+(aTuuf$DRg@UAPN3;@PSjFIwM^bDm2Xeic<S8X;B*T)<*;unYk|an
z?oTh~UvOueb)fY2@gLi&<T<T77cA|#{_gFSgjd%esM-nJM{~T>xBGnO&Vn0V-)09L
z*eSU130qD}Xy|i~uN$K$EwFzmD1OwO;ob#fqvNKGW+KNHT=iSTU#5BCQ0tnU0}2aP
zEc`I}(nVu^@z36~k2CM{{Ozt2QojE27PC#aKTXs1yO3lppy98VZkKq@xVgoCy=7h9
zg-e0!EBM~03M^=1_BLo@b~k8Zb~b2Y(q6#K#K^?N6ZTo+n$W$O;yI@lK0pgL0~tdp
z0|_?fP!?uk!I0GAlFYnx1;^5ojQpa^l1c+Pab80+17jm&BO@bA6Qd|`UPE&vu7S3p
zrhz&{w*rQ41%Kz@0EM8`;)49Vl++@FCPpP>+Zn-;#?N5T#K^@2ioMHBDO|iss(BB;
zyvhC0a>vyoFYdL9cF)R5je>zUAG@5-jj_MDNl2{P?%k%HQ`cNh`h97qQE7>q`>YzV
z_4iLso+qxiV_v#y;@8jTUvtQn7yetLuUsJ@v5M!ho>k>n!7?#({%v-%xBh0=-T0p4
z#<7YQvD24)IPQPOuz_XY)>}6v9g6=(i`Y%hRq#7gb+%~=8;`5~Ipg&kl|psD$2D8X
z?k|o?JXCx|_E2tGyzEZCc`GdCs~58D_gue{<^00N|I&>fV&#F;HJ)uPJ`%=s$o)^`
z5?@O$!wZ)SB&`&*jekx5*&`NrYi--H^=$1w-b|h+abdy1iRV^xcD`}9^@~c8D84e4
ziJ6gsadDYJi2)BAbEvE^BjbM-CIbcoVGvK1g~x!4jRTTrm^lsjL4y1sC9KTM><tVC
zvLFFI7BLo)=XMJVL>X7y`c&Zj-seQS)ZrN=wg&PbX=N4(1F;4X-5Vma#IEN4`@P}8
zy^mjyDsx{>+J_u7u<TT|?8tYQtwjz6+tT;`X*njD;@!f2%s%$;;b}=}TV)E2gp>>Q
zqOUiee2{c1IOO7SIYsShk7wOAcb*`bP--4<y=|h}LJt3j%yC^;KAe8<zkBf>)BSC^
z9Xw{QbMG;oyqoaq2<NgFOIf|2Jru3io2kMil33pE(pJH~skLNvU^Me4!;UY#UOJ(D
z6Eb!uDq4JDUEX>0NQnL%N3Ux<Pq*1_`!zGW%6n1TWuZ6EA2vUWlHEIj-R<GNWoJ(8
zTb%Fz<|tdy>8QmDb`{bqU$5Ws&)&GsqiV&~>(|<zNy~`vsNSk$$XvG}G4Vk9vMWFP
cp0LfeGq;*rZ97x{|Gzs$UE<vmlQK%#0A#V}1poj5
literal 0
HcmV?d00001
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
index 568aece2e..8dcbb6869 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
@@ -317,6 +317,51 @@ kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID
+echo "=== Test 4.1: Server with valid certificate - no response staple ==="
+
+rm -f "${OCSP_RESPONSE_FILE}"
+cp "${srcdir}/ocsp-tests/certs/ocsp-staple-empty.der" "${OCSP_RESPONSE_FILE}"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server \
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+out=$(
+ echo "test 123456" | \
+ "${CLI}" --attime "${TESTDATE}" --ocsp \
+ --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost \
+ 2>&1
+)
+rc=$?
+printf '%s\n' "$out"
+
+if test "${rc}" = "0"; then
+ echo "Connecting to server with valid certificate and no response staple succeeded"
+ exit 1
+fi
+
+if ! echo "${out}" | grep "Got OCSP response with no certificates" > /dev/null
+then
+ echo '"Got OCSP response with no certificates" not found in output'
+ exit 1
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
echo "=== Test 5: Server with valid certificate - expired staple ==="
rm -f "${OCSP_RESPONSE_FILE}"
--
2.53.0
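Review bot: In Test 10 (the block after `echo "=== Test 10: Server with revoked certificate - CVE-2026-3832 ==="`), `rc=$?` is assigned inside the `out=$( ... )` command substitution, so it runs in the subshell and the parent's `${rc}` tested by `if test "${rc}" = "0"` is never updated by this client run; it presumably still holds whatever the preceding test left in it, and the exit status of the substitution itself is that of the trailing assignment, i.e. 0. The test still catches a regression through the grep for "The certificate was revoked via OCSP", but the branch that reports 'client accepted a revoked leaf' is dead code. Move the assignment after the closing parenthesis, as Test 4 and Test 4.1 in the later patches of this same file do: `)` / `rc=$?` / `printf '%s\n' "$out"`.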


@ -30,18 +30,18 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 197fc47ac..a126123b1 100644
index a89728451..410022239 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -35,6 +35,7 @@
#include <x509_int.h>
#include <x509_ext_int.h>
#include "x509_int.h"
#include "x509_ext_int.h"
#include <libtasn1.h>
+#include "c-strcase.h"
#include "ip.h"
#include "ip-in-cidr.h"
@@ -80,7 +81,7 @@ enum name_constraint_relation {
@@ -100,7 +101,7 @@ enum name_constraint_relation {
NC_SORTS_AFTER = 2 /* unrelated constraints */
};
@ -50,7 +50,7 @@ index 197fc47ac..a126123b1 100644
static enum name_constraint_relation
compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
{
@@ -96,6 +97,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
@@ -116,6 +117,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
return NC_EQUAL;
}
@ -73,7 +73,7 @@ index 197fc47ac..a126123b1 100644
/* Rich-compare DNS names. Example order/relationships:
* z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
@@ -121,8 +138,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
@@ -141,8 +158,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
while (j && n2->data[j - 1] != '.')
j--;
@ -99,10 +99,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 52 insertions(+)
diff --git a/tests/name-constraints.c b/tests/name-constraints.c
index 64e82ad35..7683da433 100644
index 71216b700..e85c03aae 100644
--- a/tests/name-constraints.c
+++ b/tests/name-constraints.c
@@ -324,6 +324,58 @@ void doit(void)
@@ -366,6 +366,58 @@ void doit(void)
gnutls_x509_name_constraints_deinit(nc);


@ -21,10 +21,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 48715adcc..9f33821dd 100644
index 62f140ed3..48f4a3210 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -996,8 +996,20 @@ static int merge_handshake_packet(gnutls_session_t session,
@@ -971,8 +971,20 @@ static int merge_handshake_packet(gnutls_session_t session,
session->internals.handshake_recv_buffer;
for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
@ -74,10 +74,10 @@ Signed-off-by: Joshua Rogers <joshua@joshua.hu>
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/lib/buffers.c b/lib/buffers.c
index 9f33821dd..be51f3aac 100644
index 48f4a3210..09779a8f3 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -866,11 +866,7 @@ static int handshake_compare(const void *_e1, const void *_e2)
@@ -844,11 +844,7 @@ static int handshake_compare(const void *_e1, const void *_e2)
{
const handshake_buffer_st *e1 = _e1;
const handshake_buffer_st *e2 = _e2;


@ -1,77 +1,26 @@
From 382afcb74f8cdabd2234374c730c33332f06c7b2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 4 May 2026 10:08:34 +0000
Subject: [PATCH 1/6] tests/pskself2: reformat
---
tests/pskself2.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tests/pskself2.c b/tests/pskself2.c
index 81286a035..c587df060 100644
--- a/tests/pskself2.c
+++ b/tests/pskself2.c
@@ -287,8 +287,7 @@ static void server(int sd, const char *prio)
success("server: finished\n");
}
-static
-void run_test(const char *prio, unsigned exp_hint)
+static void run_test(const char *prio, unsigned exp_hint)
{
pid_t child;
int err;
@@ -331,11 +330,19 @@ void doit(void)
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", 1);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:+PSK", 0);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0);
+ run_test(
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK",
+ 0);
+ run_test(
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK",
+ 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", 0);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0);
+ run_test(
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK",
+ 0);
+ run_test(
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK",
+ 0);
/* the following should work once we support PSK without DH */
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+PSK", 0);
--
2.53.0
From e3ffd31846d1e6624338a26ca7fce7d1685b17cd Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 21 Apr 2026 19:02:43 +0200
Subject: [PATCH 2/6] tests/pskself2: extend with RSA-PSK support
Subject: [PATCH 1/5] tests/pskself2: extend with RSA-PSK support
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/pskself2.c | 81 ++++++++++++++++++++++++++++++++----------------
1 file changed, 54 insertions(+), 27 deletions(-)
tests/pskself2.c | 79 ++++++++++++++++++++++++++++++++----------------
1 file changed, 53 insertions(+), 26 deletions(-)
diff --git a/tests/pskself2.c b/tests/pskself2.c
index c587df060..974d48334 100644
index e16146884..04283ca08 100644
--- a/tests/pskself2.c
+++ b/tests/pskself2.c
@@ -28,6 +28,7 @@
#include <config.h>
@@ -27,6 +27,7 @@
#include "config.h"
#endif
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
@@ -52,6 +53,7 @@ int main(int argc, char **argv)
@@ -51,6 +52,7 @@ int main(int argc, char **argv)
#include "utils.h"
#include "extras/hex.h"
@ -79,7 +28,7 @@ index c587df060..974d48334 100644
/* A very basic TLS client, with PSK authentication.
*/
@@ -66,12 +68,13 @@ static void tls_log_func(int level, const char *str)
@@ -65,12 +67,13 @@ static void tls_log_func(int level, const char *str)
#define MAX_BUF 1024
#define MSG "Hello TLS"
@ -92,9 +41,9 @@ index c587df060..974d48334 100644
gnutls_psk_client_credentials_t pskcred;
+ gnutls_certificate_credentials_t xcred = NULL;
/* Need to enable anonymous KX specifically. */
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
gnutls_datum_t user;
@@ -111,6 +114,11 @@ static void client(int sd, const char *prio, unsigned exp_hint)
@@ -110,6 +113,11 @@ static void client(int sd, const char *prio, unsigned exp_hint)
*/
gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred);
@ -106,7 +55,7 @@ index c587df060..974d48334 100644
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
@@ -166,6 +174,8 @@ static void client(int sd, const char *prio, unsigned exp_hint)
@@ -165,6 +173,8 @@ end:
gnutls_free(user.data);
gnutls_psk_free_client_credentials(pskcred);
@ -115,10 +64,10 @@ index c587df060..974d48334 100644
gnutls_global_deinit();
}
@@ -195,9 +205,10 @@ pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
@@ -192,9 +202,10 @@ static int pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
return 0;
}
-static void server(int sd, const char *prio)
+static void server(int sd, const char *prio, bool rsa)
{
@ -127,7 +76,7 @@ index c587df060..974d48334 100644
int ret;
gnutls_session_t session;
gnutls_datum_t psk_username;
@@ -217,6 +228,13 @@ static void server(int sd, const char *prio)
@@ -214,6 +225,13 @@ static void server(int sd, const char *prio)
gnutls_psk_set_server_credentials_hint(server_pskcred, "hint");
gnutls_psk_set_server_credentials_function2(server_pskcred, pskfunc);
@ -141,7 +90,7 @@ index c587df060..974d48334 100644
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
@@ -225,6 +243,9 @@ static void server(int sd, const char *prio)
@@ -222,6 +240,9 @@ static void server(int sd, const char *prio)
gnutls_priority_set_direct(session, prio, NULL);
gnutls_credentials_set(session, GNUTLS_CRD_PSK, server_pskcred);
@ -151,7 +100,7 @@ index c587df060..974d48334 100644
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
@@ -280,6 +301,8 @@ static void server(int sd, const char *prio)
@@ -278,6 +299,8 @@ static void server(int sd, const char *prio)
gnutls_deinit(session);
gnutls_psk_free_server_credentials(server_pskcred);
@ -160,7 +109,7 @@ index c587df060..974d48334 100644
gnutls_global_deinit();
@@ -287,7 +310,7 @@ static void server(int sd, const char *prio)
@@ -285,7 +308,7 @@ static void server(int sd, const char *prio)
success("server: finished\n");
}
@ -169,7 +118,7 @@ index c587df060..974d48334 100644
{
pid_t child;
int err;
@@ -313,42 +336,46 @@ static void run_test(const char *prio, unsigned exp_hint)
@@ -311,42 +334,46 @@ static void run_test(const char *prio, unsigned exp_hint)
int status;
/* parent */
close(sockets[1]);
@ -190,7 +139,11 @@ index c587df060..974d48334 100644
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", 1);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", 1);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", 1);
-
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", true, false);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", true,
+ false);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", true, false);
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:+PSK", 0);
- run_test(
- "NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK",
@ -205,11 +158,6 @@ index c587df060..974d48334 100644
- run_test(
- "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK",
- 0);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", true, false);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", true,
+ false);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", true, false);
+
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:+PSK", false, false);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:"
+ "-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK",
@ -227,19 +175,19 @@ index c587df060..974d48334 100644
/* the following should work once we support PSK without DH */
- run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+PSK", 0);
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+PSK", false, false);
+
+ run_test("NORMAL:-KX-ALL:+PSK", false, false);
+ run_test("NORMAL:-KX-ALL:+ECDHE-PSK", false, false);
+ run_test("NORMAL:-KX-ALL:+DHE-PSK", false, false);
- run_test("NORMAL:-KX-ALL:+PSK", 0);
- run_test("NORMAL:-KX-ALL:+ECDHE-PSK", 0);
- run_test("NORMAL:-KX-ALL:+DHE-PSK", 0);
+ run_test("NORMAL:-KX-ALL:+PSK", false, false);
+ run_test("NORMAL:-KX-ALL:+ECDHE-PSK", false, false);
+ run_test("NORMAL:-KX-ALL:+DHE-PSK", false, false);
+
+ /* RSA-PSK */
+ run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+RSA-PSK", false, true);
}
#endif /* _WIN32 */
#endif /* _WIN32 */
--
2.53.0
@ -247,7 +195,7 @@ index c587df060..974d48334 100644
From cb1833afd9b6309563211b1c0a7c291f52ca98d5 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 21 Apr 2026 19:26:10 +0200
Subject: [PATCH 3/6] lib/auth/rsa_psk: fix binary PSK identity lookup
Subject: [PATCH 2/5] lib/auth/rsa_psk: fix binary PSK identity lookup
A server looking up PSK username with a NUL-character in it
was wrongfully matching username truncated at a NUL-character.
@ -260,19 +208,20 @@ Fixes: GNUTLS-SA-2026-04-29-4
CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/auth/rsa_psk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
lib/auth/rsa_psk.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 8f3fe5a4b..8813eeeec 100644
index 9f97569c5..8305f8386 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -332,7 +332,7 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
@@ -321,8 +321,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
* filled in if the key is not found.
*/
ret =
- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+ _gnutls_psk_pwd_find_entry(session, info->username, info->username_len, &pwd_psk);
ret = _gnutls_psk_pwd_find_entry(session, info->username,
- strlen(info->username), &pwd_psk,
- NULL);
+ info->username_len, &pwd_psk, NULL);
if (ret < 0)
return gnutls_assert_val(ret);
@ -280,30 +229,22 @@ index 8f3fe5a4b..8813eeeec 100644
2.53.0
From cf20434d5cb8f3508e6ed2abdcb3e07bf28b9b6f Mon Sep 17 00:00:00 2001
From 83e579a80ec4f165dc3b8e670d879370081f5945 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 21 Apr 2026 19:19:42 +0200
Subject: [PATCH 4/6] tests/pskself2: test username with NUL in the middle
Subject: [PATCH 3/5] tests/pskself2: test username with NUL in the middle
(#1850)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/pskself2.c | 31 +++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
tests/pskself2.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tests/pskself2.c b/tests/pskself2.c
index 974d48334..508711aa9 100644
index 04283ca08..247000077 100644
--- a/tests/pskself2.c
+++ b/tests/pskself2.c
@@ -28,6 +28,7 @@
#include <config.h>
#endif
+#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
@@ -87,12 +87,15 @@ static void client(int sd, const char *prio, bool exp_hint, bool rsa)
@@ -86,12 +86,15 @@ static void client(int sd, const char *prio, bool exp_hint, bool rsa)
side = "client";
@ -323,9 +264,9 @@ index 974d48334..508711aa9 100644
gnutls_psk_allocate_client_credentials(&pskcred);
ret = gnutls_psk_set_client_credentials2(pskcred, &user, &key,
@@ -191,14 +194,20 @@ static int
pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
gnutls_datum_t * key)
@@ -189,14 +192,20 @@ end:
static int pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
gnutls_datum_t *key)
{
+ const unsigned char expected_user[] = { 0xCA, 0xFE, 0x00, 0xCA, 0xFE };
+ const unsigned char expected_key[] = { 0xDE, 0xAD, 0xBE, 0xEF };
@ -348,21 +289,23 @@ index 974d48334..508711aa9 100644
key->size = 4;
return 0;
@@ -212,7 +221,8 @@ static void server(int sd, const char *prio, bool rsa)
@@ -209,8 +218,8 @@ static void server(int sd, const char *prio, bool rsa)
int ret;
gnutls_session_t session;
gnutls_datum_t psk_username;
- char buffer[MAX_BUF + 1], expected_psk_username[] = { 0xDE, 0xAD, 0xBE, 0xEF };
- char buffer[MAX_BUF + 1],
- expected_psk_username[] = { 0xDE, 0xAD, 0xBE, 0xEF };
+ char buffer[MAX_BUF + 1];
+ const char expected_psk_username[] = { 0xCA, 0xFE, 0x00, 0xCA, 0xFE };
/* this must be called once in the program
*/
@@ -265,7 +275,8 @@ static void server(int sd, const char *prio, bool rsa)
@@ -262,8 +271,8 @@ static void server(int sd, const char *prio, bool rsa)
if (gnutls_psk_server_get_username2(session, &psk_username) < 0)
fail("server: Could not get PSK username\n");
- if (psk_username.size != 4 || memcmp(psk_username.data, expected_psk_username, 4))
- if (psk_username.size != 4 ||
- memcmp(psk_username.data, expected_psk_username, 4))
+ if (psk_username.size != 5 ||
+ memcmp(psk_username.data, expected_psk_username, 5))
fail("server: Unexpected PSK username\n");
@ -375,7 +318,7 @@ index 974d48334..508711aa9 100644
From 0f8539fac736a2cdcc79ee4ea5a2f2590a6bea6b Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 21 Apr 2026 19:49:47 +0200
Subject: [PATCH 5/6] tests/pskself2: sprinkle NUL into key for good measure
Subject: [PATCH 4/5] tests/pskself2: sprinkle NUL into key for good measure
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
@ -383,20 +326,20 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/pskself2.c b/tests/pskself2.c
index 508711aa9..71c94cc1d 100644
index 247000077..07f08adcd 100644
--- a/tests/pskself2.c
+++ b/tests/pskself2.c
@@ -76,7 +76,7 @@ static void client(int sd, const char *prio, bool exp_hint, bool rsa)
@@ -75,7 +75,7 @@ static void client(int sd, const char *prio, bool exp_hint, bool rsa)
gnutls_psk_client_credentials_t pskcred;
gnutls_certificate_credentials_t xcred = NULL;
/* Need to enable anonymous KX specifically. */
- const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
+ const gnutls_datum_t key = { (void *) "DEAD00BEEF", 10 };
- const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
+ const gnutls_datum_t key = { (void *)"DEAD00BEEF", 10 };
gnutls_datum_t user;
const char *hint;
@@ -195,7 +195,7 @@ pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
gnutls_datum_t * key)
@@ -193,7 +193,7 @@ static int pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
gnutls_datum_t *key)
{
const unsigned char expected_user[] = { 0xCA, 0xFE, 0x00, 0xCA, 0xFE };
- const unsigned char expected_key[] = { 0xDE, 0xAD, 0xBE, 0xEF };
@ -404,7 +347,7 @@ index 508711aa9..71c94cc1d 100644
if (debug)
printf("psk: Got username with length %d\n", username->size);
@@ -206,9 +206,9 @@ pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
@@ -204,9 +204,9 @@ static int pskfunc(gnutls_session_t session, const gnutls_datum_t *username,
fail("pskfunc: username mismatch: got %u bytes, expected 5\n",
username->size);
@ -424,7 +367,7 @@ index 508711aa9..71c94cc1d 100644
From b10ac69270cd5ab4353efa62b92d9e04a5fec464 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 27 Apr 2026 17:16:25 +0200
Subject: [PATCH 6/6] lib/auth/psk_passwd: limit the length of the comparison
Subject: [PATCH 5/5] lib/auth/psk_passwd: limit the length of the comparison
Comparing a long username from a password file
to a short username from the wire
@ -434,23 +377,23 @@ Fixes: #1864
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/auth/psk_passwd.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
lib/auth/psk_passwd.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c
index 9a9d68c48..c87f2d68e 100644
index 518756e7d..abefd0d4a 100644
--- a/lib/auth/psk_passwd.c
+++ b/lib/auth/psk_passwd.c
@@ -78,7 +78,7 @@ static int pwd_put_values(gnutls_datum_t * psk, char *str)
static bool username_matches(const gnutls_datum_t *username,
const char *line, size_t line_size)
@@ -78,7 +78,7 @@ ATTRIBUTE_NONNULL((1, 2))
static bool username_matches(const gnutls_datum_t *username, const char *line,
size_t line_size)
{
- int retval;
+ bool retval;
unsigned i;
gnutls_datum_t hexline, hex_username = { NULL, 0 };
@@ -91,7 +91,7 @@ static bool username_matches(const gnutls_datum_t *username,
@@ -91,7 +91,7 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
return false;
if (line_size == 0)
@ -459,7 +402,7 @@ index 9a9d68c48..c87f2d68e 100644
/* move to first ':' */
i = 0;
@@ -100,6 +100,9 @@ static bool username_matches(const gnutls_datum_t *username,
@@ -99,6 +99,9 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
i++;
}
@ -468,13 +411,14 @@ index 9a9d68c48..c87f2d68e 100644
+
/* if format is in hex, e.g. #FAFAFA */
if (line[0] == '#' && line_size > 1) {
hexline.data = (void *) &line[1];
@@ -108,17 +111,17 @@ static bool username_matches(const gnutls_datum_t *username,
if ((retval = gnutls_hex_decode2(&hexline, &hex_username)) < 0)
hexline.data = (void *)&line[1];
@@ -107,19 +110,17 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
if (gnutls_hex_decode2(&hexline, &hex_username) < 0)
return gnutls_assert_val(0);
- if (hex_username.size == username->size)
- retval = memcmp(username->data, hex_username.data, username->size);
- retval = memcmp(username->data, hex_username.data,
- username->size);
- else
- retval = -1;
+ retval = hex_username.size == username->size &&
@ -483,16 +427,17 @@ index 9a9d68c48..c87f2d68e 100644
_gnutls_free_datum(&hex_username);
} else {
- retval = strncmp((const char *) username->data, line, MAX(i, username->size));
- retval = strncmp((const char *)username->data, line,
- MAX(i, username->size));
+ retval = i == username->size &&
+ strncmp((const char *) username->data, line, i) == 0;
+ strncmp((const char *)username->data, line, i) == 0;
}
- return (retval == 0);
+ return retval;
}
/* Randomizes the given password entry. It actually sets a random password.
--
2.53.0


@ -20,10 +20,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 3 deletions(-)
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index a126123b1..5161f9926 100644
index 04722bdf4..232d466c4 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -717,9 +717,6 @@ static int name_constraints_node_list_intersect(
@@ -723,9 +723,6 @@ static int name_constraints_node_list_intersect(
type_bitmask_t types_in_p1 = 0, types_in_p2 = 0;
static const unsigned char universal_ip[32] = { 0 };
@ -48,10 +48,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 113 insertions(+)
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 76430fb80..387395c6c 100644
index 70376aaa7..3ff8d6c60 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -369,6 +369,119 @@ void doit(void)
@@ -473,6 +473,119 @@ void doit(void)
gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);


@ -1,7 +1,7 @@
From fc909c3abddcc2955bebf0de403136ed9ec689c2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 28 Apr 2026 15:26:32 +0200
Subject: [PATCH 1/6] x509/virt-san: a small OOM-correctness fix
Subject: [PATCH 1/5] x509/virt-san: a small OOM-correctness fix
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
@ -9,32 +9,33 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/x509/virt-san.c b/lib/x509/virt-san.c
index d2adc4e25..4bbfa1e0e 100644
index 92fcab2c8..ce3d2ca39 100644
--- a/lib/x509/virt-san.c
+++ b/lib/x509/virt-san.c
@@ -98,26 +98,27 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type, gnutl
if (ret < 0)
return gnutls_assert_val(ret);
@@ -108,11 +108,8 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type,
if (ret < 0)
return gnutls_assert_val(ret);
- name->type = GNUTLS_SAN_OTHERNAME;
name->san.data = encoded.data;
name->san.size = encoded.size;
- name->othername_oid.data = (void*)gnutls_strdup(oid);
- name->othername_oid.size = strlen(oid);
break;
- name->type = GNUTLS_SAN_OTHERNAME;
name->san.data = encoded.data;
name->san.size = encoded.size;
- name->othername_oid.data = (void *)gnutls_strdup(oid);
- name->othername_oid.size = strlen(oid);
break;
case GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL:
ret = _gnutls_krb5_principal_to_der((char*)san->data, &name->san);
if (ret < 0)
return gnutls_assert_val(ret);
case GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL:
@@ -120,15 +117,19 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type,
&name->san);
if (ret < 0)
return gnutls_assert_val(ret);
-
- name->othername_oid.data = (void*)gnutls_strdup(oid);
- name->othername_oid.size = strlen(oid);
- name->type = GNUTLS_SAN_OTHERNAME;
break;
- name->othername_oid.data = (void *)gnutls_strdup(oid);
- name->othername_oid.size = strlen(oid);
- name->type = GNUTLS_SAN_OTHERNAME;
break;
default:
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
default:
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
+ ret = _gnutls_set_strdatum(&name->othername_oid, oid,
+ strlen(oid));
@ -54,7 +55,7 @@ index d2adc4e25..4bbfa1e0e 100644
From 5cc003b9688378f6c7934b1df0aa147e80006be4 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 13 Mar 2026 17:41:33 +0100
Subject: [PATCH 2/6] x509: add bare-bones awareness of SRV virtual SAN
Subject: [PATCH 2/5] x509: add bare-bones awareness of SRV virtual SAN
There's no support for constraints, no certtool support, no nothing.
Just added what's easy to add because I needed a virtual SAN for them.
@ -64,77 +65,73 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/includes/gnutls/gnutls.h.in | 4 +++-
lib/x509/common.h | 1 +
lib/x509/name_constraints.c | 3 ++-
lib/x509/output.c | 9 ++++++++-
lib/x509/virt-san.c | 25 +++++++++++++++++++++++++
lib/x509/x509.c | 6 ++++--
6 files changed, 43 insertions(+), 5 deletions(-)
lib/x509/output.c | 6 ++++++
lib/x509/virt-san.c | 24 ++++++++++++++++++++++++
lib/x509/x509.c | 3 ++-
6 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 264da238a..e5906617a 100644
index 964366ded..acce69301 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2692,6 +2692,7 @@ gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t
* @GNUTLS_SAN_REGISTERED_ID: RegisteredID.
@@ -2683,6 +2683,7 @@ void gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t res,
* @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
* @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
* @GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL: Virtual SAN, used by certain functions for convenience.
+ * @GNUTLS_SAN_OTHERNAME_SRV: Virtual SAN, used by certain functions for convenience.
*
* Enumeration of different subject alternative names types.
*/
@@ -2708,7 +2709,8 @@ typedef enum gnutls_x509_subject_alt_name_t {
that they are represented by an otherName value and an OID.
@@ -2700,7 +2701,8 @@ typedef enum gnutls_x509_subject_alt_name_t {
Used by gnutls_x509_crt_get_subject_alt_othername_oid. */
GNUTLS_SAN_OTHERNAME_XMPP = 1000,
- GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL
+ GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
- GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL
+ GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL,
+ GNUTLS_SAN_OTHERNAME_SRV
} gnutls_x509_subject_alt_name_t;
struct gnutls_openpgp_crt_int;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 483bd1de6..37ed0b160 100644
index f039af15b..ed9409f62 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -102,6 +102,7 @@
@@ -107,6 +107,7 @@
#define XMPP_OID "1.3.6.1.5.5.7.8.5"
#define KRB5_PRINCIPAL_OID "1.3.6.1.5.2.2"
#define MSUSER_PRINCIPAL_NAME_OID "1.3.6.1.4.1.311.20.2.3"
+#define SRV_OID "1.3.6.1.5.5.7.8.7"
#define PKIX1_RSA_PSS_MGF1_OID "1.2.840.113549.1.1.8"
#define PKIX1_RSA_OAEP_P_SPECIFIED_OID "1.9"
#define GOST28147_89_OID "1.2.643.2.2.21"
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 5161f9926..37e1c098e 100644
index 3c6e30630..d3c624284 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -520,7 +520,8 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
{
@@ -146,7 +146,8 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME &&
type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI &&
- type != GNUTLS_SAN_IPADDRESS) {
+ type != GNUTLS_SAN_IPADDRESS &&
+ type != GNUTLS_SAN_OTHERNAME_SRV) {
type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI &&
type != GNUTLS_SAN_IPADDRESS &&
- type != GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL) {
+ type != GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL &&
+ type != GNUTLS_SAN_OTHERNAME_SRV) {
return gnutls_assert_val(GNUTLS_E_X509_UNKNOWN_SAN);
}
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 705e8babf..3c996186b 100644
index 4e983c659..78ad9cad7 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -108,8 +108,10 @@ print_name(gnutls_buffer_st *str, const char *prefix, unsigned type, gnutls_datu
if ((type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_OTHERNAME_XMPP
|| type == GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL
+ || type == GNUTLS_SAN_OTHERNAME_SRV
|| type == GNUTLS_SAN_RFC822NAME
- || type == GNUTLS_SAN_URI) && sname != NULL && strlen(sname) != name->size) {
+ || type == GNUTLS_SAN_URI) && sname != NULL
+ && strlen(sname) != name->size) {
adds(str,
_("warning: SAN contains an embedded NUL, "
"replacing with '!'\n"));
@@ -156,6 +158,11 @@ print_name(gnutls_buffer_st *str, const char *prefix, unsigned type, gnutls_datu
addf(str, _("%sKRB5Principal: %.*s\n"), prefix, name->size, NON_NULL(name->data));
@@ -121,6 +121,7 @@ static void print_name(gnutls_buffer_st *str, const char *prefix, unsigned type,
if ((type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_OTHERNAME_XMPP ||
type == GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL ||
type == GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL ||
+ type == GNUTLS_SAN_OTHERNAME_SRV ||
type == GNUTLS_SAN_RFC822NAME || type == GNUTLS_SAN_URI) &&
sname != NULL && strlen(sname) != name->size) {
adds(str, _("warning: SAN contains an embedded NUL, "
@@ -180,6 +181,11 @@ static void print_name(gnutls_buffer_st *str, const char *prefix, unsigned type,
name->size, NON_NULL(name->data));
break;
+ case GNUTLS_SAN_OTHERNAME_SRV:
@ -143,70 +140,69 @@ index 705e8babf..3c996186b 100644
+ break;
+
default:
addf(str, _("%sUnknown name: "), prefix);
addf(str, _("%sUnknown name: "), prefix);
_gnutls_buffer_hexprint(str, name->data, name->size);
diff --git a/lib/x509/virt-san.c b/lib/x509/virt-san.c
index 4bbfa1e0e..a59da4299 100644
index ce3d2ca39..e25b79b1c 100644
--- a/lib/x509/virt-san.c
+++ b/lib/x509/virt-san.c
@@ -40,6 +40,9 @@ int san_othername_to_virtual(const char *oid, size_t size)
else if ((unsigned) size == (sizeof(KRB5_PRINCIPAL_OID)-1)
&& memcmp(oid, KRB5_PRINCIPAL_OID, sizeof(KRB5_PRINCIPAL_OID)-1) == 0)
return GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL;
@@ -45,6 +45,9 @@ static int san_othername_to_virtual(const char *oid, size_t size)
memcmp(oid, MSUSER_PRINCIPAL_NAME_OID,
sizeof(MSUSER_PRINCIPAL_NAME_OID) - 1) == 0)
return GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL;
+ else if ((unsigned)size == (sizeof(SRV_OID) - 1) &&
+ memcmp(oid, SRV_OID, sizeof(SRV_OID) - 1) == 0)
+ return GNUTLS_SAN_OTHERNAME_SRV;
}
return GNUTLS_SAN_OTHERNAME;
@@ -53,6 +56,8 @@ const char * virtual_to_othername_oid(unsigned type)
return XMPP_OID;
case GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL:
return KRB5_PRINCIPAL_OID;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ return SRV_OID;
default:
return NULL;
@@ -59,6 +62,8 @@ static const char *virtual_to_othername_oid(unsigned type)
return KRB5_PRINCIPAL_OID;
case GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL:
return MSUSER_PRINCIPAL_NAME_OID;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ return SRV_OID;
default:
return NULL;
}
@@ -108,6 +113,17 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type, gnutl
return gnutls_assert_val(ret);
break;
@@ -119,6 +124,16 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type,
return gnutls_assert_val(ret);
break;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ ret = _gnutls_x509_encode_string(
+ ASN1_ETYPE_IA5_STRING,
+ san->data, san->size,
+ &encoded);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ name->san.data = encoded.data;
+ name->san.size = encoded.size;
+ break;
+
default:
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
@@ -172,6 +188,15 @@ int gnutls_x509_othername_to_virtual(const char *oid,
return ret;
}
return 0;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ ret = _gnutls_x509_decode_string
+ (ASN1_ETYPE_IA5_STRING, othername->data,
+ othername->size, virt, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ return 0;
+ ret = _gnutls_x509_encode_string(ASN1_ETYPE_IA5_STRING,
+ san->data, san->size,
+ &encoded);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ name->san.data = encoded.data;
+ name->san.size = encoded.size;
+ break;
+
default:
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
@@ -192,6 +207,15 @@ int gnutls_x509_othername_to_virtual(const char *oid,
return ret;
}
return 0;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ ret = _gnutls_x509_decode_string(ASN1_ETYPE_IA5_STRING,
+ othername->data,
+ othername->size, virt, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ return 0;
default:
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index c713f857a..877b88b26 100644
index a55389b34..e1d8c3cba 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1382,7 +1382,8 @@ inline static int is_type_printable(int type)
@@ -1562,7 +1562,8 @@ inline static int is_type_printable(int type)
{
if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
@ -216,45 +212,6 @@ index c713f857a..877b88b26 100644
return 1;
else
return 0;
@@ -1855,7 +1856,8 @@ get_alt_name(gnutls_subject_alt_names_t san,
goto cleanup;
}
- if (othername_oid && type == GNUTLS_SAN_OTHERNAME && ooid.data) {
+ /* API uses othername_oid=0; map to virtual types regardless */
+ if (type == GNUTLS_SAN_OTHERNAME && ooid.data) {
unsigned vtype;
ret = gnutls_x509_othername_to_virtual((char*)ooid.data, &oname, &vtype, &virt);
if (ret >= 0) {
--
2.53.0
From 5a21e1e175f6c853ab3ee39a4d2d9adfb80e3731 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 4 May 2026 10:53:26 +0000
Subject: [PATCH 3/6] x509/hostname-verify: use memchr for embedded-null check
_gnutls_has_embedded_null uses strlen, which reads past the buffer if
there is no NUL within the first size bytes. memchr(p, '\0', size) is
the bounded equivalent.
---
lib/x509/hostname-verify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 6ef8ba030..15d548661 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -220,7 +220,7 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
if (ret == GNUTLS_SAN_DNSNAME) {
found_dnsname = 1;
- if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) {
+ if (memchr(dnsname, '\0', dnsnamesize)) {
_gnutls_debug_log("certificate has %s with embedded null in name\n", dnsname);
continue;
}
--
2.53.0
@ -262,29 +219,28 @@ index 6ef8ba030..15d548661 100644
From 6133fb459b74a9dcfa2d0ff010a4e03c56822d39 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 13 Mar 2026 17:00:03 +0100
Subject: [PATCH 3/6] x509/hostname-verify: refactor and simplify CN fallback
Subject: [PATCH 3/5] x509/hostname-verify: refactor and simplify CN fallback
logic
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
lib/x509/hostname-verify.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
lib/x509/hostname-verify.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 6ef8ba030..698356f32 100644
index 04e17aa23..dda19b54d 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -112,7 +112,8 @@ gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
@@ -108,7 +108,7 @@ unsigned gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
* that we do not fallback to CN-ID if we encounter a supported name
* type.
*/
-#define IS_SAN_SUPPORTED(san) (san==GNUTLS_SAN_DNSNAME||san==GNUTLS_SAN_IPADDRESS)
-#define IS_SAN_SUPPORTED(san) \
+#define PRECLUDES_CN_FALLBACK(san) \
+ (san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS)
(san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS)
/**
* gnutls_x509_crt_check_hostname2:
@@ -154,13 +155,12 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
@@ -151,13 +151,12 @@ unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
{
char dnsname[MAX_CN];
size_t dnsnamesize;
@ -299,20 +255,20 @@ index 6ef8ba030..698356f32 100644
gnutls_datum_t out;
/* check whether @hostname is an ip address */
@@ -217,9 +217,10 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
&dnsnamesize,
NULL);
@@ -213,9 +212,10 @@ hostname_fallback:
ret = gnutls_x509_crt_get_subject_alt_name(cert, i, dnsname,
&dnsnamesize, NULL);
- if (ret == GNUTLS_SAN_DNSNAME) {
- found_dnsname = 1;
+ if (PRECLUDES_CN_FALLBACK(ret))
+ cn_fallback_allowed = false;
+ if (ret == GNUTLS_SAN_DNSNAME) {
+
if (ret == GNUTLS_SAN_DNSNAME) {
- found_dnsname = 1;
-
if (memchr(dnsname, '\0', dnsnamesize)) {
_gnutls_debug_log("certificate has %s with embedded null in name\n", dnsname);
continue;
@@ -235,13 +236,11 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
_gnutls_debug_log(
"certificate has %s with embedded null in name\n",
@@ -236,13 +236,10 @@ hostname_fallback:
ret = 1;
goto cleanup;
}
@ -322,12 +278,11 @@ index 6ef8ba030..698356f32 100644
}
}
- if (!have_other_addresses && !found_dnsname && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
- if (!have_other_addresses && !found_dnsname &&
+ if (cn_fallback_allowed &&
+ _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
_gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
/* did not get the necessary extension, use CN instead, if the
* certificate would have been acceptable for a TLS WWW server purpose.
* That is because only for that purpose the CN is a valid field to
--
2.53.0
@ -335,7 +290,7 @@ index 6ef8ba030..698356f32 100644
From 8dcc6a1f48945997666ac9f10896819edd01a03b Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 13 Mar 2026 17:02:07 +0100
Subject: [PATCH 5/6] x509/hostname-verify: make URI/SRV SAN preclude CN
Subject: [PATCH 4/5] x509/hostname-verify: make URI/SRV SAN preclude CN
fallback
URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
@ -359,10 +314,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index eb0fddaa8..d46fd965f 100644
index dda19b54d..c772cece2 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -112,8 +112,9 @@ gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
@@ -108,8 +108,9 @@ unsigned gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
* that we do not fallback to CN-ID if we encounter a supported name
* type.
*/
@ -381,18 +336,18 @@ index eb0fddaa8..d46fd965f 100644
From b39429d77d4ba022f8597c99b84bbd0a073c815b Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Fri, 13 Mar 2026 17:54:56 +0100
Subject: [PATCH 6/6] tests/hostname-check: extend to exercise no-CN-fallback
Subject: [PATCH 5/5] tests/hostname-check: extend to exercise no-CN-fallback
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
tests/hostname-check.c | 141 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
tests/hostname-check.c | 140 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 140 insertions(+)
diff --git a/tests/hostname-check.c b/tests/hostname-check.c
index 47f8d355d..71481cafb 100644
index 4edda6c40..4357f33f3 100644
--- a/tests/hostname-check.c
+++ b/tests/hostname-check.c
@@ -831,6 +831,99 @@ char txt_ip_in_cn[] =
@@ -804,6 +804,99 @@ char txt_ip_in_cn[] =
"f0+Un2eHAxFcRZPWdPy1/mn83NUMnjquuA/HHcju+pcoZrEwAI3PPQHgsGQ=\n"
"-----END CERTIFICATE-----\n";
@ -489,14 +444,13 @@ index 47f8d355d..71481cafb 100644
+ "p9Nnj64WFIqbTLoqM3nt7+zqFZDvwh+8ZEVcE1MazHOYhDQj1uU3jqIq/sZE8w==\n"
+ "-----END CERTIFICATE-----\n";
+
void doit(void)
{
@@ -1214,6 +1307,54 @@ void doit(void)
gnutls_x509_crt_t x509;
@@ -1175,6 +1268,53 @@ void doit(void)
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
gnutls_openpgp_crt_deinit(pgp);
#endif
+
+ if (debug)
+ success("Testing not falling back to CN with DNS+URI SAN...\n");
+ data.data = (unsigned char *)dns_uri_and_cn;
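Review bot: In the lib/x509/name_constraints.c hunk of PATCH 2/5, validate_name_constraints_node now accepts GNUTLS_SAN_OTHERNAME_SRV as a constraint node type, while the commit message states there is no constraint support for SRV and no SRV matching logic appears anywhere else in this section. If the subtree matching code has no case for this type, an SRV entry in a permitted or excluded subtree is accepted at parse time but never enforced, which silently weakens the constraint rather than rejecting it; either confirm the matching path handles it or keep SRV rejected here until it does. Whichever is chosen should be stated next to the condition, e.g. `/* SRV is accepted as a node type only; no SRV matching is implemented yet */`. validate_name_constraints_node starts and ends outside the hunk.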


@ -13,10 +13,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/lib/x509/email-verify.c b/lib/x509/email-verify.c
index 053e51287..0d55e5524 100644
index dbef0bb86..3c22ffed3 100644
--- a/lib/x509/email-verify.c
+++ b/lib/x509/email-verify.c
@@ -43,7 +43,7 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
@@ -42,7 +42,7 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email,
{
char rfc822name[MAX_CN];
size_t rfc822namesize;
@ -25,16 +25,16 @@ index 053e51287..0d55e5524 100644
int ret = 0;
int i = 0;
char *a_email;
@@ -79,7 +79,7 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
NULL);
@@ -76,7 +76,7 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email,
cert, i, rfc822name, &rfc822namesize, NULL);
if (ret == GNUTLS_SAN_RFC822NAME) {
- found_rfc822name = 1;
+ dn_fallback_allowed = false;
if (_gnutls_has_embedded_null(rfc822name, rfc822namesize)) {
_gnutls_debug_log("certificate has %s with embedded null in rfc822name\n", rfc822name);
@@ -99,12 +99,10 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
if (memchr(rfc822name, '\0', rfc822namesize)) {
_gnutls_debug_log(
@@ -102,12 +102,10 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email,
}
}
@ -48,8 +48,8 @@ index 053e51287..0d55e5524 100644
- * a single CN must be present */
+ /* only a single one must be present */
rfc822namesize = sizeof(rfc822name);
ret = gnutls_x509_crt_get_dn_by_oid
(cert, GNUTLS_OID_PKCS9_EMAIL, 1, 0, rfc822name,
ret = gnutls_x509_crt_get_dn_by_oid(cert,
GNUTLS_OID_PKCS9_EMAIL, 1,
--
2.53.0
@ -79,12 +79,12 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
2 files changed, 28 insertions(+)
diff --git a/lib/x509/email-verify.c b/lib/x509/email-verify.c
index 0d55e5524..f755d766e 100644
index 3c22ffed3..c6cf7a948 100644
--- a/lib/x509/email-verify.c
+++ b/lib/x509/email-verify.c
@@ -78,6 +78,20 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
&rfc822namesize,
NULL);
@@ -75,6 +75,20 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email,
ret = gnutls_x509_crt_get_subject_alt_name(
cert, i, rfc822name, &rfc822namesize, NULL);
+ if (ret < 0) {
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
@ -104,12 +104,12 @@ index 0d55e5524..f755d766e 100644
dn_fallback_allowed = false;
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index d46fd965f..6d6de00ca 100644
index c772cece2..2f1865a27 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -218,6 +218,20 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
&dnsnamesize,
NULL);
@@ -213,6 +213,20 @@ hostname_fallback:
ret = gnutls_x509_crt_get_subject_alt_name(cert, i, dnsname,
&dnsnamesize, NULL);
+ if (ret < 0) {
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
@ -140,9 +140,9 @@ Subject: [PATCH 3/3] tests/cert-tests: add tests for #1825
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
.../cert-tests/email-certs/oversized-san.pem | 16 +++++++++
tests/cert-tests/email | 11 +++++++
tests/hostname-check.c | 33 +++++++++++++++++++
3 files changed, 60 insertions(+)
tests/cert-tests/email.sh | 11 ++++++
tests/hostname-check.c | 34 +++++++++++++++++++
3 files changed, 61 insertions(+)
create mode 100644 tests/cert-tests/email-certs/oversized-san.pem
diff --git a/tests/cert-tests/email-certs/oversized-san.pem b/tests/cert-tests/email-certs/oversized-san.pem
@ -167,11 +167,11 @@ index 000000000..44c0f6997
+zTZqdt4LXX21VFce7S99k6XX+N+xPAUo4beursVrlaesdVsfvDtEk2t+0b5WLbtW
+7UI9PxB9CN4hULrxrI8N
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/email b/tests/cert-tests/email
index a00281028..d2bd48ee3 100755
--- a/tests/cert-tests/email
+++ b/tests/cert-tests/email
@@ -96,5 +96,16 @@ if test "${rc}" != "1"; then
diff --git a/tests/cert-tests/email.sh b/tests/cert-tests/email.sh
index 68fbe3e12..8d3ca3317 100644
--- a/tests/cert-tests/email.sh
+++ b/tests/cert-tests/email.sh
@@ -95,5 +95,16 @@ if test "${rc}" != "1"; then
exit 1
fi
@ -189,10 +189,10 @@ index a00281028..d2bd48ee3 100755
exit 0
diff --git a/tests/hostname-check.c b/tests/hostname-check.c
index 71481cafb..068bf7831 100644
index 4357f33f3..4a4cdf956 100644
--- a/tests/hostname-check.c
+++ b/tests/hostname-check.c
@@ -924,6 +924,24 @@ char srv_and_cn[] =
@@ -897,6 +897,25 @@ char srv_and_cn[] =
"p9Nnj64WFIqbTLoqM3nt7+zqFZDvwh+8ZEVcE1MazHOYhDQj1uU3jqIq/sZE8w==\n"
"-----END CERTIFICATE-----\n";
@ -214,10 +214,11 @@ index 71481cafb..068bf7831 100644
+ "/oWt1Lrfz7Awk9h8yDoz1TKyHjAFBgMrZXADQQBfR5ByQyxpLEsVM5+ihYjSbmYF\n"
+ "1pOFndq0UIKPkWsRqBpitzDIVrVTLlIcY0fQpsxITNgdoIU68WynLGVrRHIF\n"
+ "-----END CERTIFICATE-----\n";
+
void doit(void)
{
@@ -1355,6 +1373,21 @@ void doit(void)
gnutls_x509_crt_t x509;
@@ -1315,6 +1334,21 @@ void doit(void)
fail("%d: Hostname incorrectly falls back to CN (%d)\n",
__LINE__, ret);
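Review bot: The new `if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {` branch added to both gnutls_x509_crt_check_email and gnutls_x509_crt_check_hostname2 has its body cut from this excerpt, so it is not visible whether an oversized SAN still clears `dn_fallback_allowed` / `cn_fallback_allowed` or is merely skipped. The added hostname-check test expects no CN fallback in that case ("Hostname incorrectly falls back to CN"), so the branch presumably has to set the flag to false before moving on instead of leaving the decision to the remaining names; since the SAN type is unknown when the buffer is too small, a comment at the branch such as `/* oversized SAN: its type is unknown, so conservatively preclude CN/DN fallback */` would make that intent explicit. Both enclosing functions start and end outside these hunks.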


@ -19,10 +19,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 5685411ee..194126e95 100644
index 64b85a2df..1dff578f2 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -1297,10 +1297,9 @@ gnutls_pkcs11_token_set_pin(const char *token_url,
@@ -1266,10 +1266,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
ses_flags = SESSION_WRITE | SESSION_LOGIN;
ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);
@ -34,27 +34,28 @@ index 5685411ee..194126e95 100644
return ret;
}
@@ -1322,8 +1321,10 @@ gnutls_pkcs11_token_set_pin(const char *token_url,
@@ -1290,9 +1289,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
oldpin_size = L(oldpin);
if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
- if (newpin == NULL)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- return gnutls_assert_val(
+ if (newpin == NULL) {
+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ ret = gnutls_assert_val(
GNUTLS_E_INVALID_REQUEST);
+ goto finish;
+ }
if (oldpin == NULL) {
struct pin_info_st pin_info;
@@ -1354,6 +1355,7 @@ gnutls_pkcs11_token_set_pin(const char *token_url,
@@ -1324,6 +1325,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
ret = 0;
finish:
finish:
+ p11_kit_uri_free(info);
pkcs11_close_session(&sinfo);
return ret;
}
--
2.53.0
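Review bot: The `goto finish` path now reaches the added `p11_kit_uri_free(info);` and pkcs11_close_session, but the earlier failure path after `ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);` still ends in a bare `return ret;` whose preceding lines are cut from this excerpt; if `info` is allocated before that call, that path needs `p11_kit_uri_free(info);` before `return ret;` as well. The hunk's 10-to-9 line count suggests a line was removed there, so this may already be handled, but it cannot be confirmed from what is shown. gnutls_pkcs11_token_set_pin starts outside the hunk.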


@ -27,10 +27,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 163b0fadb..351996b2f 100644
index 911aeff93..38228613c 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -394,7 +394,7 @@ gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
return GNUTLS_E_INVALID_REQUEST;
}


@ -22,10 +22,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
2 files changed, 10 insertions(+)
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 02b6a3425..b2665d3af 100644
index 4d181327b..496c378b3 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -159,6 +159,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
@@ -158,6 +158,7 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
int ret, dsize;
ssize_t data_size = _data_size;
volatile uint8_t ver_maj, ver_min;
@ -33,7 +33,7 @@ index 02b6a3425..b2665d3af 100644
#ifdef ENABLE_SSL3
if (get_num_version(session) == GNUTLS_SSL3) {
@@ -181,6 +182,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
@@ -180,6 +181,10 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
}
ciphertext.size = dsize;
}
@ -45,18 +45,18 @@ index 02b6a3425..b2665d3af 100644
ver_maj = _gnutls_get_adv_version_major(session);
ver_min = _gnutls_get_adv_version_minor(session);
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 8813eeeec..7768b60f2 100644
index cc92b4aa9..dba40119e 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -270,6 +270,7 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
@@ -257,6 +257,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
ssize_t data_size = _data_size;
gnutls_psk_server_credentials_t cred;
volatile uint8_t ver_maj, ver_min;
+ unsigned int rsa_key_bits;
cred = (gnutls_psk_server_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
@@ -324,6 +325,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
session, GNUTLS_CRD_PSK);
@@ -313,6 +314,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
@ -90,10 +90,10 @@ Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 3ecd1837b..334132ef3 100644
index 7f5db8d26..ea5054978 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -769,7 +769,7 @@ _gnutls_pkcs11_privkey_decrypt_data2(gnutls_pkcs11_privkey_t key,
@@ -838,7 +838,7 @@ int _gnutls_pkcs11_privkey_decrypt_data2(gnutls_pkcs11_privkey_t key,
if (ret != 0)
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);


@ -0,0 +1,360 @@
From 1e627aa5ad95c6dc0518d94e9a009997b081a1ab Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 1 Apr 2026 18:57:21 +0900
Subject: [PATCH 1/2] gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free
This tries to make the logic of PKCS#7 padding removal constant-time,
by removing potential branching operations.
Reported-by: Doria Tang of Stony Brook University
Fixes: #1815
Fixes: CVE-2026-5419
Fixes: GNUTLS-SA-2026-04-29-13
CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/crypto-api.c | 54 +++++++++++++++++------
lib/libgnutls.map | 2 +
tests/Makefile.am | 2 +-
tests/pkcs7-pad.c | 109 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 153 insertions(+), 14 deletions(-)
create mode 100644 tests/pkcs7-pad.c
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 01539d5b5..32143e9de 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -498,6 +498,39 @@ error:
return ret;
}
+/* If succeeds, returns the number of padding bytes to be removed;
+ * zero otherwise.
+ */
+unsigned int _gnutls_pkcs7_unpad(const uint8_t *block, unsigned int block_size)
+{
+ uint8_t padding = block[block_size - 1];
+ volatile unsigned int mask = ~0;
+ volatile unsigned int count = 0;
+
+ /* Count consecutive PADDING bytes from the end, in a
+ * constant-time manner.
+ */
+ for (size_t i = block_size; i > 0; i--) {
+ volatile unsigned int mask2;
+
+ mask2 = -(unsigned int)(block[i - 1] == padding);
+ mask2 &= -(unsigned int)(count < padding);
+
+ /* MASK is initially ~0 and will be flipped to 0 upon first
+ * non-padding bytes.
+ */
+ mask &= mask2;
+ count += 1 & mask;
+ }
+
+ /* PADDING == 0 is effectively excluded here, given COUNT
+ * will never be 0.
+ */
+ mask = -(unsigned int)(count <= block_size);
+ mask &= -(unsigned int)(count == padding);
+ return count & mask;
+}
+
/**
* gnutls_cipher_decrypt3:
* @handle: is a #gnutls_cipher_hd_t type
@@ -532,22 +565,17 @@ int gnutls_cipher_decrypt3(gnutls_cipher_hd_t handle, const void *ctext,
if (_gnutls_cipher_type(h->ctx_enc.e) == CIPHER_BLOCK &&
(flags & GNUTLS_CIPHER_PADDING_PKCS7)) {
uint8_t *p = ptext;
- uint8_t padding = p[*ptext_len - 1];
- if (!padding ||
- padding > _gnutls_cipher_get_block_size(h->ctx_enc.e)) {
- return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
- }
- /* Check that the prior bytes are all PADDING */
- for (size_t i = *ptext_len - padding; i < *ptext_len; i++) {
- if (padding != p[*ptext_len - 1]) {
- return gnutls_assert_val(
- GNUTLS_E_DECRYPTION_FAILED);
- }
- }
+ size_t block_size = _gnutls_cipher_get_block_size(h->ctx_enc.e);
+ uint8_t *block = &p[*ptext_len - block_size];
+ unsigned int padding = _gnutls_pkcs7_unpad(block, block_size);
+ volatile unsigned int mask;
+
+ mask = -(unsigned int)(padding == 0);
+ ret = GNUTLS_E_DECRYPTION_FAILED & mask;
*ptext_len -= padding;
}
- return 0;
+ return ret;
}
/**
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index c2366833d..e22150033 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1560,4 +1560,6 @@ GNUTLS_PRIVATE_3_4 {
_gnutls_pathbuf_append;
_gnutls_pathbuf_truncate;
_gnutls_pathbuf_deinit;
+ # needed by tests/pkcs7-pad
+ _gnutls_pkcs7_unpad;
} GNUTLS_3_4;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b0311169c..3bc3d0340 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -241,7 +241,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
x509-upnconstraint xts-key-check cipher-padding pkcs7-verify-double-free \
fips-rsa-sizes tls12-rehandshake-ticket pathbuf tls-force-ems \
- psk-importer privkey-derive dh-compute2 ecdh-compute2 \
+ psk-importer privkey-derive dh-compute2 ecdh-compute2 pkcs7-pad \
mini-dtls-fragments
ctests += tls-channel-binding
diff --git a/tests/pkcs7-pad.c b/tests/pkcs7-pad.c
new file mode 100644
index 000000000..4a7c231c8
--- /dev/null
+++ b/tests/pkcs7-pad.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2026 Red Hat, Inc.
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/* Test that _gnutls_pkcs7_unpad is branch-free, using valgrind */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdint.h>
+#include <string.h>
+
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+#include <valgrind/memcheck.h>
+#endif
+
+#include "utils.h"
+
+static inline void _gnutls_memory_mark_undefined(void *addr, size_t size)
+{
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+ if (RUNNING_ON_VALGRIND)
+ VALGRIND_MAKE_MEM_UNDEFINED(addr, size);
+#endif
+}
+
+static inline void _gnutls_memory_mark_defined(void *addr, size_t size)
+{
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+ if (RUNNING_ON_VALGRIND)
+ VALGRIND_MAKE_MEM_DEFINED(addr, size);
+#endif
+}
+
+extern unsigned int _gnutls_pkcs7_unpad(const uint8_t *block,
+ unsigned int block_size);
+
+static unsigned int wrap_pkcs7_unpad(uint8_t *block, unsigned int block_size)
+{
+ unsigned int padding;
+
+ _gnutls_memory_mark_undefined(block, block_size);
+
+ padding = _gnutls_pkcs7_unpad(block, block_size);
+
+ _gnutls_memory_mark_defined(block, block_size);
+ _gnutls_memory_mark_defined(&padding, sizeof(padding));
+
+ return padding;
+}
+
+#define PAD 5
+
+void doit(void)
+{
+ uint8_t block[16];
+ unsigned int padding;
+
+ memset(block, 0xFF, sizeof(block));
+ memset(&block[sizeof(block) - PAD], PAD, PAD);
+
+ padding = wrap_pkcs7_unpad(block, sizeof(block));
+ if (padding != PAD)
+ fail("padding should be %d\n", PAD);
+
+ /* The last padding byte exceeds the block size */
+ block[sizeof(block) - 1] = sizeof(block) + 1;
+ padding = wrap_pkcs7_unpad(block, sizeof(block));
+ if (padding != 0)
+ fail("padding should be 0\n");
+ block[sizeof(block) - 1] = PAD;
+
+ /* The last padding byte is zero */
+ block[sizeof(block) - 1] = 0;
+ padding = wrap_pkcs7_unpad(block, sizeof(block));
+ if (padding != 0)
+ fail("padding should be 0\n");
+ block[sizeof(block) - 1] = PAD;
+
+ /* The first padding byte is invalid */
+ block[sizeof(block) - PAD] = PAD + 1;
+ padding = wrap_pkcs7_unpad(block, sizeof(block));
+ if (padding != 0)
+ fail("padding should be 0\n");
+ block[sizeof(block) - PAD] = PAD;
+
+ /* The byte before the first padding equals to PAD */
+ block[sizeof(block) - PAD - 1] = PAD;
+ padding = wrap_pkcs7_unpad(block, sizeof(block));
+ if (padding != PAD)
+ fail("padding should be %d\n", PAD);
+ block[sizeof(block) - PAD - 1] = 0xFF;
+}
--
2.53.0
From 74d8f53ed35a25c72c3756c5dfee52012dcf955e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 1 Apr 2026 19:01:50 +0900
Subject: [PATCH 2/2] tests/cipher-padding: exercise invalid padding case
This adds a negative test case, where a PKCS#7 padding is manipulated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/cipher-padding.c | 53 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 13 deletions(-)
diff --git a/tests/cipher-padding.c b/tests/cipher-padding.c
index c5cca333f..2ee3588f5 100644
--- a/tests/cipher-padding.c
+++ b/tests/cipher-padding.c
@@ -43,9 +43,11 @@ static void start(gnutls_cipher_algorithm_t algo, size_t plaintext_size,
uint8_t key16[64];
uint8_t iv16[32];
uint8_t plaintext[128];
+ uint8_t plaintext2[128];
uint8_t ciphertext[128];
size_t block_size;
size_t size;
+ size_t ciphertext_size;
gnutls_datum_t key, iv;
success("%s %zu %u\n", gnutls_cipher_get_name(algo), plaintext_size,
@@ -80,39 +82,41 @@ static void start(gnutls_cipher_algorithm_t algo, size_t plaintext_size,
}
/* Get the ciphertext size */
- ret = gnutls_cipher_encrypt3(ch, plaintext, plaintext_size, NULL, &size,
- flags);
+ ret = gnutls_cipher_encrypt3(ch, plaintext, plaintext_size, NULL,
+ &ciphertext_size, flags);
if (ret < 0) {
fail("gnutls_cipher_encrypt3 failed\n");
}
if (flags & GNUTLS_CIPHER_PADDING_PKCS7) {
- if (size <= plaintext_size) {
+ if (ciphertext_size <= plaintext_size) {
fail("no padding appended\n");
}
- if (size != CLAMP(plaintext_size, block_size)) {
- fail("size does not match: %zu (expected %zu)\n", size,
+ if (ciphertext_size != CLAMP(plaintext_size, block_size)) {
+ fail("size does not match: %zu (expected %zu)\n",
+ ciphertext_size,
CLAMP(plaintext_size, block_size));
}
} else {
- if (size != plaintext_size) {
- fail("size does not match: %zu (expected %zu)\n", size,
- plaintext_size);
+ if (ciphertext_size != plaintext_size) {
+ fail("size does not match: %zu (expected %zu)\n",
+ ciphertext_size, plaintext_size);
}
}
/* Encrypt with padding */
ret = gnutls_cipher_encrypt3(ch, plaintext, plaintext_size, ciphertext,
- &size, flags);
+ &ciphertext_size, flags);
if (ret < 0) {
fail("gnutls_cipher_encrypt3 failed\n");
}
/* Decrypt with padding */
- ret = gnutls_cipher_decrypt3(ch, ciphertext, size, ciphertext, &size,
- flags);
+ size = ciphertext_size;
+ ret = gnutls_cipher_decrypt3(ch, ciphertext, ciphertext_size,
+ plaintext2, &size, flags);
if (ret < 0) {
- fail("gnutls_cipher_encrypt3 failed\n");
+ fail("gnutls_cipher_decrypt3 failed\n");
}
if (size != plaintext_size) {
@@ -120,10 +124,33 @@ static void start(gnutls_cipher_algorithm_t algo, size_t plaintext_size,
plaintext_size);
}
- if (memcmp(ciphertext, plaintext, size) != 0) {
+ if (memcmp(plaintext2, plaintext, size) != 0) {
fail("plaintext does not match\n");
}
+ if ((flags & GNUTLS_CIPHER_PADDING_PKCS7) &&
+ plaintext_size % block_size != 0) {
+ /* Encrypt with manual padding */
+ memset(&plaintext[plaintext_size],
+ ciphertext_size - plaintext_size,
+ ciphertext_size - plaintext_size);
+ /* Insert a wrong padding byte */
+ plaintext[plaintext_size] = block_size;
+ ret = gnutls_cipher_encrypt3(ch, plaintext, ciphertext_size,
+ ciphertext, &ciphertext_size, 0);
+ if (ret < 0) {
+ fail("gnutls_cipher_encrypt3 failed\n");
+ }
+
+ /* Decrypt with padding */
+ size = ciphertext_size;
+ ret = gnutls_cipher_decrypt3(ch, ciphertext, ciphertext_size,
+ plaintext, &size, flags);
+ if (ret != GNUTLS_E_DECRYPTION_FAILED) {
+ fail("gnutls_cipher_decrypt3 succeeded\n");
+ }
+ }
+
gnutls_cipher_deinit(ch);
}
--
2.53.0
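Review bot: `uint8_t *block = &p[*ptext_len - block_size];` in the gnutls_cipher_decrypt3 hunk assumes `*ptext_len >= block_size`; unless the checks earlier in the function (outside this hunk) already reject ciphertext that is empty or not a whole number of blocks, a short input indexes before the start of `ptext`, so either confirm that guarantee or add `if (*ptext_len < block_size) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` before the unpad call — it depends only on the public length, not on plaintext bytes, so it does not reintroduce the timing channel. On the masked failure path `padding` is 0, so `*ptext_len` keeps the full length and the raw decryption stays in `ptext`; a caller that ignores the return value consumes unpadded garbage, which deserves a comment such as `/* On failure ptext still holds the raw decryption and *ptext_len is not adjusted; callers must check ret */`. In `_gnutls_pkcs7_unpad`, `mask = -(unsigned int)(count <= block_size);` is a tautology because the loop runs block_size iterations adding at most one per pass, and the `count == padding` mask alone already rejects `padding > block_size`; drop it or mark it as defensive. The body of gnutls_cipher_decrypt3 begins outside the hunk, so the earlier length validation is not visible here.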


@ -0,0 +1,295 @@
From 5376a0cabf94314316005e6bf411ffcc7628b386 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 22 Jul 2025 10:49:33 +0900
Subject: [PATCH 1/3] key_update: fix state transition in KTLS code path
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/record.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/record.c b/lib/record.c
index d37f79a550..ebc75addec 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -2045,7 +2045,7 @@ ssize_t gnutls_record_send2(gnutls_session_t session, const void *data,
FALLTHROUGH;
case RECORD_SEND_KEY_UPDATE_3:
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
- return _gnutls_ktls_send(
+ ret = _gnutls_ktls_send(
session,
session->internals.record_key_update_buffer.data,
session->internals.record_key_update_buffer
--
2.50.1
From 30c264b661d49d135ef342426c6c4cd853209c06 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 31 Jul 2025 15:34:48 +0900
Subject: [PATCH 2/3] constate: switch epoch lookup to linear search
The previous logic of epoch lookup was utilizing the fact that epoch
numbers are monotonically increasing and there are no gaps in between
after garbarge collection. That is, however, no longer true when a TLS
1.3 key update is happening in only one direction.
This patch switches to using linear search instead, at the cost of
approx MAX_EPOCH_INDEX * 2 (= 8) comparison.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/constate.c | 47 ++++++++++++++++-------------------------------
lib/gnutls_int.h | 3 ---
2 files changed, 16 insertions(+), 34 deletions(-)
diff --git a/lib/constate.c b/lib/constate.c
index ca253a2bea..b091d891ff 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -932,17 +932,23 @@ static inline int epoch_resolve(gnutls_session_t session,
static inline record_parameters_st **epoch_get_slot(gnutls_session_t session,
uint16_t epoch)
{
- uint16_t epoch_index = epoch - session->security_parameters.epoch_min;
+ /* First look for a non-empty slot */
+ for (size_t i = 0; i < MAX_EPOCH_INDEX; i++) {
+ record_parameters_st **slot = &session->record_parameters[i];
+ if (*slot != NULL && (*slot)->epoch == epoch)
+ return slot;
+ }
- if (epoch_index >= MAX_EPOCH_INDEX) {
- _gnutls_handshake_log(
- "Epoch %d out of range (idx: %d, max: %d)\n",
- (int)epoch, (int)epoch_index, MAX_EPOCH_INDEX);
- gnutls_assert();
- return NULL;
+ /* Then look for an empty slot */
+ for (size_t i = 0; i < MAX_EPOCH_INDEX; i++) {
+ record_parameters_st **slot = &session->record_parameters[i];
+ if (*slot == NULL)
+ return slot;
}
- /* The slot may still be empty (NULL) */
- return &session->record_parameters[epoch_index];
+
+ gnutls_assert();
+ _gnutls_handshake_log("No slot available for epoch %u\n", epoch);
+ return NULL;
}
int _gnutls_epoch_get(gnutls_session_t session, unsigned int epoch_rel,
@@ -1063,8 +1069,7 @@ static inline int epoch_alive(gnutls_session_t session,
void _gnutls_epoch_gc(gnutls_session_t session)
{
- int i, j;
- unsigned int min_index = 0;
+ int i;
_gnutls_record_log("REC[%p]: Start of epoch cleanup\n", session);
@@ -1091,26 +1096,6 @@ void _gnutls_epoch_gc(gnutls_session_t session)
}
}
- /* Look for contiguous NULLs at the start of the array */
- for (i = 0;
- i < MAX_EPOCH_INDEX && session->record_parameters[i] == NULL; i++)
- ;
- min_index = i;
-
- /* Pick up the slack in the epoch window. */
- if (min_index != 0) {
- for (i = 0, j = min_index; j < MAX_EPOCH_INDEX; i++, j++) {
- session->record_parameters[i] =
- session->record_parameters[j];
- session->record_parameters[j] = NULL;
- }
- }
-
- /* Set the new epoch_min */
- if (session->record_parameters[0] != NULL)
- session->security_parameters.epoch_min =
- session->record_parameters[0]->epoch;
-
gnutls_mutex_unlock(&session->internals.epoch_lock);
_gnutls_record_log("REC[%p]: End of epoch cleanup\n", session);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 539486bc7d..e083520055 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -876,9 +876,6 @@ typedef struct {
/* The epoch that the next handshake will initialize. */
uint16_t epoch_next;
- /* The epoch at index 0 of record_parameters. */
- uint16_t epoch_min;
-
/* this is the ciphersuite we are going to use
* moved here from internals in order to be restored
* on resume;
--
2.50.1
From 1d830baac2f8a08a40b13e9eecfcc64ad032e7b5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sat, 19 Jul 2025 07:08:24 +0900
Subject: [PATCH 3/3] key_update: rework the rekeying logic
While RFC 8446 4.6.3 says that the sender of a KeyUpdate message
should only update its sending key, the previous implementation
updated both the sending and receiving keys, preventing that any
application data interleaved being decrypted.
This splits the key update logic into 2 phases: when sending a
KeyUpdate, only update the sending key, and when receiving a
KeyUpdate, only update the receiving key. In both cases, KeyUpdate
messages are encrypted/decrypted with the old keys.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/gnutls_int.h | 2 +-
lib/tls13/key_update.c | 72 +++++++++++++++++++++++++++---------------
2 files changed, 47 insertions(+), 27 deletions(-)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e083520055..f3caea1170 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1672,7 +1672,7 @@ typedef struct {
} internals_st;
/* Maximum number of epochs we keep around. */
-#define MAX_EPOCH_INDEX 4
+#define MAX_EPOCH_INDEX 16
#define reset_cand_groups(session) \
session->internals.cand_ec_group = session->internals.cand_dh_group = \
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index 41243651b5..beee1dc41a 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -52,45 +52,47 @@ static inline int set_ktls_keys(gnutls_session_t session,
return 0;
}
-static int update_keys(gnutls_session_t session, hs_stage_t stage)
+static int update_sending_key(gnutls_session_t session, hs_stage_t stage)
{
int ret;
- ret = _tls13_update_secret(session,
- session->key.proto.tls13.temp_secret,
- session->key.proto.tls13.temp_secret_size);
+ _gnutls_epoch_bump(session);
+ ret = _gnutls_epoch_dup(session, EPOCH_WRITE_CURRENT);
if (ret < 0)
return gnutls_assert_val(ret);
- _gnutls_epoch_bump(session);
- ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);
+ ret = _tls13_write_connection_state_init(session, stage);
if (ret < 0)
return gnutls_assert_val(ret);
- /* If we send a key update during early start, only update our
- * write keys */
- if (session->internals.recv_state == RECV_STATE_EARLY_START) {
- ret = _tls13_write_connection_state_init(session, stage);
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
+ ret = set_ktls_keys(session, GNUTLS_KTLS_SEND);
if (ret < 0)
return gnutls_assert_val(ret);
+ }
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
- ret = set_ktls_keys(session, GNUTLS_KTLS_SEND);
- } else {
- ret = _tls13_connection_state_init(session, stage);
- if (ret < 0)
- return gnutls_assert_val(ret);
+ return 0;
+}
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) &&
- stage == STAGE_UPD_OURS)
- ret = set_ktls_keys(session, GNUTLS_KTLS_SEND);
- else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) &&
- stage == STAGE_UPD_PEERS)
- ret = set_ktls_keys(session, GNUTLS_KTLS_RECV);
- }
+static int update_receiving_key(gnutls_session_t session, hs_stage_t stage)
+{
+ int ret;
+
+ _gnutls_epoch_bump(session);
+ ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = _tls13_read_connection_state_init(session, stage);
if (ret < 0)
return gnutls_assert_val(ret);
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV)) {
+ ret = set_ktls_keys(session, GNUTLS_KTLS_RECV);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
return 0;
}
@@ -128,7 +130,13 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf)
switch (buf->data[0]) {
case 0:
/* peer updated its key, not requested our key update */
- ret = update_keys(session, STAGE_UPD_PEERS);
+ ret = _tls13_update_secret(
+ session, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = update_receiving_key(session, STAGE_UPD_PEERS);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -141,7 +149,13 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf)
}
/* peer updated its key, requested our key update */
- ret = update_keys(session, STAGE_UPD_PEERS);
+ ret = _tls13_update_secret(
+ session, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = update_receiving_key(session, STAGE_UPD_PEERS);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -248,7 +262,13 @@ int gnutls_session_key_update(gnutls_session_t session, unsigned flags)
_gnutls_epoch_gc(session);
/* it was completely sent, update the keys */
- ret = update_keys(session, STAGE_UPD_OURS);
+ ret = _tls13_update_secret(session,
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = update_sending_key(session, STAGE_UPD_OURS);
if (ret < 0)
return gnutls_assert_val(ret);
--
2.50.1
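Review bot: `update_sending_key` and `update_receiving_key` now depend on the caller having advanced the secret with `_tls13_update_secret` first, but neither helper says so, and the identical three-line `_tls13_update_secret(session, session->key.proto.tls13.temp_secret, session->key.proto.tls13.temp_secret_size)` call is repeated verbatim before all three call sites in the `_gnutls13_recv_key_update` and `gnutls_session_key_update` hunks. Either move that call into the two helpers or give each a precondition comment, e.g. `/* Caller must have advanced temp_secret via _tls13_update_secret() */`. Separately, these hunks do not show whether `temp_secret` is a per-direction secret; RFC 8446 §7.2 derives client and server application_traffic_secret_N+1 independently, so if it is a single chain shared by both directions, advancing it once per KeyUpdate in either direction would make the derived keys depend on message interleaving — please confirm. The bodies of `_gnutls13_recv_key_update` and `gnutls_session_key_update` continue outside the hunks.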


@ -0,0 +1,114 @@
From e0eb2bbb212a5c9d72311c59e7235832a0075dcc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 9 Jul 2025 18:54:48 +0900
Subject: [PATCH] add tests/ktls_utils.h
Signed-off-by: rpm-build <rpm-build>
---
tests/ktls_utils.h | 94 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
create mode 100644 tests/ktls_utils.h
diff --git a/tests/ktls_utils.h b/tests/ktls_utils.h
new file mode 100644
index 0000000..231618d
--- /dev/null
+++ b/tests/ktls_utils.h
@@ -0,0 +1,94 @@
+#ifndef GNUTLS_TESTS_KTLS_UTILS_H
+#define GNUTLS_TESTS_KTLS_UTILS_H
+
+#include <fcntl.h>
+#include <signal.h>
+
+#include <netinet/in.h>
+
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+/* Sets the NONBLOCK flag on the socket(fd) */
+inline static int set_nonblocking(int fd)
+{
+ int flags = fcntl(fd, F_GETFL, 0);
+ if (flags == -1) {
+ return 1;
+ }
+
+ if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
+ return 2;
+ }
+
+ return 0;
+}
+
+/* Creates a pair of TCP connected sockets */
+static int create_socket_pair(int *client_fd, int *server_fd)
+{
+ int ret;
+ struct sockaddr_in saddr;
+ socklen_t addrlen;
+ int listener;
+
+ listener = socket(AF_INET, SOCK_STREAM, 0);
+ if (listener == -1) {
+ fail("error in listener(): %s\n", strerror(errno));
+ return 1;
+ }
+
+ int opt = 0;
+ setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = 0;
+
+ ret = bind(listener, (struct sockaddr *)&saddr, sizeof(saddr));
+ if (ret == -1) {
+ fail("error in bind(): %s\n", strerror(errno));
+ return 1;
+ }
+
+ addrlen = sizeof(saddr);
+ ret = getsockname(listener, (struct sockaddr *)&saddr, &addrlen);
+ if (ret == -1) {
+ fail("error in getsockname(): %s\n", strerror(errno));
+ return 1;
+ }
+
+ ret = listen(listener, 1);
+ if (ret == -1) {
+ fail("error in listen(): %s\n", strerror(errno));
+ close(listener);
+ return 1;
+ }
+
+ *client_fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (*client_fd < 0) {
+ fail("error in socket(): %s\n", strerror(errno));
+ return 1;
+ }
+
+ ret = connect(*client_fd, (struct sockaddr *)&saddr, addrlen);
+ if (ret < 0) {
+ fail("error in connect(): %s\n", strerror(errno));
+ close(listener);
+ close(*client_fd);
+ return 1;
+ }
+
+ *server_fd = accept(listener, NULL, NULL);
+ if (*server_fd < 0) {
+ fail("error in accept(): %s\n", strerror(errno));
+ close(listener);
+ close(*client_fd);
+ return 1;
+ }
+
+ return 0;
+}
+
+#endif //GNUTLS_TESTS_KTLS_UTILS_H
--
2.49.0
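Review bot: `int opt = 0; setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));` in create_socket_pair sets SO_REUSEADDR to 0, which is its default, so the call is a no-op and its return value is discarded; either use `int opt = 1;` and check the result, or drop the call since the socket binds to an ephemeral port and needs no address reuse. The listening socket is never closed on the success path, and also leaks on the `bind()`, `getsockname()` and client `socket()` failure returns — add `close(listener);` after `accept()` succeeds and on those early returns (if `fail()` never returns the error paths are moot, but the success-path leak remains). The header also uses `fail`, `strerror`, `errno`, `memset` and `close` without including `<errno.h>`, `<string.h>`, `<unistd.h>` or `utils.h`, so it compiles only when the including test pulls those in first; include them here or state the requirement in a comment at the top.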


@ -0,0 +1,58 @@
From 15fb5ad536c375a74cc0d87859c9fc919d924c9d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 10 Jul 2025 05:45:06 +0900
Subject: [PATCH] support VPATH build for mldsa tests
Signed-off-by: rpm-build <rpm-build>
---
tests/cert-tests/mldsa.sh | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/cert-tests/mldsa.sh b/tests/cert-tests/mldsa.sh
index 7e31e11..55e31ce 100644
--- a/tests/cert-tests/mldsa.sh
+++ b/tests/cert-tests/mldsa.sh
@@ -130,7 +130,7 @@ for variant in 44 65 87; do
# Check default
TMPKEYDEFAULT=$testdir/key-$algo-$format-default
TMPKEY=$testdir/key-$algo-$format
- ${VALGRIND} "${CERTTOOL}" -k --no-text --infile "data/key-$algo-$format.pem" >"$TMPKEYDEFAULT"
+ ${VALGRIND} "${CERTTOOL}" -k --no-text --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEYDEFAULT"
if [ $? != 0 ]; then
cat "$TMPKEYDEFAULT"
exit 1
@@ -138,19 +138,19 @@ for variant in 44 65 87; do
# The "expandedKey" format doesn't have public key part
if [ "$format" = seed ] || [ "$format" = both ]; then
- if ! "${DIFF}" "$TMPKEYDEFAULT" "data/key-$algo-both.pem"; then
+ if ! "${DIFF}" "$TMPKEYDEFAULT" "$srcdir/data/key-$algo-both.pem"; then
exit 1
fi
fi
# Check roundtrip with --key-format
- ${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "data/key-$algo-$format.pem" >"$TMPKEY"
+ ${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEY"
if [ $? != 0 ]; then
cat "$TMPKEY"
exit 1
fi
- if ! "${DIFF}" "$TMPKEY" "data/key-$algo-$format.pem"; then
+ if ! "${DIFF}" "$TMPKEY" "$srcdir/data/key-$algo-$format.pem"; then
exit 1
fi
done
@@ -164,7 +164,7 @@ for n in 1; do
fi
echo "Testing inconsistent ML-DSA key ($n)"
- if "${CERTTOOL}" -k --infile "data/key-mldsa-inconsistent$n.pem"; then
+ if "${CERTTOOL}" -k --infile "$srcdir/data/key-mldsa-inconsistent$n.pem"; then
exit 1
fi
done
--
2.49.0


@ -0,0 +1,29 @@
From a36b73a21e4b5b6e051b23192a645dea34c9d6af Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 5 Nov 2024 14:45:46 +0900
Subject: [PATCH] tests: skip CHACHA20-POLY1305 in TLS 1.2 when KTLS is enabled
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls_ktls.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
index 90d3e9af91..d5ac4efecc 100644
--- a/tests/gnutls_ktls.c
+++ b/tests/gnutls_ktls.c
@@ -347,9 +347,11 @@ void doit(void)
{
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM");
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM");
+#if 0
if (!gnutls_fips140_mode_enabled()) {
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305");
}
+#endif
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
if (!gnutls_fips140_mode_enabled()) {
--
2.47.0
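Review bot: The `#if 0` around the TLS 1.2 CHACHA20-POLY1305 run carries no explanation, so a later reader cannot tell why the case is skipped or when it may be re-enabled; the subject line attributes it to KTLS, but nothing in the code says so. Replace the bare `#if 0` with a comment giving the reason and the re-enable condition, e.g. `/* Disabled: TLS 1.2 CHACHA20-POLY1305 is not exercised under KTLS in this test; re-enable once the kernel offload path handles it */`, or condition the run on the actual capability rather than removing it unconditionally. doit() continues outside the hunk.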


@ -0,0 +1,775 @@
From 56402841df86125e2eb21fd548bae1bf482d939b Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 18 Dec 2024 01:11:50 +0900
Subject: [PATCH 1/6] pk: use deterministic RNG for RSA-PSS in self-tests
This ports the logic to use a specialized RNG with deterministic
behavior from RSA PKCS#1 v1.5 signature creation.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 5986a410c2..7baf003f41 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1494,11 +1494,7 @@ static int _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
if (salt == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- ret = gnutls_rnd(GNUTLS_RND_NONCE, salt, salt_size);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
+ rnd_func(NULL, salt_size, salt);
}
ret = sign_func(pub, priv, rnd_ctx, rnd_func, salt_size, salt, digest,
@@ -1509,7 +1505,6 @@ static int _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
} else
ret = 0;
-cleanup:
gnutls_free(salt);
return ret;
}
@@ -2126,6 +2121,7 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
case GNUTLS_PK_RSA_PSS: {
struct rsa_private_key priv;
struct rsa_public_key pub;
+ nettle_random_func *random_func;
mpz_t s;
_rsa_params_to_privkey(pk_params, &priv);
@@ -2157,8 +2153,12 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
not_approved = true;
}
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret = _rsa_pss_sign_digest_tr(sign_params->rsa_pss_dig, &pub,
- &priv, NULL, rnd_nonce_func,
+ &priv, NULL, random_func,
sign_params->salt_size,
vdata->data, s);
if (ret < 0) {
--
2.49.0
From 9f60b84e1496fa7bc62a136b83519e54ba935721 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 17 Dec 2024 16:55:47 +0900
Subject: [PATCH 2/6] fips: perform RSA self-tests using RSA-PSS instead of
PKCS#1 v1.5
Previously the RSA self-tests were using PKCS#1 v1.5, for both
signature generation and encryption/decryption, which turned a bit
problematic as GnuTLS now has a run-time option to disable that
scheme.
According to FIPS 140-3 IG 10.3.A, for each FIPS 186-4 and FIPS 186-5
public key digital signature algorithm, a CAST shall be performed
using at least one of the schemes approved for use in the approved
mode. Similarly, the IG annex D.G mentions that if the RSA signature
generation algorithm and RSA un-encapsulation scheme use the same
implementation, only test for signature generation suffices.
Therefore, this switches to using RSA-PSS only and drop the
RSA encryption/decryption self-tests.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/crypto-selftests-pk.c | 54 ++++++++++++++++++++++++++++++++++++---
lib/fips.c | 8 +++---
2 files changed, 53 insertions(+), 9 deletions(-)
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 9d6aca4b49..42f6004030 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -87,6 +87,24 @@ static const char rsa_2048_sig[] =
"\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07"
"\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
+static const char rsa_pss_2048_sig[] =
+ "\x28\x77\x99\x8b\xc6\xe2\x59\x5c\xa5\x5c\x30\x78\x13\xe2\xca\xe1"
+ "\x13\xf5\x5d\xd5\x9a\xd7\x71\xff\x41\x82\xf4\x61\xda\x3a\xb6\x10"
+ "\x20\x87\x63\x5a\x7e\x4e\xc2\x5e\xb1\x85\x0f\x84\x58\xa3\x27\x2d"
+ "\xe5\x03\xcf\x65\x1a\xb2\xe6\x8b\xcc\x28\xd8\xcc\x1a\x64\x2a\x2d"
+ "\x9a\x0b\xb7\x32\xfe\x03\x57\x8c\xa0\x9b\xf5\xd0\x51\xb5\x6c\x65"
+ "\xfe\xf9\xf3\xa4\xba\x09\x43\x80\x31\xc1\x02\x88\x78\xaa\x65\x87"
+ "\x8d\xb8\x51\xba\x76\x57\xa6\x55\x18\x45\x95\x4e\x22\x82\xb6\xfd"
+ "\xc9\x04\xf9\xb0\x56\x24\x31\x84\x2b\x70\x91\x55\x7d\x05\x1a\xd0"
+ "\x30\xae\x5c\xfd\x11\x0a\x2e\x86\x09\x05\x44\x9a\xb5\xaf\x30\x8a"
+ "\xb6\xa8\x65\x54\xaf\xdf\xf8\x9a\xca\xa0\x96\x26\x45\x09\x41\x33"
+ "\xf3\x44\x71\xe1\x31\x31\x4c\x53\x60\xcb\x7f\x0b\x02\x08\x39\xf9"
+ "\xe4\xb2\x43\xa6\x07\x1b\x7e\x15\x32\x36\x3d\xc6\x78\x0b\xf1\x9a"
+ "\x33\xe3\xee\x8c\x48\xd4\x7e\xcb\xd1\xe6\x93\x29\x13\x04\x40\x8c"
+ "\x72\xc6\x39\xab\xa1\x76\x4e\x87\x3b\x91\x06\xdf\x1d\x1e\x07\x5e"
+ "\xc2\x26\x7c\xd6\x38\x5d\xba\x9b\x50\x38\x44\x63\x91\x2a\x98\xd2"
+ "\x30\x3f\xfb\x79\x15\x5f\x2e\xd2\x3f\xb7\xc4\x69\xc2\x2d\x79\x8d";
+
#ifdef ENABLE_DSA
/* DSA 2048 private key and signature */
static const char dsa_2048_privkey[] =
@@ -532,6 +550,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
gnutls_privkey_t key;
char param_name[32];
unsigned vflags = 0;
+ gnutls_x509_spki_t spki = NULL;
if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 ||
pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512 ||
@@ -564,6 +583,22 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
goto cleanup;
}
+ if (pk == GNUTLS_PK_RSA_PSS) {
+ ret = gnutls_x509_spki_init(&spki);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ gnutls_x509_spki_set_rsa_pss_params(spki, dig, 32);
+
+ ret = gnutls_privkey_set_spki(key, spki, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+
if (pk != (unsigned)gnutls_privkey_get_pk_algorithm(key, NULL)) {
ret = GNUTLS_E_SELF_TEST_ERROR;
goto cleanup;
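Review bot: The PSS salt length is hard-coded to 32 in `gnutls_x509_spki_set_rsa_pss_params(spki, dig, 32)` while the digest comes from the `dig` parameter; the one visible caller passes GNUTLS_DIG_SHA256 so the two agree today, but a known-answer test wired up with another digest would sign with a mismatched salt and fail the compare for a non-obvious reason. Either derive it, `gnutls_x509_spki_set_rsa_pss_params(spki, dig, gnutls_hash_get_len(dig));`, or document the coupling: `/* salt length = SHA-256 output size; rsa_pss_2048_sig was produced with it */`. test_known_sig begins before this hunk and continues after it.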
@@ -629,10 +664,12 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
ret = 0;
cleanup:
- gnutls_free(sig.data);
- if (pub != 0)
+ if (spki != NULL)
+ gnutls_x509_spki_deinit(spki);
+ if (pub != NULL)
gnutls_pubkey_deinit(pub);
gnutls_privkey_deinit(key);
+ gnutls_free(sig.data);
if (ret == 0)
_gnutls_debug_log("%s-%s-known-sig self test succeeded\n",
@@ -1026,8 +1063,17 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
FALLTHROUGH;
case GNUTLS_PK_RSA_PSS:
- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048,
- GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
+ /* In POST, we switch the RNG to deterministic one so
+ * the KAT for RSA-PSS work. */
+ if (is_post) {
+ PK_KNOWN_TEST(GNUTLS_PK_RSA_PSS, 2048,
+ GNUTLS_DIG_SHA256, rsa_2048_privkey,
+ rsa_pss_2048_sig,
+ GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS);
+ } else {
+ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
+ }
if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
return 0;
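Review bot: The comment claims the RNG is switched to a deterministic one during POST, but nothing in this hunk performs or checks that switch, so the RSA-PSS known-answer test silently depends on an invariant established elsewhere; if `is_post` is ever true without the deterministic RNG active, the test fails with a generic self-test error. I'd reword the comment to say where the switch happens and that the comparison against `rsa_pss_2048_sig` only holds under it, e.g. `/* During POST the caller has installed the deterministic DRBG, so the PSS signature is reproducible and can be compared against rsa_pss_2048_sig; outside POST a sign/verify pair test is all that is possible. */`. gnutls_pk_self_test starts before this hunk.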
diff --git a/lib/fips.c b/lib/fips.c
index 63306705aa..84a70b5619 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -622,11 +622,9 @@ int _gnutls_fips_perform_self_checks2(void)
}
/* PK */
- if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
- ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
- if (ret < 0) {
- return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
- }
+ ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA_PSS);
+ if (ret < 0) {
+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
}
ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
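Review bot: The RSA self-test is dropped rather than made unconditional: the old code ran `gnutls_pk_self_test(0, GNUTLS_PK_RSA)` whenever configuration allowed RSAES-PKCS1-v1_5, and the new code only runs the RSA-PSS test, so a build whose configuration still permits PKCS#1 v1.5 (the spec on this page still carries an allow-rsa-pkcs1-encrypt patch) performs no POST for that path. Whether RSASSA-PKCS1-v1_5 is still covered by another test is not visible here; if the omission is deliberate because v1.5 is treated as non-approved, say so, `/* RSAES-PKCS1-v1_5 is non-approved; only RSA-PSS is exercised in POST */`, so it does not read as an accidental loss of coverage. _gnutls_fips_perform_self_checks2 starts before this hunk and continues after it.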
--
2.49.0
From f653b2c15f4dd550f7937cf86d255a3c96bdb236 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 12 Feb 2025 07:23:59 +0900
Subject: [PATCH 3/6] pk: sprinkle SPKI over encryption functions
Similarly to signing, the encrypt/decrypt/decrypt2 functions defined
in gnutls_crypto_pk_st now take SPKI as an additional parameter, so
the encryption/decryption behavior can be overridden.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/auth/rsa.c | 2 +-
lib/auth/rsa_psk.c | 2 +-
lib/crypto-backend.h | 9 ++++++---
lib/nettle/pk.c | 40 ++++++++++++++++++++++++----------------
lib/pk.h | 17 +++++++++++------
lib/pkcs11/p11_pk.c | 23 +++++++++++++----------
lib/privkey.c | 6 ++++--
lib/pubkey.c | 2 +-
8 files changed, 61 insertions(+), 40 deletions(-)
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index b5ecc092f8..4d181327ba 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -280,7 +280,7 @@ int _gnutls_gen_rsa_client_kx(gnutls_session_t session, gnutls_buffer_st *data)
}
ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
- &params);
+ &params, &params.spki);
gnutls_pk_params_release(&params);
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 399fb4da14..9f97569c5b 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -178,7 +178,7 @@ static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
/* Encrypt premaster secret */
if ((ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
- &params)) < 0) {
+ &params, &params.spki)) < 0) {
gnutls_assert();
return ret;
}
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 74e29a7cb9..24cbb60f77 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -386,13 +386,16 @@ typedef struct gnutls_crypto_pk {
* parameters, depending on the operation */
int (*encrypt)(gnutls_pk_algorithm_t, gnutls_datum_t *ciphertext,
const gnutls_datum_t *plaintext,
- const gnutls_pk_params_st *pub);
+ const gnutls_pk_params_st *pub,
+ const gnutls_x509_spki_st *encrypt);
int (*decrypt)(gnutls_pk_algorithm_t, gnutls_datum_t *plaintext,
const gnutls_datum_t *ciphertext,
- const gnutls_pk_params_st *priv);
+ const gnutls_pk_params_st *priv,
+ const gnutls_x509_spki_st *encrypt);
int (*decrypt2)(gnutls_pk_algorithm_t, const gnutls_datum_t *ciphertext,
unsigned char *plaintext, size_t paintext_size,
- const gnutls_pk_params_st *priv);
+ const gnutls_pk_params_st *priv,
+ const gnutls_x509_spki_st *encrypt);
int (*sign)(gnutls_pk_algorithm_t, gnutls_datum_t *signature,
const gnutls_datum_t *data, const gnutls_pk_params_st *priv,
const gnutls_x509_spki_st *sign);
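Review bot: The new SPKI parameter on encrypt/decrypt/decrypt2 has no stated nullability, yet the nettle backend in this same patch dereferences it unconditionally (`encrypt_params->pk` in _wrap_nettle_pk_decrypt and _wrap_nettle_pk_decrypt2), so a NULL here is a crash rather than "use the key's own SPKI". State the contract in the comment above these members, e.g. `/* encrypt params: SPKI overriding the key's own; must not be NULL */`, or have the backends fall back with `if (encrypt_params == NULL) encrypt_params = &pk_params->spki;`. Naming the parameter `encrypt_params` as the .c files do would also avoid a parameter called `encrypt` on the decrypt callbacks, and the pre-existing `paintext_size` typo could be fixed while touching that line.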
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 7baf003f41..ffd7493748 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1018,7 +1018,8 @@ static inline int _rsa_oaep_encrypt(gnutls_digest_algorithm_t dig,
static int _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
gnutls_datum_t *ciphertext,
const gnutls_datum_t *plaintext,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
int ret;
bool not_approved = false;
@@ -1094,10 +1095,10 @@ static int _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
goto cleanup;
}
- ret = _rsa_oaep_encrypt(pk_params->spki.rsa_oaep_dig, &pub,
+ ret = _rsa_oaep_encrypt(encrypt_params->rsa_oaep_dig, &pub,
NULL, random_func,
- pk_params->spki.rsa_oaep_label.size,
- pk_params->spki.rsa_oaep_label.data,
+ encrypt_params->rsa_oaep_label.size,
+ encrypt_params->rsa_oaep_label.data,
plaintext->size, plaintext->data, buf);
if (ret == 0 || HAVE_LIB_ERROR()) {
ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
@@ -1192,7 +1193,8 @@ static inline int _rsa_oaep_decrypt(gnutls_digest_algorithm_t dig,
static int _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
gnutls_datum_t *plaintext,
const gnutls_datum_t *ciphertext,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
int ret;
bool not_approved = false;
@@ -1200,7 +1202,7 @@ static int _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
FAIL_IF_LIB_ERROR;
- if (algo == GNUTLS_PK_RSA && pk_params->spki.pk == GNUTLS_PK_RSA_OAEP) {
+ if (algo == GNUTLS_PK_RSA && encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
algo = GNUTLS_PK_RSA_OAEP;
}
@@ -1285,10 +1287,10 @@ static int _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
random_func = rnd_nonce_func_fallback;
else
random_func = rnd_nonce_func;
- ret = _rsa_oaep_decrypt(pk_params->spki.rsa_oaep_dig, &pub,
+ ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
&priv, NULL, random_func,
- pk_params->spki.rsa_oaep_label.size,
- pk_params->spki.rsa_oaep_label.data,
+ encrypt_params->rsa_oaep_label.size,
+ encrypt_params->rsa_oaep_label.data,
&length, buf, ciphertext->data);
if (ret == 0 || HAVE_LIB_ERROR()) {
@@ -1354,7 +1356,8 @@ static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
const gnutls_datum_t *ciphertext,
unsigned char *plaintext,
size_t plaintext_size,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
struct rsa_private_key priv;
struct rsa_public_key pub;
@@ -1370,7 +1373,7 @@ static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
goto fail;
}
- if (pk_params->spki.pk == GNUTLS_PK_RSA_OAEP) {
+ if (encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
algo = GNUTLS_PK_RSA_OAEP;
}
@@ -1407,10 +1410,10 @@ static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
ciphertext->data);
break;
case GNUTLS_PK_RSA_OAEP:
- ret = _rsa_oaep_decrypt(pk_params->spki.rsa_oaep_dig, &pub,
+ ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
&priv, NULL, random_func,
- pk_params->spki.rsa_oaep_label.size,
- pk_params->spki.rsa_oaep_label.data,
+ encrypt_params->rsa_oaep_label.size,
+ encrypt_params->rsa_oaep_label.data,
&plaintext_size, plaintext,
ciphertext->data);
break;
@@ -3255,6 +3258,11 @@ static int pct_test(gnutls_pk_algorithm_t algo,
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
goto cleanup;
}
+ } else if (algo == GNUTLS_PK_RSA_OAEP) {
+ if (spki.rsa_oaep_dig == GNUTLS_DIG_UNKNOWN)
+ spki.rsa_oaep_dig = GNUTLS_DIG_SHA256;
+ ddata.data = (void *)const_data;
+ ddata.size = sizeof(const_data);
} else {
ddata.data = (void *)const_data;
ddata.size = sizeof(const_data);
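Review bot: The new `else if (algo == GNUTLS_PK_RSA_OAEP)` branch duplicates the two `ddata` assignments of the `else` branch; only the digest default is OAEP-specific, so hoisting it keeps one copy: `if (algo == GNUTLS_PK_RSA_OAEP && spki.rsa_oaep_dig == GNUTLS_DIG_UNKNOWN) spki.rsa_oaep_dig = GNUTLS_DIG_SHA256;` followed by the shared `ddata` setup. Note also that `spki.pk` is left as copied from the key, so this path relies on `algo` being GNUTLS_PK_RSA_OAEP rather than on the SPKI; the decrypt wrappers in this patch accept either signal, which is worth a one-line comment since the two can disagree. pct_test starts before this hunk and continues after it.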
@@ -3280,7 +3288,7 @@ static int pct_test(gnutls_pk_algorithm_t algo,
}
}
- ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);
+ ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params, &spki);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
@@ -3289,7 +3297,7 @@ static int pct_test(gnutls_pk_algorithm_t algo,
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
if (ret == 0 &&
- _gnutls_pk_decrypt(algo, &tmp, &sig, params) < 0) {
+ _gnutls_pk_decrypt(algo, &tmp, &sig, params, &spki) < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
if (ret == 0 &&
diff --git a/lib/pk.h b/lib/pk.h
index 6969b534de..246d6e0299 100644
--- a/lib/pk.h
+++ b/lib/pk.h
@@ -27,13 +27,18 @@
extern int crypto_pk_prio;
-#define _gnutls_pk_encrypt(algo, ciphertext, plaintext, params) \
- _gnutls_pk_backend()->encrypt(algo, ciphertext, plaintext, params)
-#define _gnutls_pk_decrypt(algo, ciphertext, plaintext, params) \
- _gnutls_pk_backend()->decrypt(algo, ciphertext, plaintext, params)
-#define _gnutls_pk_decrypt2(algo, ciphertext, plaintext, size, params) \
+#define _gnutls_pk_encrypt(algo, ciphertext, plaintext, params, \
+ encrypt_params) \
+ _gnutls_pk_backend()->encrypt(algo, ciphertext, plaintext, params, \
+ encrypt_params)
+#define _gnutls_pk_decrypt(algo, ciphertext, plaintext, params, \
+ encrypt_params) \
+ _gnutls_pk_backend()->decrypt(algo, ciphertext, plaintext, params, \
+ encrypt_params)
+#define _gnutls_pk_decrypt2(algo, ciphertext, plaintext, size, params, \
+ encrypt_params) \
_gnutls_pk_backend()->decrypt2(algo, ciphertext, plaintext, size, \
- params)
+ params, encrypt_params)
#define _gnutls_pk_sign(algo, sig, data, params, sign_params) \
_gnutls_pk_backend()->sign(algo, sig, data, params, sign_params)
#define _gnutls_pk_verify(algo, data, sig, params, sign_params) \
diff --git a/lib/pkcs11/p11_pk.c b/lib/pkcs11/p11_pk.c
index 34a9cd24bc..8227998a2f 100644
--- a/lib/pkcs11/p11_pk.c
+++ b/lib/pkcs11/p11_pk.c
@@ -228,9 +228,9 @@ cleanup:
}
static bool init_rsa_oaep_param(CK_RSA_PKCS_OAEP_PARAMS *param,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_x509_spki_st *encrypt_params)
{
- switch (pk_params->spki.rsa_oaep_dig) {
+ switch (encrypt_params->rsa_oaep_dig) {
case GNUTLS_DIG_SHA256:
param->hashAlg = CKM_SHA256;
param->mgf = CKG_MGF1_SHA256;
@@ -247,8 +247,8 @@ static bool init_rsa_oaep_param(CK_RSA_PKCS_OAEP_PARAMS *param,
return false;
}
param->source = CKZ_DATA_SPECIFIED;
- param->pSourceData = pk_params->spki.rsa_oaep_label.data;
- param->ulSourceDataLen = pk_params->spki.rsa_oaep_label.size;
+ param->pSourceData = encrypt_params->rsa_oaep_label.data;
+ param->ulSourceDataLen = encrypt_params->rsa_oaep_label.size;
return true;
}
@@ -706,7 +706,8 @@ static int derive_ecdh_secret(CK_SESSION_HANDLE session,
static int _wrap_p11_pk_encrypt(gnutls_pk_algorithm_t algo,
gnutls_datum_t *ciphertext,
const gnutls_datum_t *plaintext,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
int ret = 0;
CK_RV rv;
@@ -742,7 +743,7 @@ static int _wrap_p11_pk_encrypt(gnutls_pk_algorithm_t algo,
mech.pParameter = &param_rsa_oaep;
mech.ulParameterLen = sizeof(param_rsa_oaep);
- if (!init_rsa_oaep_param(&param_rsa_oaep, pk_params)) {
+ if (!init_rsa_oaep_param(&param_rsa_oaep, encrypt_params)) {
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
@@ -798,7 +799,8 @@ cleanup:
static int _wrap_p11_pk_decrypt(gnutls_pk_algorithm_t algo,
gnutls_datum_t *plaintext,
const gnutls_datum_t *ciphertext,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
int ret = 0;
CK_RV rv;
@@ -834,7 +836,7 @@ static int _wrap_p11_pk_decrypt(gnutls_pk_algorithm_t algo,
mech.pParameter = &param_rsa_oaep;
mech.ulParameterLen = sizeof(param_rsa_oaep);
- if (!init_rsa_oaep_param(&param_rsa_oaep, pk_params)) {
+ if (!init_rsa_oaep_param(&param_rsa_oaep, encrypt_params)) {
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
@@ -890,7 +892,8 @@ static int _wrap_p11_pk_decrypt2(gnutls_pk_algorithm_t algo,
const gnutls_datum_t *ciphertext,
unsigned char *plaintext,
size_t plaintext_size,
- const gnutls_pk_params_st *pk_params)
+ const gnutls_pk_params_st *pk_params,
+ const gnutls_x509_spki_st *encrypt_params)
{
int ret = 0;
uint32_t is_err;
@@ -928,7 +931,7 @@ static int _wrap_p11_pk_decrypt2(gnutls_pk_algorithm_t algo,
mech.pParameter = &param_rsa_oaep;
mech.ulParameterLen = sizeof(param_rsa_oaep);
- if (!init_rsa_oaep_param(&param_rsa_oaep, pk_params)) {
+ if (!init_rsa_oaep_param(&param_rsa_oaep, encrypt_params)) {
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
diff --git a/lib/privkey.c b/lib/privkey.c
index 84e984f6b9..05a3804c25 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1590,7 +1590,8 @@ int gnutls_privkey_decrypt_data(gnutls_privkey_t key, unsigned int flags,
switch (key->type) {
case GNUTLS_PRIVKEY_X509:
return _gnutls_pk_decrypt(key->pk_algorithm, plaintext,
- ciphertext, &key->key.x509->params);
+ ciphertext, &key->key.x509->params,
+ &key->key.x509->params.spki);
#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data(
@@ -1657,7 +1658,8 @@ int gnutls_privkey_decrypt_data2(gnutls_privkey_t key, unsigned int flags,
case GNUTLS_PRIVKEY_X509:
return _gnutls_pk_decrypt2(key->pk_algorithm, ciphertext,
plaintext, plaintext_size,
- &key->key.x509->params);
+ &key->key.x509->params,
+ &key->key.x509->params.spki);
#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data2(key->key.pkcs11,
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 02a08b8163..73dd9e16b0 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -2336,7 +2336,7 @@ int gnutls_pubkey_encrypt_data(gnutls_pubkey_t key, unsigned int flags,
}
return _gnutls_pk_encrypt(key->params.algo, ciphertext, plaintext,
- &key->params);
+ &key->params, &key->params.spki);
}
static int pubkey_supports_sig(gnutls_pubkey_t pubkey,
--
2.49.0
From e1be1e6b805b50a43ada57757ffe9cdf201289b5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 12 Feb 2025 12:13:47 +0900
Subject: [PATCH 4/6] pk: exercise decrypt2 in PCT
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index ffd7493748..e4ad772842 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1368,7 +1368,8 @@ static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
FAIL_IF_LIB_ERROR;
- if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
+ if ((algo != GNUTLS_PK_RSA && algo != GNUTLS_PK_RSA_OAEP) ||
+ plaintext == NULL) {
ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
goto fail;
}
@@ -3305,6 +3306,16 @@ static int pct_test(gnutls_pk_algorithm_t algo,
memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
+ if (ret == 0 &&
+ _gnutls_pk_decrypt2(algo, &sig, tmp.data, tmp.size, params,
+ &spki) < 0) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+ }
+ if (ret == 0 &&
+ !(tmp.size == ddata.size &&
+ memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+ }
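Review bot: The decrypt2 round-trip cannot fail on a backend that leaves the output buffer untouched: `tmp.data` already holds the plaintext recovered by the preceding `_gnutls_pk_decrypt`, and `tmp.size` is passed by value and never updated, so the size/memcmp check that follows compares the same bytes against themselves. Clearing the buffer first, `memset(tmp.data, 0, tmp.size);` immediately before the `_gnutls_pk_decrypt2` call, makes the check prove that decrypt2 actually wrote the plaintext. If decrypt2 is meant to report the recovered length for OAEP (the nettle wrapper hands `&plaintext_size` to _rsa_oaep_decrypt but receives it by value), that length is lost here as well. pct_test starts before this hunk and continues after it.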
if (algo == GNUTLS_PK_RSA) {
if (unlikely(gnutls_fips140_pop_context() < 0)) {
--
2.49.0
From 4e7b9e800f17bb0655e6d4de8f101d8a3b601fbc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 27 Jan 2025 16:36:41 +0900
Subject: [PATCH 5/6] fips: perform both PCTs for unrestricted RSA key
As PKCS#1 v1.5-padding is no longer allowed, exercise PCT with both
RSA-PSS and RSA-OAEP for unrestricted RSA keys. Note that, it is no
longer possible to create 512-bit RSA key under FIPS mode, because
there is a restriction of message size in RSA-OAEP based on the key
size, i.e., mLen > k - 2hLen - 2.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 50 +++++++++++++-------------------------
tests/fips-override-test.c | 4 +--
tests/fips-rsa-sizes.c | 6 -----
3 files changed, 19 insertions(+), 41 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index e4ad772842..f7f7c0637b 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -3213,7 +3213,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
gnutls_datum_t ddata, tmp = { NULL, 0 };
char *gen_data = NULL;
gnutls_x509_spki_st spki;
- gnutls_fips140_context_t context;
ret = _gnutls_x509_spki_copy(&spki, &params->spki);
if (ret < 0) {
@@ -3271,25 +3270,23 @@ static int pct_test(gnutls_pk_algorithm_t algo,
switch (algo) {
case GNUTLS_PK_RSA:
- case GNUTLS_PK_RSA_OAEP:
- if (algo == GNUTLS_PK_RSA) {
- /* Push a temporary FIPS context because _gnutls_pk_encrypt and
- * _gnutls_pk_decrypt below will mark RSAES-PKCS1-v1_5 operation
- * non-approved */
- if (gnutls_fips140_context_init(&context) < 0) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- goto cleanup;
- }
- if (gnutls_fips140_push_context(context) < 0) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- gnutls_fips140_context_deinit(context);
- goto cleanup;
- }
+ /* To comply with FIPS 140-3 IG 10.3.A, additional comment 1,
+ * Perform both key transport and signature PCTs for
+ * unrestricted RSA key. */
+ ret = pct_test(GNUTLS_PK_RSA_OAEP, params);
+ if (ret < 0) {
+ gnutls_assert();
+ break;
}
-
- ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params, &spki);
+ ret = pct_test(GNUTLS_PK_RSA_PSS, params);
+ if (ret < 0) {
+ gnutls_assert();
+ break;
+ }
+ break;
+ case GNUTLS_PK_RSA_OAEP:
+ ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA_OAEP, &sig, &ddata,
+ params, &spki);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
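Review bot: For `GNUTLS_PK_RSA` the function now recurses twice with the same `params`, so the SPKI copy and the test data prepared before the switch (visible in the hunk above) are computed and then discarded for the unrestricted-key case, and each sub-call repeats them; cheap, but worth dispatching before that setup or a comment saying it is intentional. The commit message also records that 512-bit RSA keys can no longer be generated in FIPS mode as a side effect of the OAEP message-size bound; that deserves a comment at the `pct_test(GNUTLS_PK_RSA_OAEP, params)` call, e.g. `/* OAEP PCT requires k >= mLen + 2*hLen + 2; keys too small for it fail the PCT by design */`, since a reader of the code alone will take the failure for a bug. pct_test starts before this hunk and continues after it.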
@@ -3317,14 +3314,6 @@ static int pct_test(gnutls_pk_algorithm_t algo,
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
}
- if (algo == GNUTLS_PK_RSA) {
- if (unlikely(gnutls_fips140_pop_context() < 0)) {
- ret = gnutls_assert_val(
- GNUTLS_E_PK_GENERATION_ERROR);
- }
- gnutls_fips140_context_deinit(context);
- }
-
if (ret < 0) {
goto cleanup;
}
@@ -3332,12 +3321,7 @@ static int pct_test(gnutls_pk_algorithm_t algo,
free(sig.data);
sig.data = NULL;
- /* RSA-OAEP can't be used for signing */
- if (algo == GNUTLS_PK_RSA_OAEP) {
- break;
- }
-
- FALLTHROUGH;
+ break;
case GNUTLS_PK_EC: /* we only do keys for ECDSA */
case GNUTLS_PK_EDDSA_ED25519:
case GNUTLS_PK_EDDSA_ED448:
diff --git a/tests/fips-override-test.c b/tests/fips-override-test.c
index 82db3c0c79..6fbd444d47 100644
--- a/tests/fips-override-test.c
+++ b/tests/fips-override-test.c
@@ -67,9 +67,9 @@ static void try_crypto(void)
}
assert(gnutls_x509_privkey_init(&privkey) == 0);
- ret = gnutls_x509_privkey_generate(privkey, GNUTLS_PK_RSA, 512, 0);
+ ret = gnutls_x509_privkey_generate(privkey, GNUTLS_PK_RSA, 768, 0);
if (ret < 0) {
- fail("gnutls_x509_privkey_generate failed for 512-bit key\n");
+ fail("gnutls_x509_privkey_generate failed for 768-bit key\n");
}
gnutls_x509_privkey_deinit(privkey);
}
diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c
index 61a76d3c09..2963ccd531 100644
--- a/tests/fips-rsa-sizes.c
+++ b/tests/fips-rsa-sizes.c
@@ -250,12 +250,6 @@ void doit(void)
assert(gnutls_fips140_context_init(&fips_context) == 0);
- generate_unsuccessfully(&privkey, &pubkey, 512);
- sign_verify_unsuccessfully(privkey, pubkey);
- generate_unsuccessfully(&privkey, &pubkey, 512);
- sign_verify_unsuccessfully(privkey, pubkey);
- generate_unsuccessfully(&privkey, &pubkey, 600);
- sign_verify_unsuccessfully(privkey, pubkey);
generate_unsuccessfully(&privkey, &pubkey, 768);
sign_verify_unsuccessfully(privkey, pubkey);
generate_unsuccessfully(&privkey, &pubkey, 1024);
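Review bot: The removed 512- and 600-bit cases were the only ones below 768 bits, so the test no longer exercises the new behaviour the commit message describes (generation of such keys failing in FIPS mode). If those sizes are now expected to fail outright at generation, a case asserting that failure and its error code would pin the behaviour rather than just deleting coverage; as written, a regression that lets a 512-bit key through would go unnoticed. doit starts before this hunk and continues after it.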
--
2.49.0
From 7b5f1bddcd77d61531fdb5c084c43947786b27ab Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 10 Feb 2025 15:57:39 +0900
Subject: [PATCH 6/6] tests: do not assume RSAES-PKCS1-v1_5 is enabled in
system config
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/system-override-allow-rsa-pkcs1-encrypt.sh | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
index 714d0af946..30cb77ca50 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
@@ -56,14 +56,4 @@ if [ $? = 0 ]; then
fi
echo "RSAES-PKCS1-v1_5 successfully disabled"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
-
-${TEST}
-if [ $? != 0 ]; then
- echo "${TEST} expected to succeed by default"
- exit 1
-fi
-echo "RSAES-PKCS1-v1_5 successfully enabled by default"
-
exit 0
--
2.49.0


@ -0,0 +1,34 @@
From 5eec368c91f49e5c9aa6422a8ca163644807b9fd Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 25 Jun 2025 13:12:51 +0900
Subject: [PATCH] gnutls-3.8.9-fips-mldsa.patch
---
lib/nettle/pk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index cd40eb3..a352331 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -2560,7 +2560,7 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
case GNUTLS_PK_MLDSA44:
case GNUTLS_PK_MLDSA65:
case GNUTLS_PK_MLDSA87:
-#if !defined(HAVE_LEANCRYPTO) && defined(HAVE_LIBOQS)
+#if defined(HAVE_LEANCRYPTO) || defined(HAVE_LIBOQS)
/* As of liboqs 0.12.0, liboqs implementation lacks
* sufficient checks for ML-DSA.
*/
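Review bot: The `#if` condition now also matches builds with leancrypto, but the comment retained under it still explains the block purely in terms of liboqs ("As of liboqs 0.12.0, liboqs implementation lacks sufficient checks"), so the rationale no longer describes the condition it guards; the body of the guarded block is outside this hunk, so I cannot tell what it does for leancrypto. Update the comment to state the leancrypto reason explicitly, e.g. `/* Applies to liboqs (lacks sufficient ML-DSA checks as of 0.12.0) and to leancrypto: <reason> */`. The identical hunk in _wrap_nettle_pk_verify needs the same fix.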
@@ -2939,7 +2939,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
case GNUTLS_PK_MLDSA44:
case GNUTLS_PK_MLDSA65:
case GNUTLS_PK_MLDSA87:
-#if !defined(HAVE_LEANCRYPTO) && defined(HAVE_LIBOQS)
+#if defined(HAVE_LEANCRYPTO) || defined(HAVE_LIBOQS)
/* As of liboqs 0.12.0, liboqs implementation lacks
* sufficient checks for ML-DSA.
*/
--
2.49.0

1044
gnutls-3.8.9-tls-mldsa.patch Normal file


708
gnutls.spec Normal file

@ -0,0 +1,708 @@
%define srpmhash() %{lua:
-- Short fingerprint of the spec plus every listed patch and source file:
-- their contents are concatenated, hashed with sha256sum, and the first
-- 16 hex digits are printed.
local files = rpm.expand("%_specdir/gnutls.spec")
for i, p in ipairs(patches) do
files = files.." "..p
end
for i, p in ipairs(sources) do
files = files.." "..p
end
-- NOTE(review): file names are spliced into a shell command unquoted; fine
-- for the fixed names in this spec, not for arbitrary paths.
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
-- 64 bits of the digest: an identifier for display, not a security hash.
print(string.sub(hash, 0, 16))
}
# Upstream release being packaged. Release comes from the autorelease macro
# when it is defined, otherwise 1 plus the dist tag.
Version: 3.8.10
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
# Patches are applied in this order by autosetup in prep. Each is annotated
# with its upstream status so the list can be pruned on rebase.
# not upstreamed: can we drop this as configure is regenerated when bootstrapping?
Patch: gnutls-3.2.7-rpath.patch
# not upstreamed: modifies the generated code
Patch: gnutls-3.7.2-enable-intel-cet.patch
# not upstreamed: to ignore GNUTLS_NO_EXPLICIT_INIT, for long-term support purposes
Patch: gnutls-3.7.2-no-explicit-init.patch
# not upstreamed: to avoid any inconsistency between algorithms enabled through API vs the ones enabled through config file, for long-term support purposes
Patch: gnutls-3.7.3-disable-config-reload.patch
# not upstreamed, reseed source DRBG for prediction resistance
Patch: gnutls-3.7.6-drbg-reseed.patch
# not upstreamed: see https://gitlab.com/gnutls/gnutls/-/issues/1443
Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch
# not upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932
Patch: gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
Patch: gnutls-3.8.10-tests-ktls.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
Patch: gnutls-3.8.10-tests-mldsa.patch
# not yet upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1990/diffs?commit_id=993a8055c03b60c95fc65962ed82adc80b049a9a
Patch: gnutls-3.8.10-keyupdate.patch
# CVE fixes backported from 3.8.12 release
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/2041
Patch: gnutls-3.8.10-CVE-2025-9820.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062
Patch: gnutls-3.8.10-CVE-2025-14831.patch
# intentionally omitted: CVE-2026-1584, since 3.8.10 is not vulnerable
# CVE fixes backported from 3.8.13 release
# (https://gitlab.com/gnutls/gnutls/-/merge_requests/2102)
Patch: gnutls-3.8.10-CVE-2026-33846-dtls-len.patch
Patch: gnutls-3.8.10-CVE-2026-42009-dtls-qsort.patch
Patch: gnutls-3.8.10-CVE-2026-33845-dtls-uflow.patch
Patch: gnutls-3.8.10-CVE-2026-42010-psk-nul.patch
Patch: gnutls-3.8.10-CVE-2026-3833-nc-case.patch
Patch: gnutls-3.8.10-CVE-2026-42011-nc-intersect.patch
Patch: gnutls-3.8.10-CVE-2026-42012-url-san-cn.patch
Patch: gnutls-3.8.10-CVE-2026-42013-oversized-san.patch
Patch: gnutls-3.8.10-CVE-2026-42014-so-pin-uaf.patch
Patch: gnutls-3.8.10-CVE-2026-5260-p11-rsa-overread.patch
Patch: gnutls-3.8.10-CVE-2026-42015-p12-bag32.patch
Patch: gnutls-3.8.10-CVE-2026-3832-ocsp-rev-0.patch
Patch: gnutls-3.8.10-CVE-2026-5419-p7-constant-time.patch
# non-CVE security fixes from the same release
Patch: gnutls-3.8.10-1808-psk-rehandshake.patch
Patch: gnutls-3.8.10-1810-ocsp-truncated-eku.patch
Patch: gnutls-3.8.10-1813-p11p-aes-ephemeral.patch
Patch: gnutls-3.8.10-1818-rsa-coprime.patch
Patch: gnutls-3.8.10-1818-pem-parsing.patch
Patch: gnutls-3.8.10-1819-dblfree-mid-import.patch
Patch: gnutls-3.8.10-1822-sct-overread.patch
Patch: gnutls-3.8.10-1841-hybrid-kx-zeroize.patch
Patch: gnutls-3.8.10-1823-cfg-clear-options.patch
Patch: gnutls-3.8.10-1817-security-parameters.patch
Patch: gnutls-3.8.10-1820-p11p-kdf.patch
# Build switches: bcond_without NAME enables NAME by default (turn off with
# --without NAME), bcond_with NAME disables it by default (turn on with --with).
%bcond_without bootstrap
%bcond_without dane
%bcond_without fips
%bcond_with tpm12
%bcond_without tpm2
# GOST is off on RHEL 9 and later, on everywhere else (rhel is undefined there).
%if 0%{?rhel} >= 9
%bcond_with gost
%else
%bcond_without gost
%endif
%bcond_without certificate_compression
%bcond_without leancrypto
%bcond_without tests
# SRP is only kept for Fedora releases older than 38.
%if 0%{?fedora} && 0%{?fedora} < 38
%bcond_without srp
%else
%bcond_with srp
%endif
# MinGW cross builds are Fedora-only.
%if 0%{?fedora}
%bcond_without mingw
%else
%bcond_with mingw
%endif
# With FIPS enabled, RHEL 9+ builds against a bundled gmp and RHEL 10+ also
# against a bundled nettle (both built static in the build section),
# presumably so the crypto module does not depend on the system copies.
%if 0%{?rhel} >= 9 && %{with fips}
%bcond_without bundled_gmp
%else
%bcond_with bundled_gmp
%endif
%if 0%{?rhel} >= 10 && %{with fips}
%bcond_without bundled_nettle
%else
%bcond_with bundled_nettle
%endif
%define fips_requires() %{lua:
-- Emit a "Requires: NAME = EVR" line (isa-qualified) for the package that
-- currently provides the argument, so the fips metapackage pins the exact
-- gmp/nettle builds this gnutls was built against.
local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'")))
local v = f:read("*all")
f:close()
-- NOTE(review): the EVR is read from the build root at build time; a rebuild
-- against a newer provider silently changes the generated dependency.
print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n")
}
Summary: A TLS protocol implementation
Name: gnutls
# The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPL-3.0-or-later AND LGPL-2.1-or-later
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
BuildRequires: readline-devel, libtasn1-devel >= 4.3
%if %{with certificate_compression}
BuildRequires: zlib-devel, brotli-devel, libzstd-devel
%endif
%if %{with bootstrap}
BuildRequires: automake, autoconf, gperf, libtool, texinfo
%endif
%if !%{with bundled_nettle}
BuildRequires: nettle-devel >= 3.10.1
%endif
%if %{with leancrypto}
BuildRequires: meson
%endif
%if %{with tpm12}
BuildRequires: trousers-devel >= 0.3.11.2
%endif
%if %{with tpm2}
BuildRequires: tpm2-tss-devel >= 3.0.3
%endif
BuildRequires: libidn2-devel
BuildRequires: libunistring-devel
BuildRequires: net-tools, softhsm, gcc, gcc-c++
# used by the gpgverify step in prep
BuildRequires: gnupg2
BuildRequires: git-core
# for a sanity check on cert loading
BuildRequires: p11-kit-trust, ca-certificates
Requires: crypto-policies
Requires: p11-kit-trust
Requires: libtasn1 >= 4.3
%if !%{with bundled_nettle}
# always bump when a nettle release is packaged
Requires: nettle >= 3.10.1
%endif
%if %{with tpm12}
Recommends: trousers >= 0.3.11.2
%endif
%if %{with dane}
BuildRequires: unbound-devel unbound-libs
%endif
BuildRequires: make gtk-doc
%if %{with mingw}
BuildRequires: mingw32-filesystem >= 95
BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++
BuildRequires: mingw32-libtasn1 >= 4.3
BuildRequires: mingw32-readline
BuildRequires: mingw32-zlib
BuildRequires: mingw32-p11-kit >= 0.23.1
BuildRequires: mingw32-nettle >= 3.6
BuildRequires: mingw64-filesystem >= 95
BuildRequires: mingw64-gcc
BuildRequires: mingw64-gcc-c++
BuildRequires: mingw64-libtasn1 >= 4.3
BuildRequires: mingw64-readline
BuildRequires: mingw64-zlib
BuildRequires: mingw64-p11-kit >= 0.23.1
BuildRequires: mingw64-nettle >= 3.6
%endif
# NOTE(review): plain-http project URL; consider https://www.gnutls.org/
URL: http://www.gnutls.org/
# major.minor of Version, used to build the upstream download directory below
%define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1)
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig
# keyring used in prep to verify Source1 over Source0
Source2: https://gnutls.org/gnutls-release-keyring.gpg
%if %{with bundled_gmp}
# NOTE(review): no detached signature or keyring is listed for this tarball,
# unlike the gnutls and nettle sources, and prep unpacks it unverified; confirm
# its provenance is checked elsewhere before relying on it for the FIPS build.
Source100: gmp-6.2.1.tar.xz
# Taken from the main gmp package
Source101: gmp-6.2.1-intel-cet.patch
%endif
%if %{with bundled_nettle}
Source200: nettle-3.10.1.tar.gz
Source201: nettle-3.10.1.tar.gz.sig
Source202: nettle-release-keyring.gpg
# Taken from the main nettle package
Source203: nettle-3.8-zeroize-stack.patch
Source204: nettle-3.10-hobble-to-configure.patch
%endif
%if %{with leancrypto}
# NOTE(review): same as gmp: no signature or checksum is listed and prep
# unpacks it unverified; it appears to back the ML-DSA code paths, so a
# verification step is worth adding.
Source300: leancrypto-1.5.0.tar.gz
%endif
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
# Subpackages. Each requires the exact version-release of the main package
# (isa-qualified), so all of them must come from the same build.
%package c++
Summary: The C++ interface to GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%package devel
Summary: Development files for the %{name} package
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-c++%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
Requires: pkgconfig
# utilities are GPL-3.0-or-later only, hence the separate License tag
%package utils
License: GPL-3.0-or-later
Summary: Command line tools for TLS protocol
Requires: %{name}%{?_isa} = %{version}-%{release}
%if %{with dane}
Requires: %{name}-dane%{?_isa} = %{version}-%{release}
%endif
%if %{with dane}
%package dane
Summary: A DANE protocol implementation for GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%endif
%if %{with fips}
# Metapackage with no files; it only pins the exact gmp/nettle builds (via
# fips_requires) when those libraries are not bundled into the build.
%package fips
Summary: Virtual package to install packages required to use %{name} under FIPS mode
Requires: %{name}%{?_isa} = %{version}-%{release}
%if !%{with bundled_nettle}
%{fips_requires nettle}
%endif
%if !%{with bundled_gmp}
%{fips_requires gmp}
%endif
%endif
%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
%description c++
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
%description devel
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains files needed for developing applications with
the GnuTLS library.
%description utils
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.
%if %{with dane}
%description dane
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains library that implements the DANE protocol for verifying
TLS certificates through DNSSEC.
%endif
%if %{with fips}
%description fips
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package does not contain any files; it only pulls in the packages
required to use GnuTLS in FIPS mode.
%endif
%if %{with mingw}
# Cross-compiled Windows builds (Fedora-only, see the mingw bcond above).
# They are noarch because they carry no native code for the build host.
%package -n mingw32-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw32-libtasn1 >= 4.3
BuildArch: noarch
%description -n mingw32-gnutls
GnuTLS TLS/SSL encryption library. This library is cross-compiled
for MinGW.
%package -n mingw64-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
Requires: pkgconfig
Requires: mingw64-libtasn1 >= 4.3
BuildArch: noarch
%description -n mingw64-gnutls
GnuTLS TLS/SSL encryption library. This library is cross-compiled
for MinGW.
%{?mingw_debug_package}
%endif
%prep
# Verify the upstream tarball against the release keyring before unpacking;
# autosetup then applies every Patch listed above, committing each with git.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 -S git
%if %{with bundled_gmp}
# NOTE(review): the bundled gmp tarball is unpacked without any signature or
# checksum verification, unlike gnutls and nettle, yet it ends up inside the
# FIPS build; confirm its integrity is checked somewhere else.
mkdir -p bundled_gmp
pushd bundled_gmp
tar --strip-components=1 -xf %{SOURCE100}
patch -p1 < %{SOURCE101}
popd
%endif
%if %{with bundled_nettle}
# nettle is verified against its own release keyring, then patched.
%{gpgverify} --keyring='%{SOURCE202}' --signature='%{SOURCE201}' --data='%{SOURCE200}'
mkdir -p bundled_nettle
pushd bundled_nettle
tar --strip-components=1 -xf %{SOURCE200}
patch -p1 < %{SOURCE203}
patch -p1 < %{SOURCE204}
popd
%endif
%if %{with leancrypto}
# NOTE(review): as with gmp, leancrypto is unpacked with no signature or
# checksum check; it appears to back the ML-DSA code paths, so add one.
mkdir -p bundled_leancrypto
pushd bundled_leancrypto
tar --strip-components=1 -xf %{SOURCE300}
popd
%endif
%if %{with bundled_gmp}
# With gmp linked in statically, drop the gmp reference from the pkg-config
# file, presumably so consumers do not pull in the system gmp as well.
sed -i 's/@GMP_LIBS@//' lib/gnutls.pc.in
%endif
%build
%define _lto_cflags %{nil}
%if %{with bundled_gmp}
pushd bundled_gmp
autoreconf -ifv
%configure --disable-cxx --disable-shared --enable-fat --with-pic
%make_build
popd
export GMP_DIR="$PWD/bundled_gmp"
export GMP_CFLAGS="-I$GMP_DIR"
export GMP_LIBS="$GMP_DIR/.libs/libgmp.a"
%endif
%if %{with bundled_nettle}
pushd bundled_nettle
./.bootstrap
# Disable -ggdb3 which makes debugedit unhappy
sed s/ggdb3/g/ -i configure
autoreconf -ifv
# For annocheck
export ASM_FLAGS="-Wa,--generate-missing-build-notes=yes"
%configure --disable-shared --enable-fat \
--disable-sm3 --disable-sm4 \
--disable-ecc-secp192r1 --disable-ecc-secp224r1 \
--disable-documentation \
--with-include-path="$GMP_DIR" \
--with-lib-path="$GMP_DIR/.libs" \
%{nil}
%make_build
ln -s . nettle
popd
export NETTLE_DIR="$PWD/bundled_nettle"
export NETTLE_CFLAGS="-I$NETTLE_DIR"
export NETTLE_LIBS="$NETTLE_DIR/libnettle.a"
export HOGWEED_CFLAGS="-I$NETTLE_DIR"
export HOGWEED_LIBS="$NETTLE_DIR/libhogweed.a $NETTLE_LIBS $GMP_LIBS"
%endif
%if %{with leancrypto}
pushd bundled_leancrypto
%set_build_flags
meson setup -Dprefix="$PWD/install" -Dlibdir="$PWD/install/lib" \
-Ddefault_library=static \
-Dascon=disabled -Dascon_keccak=disabled \
-Dbike_5=disabled -Dbike_3=disabled -Dbike_1=disabled \
-Dkyber_x25519=disabled -Ddilithium_ed25519=disabled \
-Dx509_parser=disabled -Dx509_generator=disabled \
-Dpkcs7_parser=disabled -Dpkcs7_generator=disabled \
-Dsha2-256=disabled \
-Dchacha20=disabled -Dchacha20_drng=disabled \
-Ddrbg_hash=disabled -Ddrbg_hmac=disabled \
-Dhash_crypt=disabled \
-Dhmac=disabled -Dhkdf=disabled \
-Dkdf_ctr=disabled -Dkdf_fb=disabled -Dkdf_dpi=disabled \
-Dpbkdf2=disabled \
-Dkmac_drng=disabled -Dcshake_drng=disabled \
-Dhotp=disabled -Dtotp=disabled \
-Daes_block=disabled -Daes_cbc=disabled -Daes_ctr=disabled \
-Daes_kw=disabled -Dapps=disabled \
_build
meson compile -v -C _build
meson install -C _build
popd
export LEANCRYPTO_DIR="$PWD/bundled_leancrypto/install"
export LEANCRYPTO_CFLAGS="-I$LEANCRYPTO_DIR/include"
export LEANCRYPTO_LIBS="$LEANCRYPTO_DIR/lib/libleancrypto.a"
%endif
%if %{with bootstrap}
autoreconf -fi
%endif
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
echo "SYSTEM=NORMAL" >> tests/system.prio
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS
%if %{with fips}
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
%endif
mkdir native_build
pushd native_build
%global _configure ../configure
%configure \
%if %{with fips}
--enable-fips140-mode \
--with-fips140-module-name="$FIPS_MODULE_NAME" \
--with-fips140-module-version=%{version}-%{srpmhash} \
%endif
%if %{with gost}
--enable-gost \
%else
--disable-gost \
%endif
%if %{with srp}
--enable-srp-authentication \
%endif
%ifarch %{ix86}
--disable-year2038 \
%endif
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
--with-default-trust-store-pkcs11="pkcs11:" \
%if %{with tpm12}
--with-trousers-lib=%{_libdir}/libtspi.so.1 \
%else
--without-tpm \
%endif
%if %{with tpm2}
--with-tpm2 \
%else
--without-tpm2 \
%endif
--enable-ktls \
--htmldir=%{_docdir}/manual \
%if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \
--enable-libdane \
%else
--disable-libdane \
%endif
%if %{with certificate_compression}
--with-zlib --with-brotli --with-zstd \
%else
--without-zlib --without-brotli --without-zstd \
%endif
%if %{with leancrypto}
--with-leancrypto \
%else
--without-leancrypto \
%endif
--disable-rpath \
--with-default-priority-string="@SYSTEM"
%make_build
%if %{with bundled_nettle}
sed -i '/^Requires.private:/s/\(nettle\|hogweed\)[ ,]*//g' lib/gnutls.pc
%endif
%if %{with leancrypto}
sed -i '/^Requires.private:/s/leancrypto[ ,]*//g' lib/gnutls.pc
%endif
popd
%if %{with mingw}
# MinGW does not support CCASFLAGS
export CCASFLAGS=""
%mingw_configure \
%if %{with srp}
--enable-srp-authentication \
%endif
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--disable-libdane \
--disable-rpath \
--disable-nls \
--disable-cxx \
--enable-shared \
--without-tpm \
--with-included-unistring \
--disable-doc \
--with-default-priority-string="@SYSTEM"
%mingw_make %{?_smp_mflags}
%endif
%install
%make_install -C native_build
pushd native_build
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%if %{without dane}
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
%endif
%if %{with fips}
# doing it twice should be a no-op the second time,
# and this way we avoid redefining it and missing a future change
%global __debug_package 1
%{__spec_install_post}
fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
%endif
%if %{with fips}
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
%{nil}
%endif
%find_lang gnutls
popd
%if %{with mingw}
%mingw_make_install
# Remove .la files
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
# The .def files aren't interesting for other binaries
rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
# Remove info and man pages which duplicate stuff in Fedora already.
rm -rf $RPM_BUILD_ROOT%{mingw32_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw32_docdir}/gnutls
rm -rf $RPM_BUILD_ROOT%{mingw64_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw64_docdir}/gnutls
# Remove test libraries
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/ncrypt.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll*
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll*
%mingw_debug_install_post
%endif
%check
%if %{with tests}
pushd native_build
make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { cat tests/test-suite.log tests/cert-tests/test-suite.log tests/slow/test-suite.log src/gl/tests/test-suite.log; exit 1; }
popd
%endif
%files -f native_build/gnutls.lang
%{_libdir}/libgnutls.so.30*
%if %{with fips}
%{_libdir}/.libgnutls.so.30*.hmac
%endif
%doc README.md AUTHORS NEWS THANKS
%license COPYING COPYING.LESSERv2
%files c++
%{_libdir}/libgnutlsxx.so.*
%files devel
%{_includedir}/*
%{_libdir}/libgnutls*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%{_infodir}/gnutls*
%{_infodir}/pkcs11-vision*
%{_docdir}/manual/*
%files utils
%{_bindir}/certtool
%if %{with tpm12}
%{_bindir}/tpmtool
%endif
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%if %{with srp}
%{_bindir}/srptool
%endif
%if %{with dane}
%{_bindir}/danetool
%endif
%{_bindir}/gnutls*
%{_mandir}/man1/*
%doc doc/certtool.cfg
%if %{with dane}
%files dane
%{_libdir}/libgnutls-dane.so.*
%endif
%if %{with fips}
%files fips
%endif
%if %{with mingw}
%files -n mingw32-%{name}
%license COPYING COPYING.LESSERv2
%{mingw32_bindir}/certtool.exe
%{mingw32_bindir}/gnutls-cli-debug.exe
%{mingw32_bindir}/gnutls-cli.exe
%{mingw32_bindir}/gnutls-serv.exe
%{mingw32_bindir}/libgnutls-30.dll
%{mingw32_bindir}/ocsptool.exe
%{mingw32_bindir}/p11tool.exe
%{mingw32_bindir}/psktool.exe
%if %{with srp}
%{mingw32_bindir}/srptool.exe
%endif
%{mingw32_libdir}/libgnutls.dll.a
%{mingw32_libdir}/libgnutls-30.def
%{mingw32_libdir}/pkgconfig/gnutls.pc
%{mingw32_includedir}/gnutls/
%files -n mingw64-%{name}
%license COPYING COPYING.LESSERv2
%{mingw64_bindir}/certtool.exe
%{mingw64_bindir}/gnutls-cli-debug.exe
%{mingw64_bindir}/gnutls-cli.exe
%{mingw64_bindir}/gnutls-serv.exe
%{mingw64_bindir}/libgnutls-30.dll
%{mingw64_bindir}/ocsptool.exe
%{mingw64_bindir}/p11tool.exe
%{mingw64_bindir}/psktool.exe
%if %{with srp}
%{mingw64_bindir}/srptool.exe
%endif
%{mingw64_libdir}/libgnutls.dll.a
%{mingw64_libdir}/libgnutls-30.def
%{mingw64_libdir}/pkgconfig/gnutls.pc
%{mingw64_includedir}/gnutls/
%endif
%changelog
%autochangelog

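--- /dev/null
+++ b/hobble-gnutls
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -x
+if [ "$1" = "-e" ] ; then
+CMD="cat < /dev/null >"
+else
+CMD="rm -f"
+fi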
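Review bot: `CMD="cat < /dev/null >"` stores shell redirections in a variable, which only does what is intended if the script later runs it through `eval`; a plain `$CMD "$f"` hands `<`, `/dev/null` and `>` to cat as literal arguments and truncates nothing. The line that consumes CMD is not in this section (the file's eighth line is not rendered), so if it is `eval`, every path fed in is re-parsed by the shell and a name containing whitespace or metacharacters breaks the hobble step silently. Defining the operation as a function avoids both problems: `hobble() { : > "$1"; }` in the `-e` branch and `hobble() { rm -f -- "$1"; }` in the other, then `hobble "$f"` at each use. `set -x` keeps the trace, so the change is otherwise behaviour-neutral.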


@ -0,0 +1,749 @@
From 499fab03ff0b46c2328992595b057ae8db63d544 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 24 Jul 2024 15:19:01 +0900
Subject: [PATCH 1/3] Add --disable-sm3 configure option
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
Makefile.in | 8 +++++---
configure.ac | 14 ++++++++++++++
examples/nettle-benchmark.c | 8 +++++++-
nettle-meta-hashes.c | 2 ++
nettle-meta-macs.c | 2 ++
testsuite/Makefile.in | 4 +++-
testsuite/hmac-test.c | 2 ++
testsuite/meta-hash-test.c | 2 ++
testsuite/meta-mac-test.c | 2 ++
9 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 71ad761e..cb7b3d99 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -123,11 +123,11 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
gost28147.c gosthash94.c gosthash94-meta.c \
hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \
hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \
- hmac-sha512.c hmac-streebog.c hmac-sm3.c \
+ hmac-sha512.c hmac-streebog.c \
hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \
hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \
hmac-sha512-meta.c hmac-gosthash94-meta.c \
- hmac-streebog-meta.c hmac-sm3-meta.c \
+ hmac-streebog-meta.c \
knuth-lfib.c hkdf.c \
md2.c md2-meta.c md4.c md4-meta.c \
md5.c md5-compat.c md5-meta.c \
@@ -153,7 +153,6 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \
sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \
sha3-shake.c shake128.c shake256.c \
- sm3.c sm3-meta.c \
serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \
serpent-meta.c \
streebog.c streebog-meta.c \
@@ -228,6 +227,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
ed448-shake256.c ed448-shake256-pubkey.c \
ed448-shake256-sign.c ed448-shake256-verify.c
+
+nettle_SOURCES += @IF_SM3@ hmac-sm3.c hmac-sm3-meta.c sm3.c sm3-meta.c
+
OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c
HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h balloon.h \
diff --git a/configure.ac b/configure.ac
index 7c003bb7..fe174919 100644
--- a/configure.ac
+++ b/configure.ac
@@ -124,6 +124,10 @@ AC_ARG_ENABLE(mini-gmp,
AS_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),,
[enable_mini_gmp=no])
+AC_ARG_ENABLE(sm3,
+ AS_HELP_STRING([--disable-sm3], [Disable SM3 hash algorithm]),,
+ [enable_sm3=yes])
+
AC_ARG_VAR(ASM_FLAGS, [Extra flags for processing assembly source files])
if test "x$enable_mini_gmp" = xyes ; then
@@ -1157,6 +1161,15 @@ else
IF_MINI_GMP='#'
fi
+AH_TEMPLATE([WITH_SM3], [Defined if SM3 hash algorithm is enabled])
+
+if test "x$enable_sm3" = xyes ; then
+ AC_DEFINE(WITH_SM3)
+ IF_SM3=''
+else
+ IF_SM3='#'
+fi
+
AC_SUBST(IF_HOGWEED)
AC_SUBST(IF_STATIC)
AC_SUBST(IF_SHARED)
@@ -1165,6 +1178,7 @@ AC_SUBST(IF_DLOPEN_TEST)
AC_SUBST(IF_DOCUMENTATION)
AC_SUBST(IF_DLL)
AC_SUBST(IF_MINI_GMP)
+AC_SUBST(IF_SM3)
OPENSSL_LIBFLAGS=''
diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c
index 2a11a694..36835854 100644
--- a/examples/nettle-benchmark.c
+++ b/examples/nettle-benchmark.c
@@ -901,6 +901,12 @@ bench_ghash_update(void)
# define OPENSSL(x)
#endif
+#if WITH_SM3
+# define SM3(x) x,
+#else
+# define SM3(x)
+#endif
+
int
main(int argc, char **argv)
{
@@ -920,7 +926,7 @@ main(int argc, char **argv)
&nettle_sha3_384, &nettle_sha3_512,
&nettle_ripemd160, &nettle_gosthash94,
&nettle_gosthash94cp, &nettle_streebog256,
- &nettle_streebog512, &nettle_sm3,
+ &nettle_streebog512, SM3(&nettle_sm3)
NULL
};
diff --git a/nettle-meta-hashes.c b/nettle-meta-hashes.c
index 2245dfb7..6d4563d9 100644
--- a/nettle-meta-hashes.c
+++ b/nettle-meta-hashes.c
@@ -57,7 +57,9 @@ const struct nettle_hash * const _nettle_hashes[] = {
&nettle_sha3_512,
&nettle_streebog256,
&nettle_streebog512,
+#if WITH_SM3
&nettle_sm3,
+#endif
NULL
};
diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c
index 48b2176e..866f0766 100644
--- a/nettle-meta-macs.c
+++ b/nettle-meta-macs.c
@@ -52,7 +52,9 @@ const struct nettle_mac * const _nettle_macs[] = {
&nettle_hmac_sha512,
&nettle_hmac_streebog256,
&nettle_hmac_streebog512,
+#if WITH_SM3
&nettle_hmac_sm3,
+#endif
NULL
};
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 0699fa0d..a45ddf77 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -25,7 +25,7 @@ TS_NETTLE_SOURCES = aes-test.c aes-keywrap-test.c arcfour-test.c arctwo-test.c \
sha3-permute-test.c sha3-224-test.c sha3-256-test.c \
sha3-384-test.c sha3-512-test.c \
shake128-test.c shake256-test.c \
- streebog-test.c sm3-test.c sm4-test.c \
+ streebog-test.c sm4-test.c \
serpent-test.c twofish-test.c version-test.c \
knuth-lfib-test.c \
cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \
@@ -60,6 +60,8 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
gostdsa-sign-test.c gostdsa-verify-test.c \
gostdsa-keygen-test.c gostdsa-vko-test.c
+TS_NETTLE_SOURCES += @IF_SM3@ sm3-test.c
+
TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES)
CXX_SOURCES = cxx-test.cxx
diff --git a/testsuite/hmac-test.c b/testsuite/hmac-test.c
index d7af2475..d34127bf 100644
--- a/testsuite/hmac-test.c
+++ b/testsuite/hmac-test.c
@@ -949,9 +949,11 @@ test_main (void)
SHEX("a1aa5f7de402d7b3d323f2991c8d4534"
"013137010a83754fd0af6d7cd4922ed9"));
+#if WITH_SM3
test_mac (&nettle_hmac_sm3, (nettle_hash_update_func*) hmac_sm3_set_key,
SDATA("monkey monkey monkey monkey"),
SDATA("abc"),
SHEX("7a9388e2ca5343b5d76e7c2c3d84f239"
"f306c0b60d5e0dc4d2771e42860a6a2b"));
+#endif
}
diff --git a/testsuite/meta-hash-test.c b/testsuite/meta-hash-test.c
index ec4e0d1e..8427e0a1 100644
--- a/testsuite/meta-hash-test.c
+++ b/testsuite/meta-hash-test.c
@@ -24,7 +24,9 @@ const char* hashes[] = {
"sha3_512",
"streebog256",
"streebog512",
+#if WITH_SM3
"sm3",
+#endif
};
void
diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c
index 6c848a88..c00efd3c 100644
--- a/testsuite/meta-mac-test.c
+++ b/testsuite/meta-mac-test.c
@@ -16,7 +16,9 @@ const char* macs[] = {
"hmac_sha512",
"hmac_streebog256",
"hmac_streebog512",
+#if WITH_SM3
"hmac_sm3",
+#endif
};
void
--
2.48.1
From 04ef86ac0ad034f44b325cd6b0ff7880d64f762f Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 24 Jul 2024 15:28:13 +0900
Subject: [PATCH 2/3] Add --disable-sm4 configure option
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
Makefile.in | 3 +--
configure.ac | 14 ++++++++++++++
examples/nettle-benchmark.c | 8 +++++++-
nettle-meta-aeads.c | 2 ++
nettle-meta-ciphers.c | 2 ++
testsuite/Makefile.in | 3 ++-
testsuite/gcm-test.c | 2 ++
testsuite/meta-aead-test.c | 2 ++
testsuite/meta-cipher-test.c | 4 +++-
9 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index cb7b3d99..9c8b8b59 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -117,7 +117,6 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
gcm-aes256.c gcm-aes256-meta.c \
gcm-camellia128.c gcm-camellia128-meta.c \
gcm-camellia256.c gcm-camellia256-meta.c \
- gcm-sm4.c gcm-sm4-meta.c \
cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \
cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \
gost28147.c gosthash94.c gosthash94-meta.c \
@@ -157,7 +156,6 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
serpent-meta.c \
streebog.c streebog-meta.c \
twofish.c twofish-meta.c \
- sm4.c sm4-meta.c \
umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \
umac-poly64.c umac-poly128.c umac-set-key.c \
umac32.c umac64.c umac96.c umac128.c \
@@ -229,6 +227,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
nettle_SOURCES += @IF_SM3@ hmac-sm3.c hmac-sm3-meta.c sm3.c sm3-meta.c
+nettle_SOURCES += @IF_SM4@ gcm-sm4.c gcm-sm4-meta.c sm4.c sm4-meta.c
OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c
diff --git a/configure.ac b/configure.ac
index fe174919..494c7d2c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -128,6 +128,10 @@ AC_ARG_ENABLE(sm3,
AS_HELP_STRING([--disable-sm3], [Disable SM3 hash algorithm]),,
[enable_sm3=yes])
+AC_ARG_ENABLE(sm4,
+ AS_HELP_STRING([--disable-sm4], [Disable SM4 symmetric cipher algorithm]),,
+ [enable_sm4=yes])
+
AC_ARG_VAR(ASM_FLAGS, [Extra flags for processing assembly source files])
if test "x$enable_mini_gmp" = xyes ; then
@@ -1170,6 +1174,15 @@ else
IF_SM3='#'
fi
+AH_TEMPLATE([WITH_SM4], [Defined if SM4 symmetric cipher is enabled])
+
+if test "x$enable_sm4" = xyes ; then
+ AC_DEFINE(WITH_SM4)
+ IF_SM4=''
+else
+ IF_SM4='#'
+fi
+
AC_SUBST(IF_HOGWEED)
AC_SUBST(IF_STATIC)
AC_SUBST(IF_SHARED)
@@ -1179,6 +1192,7 @@ AC_SUBST(IF_DOCUMENTATION)
AC_SUBST(IF_DLL)
AC_SUBST(IF_MINI_GMP)
AC_SUBST(IF_SM3)
+AC_SUBST(IF_SM4)
OPENSSL_LIBFLAGS=''
diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c
index 36835854..66f92f6e 100644
--- a/examples/nettle-benchmark.c
+++ b/examples/nettle-benchmark.c
@@ -907,6 +907,12 @@ bench_ghash_update(void)
# define SM3(x)
#endif
+#if WITH_SM4
+# define SM4(x) x,
+#else
+# define SM4(x)
+#endif
+
int
main(int argc, char **argv)
{
@@ -943,7 +949,7 @@ main(int argc, char **argv)
&nettle_des3,
&nettle_serpent256,
&nettle_twofish128, &nettle_twofish192, &nettle_twofish256,
- &nettle_sm4,
+ SM4(&nettle_sm4)
NULL
};
diff --git a/nettle-meta-aeads.c b/nettle-meta-aeads.c
index 78f38a3c..c94fecd5 100644
--- a/nettle-meta-aeads.c
+++ b/nettle-meta-aeads.c
@@ -43,7 +43,9 @@ const struct nettle_aead * const _nettle_aeads[] = {
&nettle_gcm_aes256,
&nettle_gcm_camellia128,
&nettle_gcm_camellia256,
+#if WITH_SM4
&nettle_gcm_sm4,
+#endif
&nettle_eax_aes128,
&nettle_chacha_poly1305,
NULL
diff --git a/nettle-meta-ciphers.c b/nettle-meta-ciphers.c
index f8d691cf..6a84a43a 100644
--- a/nettle-meta-ciphers.c
+++ b/nettle-meta-ciphers.c
@@ -54,7 +54,9 @@ const struct nettle_cipher * const _nettle_ciphers[] = {
&nettle_arctwo64,
&nettle_arctwo128,
&nettle_arctwo_gutmann128,
+#if WITH_SM4
&nettle_sm4,
+#endif
NULL
};
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index a45ddf77..3483f409 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -25,7 +25,7 @@ TS_NETTLE_SOURCES = aes-test.c aes-keywrap-test.c arcfour-test.c arctwo-test.c \
sha3-permute-test.c sha3-224-test.c sha3-256-test.c \
sha3-384-test.c sha3-512-test.c \
shake128-test.c shake256-test.c \
- streebog-test.c sm4-test.c \
+ streebog-test.c \
serpent-test.c twofish-test.c version-test.c \
knuth-lfib-test.c \
cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \
@@ -61,6 +61,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
gostdsa-keygen-test.c gostdsa-vko-test.c
TS_NETTLE_SOURCES += @IF_SM3@ sm3-test.c
+TS_NETTLE_SOURCES += @IF_SM4@ sm4-test.c
TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES)
CXX_SOURCES = cxx-test.cxx
diff --git a/testsuite/gcm-test.c b/testsuite/gcm-test.c
index e8228ed7..fad9184a 100644
--- a/testsuite/gcm-test.c
+++ b/testsuite/gcm-test.c
@@ -825,6 +825,7 @@ test_main(void)
"16aedbf5a0de6a57 a637b39b"), /* iv */
SHEX("5791883f822013f8bd136fc36fb9946b")); /* tag */
+#if WITH_SM4
/*
* GCM-SM4 Test Vectors from
* https://datatracker.ietf.org/doc/html/rfc8998
@@ -842,6 +843,7 @@ test_main(void)
"A56834CBCF98C397B4024A2691233B8D"),
SHEX("00001234567800000000ABCD"),
SHEX("83DE3541E4C2B58177E065A9BF7B62EC"));
+#endif
/* Test gcm_hash, with varying message size, keys and iv all zero.
Not compared to any other implementation. */
diff --git a/testsuite/meta-aead-test.c b/testsuite/meta-aead-test.c
index ceeca227..d1a3193f 100644
--- a/testsuite/meta-aead-test.c
+++ b/testsuite/meta-aead-test.c
@@ -8,7 +8,9 @@ const char* aeads[] = {
"gcm_aes256",
"gcm_camellia128",
"gcm_camellia256",
+#if WITH_SM4
"gcm_sm4",
+#endif
"eax_aes128",
"chacha_poly1305",
};
diff --git a/testsuite/meta-cipher-test.c b/testsuite/meta-cipher-test.c
index 912fac5a..b57fcbe1 100644
--- a/testsuite/meta-cipher-test.c
+++ b/testsuite/meta-cipher-test.c
@@ -20,7 +20,9 @@ const char* ciphers[] = {
"twofish128",
"twofish192",
"twofish256",
- "sm4"
+#if WITH_SM4
+ "sm4",
+#endif
};
void
--
2.48.1
From cef5228a90257430d4151163c259bc83fd2f7900 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 22 Aug 2024 10:49:46 +0900
Subject: [PATCH 3/3] Add --disable-ecc-{secp192r1,secp224r1} configure option
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
Makefile.in | 5 ++++-
configure.ac | 36 ++++++++++++++++++++++++++++++++++-
examples/ecc-benchmark.c | 4 ++++
examples/hogweed-benchmark.c | 6 ++++++
testsuite/ecdh-test.c | 4 ++++
testsuite/ecdsa-sign-test.c | 6 ++++++
testsuite/ecdsa-verify-test.c | 4 ++++
testsuite/testutils.c | 10 +++++++++-
8 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 9c8b8b59..1e9ed61c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -202,7 +202,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
ecc-curve25519.c ecc-curve448.c \
ecc-gost-gc256b.c ecc-gost-gc512a.c \
- ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
+ ecc-secp256r1.c \
ecc-secp384r1.c ecc-secp521r1.c \
ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c ecc-nonsec-add-jjj.c \
@@ -229,6 +229,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
nettle_SOURCES += @IF_SM3@ hmac-sm3.c hmac-sm3-meta.c sm3.c sm3-meta.c
nettle_SOURCES += @IF_SM4@ gcm-sm4.c gcm-sm4-meta.c sm4.c sm4-meta.c
+hogweed_SOURCES += @IF_ECC_SECP192R1@ ecc-secp192r1.c
+hogweed_SOURCES += @IF_ECC_SECP224R1@ ecc-secp224r1.c
+
OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c
HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h balloon.h \
diff --git a/configure.ac b/configure.ac
index 494c7d2c..105640e1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -132,6 +132,14 @@ AC_ARG_ENABLE(sm4,
AS_HELP_STRING([--disable-sm4], [Disable SM4 symmetric cipher algorithm]),,
[enable_sm4=yes])
+AC_ARG_ENABLE(ecc-secp192r1,
+ AS_HELP_STRING([--disable-ecc-secp192r1], [Disable NIST secp192r1 curve]),,
+ [enable_ecc_secp192r1=yes])
+
+AC_ARG_ENABLE(ecc-secp224r1,
+ AS_HELP_STRING([--disable-ecc-secp224r1], [Disable NIST secp224r1 curve]),,
+ [enable_ecc_secp224r1=yes])
+
AC_ARG_VAR(ASM_FLAGS, [Extra flags for processing assembly source files])
if test "x$enable_mini_gmp" = xyes ; then
@@ -624,9 +632,15 @@ asm_nettle_optional_list="cpuid.asm cpu-facility.asm \
asm_hogweed_optional_list=""
if test "x$enable_public_key" = "xyes" ; then
- asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \
+ asm_hogweed_optional_list="\
ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \
ecc-curve25519-modp.asm ecc-curve448-modp.asm"
+ if test "x$enable_ecc_secp192r1" = "xyes" ; then
+ asm_hogweed_optional_list="ecc-secp192r1-modp.asm $asm_hogweed_optional_list"
+ fi
+ if test "x$enable_ecc_secp224r1" = "xyes" ; then
+ asm_hogweed_optional_list="ecc-secp224r1-modp.asm $asm_hogweed_optional_list"
+ fi
fi
OPT_NETTLE_OBJS=""
@@ -1183,6 +1197,24 @@ else
IF_SM4='#'
fi
+AH_TEMPLATE([WITH_ECC_SECP192R1], [Defined if NIST secp192r1 curve is enabled])
+
+if test "x$enable_ecc_secp192r1" = xyes ; then
+ AC_DEFINE(WITH_ECC_SECP192R1)
+ IF_ECC_SECP192R1=''
+else
+ IF_ECC_SECP192R1='#'
+fi
+
+AH_TEMPLATE([WITH_ECC_SECP224R1], [Defined if NIST secp224r1 curve is enabled])
+
+if test "x$enable_ecc_secp224r1" = xyes ; then
+ AC_DEFINE(WITH_ECC_SECP224R1)
+ IF_ECC_SECP224R1=''
+else
+ IF_ECC_SECP224R1='#'
+fi
+
AC_SUBST(IF_HOGWEED)
AC_SUBST(IF_STATIC)
AC_SUBST(IF_SHARED)
@@ -1193,6 +1225,8 @@ AC_SUBST(IF_DLL)
AC_SUBST(IF_MINI_GMP)
AC_SUBST(IF_SM3)
AC_SUBST(IF_SM4)
+AC_SUBST(IF_ECC_SECP192R1)
+AC_SUBST(IF_ECC_SECP224R1)
OPENSSL_LIBFLAGS=''
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c
index 7e857f80..ebcced65 100644
--- a/examples/ecc-benchmark.c
+++ b/examples/ecc-benchmark.c
@@ -314,8 +314,12 @@ bench_curve (const struct ecc_curve *ecc)
}
const struct ecc_curve * const curves[] = {
+#if WITH_ECC_SECP192R1
&_nettle_secp_192r1,
+#endif
+#if WITH_ECC_SECP224R1
&_nettle_secp_224r1,
+#endif
&_nettle_curve25519,
&_nettle_secp_256r1,
&_nettle_secp_384r1,
diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c
index 3f858833..df608ffa 100644
--- a/examples/hogweed-benchmark.c
+++ b/examples/hogweed-benchmark.c
@@ -410,6 +410,7 @@ bench_ecdsa_init (unsigned size)
switch (size)
{
+#if WITH_ECC_SECP192R1
case 192:
ecc = &_nettle_secp_192r1;
xs = "8e8e07360350fb6b7ad8370cfd32fa8c6bba785e6e200599";
@@ -418,6 +419,8 @@ bench_ecdsa_init (unsigned size)
ctx->digest = hash_string (&nettle_sha1, "abc");
ctx->digest_size = 20;
break;
+#endif
+#if WITH_ECC_SECP224R1
case 224:
ecc = &_nettle_secp_224r1;
xs = "993bf363f4f2bc0f255f22563980449164e9c894d9efd088d7b77334";
@@ -426,6 +429,7 @@ bench_ecdsa_init (unsigned size)
ctx->digest = hash_string (&nettle_sha224, "abc");
ctx->digest_size = 28;
break;
+#endif
/* From RFC 4754 */
case 256:
@@ -864,7 +868,9 @@ struct alg alg_list[] = {
#if 0
{ "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear },
#endif
+#if WITH_ECC_SECP192R1
{ "ecdsa", 192, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
+#endif
{ "ecdsa", 224, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
{ "ecdsa", 256, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
{ "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
diff --git a/testsuite/ecdh-test.c b/testsuite/ecdh-test.c
index ff4f7233..f852d813 100644
--- a/testsuite/ecdh-test.c
+++ b/testsuite/ecdh-test.c
@@ -159,6 +159,7 @@ test_public_key (const char *label, const struct ecc_curve *ecc,
void
test_main(void)
{
+#if WITH_ECC_SECP192R1
test_public_key ("(0,0) with secp-192r1", &_nettle_secp_192r1, "0", "0", 0);
test_public_key (
"(P,0) with secp-192r1", &_nettle_secp_192r1,
@@ -188,7 +189,9 @@ test_main(void)
"293088185788565313717816218507714888251468410990708684573",
"149293809021051532782730990145509724807636529827149481690",
"2891131861147398318714693938158856874319184314120776776192");
+#endif
+#if WITH_ECC_SECP224R1
test_dh ("secp-224r1", &_nettle_secp_224r1,
"1321072106881784386340709783538698930880431939595776773514895067682",
"6768311794185371282972144247871764855860666277647541840973645586477",
@@ -198,6 +201,7 @@ test_main(void)
"24223309755162432227459925493224336241652868856405241018762887667883",
"8330362698029245839097779050425944245826040430538860338085968752913",
"24167244512472228715617822000878192535267113543393576038737592837010");
+#endif
test_dh ("secp-256r1", &_nettle_secp_256r1,
"94731533361265297353914491124013058635674217345912524033267198103710636378786",
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
index 46fc2738..aa44adb5 100644
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
@@ -74,6 +74,7 @@ test_main (void)
if (test_side_channel)
SKIP();
#endif
+#if WITH_ECC_SECP224R1
/* Producing the signature for corresponding test in
ecdsa-verify-test.c, with special u1 and u2. */
test_ecdsa (&_nettle_secp_224r1,
@@ -86,6 +87,7 @@ test_main (void)
"d16dc18032d268fd1a704fa6", /* r */
"3a41e1423b1853e8aa89747b1f987364"
"44705d6d6d8371ea1f578f2e"); /* s */
+#endif
/* Produce a signature where verify operation results in a point duplication. */
test_ecdsa (&_nettle_secp_256r1,
@@ -99,6 +101,7 @@ test_main (void)
"53f097727a0e0dc284a0daa0da0ab77d"
"5792ae67ed075d1f8d5bda0f853fa093"); /* s */
+#if WITH_ECC_SECP192R1
/* Test cases for the smaller groups, verified with a
proof-of-concept implementation done for Yubico AB. */
test_ecdsa (&_nettle_secp_192r1,
@@ -116,7 +119,9 @@ test_main (void)
"a91fb738f9f175d72f9c98527e881c36"
"8de68cb55ffe589"); /* s */
+#endif
+#if WITH_ECC_SECP224R1
test_ecdsa (&_nettle_secp_224r1,
"446df0a771ed58403ca9cb316e617f6b"
"158420465d00a69601e22858", /* z */
@@ -132,6 +137,7 @@ test_main (void)
"d0f069fd0f108eb07b7bbc54c8d6c88d"
"f2715c38a95c31a2b486995f"); /* s */
+#endif
/* From RFC 4754 */
test_ecdsa (&_nettle_secp_256r1,
diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c
index 8d527000..1fa69f09 100644
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
@@ -81,6 +81,7 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
+#if WITH_ECC_SECP224R1
/* Corresponds to nonce k = 2 and private key z =
0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
hash are chosen so that intermediate scalars in the verify
@@ -100,7 +101,9 @@ test_main (void)
"d16dc18032d268fd1a704fa6", /* r */
"3a41e1423b1853e8aa89747b1f987364"
"44705d6d6d8371ea1f578f2e"); /* s */
+#endif
+#if WITH_ECC_SECP192R1
/* Test case provided by Guido Vranken, from oss-fuzz */
test_ecdsa (&_nettle_secp_192r1,
"14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */
@@ -108,6 +111,7 @@ test_main (void)
SHEX("00"), /* h == 0 corner case*/
"952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */
"ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */
+#endif
/* Test case provided by Guido Vranken, from oss-fuzz. Triggers
point duplication in the verify operation by using private key =
diff --git a/testsuite/testutils.c b/testsuite/testutils.c
index 76aa5563..5b7c7deb 100644
--- a/testsuite/testutils.c
+++ b/testsuite/testutils.c
@@ -2230,8 +2230,12 @@ test_dsa_key(const struct dsa_params *params,
}
const struct ecc_curve * const ecc_curves[] = {
+#if WITH_ECC_SECP192R1
&_nettle_secp_192r1,
+#endif
+#if WITH_ECC_SECP224R1
&_nettle_secp_224r1,
+#endif
&_nettle_secp_256r1,
&_nettle_secp_384r1,
&_nettle_secp_521r1,
@@ -2355,7 +2359,8 @@ test_ecc_point (const struct ecc_curve *ecc,
}
/* For each curve, the points g, 2 g, 3 g and 4 g */
-static const struct ecc_ref_point ecc_ref[9][4] = {
+static const struct ecc_ref_point ecc_ref[][4] = {
+#if WITH_ECC_SECP192R1
{ { "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012",
"07192b95ffc8da78631011ed6b24cdd573f977a11e794811" },
{ "dafebf5828783f2ad35534631588a3f629a70fb16982a888",
@@ -2365,6 +2370,8 @@ static const struct ecc_ref_point ecc_ref[9][4] = {
{ "35433907297cc378b0015703374729d7a4fe46647084e4ba",
"a2649984f2135c301ea3acb0776cd4f125389b311db3be32" }
},
+#endif
+#if WITH_ECC_SECP224R1
{ { "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21",
"bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" },
{ "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6",
@@ -2374,6 +2381,7 @@ static const struct ecc_ref_point ecc_ref[9][4] = {
{ "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301",
"482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" },
},
+#endif
{ { "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" },
{ "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
--
2.48.1
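Review bot: In the `examples/hogweed-benchmark.c` hunk of patch 3/3, the `alg_list` entry `{ "ecdsa", 224, bench_ecdsa_init, ... }` is left unguarded while the 192 entry directly above it gets `#if WITH_ECC_SECP192R1`, yet the matching `case 224:` in `bench_ecdsa_init` is wrapped in `WITH_ECC_SECP224R1`. With `--disable-ecc-secp224r1`, which this spec passes to the bundled nettle build, the benchmark still calls `bench_ecdsa_init(224)` and falls through to whatever the switch does for an unknown size; that default branch is outside the hunk, so the exact failure cannot be confirmed here. Wrapping the entry in `#if WITH_ECC_SECP224R1` / `#endif` mirrors the 192 case and keeps the table consistent with the curve list it indexes. Only the example binary is affected, not libhogweed itself.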


@ -0,0 +1,334 @@
From 24a4cb910a51f35dff89842e8cce27f88e8e78c3 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 24 Aug 2022 17:19:57 +0900
Subject: [PATCH] Clear any intermediate data allocate on stack
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
cbc.c | 3 +++
cfb.c | 13 +++++++++++++
ctr.c | 4 ++++
ctr16.c | 2 ++
ecc-random.c | 3 +++
ecdsa-keygen.c | 2 ++
ecdsa-sign.c | 2 ++
ed25519-sha512-sign.c | 2 ++
ed448-shake256-sign.c | 2 ++
gostdsa-sign.c | 2 ++
hmac.c | 10 +++++++---
nettle-internal.h | 5 +++++
pbkdf2.c | 5 ++++-
pss-mgf1.c | 5 ++++-
pss.c | 4 ++++
15 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/cbc.c b/cbc.c
index 76b6492d..b9da3aa0 100644
--- a/cbc.c
+++ b/cbc.c
@@ -128,6 +128,9 @@ cbc_decrypt(const void *ctx, nettle_cipher_func *f,
length - block_size);
/* Writes first block. */
memxor3(dst, buffer, initial_iv, block_size);
+
+ TMP_CLEAR(buffer, buffer_size);
+ TMP_CLEAR(initial_iv, block_size);
}
}
diff --git a/cfb.c b/cfb.c
index b9da3159..b1b01b9e 100644
--- a/cfb.c
+++ b/cfb.c
@@ -83,6 +83,8 @@ cfb_encrypt(const void *ctx, nettle_cipher_func *f,
/* We do not care about updating IV here. This is the last call in
* message sequence and one has to set IV afterwards anyway */
}
+
+ TMP_CLEAR(buffer, block_size);
}
/* Don't allocate any more space than this on the stack */
@@ -115,6 +117,8 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f,
f(ctx, block_size, buffer, iv);
memxor3(dst + length, src + length, buffer, left);
+
+ TMP_CLEAR(buffer, block_size);
}
}
else
@@ -160,6 +164,9 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f,
f(ctx, block_size, buffer, iv);
memxor(dst, buffer, left);
}
+
+ TMP_CLEAR(buffer, buffer_size);
+ TMP_CLEAR(initial_iv, block_size);
}
}
@@ -196,6 +203,9 @@ cfb8_encrypt(const void *ctx, nettle_cipher_func *f,
pos ++;
}
memcpy(iv, buffer + pos, block_size);
+
+ TMP_CLEAR(buffer, block_size * 2);
+ TMP_CLEAR(outbuf, block_size);
}
void
@@ -235,4 +245,7 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
}
memcpy(iv, buffer + i, block_size);
+
+ TMP_CLEAR(buffer, block_size * 2);
+ TMP_CLEAR(outbuf, block_size * 2);
}
diff --git a/ctr.c b/ctr.c
index 8c6b4626..217d1abb 100644
--- a/ctr.c
+++ b/ctr.c
@@ -137,6 +137,8 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f,
f(ctx, block_size, block, ctr);
INCREMENT(block_size, ctr);
memxor3(dst + filled, src + filled, block, length - filled);
+
+ TMP_CLEAR(block, block_size);
}
}
else
@@ -173,5 +175,7 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f,
INCREMENT(block_size, ctr);
memxor(dst, buffer, length);
}
+
+ TMP_CLEAR(buffer, buffer_size);
}
}
diff --git a/ctr16.c b/ctr16.c
index d744d2a9..ec0abd72 100644
--- a/ctr16.c
+++ b/ctr16.c
@@ -102,5 +102,7 @@ _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f,
done:
memxor3 (dst + i, src + i, buffer->b, length - i);
}
+
+ TMP_CLEAR(buffer, MIN(blocks, CTR_BUFFER_LIMIT / 16));
}
}
diff --git a/ecc-random.c b/ecc-random.c
index a7b48d6a..676f5933 100644
--- a/ecc-random.c
+++ b/ecc-random.c
@@ -36,6 +36,7 @@
#endif
#include <assert.h>
+#include <string.h>
#include "ecc.h"
#include "ecc-internal.h"
@@ -79,4 +80,6 @@ ecc_scalar_random (struct ecc_scalar *x,
TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size));
ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch);
+
+ TMP_CLEAR (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size));
}
diff --git a/ecdsa-keygen.c b/ecdsa-keygen.c
index 870282b0..05dd827a 100644
--- a/ecdsa-keygen.c
+++ b/ecdsa-keygen.c
@@ -59,4 +59,6 @@ ecdsa_generate_keypair (struct ecc_point *pub,
ecc_mod_random (&ecc->q, key->p, random_ctx, random, p);
ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size);
ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size);
+
+ TMP_CLEAR (p, itch);
}
diff --git a/ecdsa-sign.c b/ecdsa-sign.c
index e6fb3287..e6b960bf 100644
--- a/ecdsa-sign.c
+++ b/ecdsa-sign.c
@@ -68,4 +68,6 @@ ecdsa_sign (const struct ecc_scalar *key,
mpz_limbs_finish (signature->s, size);
}
while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0);
+
+ TMP_CLEAR (k, size + ECC_ECDSA_SIGN_ITCH (size));
}
diff --git a/ed25519-sha512-sign.c b/ed25519-sha512-sign.c
index 389a157e..52a46ea5 100644
--- a/ed25519-sha512-sign.c
+++ b/ed25519-sha512-sign.c
@@ -38,6 +38,7 @@
#include "ecc-internal.h"
#include "sha2.h"
+#include <string.h>
void
ed25519_sha512_sign (const uint8_t *pub,
@@ -61,6 +62,7 @@ ed25519_sha512_sign (const uint8_t *pub,
length, msg, signature, scratch_out);
gmp_free_limbs (scratch, itch);
+ explicit_bzero (digest, sizeof(digest));
#undef k1
#undef k2
#undef scratch_out
diff --git a/ed448-shake256-sign.c b/ed448-shake256-sign.c
index c524593d..01abf457 100644
--- a/ed448-shake256-sign.c
+++ b/ed448-shake256-sign.c
@@ -39,6 +39,7 @@
#include "ecc-internal.h"
#include "eddsa-internal.h"
#include "sha3.h"
+#include <string.h>
void
ed448_shake256_sign (const uint8_t *pub,
@@ -63,6 +64,7 @@ ed448_shake256_sign (const uint8_t *pub,
length, msg, signature, scratch_out);
gmp_free_limbs (scratch, itch);
+ explicit_bzero (digest, sizeof(digest));
#undef k1
#undef k2
#undef scratch_out
diff --git a/gostdsa-sign.c b/gostdsa-sign.c
index 892c0742..a7e0c21d 100644
--- a/gostdsa-sign.c
+++ b/gostdsa-sign.c
@@ -71,4 +71,6 @@ gostdsa_sign (const struct ecc_scalar *key,
mpz_limbs_finish (signature->s, size);
}
while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0);
+
+ TMP_CLEAR (k, size + ECC_GOSTDSA_SIGN_ITCH (size));
}
diff --git a/hmac.c b/hmac.c
index ea356970..6a55551b 100644
--- a/hmac.c
+++ b/hmac.c
@@ -53,6 +53,8 @@ hmac_set_key(void *outer, void *inner, void *state,
{
TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE);
TMP_ALLOC(pad, hash->block_size);
+ TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+ TMP_ALLOC(digest, hash->digest_size);
hash->init(outer);
hash->init(inner);
@@ -62,9 +64,6 @@ hmac_set_key(void *outer, void *inner, void *state,
/* Reduce key to the algorithm's hash size. Use the area pointed
* to by state for the temporary state. */
- TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
- TMP_ALLOC(digest, hash->digest_size);
-
hash->init(state);
hash->update(state, key_length, key);
hash->digest(state, hash->digest_size, digest);
@@ -86,6 +85,9 @@ hmac_set_key(void *outer, void *inner, void *state,
hash->update(inner, hash->block_size, pad);
memcpy(state, inner, hash->context_size);
+
+ TMP_CLEAR(pad, hash->block_size);
+ TMP_CLEAR(digest, hash->digest_size);
}
void
@@ -112,4 +114,6 @@ hmac_digest(const void *outer, const void *inner, void *state,
hash->digest(state, length, dst);
memcpy(state, inner, hash->context_size);
+
+ TMP_CLEAR(digest, hash->digest_size);
}
diff --git a/nettle-internal.h b/nettle-internal.h
index c41f3ee0..62b89e11 100644
--- a/nettle-internal.h
+++ b/nettle-internal.h
@@ -76,6 +76,11 @@
do { assert((size_t)(size) <= (sizeof(name))); } while (0)
#endif
+#include <string.h> /* explicit_bzero */
+
+#define TMP_CLEAR(name, size) (explicit_bzero (name, sizeof (*name) * (size)))
+#define TMP_CLEAR_ALIGN(name, size) (explicit_bzero (name, size))
+
/* Limits that apply to systems that don't have alloca */
#define NETTLE_MAX_HASH_BLOCK_SIZE 144 /* For sha3_224*/
#define NETTLE_MAX_HASH_DIGEST_SIZE 64
diff --git a/pbkdf2.c b/pbkdf2.c
index 291d138a..a8ecba5b 100644
--- a/pbkdf2.c
+++ b/pbkdf2.c
@@ -92,8 +92,11 @@ pbkdf2 (void *mac_ctx,
if (length <= digest_size)
{
memcpy (dst, T, length);
- return;
+ break;
}
memcpy (dst, T, digest_size);
}
+
+ TMP_CLEAR (U, digest_size);
+ TMP_CLEAR (T, digest_size);
}
diff --git a/pss-mgf1.c b/pss-mgf1.c
index 3f5e204b..3644c642 100644
--- a/pss-mgf1.c
+++ b/pss-mgf1.c
@@ -66,8 +66,11 @@ pss_mgf1(const void *seed, const struct nettle_hash *hash,
if (length <= hash->digest_size)
{
hash->digest(state, length, mask);
- return;
+ break;
}
hash->digest(state, hash->digest_size, mask);
}
+
+ TMP_CLEAR(h, hash->digest_size);
+ TMP_CLEAR_ALIGN(state, hash->context_size);
}
diff --git a/pss.c b/pss.c
index d28e7b13..8106ebf2 100644
--- a/pss.c
+++ b/pss.c
@@ -77,6 +77,7 @@ pss_encode_mgf1(mpz_t m, size_t bits,
if (key_size < hash->digest_size + salt_length + 2)
{
TMP_GMP_FREE(em);
+ TMP_CLEAR_ALIGN(state, hash->context_size);
return 0;
}
@@ -111,6 +112,7 @@ pss_encode_mgf1(mpz_t m, size_t bits,
nettle_mpz_set_str_256_u(m, key_size, em);
TMP_GMP_FREE(em);
+ TMP_CLEAR_ALIGN(state, hash->context_size);
return 1;
}
@@ -194,5 +196,7 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
ret = 1;
cleanup:
TMP_GMP_FREE(em);
+ TMP_CLEAR(h2, hash->digest_size);
+ TMP_CLEAR_ALIGN(state, hash->context_size);
return ret;
}
--
2.41.0
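Review bot: In the ed25519-sha512-sign.c and ed448-shake256-sign.c hunks the new `explicit_bzero (digest, sizeof(digest))` runs after `gmp_free_limbs (scratch, itch)`, so the heap scratch area — which the following `#undef k1` / `#undef k2` / `#undef scratch_out` lines indicate holds the expanded private key and signing intermediates — is released unwiped unless gmp_free_limbs itself clears before freeing (not visible here). Wiping it before the free, e.g. `explicit_bzero (scratch, itch * sizeof (mp_limb_t));` directly above the `gmp_free_limbs` line, would match the intent of the rest of this patch; confirm the limb type against the declaration, which lies outside the hunk. As a point of style, `TMP_CLEAR` in nettle-internal.h parenthesizes `(size)` but not `name`, so `sizeof (*(name))` would make the macro consistent with itself. Both signing functions start and end outside their hunks.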

7
plans/ci.fmf Normal file

@ -0,0 +1,7 @@
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/gnutls
ref: private-omoris-ci-update
name: /plans/ci/
importing: become-parent
scope: all-plans
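Review bot: `ref: private-omoris-ci-update` pins the imported gating plan to what looks like a personal working branch of the tests repository, so the CI definition for this package can change — or disappear — without any review happening in this repository. Pointing `ref:` at a maintained branch or a tag of that tests repository (whichever it publishes as stable) keeps the gating plan reproducible and auditable. A one-line comment above `import:` naming the authoritative branch would also help the next maintainer, e.g. `# gating plan lives in the shared tests repo; keep ref on a stable branch`.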

4
plans/fips-smoke.fmf Normal file

@ -0,0 +1,4 @@
summary: Runs FIPS library integrity checks.
name: fips-smoke
execute:
script: if [[ $(GNUTLS_DEBUG_LEVEL=99 GNUTLS_FORCE_FIPS_MODE=1 certtool 2>&1 | grep "Error") ]]; then exit 1; else exit 0; fi;
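Review bot: The `script:` check only fails when the string `Error` appears in certtool's output, so a build where FIPS mode silently does not engage (no error, but no self-test either) still passes; a smoke test for the integrity checks should also assert a positive marker from the debug output showing the library reached FIPS mode, if GNUTLS_DEBUG_LEVEL=99 emits one (confirm the exact message against the library, it is not visible here). The `[[ $(... | grep "Error") ]]` form also keys off grep's stdout instead of its exit status and needs bash for `[[`; `if GNUTLS_DEBUG_LEVEL=99 GNUTLS_FORCE_FIPS_MODE=1 certtool 2>&1 | grep -q Error; then exit 1; fi` is POSIX-portable and gives the same result. If the positive check is added, a block scalar (`script: |`) keeps the command readable.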

10
plans/nss-2way.fmf Normal file
View File

@ -0,0 +1,10 @@
summary: Upstreamed gnutls-openssl interop-2way tests
contact: Stanislav Zidek <szidek@redhat.com>
discover:
# upstreamed tests (public)
- name: interop-nss-2way
how: fmf
url: https://gitlab.com/redhat-crypto/tests/interop.git
filter: 'tag: interop-gnutls & tag: interop-nss & tag: interop-2way'
execute:
how: tmt
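Review bot: `summary:` says "Upstreamed gnutls-openssl interop-2way tests" but the discovered test is `interop-nss-2way` with filter `tag: interop-nss`, so the summary was carried over from the openssl plan; it should read `summary: Upstreamed gnutls-nss interop-2way tests`. Separately, the `url:` import carries no `ref:`, so the gitlab interop suite is fetched at whatever its default branch holds at run time and gating results are not reproducible; the same applies to plans/openssl-2way.fmf and the short-tests plan below. Pinning `ref:` to a tag or commit of that repository (the exact value is for the suite maintainers to choose) addresses this for all three plans.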

10
plans/openssl-2way.fmf Normal file

@ -0,0 +1,10 @@
summary: Upstreamed gnutls-openssl interop-2way tests
contact: Stanislav Zidek <szidek@redhat.com>
discover:
# upstreamed tests (public)
- name: interop-openssl-2way
how: fmf
url: https://gitlab.com/redhat-crypto/tests/interop.git
filter: 'tag: interop-gnutls & tag: interop-openssl & tag: interop-2way'
execute:
how: tmt


@ -0,0 +1,10 @@
summary: Upstreamed gnutls interop tests - short tests which do not need to run in parallel
contact: Stanislav Zidek <szidek@redhat.com>
discover:
# upstreamed tests (public)
- name: interop-gnutls-short
how: fmf
url: https://gitlab.com/redhat-crypto/tests/interop.git
filter: 'tag: interop-gnutls & tag: -interop-slow'
execute:
how: tmt

8
sources Normal file

@ -0,0 +1,8 @@
SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
SHA512 (gnutls-3.8.10.tar.xz.sig) = 72d6dd2c23f768f5041c3dca0f49b3f60cd01fc960ce77f097094a2aae6d76fddeb6295c425e3750c711d5f700957a62268aecc4873e53c31abb60eecf0fd4a8
SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a
SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84
SHA512 (nettle-3.10.1.tar.gz) = e8673bbcde9cde859ccae75ed6c9c30591e68a995a7c6d724106cfd67a5a5bd45b3468d742443b6565628849d0fd29505a28ca5ee4e89dd13197cdb51429f96c
SHA512 (nettle-3.10.1.tar.gz.sig) = d074a921df31070a6e6562a9f7e213e67b8e6ce331e2683e8180f387aca92058a5fe8610800817a0aa5098b47176dfcb42b52d617648c84cc6262a09ef557eb8
SHA512 (nettle-release-keyring.gpg) = 0e59447eb74017439c8b5b5b05173c0ffd710705d2a9c1f74833b7034fad1608fa1bdd2c308e6c42214553cd648606b6a07044ea39677b1b3452cb4d07bf889b
SHA512 (leancrypto-1.5.0.tar.gz) = 1170a502f58c9bce424578cece64a3ebf856620adc02f390b8877981bccf0c2bf35e64b1628094a06c069ec38a3be5889be22516d45d85f4e75b40085d9001c9