Compare commits
No commits in common. "c8" and "imports/c8s/gnutls-3.6.16-4.el8" have entirely different histories.
c8
...
imports/c8
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,2 @@
|
|||||||
SOURCES/gnutls-3.6.16.tar.xz
|
SOURCES/gnutls-3.6.16.tar.xz
|
||||||
SOURCES/gnutls-3.6.16.tar.xz.sig
|
|
||||||
SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
|
SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
|
||||||
|
@ -1,3 +1,2 @@
|
|||||||
6ba8fb898dcf4b4046b60662ba97df835593e687 SOURCES/gnutls-3.6.16.tar.xz
|
6ba8fb898dcf4b4046b60662ba97df835593e687 SOURCES/gnutls-3.6.16.tar.xz
|
||||||
b41ac56ff6cca4539c8b084db2c84e8bc21d60ac SOURCES/gnutls-3.6.16.tar.xz.sig
|
|
||||||
648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
|
648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
|
||||||
|
@ -1,247 +0,0 @@
|
|||||||
From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Thu, 18 Nov 2021 19:02:03 +0100
|
|
||||||
Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs
|
|
||||||
|
|
||||||
This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
|
|
||||||
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
|
|
||||||
CPUs.
|
|
||||||
|
|
||||||
Suggested by Rafael Gieschke in:
|
|
||||||
https://gitlab.com/gnutls/gnutls/-/issues/1282
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
|
|
||||||
1 file changed, 71 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
|
|
||||||
index 3845c6b4c9..cf615ef24f 100644
|
|
||||||
--- a/lib/accelerated/x86/x86-common.c
|
|
||||||
+++ b/lib/accelerated/x86/x86-common.c
|
|
||||||
@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
|
|
||||||
# define bit_AVX 0x10000000
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifndef OSXSAVE_MASK
|
|
||||||
-/* OSXSAVE|FMA|MOVBE */
|
|
||||||
-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
|
|
||||||
+#ifndef bit_AVX2
|
|
||||||
+# define bit_AVX2 0x00000020
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef bit_AVX512F
|
|
||||||
+# define bit_AVX512F 0x00010000
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef bit_AVX512IFMA
|
|
||||||
+# define bit_AVX512IFMA 0x00200000
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef bit_AVX512BW
|
|
||||||
+# define bit_AVX512BW 0x40000000
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef bit_AVX512VL
|
|
||||||
+# define bit_AVX512VL 0x80000000
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef bit_OSXSAVE
|
|
||||||
+# define bit_OSXSAVE 0x8000000
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef bit_MOVBE
|
|
||||||
# define bit_MOVBE 0x00400000
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifndef OSXSAVE_MASK
|
|
||||||
+# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#define via_bit_PADLOCK (0x3 << 6)
|
|
||||||
#define via_bit_PADLOCK_PHE (0x3 << 10)
|
|
||||||
#define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
|
|
||||||
@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
|
|
||||||
unsigned t1, t2, t3;
|
|
||||||
vals[0] = vals[1] = vals[2] = vals[3] = 0;
|
|
||||||
|
|
||||||
- if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
|
|
||||||
+ if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
|
|
||||||
return 0;
|
|
||||||
/* suppress AVX512; it works conditionally on certain CPUs on the original code */
|
|
||||||
vals[1] &= 0xfffff7ff;
|
|
||||||
@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
|
|
||||||
{
|
|
||||||
uint32_t xcr0;
|
|
||||||
|
|
||||||
- if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
|
|
||||||
+ if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#if defined(_MSC_VER) && !defined(__clang__)
|
|
||||||
@@ -233,10 +256,7 @@ static unsigned check_sha(void)
|
|
||||||
#ifdef ASM_X86_64
|
|
||||||
static unsigned check_avx_movbe(void)
|
|
||||||
{
|
|
||||||
- if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
|
|
||||||
- return 0;
|
|
||||||
-
|
|
||||||
- return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
|
|
||||||
+ return (_gnutls_x86_cpuid_s[1] & bit_AVX);
|
|
||||||
}
|
|
||||||
|
|
||||||
static unsigned check_pclmul(void)
|
|
||||||
@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-static unsigned check_intel_or_amd(void)
|
|
||||||
+enum x86_cpu_vendor {
|
|
||||||
+ X86_CPU_VENDOR_OTHER,
|
|
||||||
+ X86_CPU_VENDOR_INTEL,
|
|
||||||
+ X86_CPU_VENDOR_AMD,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static enum x86_cpu_vendor check_x86_cpu_vendor(void)
|
|
||||||
{
|
|
||||||
unsigned int a, b, c, d;
|
|
||||||
|
|
||||||
- if (!__get_cpuid(0, &a, &b, &c, &d))
|
|
||||||
- return 0;
|
|
||||||
+ if (!__get_cpuid(0, &a, &b, &c, &d)) {
|
|
||||||
+ return X86_CPU_VENDOR_OTHER;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if ((memcmp(&b, "Genu", 4) == 0 &&
|
|
||||||
- memcmp(&d, "ineI", 4) == 0 &&
|
|
||||||
- memcmp(&c, "ntel", 4) == 0) ||
|
|
||||||
- (memcmp(&b, "Auth", 4) == 0 &&
|
|
||||||
- memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
|
|
||||||
- return 1;
|
|
||||||
+ if (memcmp(&b, "Genu", 4) == 0 &&
|
|
||||||
+ memcmp(&d, "ineI", 4) == 0 &&
|
|
||||||
+ memcmp(&c, "ntel", 4) == 0) {
|
|
||||||
+ return X86_CPU_VENDOR_INTEL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ if (memcmp(&b, "Auth", 4) == 0 &&
|
|
||||||
+ memcmp(&d, "enti", 4) == 0 &&
|
|
||||||
+ memcmp(&c, "cAMD", 4) == 0) {
|
|
||||||
+ return X86_CPU_VENDOR_AMD;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return X86_CPU_VENDOR_OTHER;
|
|
||||||
}
|
|
||||||
|
|
||||||
static
|
|
||||||
void register_x86_intel_crypto(unsigned capabilities)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
+ enum x86_cpu_vendor vendor;
|
|
||||||
|
|
||||||
memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
|
|
||||||
|
|
||||||
- if (check_intel_or_amd() == 0)
|
|
||||||
+ vendor = check_x86_cpu_vendor();
|
|
||||||
+ if (vendor == X86_CPU_VENDOR_OTHER) {
|
|
||||||
return;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (capabilities == 0) {
|
|
||||||
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
|
|
||||||
@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
|
|
||||||
capabilities_to_intel_cpuid(capabilities);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
|
|
||||||
+ if (vendor == X86_CPU_VENDOR_INTEL) {
|
|
||||||
+ _gnutls_x86_cpuid_s[0] |= 1 << 30;
|
|
||||||
+ } else {
|
|
||||||
+ _gnutls_x86_cpuid_s[0] &= ~(1 << 30);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
|
|
||||||
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
|
|
||||||
+
|
|
||||||
+ /* Clear AVX2 bits as well, according to what OpenSSL does.
|
|
||||||
+ * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
|
|
||||||
+ * bit_AVX512CD? */
|
|
||||||
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
|
|
||||||
+ bit_AVX512BW|bit_AVX512BW);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (check_ssse3()) {
|
|
||||||
_gnutls_debug_log("Intel SSSE3 was detected\n");
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 15 Aug 2022 09:39:18 +0900
|
|
||||||
Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
|
|
||||||
through XSAVE
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
|
|
||||||
Architectures Software Developer’s Manual".
|
|
||||||
|
|
||||||
GnuTLS previously only followed that algorithm when registering the
|
|
||||||
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
|
|
||||||
that the extension bits are propagated to _gnutls_x86_cpuid_s.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
|
|
||||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
|
|
||||||
index cf615ef24f..655d0c65f2 100644
|
|
||||||
--- a/lib/accelerated/x86/x86-common.c
|
|
||||||
+++ b/lib/accelerated/x86/x86-common.c
|
|
||||||
@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (capabilities & INTEL_AVX) {
|
|
||||||
- if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
|
|
||||||
+ if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
|
|
||||||
+ check_4th_gen_intel_features(a[1])) {
|
|
||||||
_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
|
|
||||||
} else {
|
|
||||||
_gnutls_debug_log
|
|
||||||
@@ -256,7 +257,7 @@ static unsigned check_sha(void)
|
|
||||||
#ifdef ASM_X86_64
|
|
||||||
static unsigned check_avx_movbe(void)
|
|
||||||
{
|
|
||||||
- return (_gnutls_x86_cpuid_s[1] & bit_AVX);
|
|
||||||
+ return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
|
|
||||||
}
|
|
||||||
|
|
||||||
static unsigned check_pclmul(void)
|
|
||||||
@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
|
|
||||||
if (capabilities == 0) {
|
|
||||||
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
|
|
||||||
return;
|
|
||||||
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
|
|
||||||
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
|
|
||||||
+
|
|
||||||
+ /* Clear AVX2 bits as well, according to what
|
|
||||||
+ * OpenSSL does. Should we clear
|
|
||||||
+ * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
|
|
||||||
+ * and bit_AVX512CD? */
|
|
||||||
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
|
|
||||||
+ bit_AVX512F|
|
|
||||||
+ bit_AVX512IFMA|
|
|
||||||
+ bit_AVX512BW|
|
|
||||||
+ bit_AVX512BW);
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
capabilities_to_intel_cpuid(capabilities);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,474 +0,0 @@
|
|||||||
From 0d39e4120bc5ece53c86c5802c546259b8ca286a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Fri, 12 Jan 2024 17:56:58 +0900
|
|
||||||
Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
|
|
||||||
|
|
||||||
This removes function calls that potentially leak bit-length of a
|
|
||||||
private key used to calculate a nonce in deterministic ECDSA. Namely:
|
|
||||||
|
|
||||||
- _gnutls_dsa_compute_k has been rewritten to work on always
|
|
||||||
zero-padded mp_limb_t arrays instead of mpz_t
|
|
||||||
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
|
|
||||||
by a byte array instead of an mpz_t value
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/nettle/int/dsa-compute-k.c | 84 +++++++++++++++++++------------
|
|
||||||
lib/nettle/int/dsa-compute-k.h | 31 +++++++++---
|
|
||||||
lib/nettle/int/ecdsa-compute-k.c | 71 +++++++++-----------------
|
|
||||||
lib/nettle/int/ecdsa-compute-k.h | 8 +--
|
|
||||||
lib/nettle/pk.c | 79 ++++++++++++++++++++---------
|
|
||||||
tests/sign-verify-deterministic.c | 2 +-
|
|
||||||
6 files changed, 158 insertions(+), 117 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
|
|
||||||
index 17d63318c4..ddeb6f6d1e 100644
|
|
||||||
--- a/lib/nettle/int/dsa-compute-k.c
|
|
||||||
+++ b/lib/nettle/int/dsa-compute-k.c
|
|
||||||
@@ -31,33 +31,37 @@
|
|
||||||
#include "mpn-base256.h"
|
|
||||||
#include <string.h>
|
|
||||||
|
|
||||||
-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
|
||||||
-
|
|
||||||
-/* The maximum size of q, choosen from the fact that we support
|
|
||||||
- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
|
||||||
- * maximum. */
|
|
||||||
-#define MAX_Q_BITS 521
|
|
||||||
-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
|
||||||
-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
|
||||||
-
|
|
||||||
-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
|
||||||
-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
|
||||||
-
|
|
||||||
-int
|
|
||||||
-_gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
- const mpz_t q,
|
|
||||||
- const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac,
|
|
||||||
- const uint8_t *digest,
|
|
||||||
- size_t length)
|
|
||||||
+/* For mini-gmp */
|
|
||||||
+#ifndef GMP_LIMB_BITS
|
|
||||||
+#define GMP_LIMB_BITS GMP_NUMB_BITS
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+static inline int is_zero_limb(mp_limb_t x)
|
|
||||||
+{
|
|
||||||
+ x |= (x << 1);
|
|
||||||
+ return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ volatile mp_limb_t w;
|
|
||||||
+ mp_size_t i;
|
|
||||||
+
|
|
||||||
+ for (i = 0, w = 0; i < n; i++)
|
|
||||||
+ w |= ap[i];
|
|
||||||
+
|
|
||||||
+ return is_zero_limb(w);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
|
||||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
|
||||||
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
+ size_t length)
|
|
||||||
{
|
|
||||||
uint8_t V[MAX_HASH_SIZE];
|
|
||||||
uint8_t K[MAX_HASH_SIZE];
|
|
||||||
uint8_t xp[MAX_Q_SIZE];
|
|
||||||
uint8_t tp[MAX_Q_SIZE];
|
|
||||||
- mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
|
|
||||||
- mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
|
|
||||||
- mp_size_t qn = mpz_size(q);
|
|
||||||
mp_bitcnt_t h_bits = length * 8;
|
|
||||||
mp_size_t hn = BITS_TO_LIMBS(h_bits);
|
|
||||||
size_t nbytes = (q_bits + 7) / 8;
|
|
||||||
@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
mp_limb_t cy;
|
|
||||||
gnutls_hmac_hd_t hd;
|
|
||||||
int ret = 0;
|
|
||||||
+ mp_limb_t scratch[MAX_Q_LIMBS];
|
|
||||||
|
|
||||||
if (unlikely(q_bits > MAX_Q_BITS))
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
|
|
||||||
/* int2octets(x) */
|
|
||||||
- mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
|
|
||||||
+ mpn_get_base256(xp, nbytes, x, qn);
|
|
||||||
|
|
||||||
/* bits2octets(h) */
|
|
||||||
mpn_set_base256(h, hn, digest, length);
|
|
||||||
@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
|
|
||||||
}
|
|
||||||
|
|
||||||
- cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
|
|
||||||
+ cy = mpn_sub_n(h, h, q, qn);
|
|
||||||
/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
|
|
||||||
#ifdef mpn_cnd_add_n
|
|
||||||
- mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
|
|
||||||
+ mpn_cnd_add_n(cy, h, h, q, qn);
|
|
||||||
#else
|
|
||||||
- mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
|
|
||||||
+ mpn_addmul_1(h, q, qn, cy != 0);
|
|
||||||
#endif
|
|
||||||
mpn_get_base256(tp, nbytes, h, qn);
|
|
||||||
|
|
||||||
@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
if (tlen * 8 > q_bits)
|
|
||||||
mpn_rshift (h, h, qn, tlen * 8 - q_bits);
|
|
||||||
/* Check if k is in [1,q-1] */
|
|
||||||
- if (!mpn_zero_p (h, qn) &&
|
|
||||||
- mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
|
|
||||||
- mpn_copyi(mpz_limbs_write(k, qn), h, qn);
|
|
||||||
- mpz_limbs_finish(k, qn);
|
|
||||||
+ if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
|
|
||||||
break;
|
|
||||||
- }
|
|
||||||
|
|
||||||
ret = gnutls_hmac_init(&hd, mac, K, length);
|
|
||||||
if (ret < 0)
|
|
||||||
@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/* cancel-out dsa_sign's addition of 1 to random data */
|
|
||||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ /* Fall back to sub_1, if nettle is linked with mini-gmp. */
|
|
||||||
+#ifdef mpn_sec_sub_1
|
|
||||||
+ mp_limb_t t[MAX_Q_LIMBS];
|
|
||||||
+
|
|
||||||
+ mpn_sec_sub_1(h, h, n, 1, t);
|
|
||||||
+#else
|
|
||||||
+ mpn_sub_1(h, h, n, 1);
|
|
||||||
+#endif
|
|
||||||
+ mpn_get_base256(k, nbytes, h, n);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ mpn_get_base256(k, nbytes, h, n);
|
|
||||||
+}
|
|
||||||
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
|
|
||||||
index 64e90e0ca2..e88fce0a6d 100644
|
|
||||||
--- a/lib/nettle/int/dsa-compute-k.h
|
|
||||||
+++ b/lib/nettle/int/dsa-compute-k.h
|
|
||||||
@@ -26,12 +26,29 @@
|
|
||||||
#include <gnutls/gnutls.h>
|
|
||||||
#include <nettle/bignum.h> /* includes gmp.h */
|
|
||||||
|
|
||||||
-int
|
|
||||||
-_gnutls_dsa_compute_k(mpz_t k,
|
|
||||||
- const mpz_t q,
|
|
||||||
- const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac,
|
|
||||||
- const uint8_t *digest,
|
|
||||||
- size_t length);
|
|
||||||
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
|
||||||
+
|
|
||||||
+/* The maximum size of q, chosen from the fact that we support
|
|
||||||
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
|
||||||
+ * maximum. */
|
|
||||||
+#define MAX_Q_BITS 521
|
|
||||||
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
|
||||||
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
|
||||||
+
|
|
||||||
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
|
||||||
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
|
||||||
+
|
|
||||||
+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
|
|
||||||
+
|
|
||||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
|
||||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
|
||||||
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
+ size_t length);
|
|
||||||
+
|
|
||||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n);
|
|
||||||
+
|
|
||||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n);
|
|
||||||
|
|
||||||
#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
|
|
||||||
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
index 94914ebdfa..819302c1c7 100644
|
|
||||||
--- a/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
+++ b/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
@@ -29,67 +29,46 @@
|
|
||||||
#include "dsa-compute-k.h"
|
|
||||||
#include "gnutls_int.h"
|
|
||||||
|
|
||||||
-static inline int
|
|
||||||
-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
|
||||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
|
|
||||||
{
|
|
||||||
switch (curve) {
|
|
||||||
#ifdef ENABLE_NON_SUITEB_CURVES
|
|
||||||
case GNUTLS_ECC_CURVE_SECP192R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
- "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
|
|
||||||
- "146BC9B1B4D22831",
|
|
||||||
- 16);
|
|
||||||
+ mpz_set_str(q,
|
|
||||||
+ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
|
|
||||||
+ "146BC9B1B4D22831",
|
|
||||||
+ 16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP224R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
|
|
||||||
- "E0B8F03E13DD29455C5C2A3D",
|
|
||||||
- 16);
|
|
||||||
+ mpz_set_str(q,
|
|
||||||
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
|
|
||||||
+ "E0B8F03E13DD29455C5C2A3D",
|
|
||||||
+ 16);
|
|
||||||
return 0;
|
|
||||||
#endif
|
|
||||||
case GNUTLS_ECC_CURVE_SECP256R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
- "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
|
||||||
- "BCE6FAADA7179E84F3B9CAC2FC632551",
|
|
||||||
- 16);
|
|
||||||
+ mpz_set_str(q,
|
|
||||||
+ "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
|
||||||
+ "BCE6FAADA7179E84F3B9CAC2FC632551",
|
|
||||||
+ 16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP384R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
- "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
|
||||||
- "581A0DB248B0A77AECEC196ACCC52973",
|
|
||||||
- 16);
|
|
||||||
+ mpz_set_str(q,
|
|
||||||
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
|
||||||
+ "581A0DB248B0A77AECEC196ACCC52973",
|
|
||||||
+ 16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP521R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
- "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
- "FFA51868783BF2F966B7FCC0148F709A"
|
|
||||||
- "5D03BB5C9B8899C47AEBB6FB71E91386"
|
|
||||||
- "409",
|
|
||||||
- 16);
|
|
||||||
+ mpz_set_str(q,
|
|
||||||
+ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
+ "FFA51868783BF2F966B7FCC0148F709A"
|
|
||||||
+ "5D03BB5C9B8899C47AEBB6FB71E91386"
|
|
||||||
+ "409",
|
|
||||||
+ 16);
|
|
||||||
return 0;
|
|
||||||
default:
|
|
||||||
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-int
|
|
||||||
-_gnutls_ecdsa_compute_k (mpz_t k,
|
|
||||||
- gnutls_ecc_curve_t curve,
|
|
||||||
- const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac,
|
|
||||||
- const uint8_t *digest,
|
|
||||||
- size_t length)
|
|
||||||
-{
|
|
||||||
- mpz_t q;
|
|
||||||
- int ret;
|
|
||||||
-
|
|
||||||
- ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
|
|
||||||
- if (ret < 0)
|
|
||||||
- return gnutls_assert_val(ret);
|
|
||||||
-
|
|
||||||
- ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
|
|
||||||
- mpz_clear(q);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
index 7ca401d6e4..a7e612bcab 100644
|
|
||||||
--- a/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
+++ b/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
@@ -26,12 +26,6 @@
|
|
||||||
#include <gnutls/gnutls.h>
|
|
||||||
#include <nettle/bignum.h> /* includes gmp.h */
|
|
||||||
|
|
||||||
-int
|
|
||||||
-_gnutls_ecdsa_compute_k (mpz_t k,
|
|
||||||
- gnutls_ecc_curve_t curve,
|
|
||||||
- const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac,
|
|
||||||
- const uint8_t *digest,
|
|
||||||
- size_t length);
|
|
||||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
|
|
||||||
|
|
||||||
#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
|
|
||||||
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
||||||
index 588e9df502..b19fe3804a 100644
|
|
||||||
--- a/lib/nettle/pk.c
|
|
||||||
+++ b/lib/nettle/pk.c
|
|
||||||
@@ -102,10 +102,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
|
|
||||||
+static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
|
|
||||||
{
|
|
||||||
- mpz_t *k = _ctx;
|
|
||||||
- nettle_mpz_get_str_256 (length, data, *k);
|
|
||||||
+ gnutls_datum_t *d = ctx;
|
|
||||||
+
|
|
||||||
+ if (length > d->size) {
|
|
||||||
+ memset(data, 0, length - d->size);
|
|
||||||
+ memcpy(data + (length - d->size), d->data, d->size);
|
|
||||||
+ } else {
|
|
||||||
+ memcpy(data, d->data, length);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
|
|
||||||
@@ -976,7 +982,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
struct dsa_signature sig;
|
|
||||||
int curve_id = pk_params->curve;
|
|
||||||
const struct ecc_curve *curve;
|
|
||||||
- mpz_t k;
|
|
||||||
+ mpz_t q;
|
|
||||||
+ /* 521-bit elliptic curve generator at maximum */
|
|
||||||
+ uint8_t buf[(521 + 7) / 8];
|
|
||||||
+ gnutls_datum_t k = { NULL, 0 };
|
|
||||||
void *random_ctx;
|
|
||||||
nettle_random_func *random_func;
|
|
||||||
|
|
||||||
@@ -1005,19 +1014,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
hash_len = vdata->size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- mpz_init(k);
|
|
||||||
+ mpz_init(q);
|
|
||||||
+
|
|
||||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
||||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
||||||
- ret = _gnutls_ecdsa_compute_k(k,
|
|
||||||
- curve_id,
|
|
||||||
- pk_params->params[ECC_K],
|
|
||||||
- DIG_TO_MAC(sign_params->dsa_dig),
|
|
||||||
- vdata->data,
|
|
||||||
- vdata->size);
|
|
||||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
|
||||||
+
|
|
||||||
+ ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
|
|
||||||
if (ret < 0)
|
|
||||||
goto ecdsa_cleanup;
|
|
||||||
+
|
|
||||||
+ ret = _gnutls_dsa_compute_k(
|
|
||||||
+ h, mpz_limbs_read(q), priv.p,
|
|
||||||
+ ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
|
|
||||||
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
|
||||||
+ vdata->size);
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ goto ecdsa_cleanup;
|
|
||||||
+
|
|
||||||
+ k.data = buf;
|
|
||||||
+ k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
|
|
||||||
+
|
|
||||||
+ _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
|
|
||||||
+ ecc_size(priv.ecc));
|
|
||||||
+
|
|
||||||
random_ctx = &k;
|
|
||||||
- random_func = rnd_mpz_func;
|
|
||||||
+ random_func = rnd_datum_func;
|
|
||||||
} else {
|
|
||||||
random_ctx = NULL;
|
|
||||||
random_func = rnd_nonce_func;
|
|
||||||
@@ -1038,7 +1060,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
ecdsa_cleanup:
|
|
||||||
dsa_signature_clear(&sig);
|
|
||||||
ecc_scalar_zclear(&priv);
|
|
||||||
- mpz_clear(k);
|
|
||||||
+ mpz_clear(q);
|
|
||||||
|
|
||||||
if (ret < 0) {
|
|
||||||
gnutls_assert();
|
|
||||||
@@ -1051,7 +1073,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
struct dsa_params pub;
|
|
||||||
bigint_t priv;
|
|
||||||
struct dsa_signature sig;
|
|
||||||
- mpz_t k;
|
|
||||||
+ /* 512-bit DSA subgroup at maximum */
|
|
||||||
+ uint8_t buf[(512 + 7) / 8];
|
|
||||||
+ gnutls_datum_t k = { NULL, 0 };
|
|
||||||
void *random_ctx;
|
|
||||||
nettle_random_func *random_func;
|
|
||||||
|
|
||||||
@@ -1074,21 +1098,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
hash_len = vdata->size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- mpz_init(k);
|
|
||||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
||||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
||||||
- ret = _gnutls_dsa_compute_k(k,
|
|
||||||
- pub.q,
|
|
||||||
- TOMPZ(priv),
|
|
||||||
- DIG_TO_MAC(sign_params->dsa_dig),
|
|
||||||
- vdata->data,
|
|
||||||
- vdata->size);
|
|
||||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
|
||||||
+
|
|
||||||
+ ret = _gnutls_dsa_compute_k(
|
|
||||||
+ h, mpz_limbs_read(pub.q),
|
|
||||||
+ mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
|
|
||||||
+ mpz_sizeinbase(pub.q, 2),
|
|
||||||
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
|
||||||
+ vdata->size);
|
|
||||||
if (ret < 0)
|
|
||||||
goto dsa_fail;
|
|
||||||
- /* cancel-out dsa_sign's addition of 1 to random data */
|
|
||||||
- mpz_sub_ui (k, k, 1);
|
|
||||||
+
|
|
||||||
+ k.data = buf;
|
|
||||||
+ k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
|
|
||||||
+
|
|
||||||
+ _gnutls_dsa_compute_k_finish(k.data, k.size, h,
|
|
||||||
+ mpz_size(pub.q));
|
|
||||||
+
|
|
||||||
random_ctx = &k;
|
|
||||||
- random_func = rnd_mpz_func;
|
|
||||||
+ random_func = rnd_datum_func;
|
|
||||||
} else {
|
|
||||||
random_ctx = NULL;
|
|
||||||
random_func = rnd_nonce_func;
|
|
||||||
@@ -1108,7 +1138,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
|
|
||||||
dsa_fail:
|
|
||||||
dsa_signature_clear(&sig);
|
|
||||||
- mpz_clear(k);
|
|
||||||
|
|
||||||
if (ret < 0) {
|
|
||||||
gnutls_assert();
|
|
||||||
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
|
|
||||||
index 6e907288ee..25aa553a59 100644
|
|
||||||
--- a/tests/sign-verify-deterministic.c
|
|
||||||
+++ b/tests/sign-verify-deterministic.c
|
|
||||||
@@ -197,7 +197,7 @@ void doit(void)
|
|
||||||
&signature);
|
|
||||||
if (ret < 0)
|
|
||||||
testfail("gnutls_pubkey_verify_data2\n");
|
|
||||||
- success(" - pass");
|
|
||||||
+ success(" - pass\n");
|
|
||||||
|
|
||||||
next:
|
|
||||||
gnutls_free(signature.data);
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,266 +0,0 @@
|
|||||||
From e5dc27d1a457d1b3abc0582cd133910dff0fc309 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
|
||||||
Date: Fri, 22 Jul 2022 12:00:11 +0200
|
|
||||||
Subject: [PATCH] Fix double free during gnutls_pkcs7_verify
|
|
||||||
|
|
||||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
|
||||||
---
|
|
||||||
.gitignore | 1 +
|
|
||||||
lib/x509/pkcs7.c | 3 +-
|
|
||||||
tests/Makefile.am | 3 +-
|
|
||||||
tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 220 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 tests/pkcs7-verify-double-free.c
|
|
||||||
|
|
||||||
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
|
|
||||||
index 0ff55ba04b..878f867862 100644
|
|
||||||
--- a/lib/x509/pkcs7.c
|
|
||||||
+++ b/lib/x509/pkcs7.c
|
|
||||||
@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
|
|
||||||
issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
|
|
||||||
|
|
||||||
if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
|
|
||||||
- if (prev) gnutls_x509_crt_deinit(prev);
|
|
||||||
+ if (prev && prev != signer)
|
|
||||||
+ gnutls_x509_crt_deinit(prev);
|
|
||||||
prev = issuer;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
||||||
index b04cb081b4..0563d3c754 100644
|
|
||||||
--- a/tests/Makefile.am
|
|
||||||
+++ b/tests/Makefile.am
|
|
||||||
@@ -220,7 +220,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
|
|
||||||
sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
|
|
||||||
tls13-without-timeout-func buffer status-request-revoked \
|
|
||||||
set_x509_ocsp_multi_cli kdf-api keylog-func \
|
|
||||||
- dtls_hello_random_value tls_hello_random_value x509cert-dntypes
|
|
||||||
+ dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
|
|
||||||
+ pkcs7-verify-double-free
|
|
||||||
|
|
||||||
if HAVE_SECCOMP_TESTS
|
|
||||||
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
|
|
||||||
diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..fadf307829
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/pkcs7-verify-double-free.c
|
|
||||||
@@ -0,0 +1,215 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2022 Red Hat, Inc.
|
|
||||||
+ *
|
|
||||||
+ * Author: Zoltan Fridrich
|
|
||||||
+ *
|
|
||||||
+ * This file is part of GnuTLS.
|
|
||||||
+ *
|
|
||||||
+ * GnuTLS is free software: you can redistribute it and/or modify it
|
|
||||||
+ * under the terms of the GNU General Public License as published by
|
|
||||||
+ * the Free Software Foundation, either version 3 of the License, or
|
|
||||||
+ * (at your option) any later version.
|
|
||||||
+ *
|
|
||||||
+ * GnuTLS is distributed in the hope that it will be useful, but
|
|
||||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+ * General Public License for more details.
|
|
||||||
+ *
|
|
||||||
+ * You should have received a copy of the GNU General Public License
|
|
||||||
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+#include <config.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <gnutls/pkcs7.h>
|
|
||||||
+#include <gnutls/x509.h>
|
|
||||||
+
|
|
||||||
+#include "utils.h"
|
|
||||||
+
|
|
||||||
+static char rca_pem[] =
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
|
|
||||||
+ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
|
|
||||||
+ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
|
|
||||||
+ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
|
|
||||||
+ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
|
|
||||||
+ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
|
|
||||||
+ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
|
|
||||||
+ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
|
|
||||||
+ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
|
|
||||||
+ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
|
|
||||||
+ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
|
|
||||||
+ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
|
|
||||||
+ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
|
|
||||||
+ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
|
|
||||||
+ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
|
|
||||||
+ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
|
|
||||||
+ "LirBWjg89RoAjFQ7bTE=\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n";
|
|
||||||
+
|
|
||||||
+static char ca_pem[] =
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
|
|
||||||
+ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
|
|
||||||
+ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
|
|
||||||
+ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
|
|
||||||
+ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
|
|
||||||
+ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
|
|
||||||
+ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
|
|
||||||
+ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
|
|
||||||
+ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
|
|
||||||
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
|
|
||||||
+ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
|
|
||||||
+ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
|
|
||||||
+ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
|
|
||||||
+ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
|
|
||||||
+ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
|
|
||||||
+ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
|
|
||||||
+ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n";
|
|
||||||
+
|
|
||||||
+static char ee_pem[] =
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
|
|
||||||
+ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
|
|
||||||
+ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
|
|
||||||
+ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
|
|
||||||
+ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
|
|
||||||
+ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
|
|
||||||
+ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
|
|
||||||
+ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
|
|
||||||
+ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
|
|
||||||
+ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
|
|
||||||
+ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
|
|
||||||
+ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
|
|
||||||
+ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
|
|
||||||
+ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
|
|
||||||
+ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
|
|
||||||
+ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
|
|
||||||
+ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n";
|
|
||||||
+
|
|
||||||
+static char msg_pem[] =
|
|
||||||
+ "-----BEGIN PKCS7-----\n"
|
|
||||||
+ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
|
|
||||||
+ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
|
|
||||||
+ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
|
|
||||||
+ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
|
|
||||||
+ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
|
|
||||||
+ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
|
|
||||||
+ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
|
|
||||||
+ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
|
|
||||||
+ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
|
|
||||||
+ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
|
|
||||||
+ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
|
|
||||||
+ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
|
|
||||||
+ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
|
|
||||||
+ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
|
|
||||||
+ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
|
|
||||||
+ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
|
|
||||||
+ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
|
|
||||||
+ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
|
|
||||||
+ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
|
|
||||||
+ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
|
|
||||||
+ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
|
|
||||||
+ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
|
|
||||||
+ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
|
|
||||||
+ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
|
|
||||||
+ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
|
|
||||||
+ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
|
|
||||||
+ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
|
|
||||||
+ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
|
|
||||||
+ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
|
|
||||||
+ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
|
|
||||||
+ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
|
|
||||||
+ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
|
|
||||||
+ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
|
|
||||||
+ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
|
|
||||||
+ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
|
|
||||||
+ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
|
|
||||||
+ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
|
|
||||||
+ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
|
|
||||||
+ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
|
|
||||||
+ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
|
|
||||||
+ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
|
|
||||||
+ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
|
|
||||||
+ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
|
|
||||||
+ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
|
|
||||||
+ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
|
|
||||||
+ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
|
|
||||||
+ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
|
|
||||||
+ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
|
|
||||||
+ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
|
|
||||||
+ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
|
|
||||||
+ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
|
|
||||||
+ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
|
|
||||||
+ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
|
|
||||||
+ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
|
|
||||||
+ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
|
|
||||||
+ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
|
|
||||||
+ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
|
|
||||||
+ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
|
|
||||||
+ "-----END PKCS7-----\n";
|
|
||||||
+
|
|
||||||
+const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
|
|
||||||
+const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
|
|
||||||
+const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
|
|
||||||
+const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
|
|
||||||
+
|
|
||||||
+static void tls_log_func(int level, const char *str)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "%s |<%d>| %s", "err", level, str);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define CHECK(X)\
|
|
||||||
+{\
|
|
||||||
+ r = X;\
|
|
||||||
+ if (r < 0)\
|
|
||||||
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
|
|
||||||
+}\
|
|
||||||
+
|
|
||||||
+void doit(void)
|
|
||||||
+{
|
|
||||||
+ int r;
|
|
||||||
+ gnutls_x509_crt_t rca_cert = NULL;
|
|
||||||
+ gnutls_x509_crt_t ca_cert = NULL;
|
|
||||||
+ gnutls_x509_crt_t ee_cert = NULL;
|
|
||||||
+ gnutls_x509_trust_list_t tlist = NULL;
|
|
||||||
+ gnutls_pkcs7_t pkcs7 = NULL;
|
|
||||||
+ gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
|
|
||||||
+
|
|
||||||
+ if (debug) {
|
|
||||||
+ gnutls_global_set_log_function(tls_log_func);
|
|
||||||
+ gnutls_global_set_log_level(4711);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Import certificates
|
|
||||||
+ CHECK(gnutls_x509_crt_init(&rca_cert));
|
|
||||||
+ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
|
|
||||||
+ CHECK(gnutls_x509_crt_init(&ca_cert));
|
|
||||||
+ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
|
|
||||||
+ CHECK(gnutls_x509_crt_init(&ee_cert));
|
|
||||||
+ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
|
|
||||||
+
|
|
||||||
+ // Setup trust store
|
|
||||||
+ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
|
|
||||||
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
|
|
||||||
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
|
|
||||||
+ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
|
|
||||||
+
|
|
||||||
+ // Setup pkcs7 structure
|
|
||||||
+ CHECK(gnutls_pkcs7_init(&pkcs7));
|
|
||||||
+ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
|
|
||||||
+
|
|
||||||
+ // Signature verification
|
|
||||||
+ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
|
|
||||||
+
|
|
||||||
+ gnutls_x509_crt_deinit(rca_cert);
|
|
||||||
+ gnutls_x509_crt_deinit(ca_cert);
|
|
||||||
+ gnutls_x509_crt_deinit(ee_cert);
|
|
||||||
+ gnutls_x509_trust_list_deinit(tlist, 0);
|
|
||||||
+ gnutls_pkcs7_deinit(pkcs7);
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.37.2
|
|
||||||
|
|
@ -1,242 +0,0 @@
|
|||||||
From 9b50d94bf1c8e749d7dfc593c89e689a161444ae Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Mon, 26 Jun 2023 09:30:03 +0200
|
|
||||||
Subject: [PATCH] gnutls-3.6.16-rehandshake-tickets.patch
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
lib/ext/session_ticket.c | 6 ++
|
|
||||||
lib/ext/session_ticket.h | 1 +
|
|
||||||
lib/libgnutls.map | 2 +
|
|
||||||
lib/state.c | 1 +
|
|
||||||
tests/Makefile.am | 3 +-
|
|
||||||
tests/tls12-rehandshake-ticket.c | 152 +++++++++++++++++++++++++++++++
|
|
||||||
6 files changed, 164 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 tests/tls12-rehandshake-ticket.c
|
|
||||||
|
|
||||||
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
|
|
||||||
index 8f22462..8d83a6c 100644
|
|
||||||
--- a/lib/ext/session_ticket.c
|
|
||||||
+++ b/lib/ext/session_ticket.c
|
|
||||||
@@ -618,6 +618,12 @@ gnutls_session_ticket_enable_server(gnutls_session_t session,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+void
|
|
||||||
+_gnutls_session_ticket_disable_server(gnutls_session_t session)
|
|
||||||
+{
|
|
||||||
+ session->internals.flags |= GNUTLS_NO_TICKETS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Return zero if session tickets haven't been enabled.
|
|
||||||
*/
|
|
||||||
diff --git a/lib/ext/session_ticket.h b/lib/ext/session_ticket.h
|
|
||||||
index da804ec..660c9d3 100644
|
|
||||||
--- a/lib/ext/session_ticket.h
|
|
||||||
+++ b/lib/ext/session_ticket.h
|
|
||||||
@@ -36,5 +36,6 @@ int _gnutls_encrypt_session_ticket(gnutls_session_t session,
|
|
||||||
int _gnutls_decrypt_session_ticket(gnutls_session_t session,
|
|
||||||
const gnutls_datum_t *ticket_data,
|
|
||||||
gnutls_datum_t *state);
|
|
||||||
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
|
|
||||||
|
|
||||||
#endif /* GNUTLS_LIB_EXT_SESSION_TICKET_H */
|
|
||||||
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
|
|
||||||
index d2f7c0a..6748b3a 100644
|
|
||||||
--- a/lib/libgnutls.map
|
|
||||||
+++ b/lib/libgnutls.map
|
|
||||||
@@ -1432,4 +1432,6 @@ GNUTLS_PRIVATE_3_4 {
|
|
||||||
_gnutls_buffer_unescape;
|
|
||||||
_gnutls_buffer_pop_datum;
|
|
||||||
_gnutls_buffer_clear;
|
|
||||||
+ # needed by tests/tls12-rehandshake-cert-ticket
|
|
||||||
+ _gnutls_session_ticket_disable_server;
|
|
||||||
} GNUTLS_3_4;
|
|
||||||
diff --git a/lib/state.c b/lib/state.c
|
|
||||||
index 817a7b8..f1e9daa 100644
|
|
||||||
--- a/lib/state.c
|
|
||||||
+++ b/lib/state.c
|
|
||||||
@@ -452,6 +452,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
|
|
||||||
session->internals.tfo.connect_addrlen = 0;
|
|
||||||
session->internals.tfo.connect_only = 0;
|
|
||||||
session->internals.early_data_received = 0;
|
|
||||||
+ session->internals.session_ticket_renew = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
||||||
index 0563d3c..7c5f5c4 100644
|
|
||||||
--- a/tests/Makefile.am
|
|
||||||
+++ b/tests/Makefile.am
|
|
||||||
@@ -221,7 +221,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
|
|
||||||
tls13-without-timeout-func buffer status-request-revoked \
|
|
||||||
set_x509_ocsp_multi_cli kdf-api keylog-func \
|
|
||||||
dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
|
|
||||||
- pkcs7-verify-double-free
|
|
||||||
+ pkcs7-verify-double-free \
|
|
||||||
+ tls12-rehandshake-ticket
|
|
||||||
|
|
||||||
if HAVE_SECCOMP_TESTS
|
|
||||||
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
|
|
||||||
diff --git a/tests/tls12-rehandshake-ticket.c b/tests/tls12-rehandshake-ticket.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..f96e46e
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/tls12-rehandshake-ticket.c
|
|
||||||
@@ -0,0 +1,152 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2022 Red Hat, Inc.
|
|
||||||
+ *
|
|
||||||
+ * Author: Daiki Ueno
|
|
||||||
+ *
|
|
||||||
+ * This file is part of GnuTLS.
|
|
||||||
+ *
|
|
||||||
+ * GnuTLS is free software; you can redistribute it and/or modify it
|
|
||||||
+ * under the terms of the GNU General Public License as published by
|
|
||||||
+ * the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ * (at your option) any later version.
|
|
||||||
+ *
|
|
||||||
+ * GnuTLS is distributed in the hope that it will be useful, but
|
|
||||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+ * General Public License for more details.
|
|
||||||
+ *
|
|
||||||
+ * You should have received a copy of the GNU Lesser General Public License
|
|
||||||
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+#include <config.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <gnutls/gnutls.h>
|
|
||||||
+#include <assert.h>
|
|
||||||
+#include "cert-common.h"
|
|
||||||
+
|
|
||||||
+#include "utils.h"
|
|
||||||
+#include "eagain-common.h"
|
|
||||||
+
|
|
||||||
+const char *side = "";
|
|
||||||
+
|
|
||||||
+static void tls_log_func(int level, const char *str)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define MAX_BUF 1024
|
|
||||||
+
|
|
||||||
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
|
|
||||||
+
|
|
||||||
+static void run(void)
|
|
||||||
+{
|
|
||||||
+ char buffer[MAX_BUF + 1];
|
|
||||||
+ /* Server stuff. */
|
|
||||||
+ gnutls_certificate_credentials_t scred;
|
|
||||||
+ gnutls_session_t server;
|
|
||||||
+ gnutls_datum_t session_ticket_key = { NULL, 0 };
|
|
||||||
+ int sret;
|
|
||||||
+ /* Client stuff. */
|
|
||||||
+ gnutls_certificate_credentials_t ccred;
|
|
||||||
+ gnutls_session_t client;
|
|
||||||
+ int cret;
|
|
||||||
+
|
|
||||||
+ /* General init. */
|
|
||||||
+ global_init();
|
|
||||||
+ gnutls_global_set_log_function(tls_log_func);
|
|
||||||
+ if (debug)
|
|
||||||
+ gnutls_global_set_log_level(9);
|
|
||||||
+
|
|
||||||
+ /* Init server */
|
|
||||||
+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
|
|
||||||
+ assert(gnutls_certificate_set_x509_key_mem(scred,
|
|
||||||
+ &server_ca3_localhost_cert,
|
|
||||||
+ &server_ca3_key,
|
|
||||||
+ GNUTLS_X509_FMT_PEM) >= 0);
|
|
||||||
+ assert(gnutls_certificate_set_x509_trust_mem(scred,
|
|
||||||
+ &ca3_cert,
|
|
||||||
+ GNUTLS_X509_FMT_PEM) >= 0);
|
|
||||||
+
|
|
||||||
+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
|
|
||||||
+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
|
|
||||||
+ assert(gnutls_priority_set_direct(server,
|
|
||||||
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
|
|
||||||
+ NULL) >= 0);
|
|
||||||
+
|
|
||||||
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
|
|
||||||
+ gnutls_transport_set_push_function(server, server_push);
|
|
||||||
+ gnutls_transport_set_pull_function(server, server_pull);
|
|
||||||
+ gnutls_transport_set_ptr(server, server);
|
|
||||||
+
|
|
||||||
+ gnutls_session_ticket_key_generate(&session_ticket_key);
|
|
||||||
+ gnutls_session_ticket_enable_server(server, &session_ticket_key);
|
|
||||||
+
|
|
||||||
+ /* Init client */
|
|
||||||
+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
|
|
||||||
+ assert(gnutls_certificate_set_x509_key_mem
|
|
||||||
+ (ccred, &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM) >= 0);
|
|
||||||
+ assert(gnutls_certificate_set_x509_trust_mem
|
|
||||||
+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
|
|
||||||
+
|
|
||||||
+ gnutls_init(&client, GNUTLS_CLIENT);
|
|
||||||
+ assert(gnutls_priority_set_direct(client,
|
|
||||||
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
|
|
||||||
+ NULL) >= 0);
|
|
||||||
+
|
|
||||||
+ assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred) >= 0);
|
|
||||||
+
|
|
||||||
+ gnutls_transport_set_push_function(client, client_push);
|
|
||||||
+ gnutls_transport_set_pull_function(client, client_pull);
|
|
||||||
+ gnutls_transport_set_ptr(client, client);
|
|
||||||
+
|
|
||||||
+ HANDSHAKE(client, server);
|
|
||||||
+
|
|
||||||
+ /* Server initiates rehandshake */
|
|
||||||
+ switch_side("server");
|
|
||||||
+ sret = gnutls_rehandshake(server);
|
|
||||||
+ if (sret < 0) {
|
|
||||||
+ fail("Error sending %d byte packet: %s\n",
|
|
||||||
+ (int)sizeof(buffer), gnutls_strerror(sret));
|
|
||||||
+ } else if (debug)
|
|
||||||
+ success("server: starting rehandshake\n");
|
|
||||||
+
|
|
||||||
+ /* Stop sending session ticket */
|
|
||||||
+ _gnutls_session_ticket_disable_server(server);
|
|
||||||
+
|
|
||||||
+ /* Client gets notified with rehandshake */
|
|
||||||
+ switch_side("client");
|
|
||||||
+ do {
|
|
||||||
+ do {
|
|
||||||
+ cret = gnutls_record_recv(client, buffer, MAX_BUF);
|
|
||||||
+ } while (cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_INTERRUPTED);
|
|
||||||
+ } while (cret > 0);
|
|
||||||
+
|
|
||||||
+ if (cret != GNUTLS_E_REHANDSHAKE) {
|
|
||||||
+ fail("client: Error receiving rehandshake: %s\n",
|
|
||||||
+ gnutls_strerror(cret));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ HANDSHAKE(client, server);
|
|
||||||
+
|
|
||||||
+ gnutls_bye(client, GNUTLS_SHUT_WR);
|
|
||||||
+ gnutls_bye(server, GNUTLS_SHUT_WR);
|
|
||||||
+
|
|
||||||
+ gnutls_deinit(client);
|
|
||||||
+ gnutls_deinit(server);
|
|
||||||
+
|
|
||||||
+ gnutls_certificate_free_credentials(scred);
|
|
||||||
+ gnutls_certificate_free_credentials(ccred);
|
|
||||||
+
|
|
||||||
+ gnutls_free(session_ticket_key.data);
|
|
||||||
+
|
|
||||||
+ gnutls_global_deinit();
|
|
||||||
+ reset_buffers();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void doit(void)
|
|
||||||
+{
|
|
||||||
+ run();
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,121 +0,0 @@
|
|||||||
From fe912c5dba49dcecbd5c32bf8184e60a949af452 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Wed, 10 Jan 2024 19:13:17 +0900
|
|
||||||
Subject: [PATCH] rsa-psk: minimize branching after decryption
|
|
||||||
|
|
||||||
This moves any non-trivial code between gnutls_privkey_decrypt_data2
|
|
||||||
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
|
|
||||||
decryption. This also avoids an extra memcpy to session->key.key.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
|
|
||||||
1 file changed, 35 insertions(+), 33 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
|
|
||||||
index 93c2dc9998..8f3fe5a4bd 100644
|
|
||||||
--- a/lib/auth/rsa_psk.c
|
|
||||||
+++ b/lib/auth/rsa_psk.c
|
|
||||||
@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
int ret, dsize;
|
|
||||||
ssize_t data_size = _data_size;
|
|
||||||
gnutls_psk_server_credentials_t cred;
|
|
||||||
- gnutls_datum_t premaster_secret = { NULL, 0 };
|
|
||||||
volatile uint8_t ver_maj, ver_min;
|
|
||||||
|
|
||||||
cred = (gnutls_psk_server_credentials_t)
|
|
||||||
@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
ver_maj = _gnutls_get_adv_version_major(session);
|
|
||||||
ver_min = _gnutls_get_adv_version_minor(session);
|
|
||||||
|
|
||||||
- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
|
|
||||||
- if (premaster_secret.data == NULL) {
|
|
||||||
+ /* Find the key of this username. A random value will be
|
|
||||||
+ * filled in if the key is not found.
|
|
||||||
+ */
|
|
||||||
+ ret =
|
|
||||||
+ _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ return gnutls_assert_val(ret);
|
|
||||||
+
|
|
||||||
+ /* Allocate memory for premaster secret, and fill in the
|
|
||||||
+ * fields except the decryption result.
|
|
||||||
+ */
|
|
||||||
+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
|
|
||||||
+ session->key.key.data = gnutls_malloc(session->key.key.size);
|
|
||||||
+ if (session->key.key.data == NULL) {
|
|
||||||
gnutls_assert();
|
|
||||||
+ _gnutls_free_key_datum(&pwd_psk);
|
|
||||||
+ /* No need to zeroize, as the secret is not copied in yet */
|
|
||||||
+ _gnutls_free_datum(&session->key.key);
|
|
||||||
return GNUTLS_E_MEMORY_ERROR;
|
|
||||||
}
|
|
||||||
- premaster_secret.size = GNUTLS_MASTER_SIZE;
|
|
||||||
|
|
||||||
/* Fallback value when decryption fails. Needs to be unpredictable. */
|
|
||||||
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
|
||||||
- premaster_secret.size);
|
|
||||||
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
|
|
||||||
+ GNUTLS_MASTER_SIZE);
|
|
||||||
if (ret < 0) {
|
|
||||||
gnutls_assert();
|
|
||||||
- goto cleanup;
|
|
||||||
+ _gnutls_free_key_datum(&pwd_psk);
|
|
||||||
+ /* No need to zeroize, as the secret is not copied in yet */
|
|
||||||
+ _gnutls_free_datum(&session->key.key);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
|
|
||||||
+ _gnutls_write_uint16(pwd_psk.size,
|
|
||||||
+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
|
|
||||||
+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2],
|
|
||||||
+ pwd_psk.data, pwd_psk.size);
|
|
||||||
+ _gnutls_free_key_datum(&pwd_psk);
|
|
||||||
+
|
|
||||||
gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
|
|
||||||
- &ciphertext, premaster_secret.data,
|
|
||||||
- premaster_secret.size);
|
|
||||||
+ &ciphertext, session->key.key.data + 2,
|
|
||||||
+ GNUTLS_MASTER_SIZE);
|
|
||||||
/* After this point, any conditional on failure that cause differences
|
|
||||||
* in execution may create a timing or cache access pattern side
|
|
||||||
* channel that can be used as an oracle, so tread carefully */
|
|
||||||
@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
/* This is here to avoid the version check attack
|
|
||||||
* discussed above.
|
|
||||||
*/
|
|
||||||
- premaster_secret.data[0] = ver_maj;
|
|
||||||
- premaster_secret.data[1] = ver_min;
|
|
||||||
-
|
|
||||||
- /* find the key of this username
|
|
||||||
- */
|
|
||||||
- ret =
|
|
||||||
- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
|
|
||||||
- if (ret < 0) {
|
|
||||||
- gnutls_assert();
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret =
|
|
||||||
- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
|
|
||||||
- if (ret < 0) {
|
|
||||||
- gnutls_assert();
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
+ session->key.key.data[2] = ver_maj;
|
|
||||||
+ session->key.key.data[3] = ver_min;
|
|
||||||
|
|
||||||
- ret = 0;
|
|
||||||
- cleanup:
|
|
||||||
- _gnutls_free_key_datum(&pwd_psk);
|
|
||||||
- _gnutls_free_temp_key_datum(&premaster_secret);
|
|
||||||
-
|
|
||||||
- return ret;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
--
|
|
||||||
2.43.0
|
|
||||||
|
|
@ -1,202 +0,0 @@
|
|||||||
From e007a54432c98618bde500649817d153225abf6b Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Thu, 7 Dec 2023 11:52:08 +0900
|
|
||||||
Subject: [PATCH] gnutls-3.6.16-rsa-psk-timing.patch
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
lib/auth/rsa.c | 2 +-
|
|
||||||
lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
|
|
||||||
lib/gnutls_int.h | 4 --
|
|
||||||
lib/priority.c | 1 -
|
|
||||||
4 files changed, 35 insertions(+), 65 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
|
|
||||||
index 858701f..02b6a34 100644
|
|
||||||
--- a/lib/auth/rsa.c
|
|
||||||
+++ b/lib/auth/rsa.c
|
|
||||||
@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
session->key.key.size);
|
|
||||||
/* After this point, any conditional on failure that cause differences
|
|
||||||
* in execution may create a timing or cache access pattern side
|
|
||||||
- * channel that can be used as an oracle, so treat very carefully */
|
|
||||||
+ * channel that can be used as an oracle, so tread carefully */
|
|
||||||
|
|
||||||
/* Error handling logic:
|
|
||||||
* In case decryption fails then don't inform the peer. Just use the
|
|
||||||
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
|
|
||||||
index 1a9dab5..93c2dc9 100644
|
|
||||||
--- a/lib/auth/rsa_psk.c
|
|
||||||
+++ b/lib/auth/rsa_psk.c
|
|
||||||
@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
{
|
|
||||||
gnutls_datum_t username;
|
|
||||||
psk_auth_info_t info;
|
|
||||||
- gnutls_datum_t plaintext;
|
|
||||||
gnutls_datum_t ciphertext;
|
|
||||||
gnutls_datum_t pwd_psk = { NULL, 0 };
|
|
||||||
int ret, dsize;
|
|
||||||
- int randomize_key = 0;
|
|
||||||
ssize_t data_size = _data_size;
|
|
||||||
gnutls_psk_server_credentials_t cred;
|
|
||||||
gnutls_datum_t premaster_secret = { NULL, 0 };
|
|
||||||
+ volatile uint8_t ver_maj, ver_min;
|
|
||||||
|
|
||||||
cred = (gnutls_psk_server_credentials_t)
|
|
||||||
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
|
|
||||||
@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
}
|
|
||||||
ciphertext.size = dsize;
|
|
||||||
|
|
||||||
- ret =
|
|
||||||
- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
|
|
||||||
- &ciphertext, &plaintext);
|
|
||||||
- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
|
|
||||||
- /* In case decryption fails then don't inform
|
|
||||||
- * the peer. Just use a random key. (in order to avoid
|
|
||||||
- * attack against pkcs-1 formatting).
|
|
||||||
- */
|
|
||||||
+ ver_maj = _gnutls_get_adv_version_major(session);
|
|
||||||
+ ver_min = _gnutls_get_adv_version_minor(session);
|
|
||||||
+
|
|
||||||
+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
|
|
||||||
+ if (premaster_secret.data == NULL) {
|
|
||||||
gnutls_assert();
|
|
||||||
- _gnutls_debug_log
|
|
||||||
- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
|
|
||||||
- if (ret >= 0) {
|
|
||||||
- gnutls_free(plaintext.data);
|
|
||||||
- }
|
|
||||||
- randomize_key = 1;
|
|
||||||
- } else {
|
|
||||||
- /* If the secret was properly formatted, then
|
|
||||||
- * check the version number.
|
|
||||||
- */
|
|
||||||
- if (_gnutls_get_adv_version_major(session) !=
|
|
||||||
- plaintext.data[0]
|
|
||||||
- || (session->internals.allow_wrong_pms == 0
|
|
||||||
- && _gnutls_get_adv_version_minor(session) !=
|
|
||||||
- plaintext.data[1])) {
|
|
||||||
- /* No error is returned here, if the version number check
|
|
||||||
- * fails. We proceed normally.
|
|
||||||
- * That is to defend against the attack described in the paper
|
|
||||||
- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
|
|
||||||
- * Ondej Pokorny and Tomas Rosa.
|
|
||||||
- */
|
|
||||||
- gnutls_assert();
|
|
||||||
- _gnutls_debug_log
|
|
||||||
- ("auth_rsa: Possible PKCS #1 version check format attack\n");
|
|
||||||
- }
|
|
||||||
+ return GNUTLS_E_MEMORY_ERROR;
|
|
||||||
}
|
|
||||||
+ premaster_secret.size = GNUTLS_MASTER_SIZE;
|
|
||||||
|
|
||||||
-
|
|
||||||
- if (randomize_key != 0) {
|
|
||||||
- premaster_secret.size = GNUTLS_MASTER_SIZE;
|
|
||||||
- premaster_secret.data =
|
|
||||||
- gnutls_malloc(premaster_secret.size);
|
|
||||||
- if (premaster_secret.data == NULL) {
|
|
||||||
- gnutls_assert();
|
|
||||||
- return GNUTLS_E_MEMORY_ERROR;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* we do not need strong random numbers here.
|
|
||||||
- */
|
|
||||||
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
|
||||||
- premaster_secret.size);
|
|
||||||
- if (ret < 0) {
|
|
||||||
- gnutls_assert();
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- premaster_secret.data = plaintext.data;
|
|
||||||
- premaster_secret.size = plaintext.size;
|
|
||||||
+ /* Fallback value when decryption fails. Needs to be unpredictable. */
|
|
||||||
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
|
||||||
+ premaster_secret.size);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ gnutls_assert();
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
|
|
||||||
+ &ciphertext, premaster_secret.data,
|
|
||||||
+ premaster_secret.size);
|
|
||||||
+ /* After this point, any conditional on failure that cause differences
|
|
||||||
+ * in execution may create a timing or cache access pattern side
|
|
||||||
+ * channel that can be used as an oracle, so tread carefully */
|
|
||||||
+
|
|
||||||
+ /* Error handling logic:
|
|
||||||
+ * In case decryption fails then don't inform the peer. Just use the
|
|
||||||
+ * random key previously generated. (in order to avoid attack against
|
|
||||||
+ * pkcs-1 formatting).
|
|
||||||
+ *
|
|
||||||
+ * If we get version mismatches no error is returned either. We
|
|
||||||
+ * proceed normally. This is to defend against the attack described
|
|
||||||
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
|
|
||||||
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
/* This is here to avoid the version check attack
|
|
||||||
* discussed above.
|
|
||||||
*/
|
|
||||||
-
|
|
||||||
- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
|
|
||||||
- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
|
|
||||||
+ premaster_secret.data[0] = ver_maj;
|
|
||||||
+ premaster_secret.data[1] = ver_min;
|
|
||||||
|
|
||||||
/* find the key of this username
|
|
||||||
*/
|
|
||||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
|
||||||
index 31cec5c..815f69b 100644
|
|
||||||
--- a/lib/gnutls_int.h
|
|
||||||
+++ b/lib/gnutls_int.h
|
|
||||||
@@ -971,7 +971,6 @@ struct gnutls_priority_st {
|
|
||||||
bool _no_etm;
|
|
||||||
bool _no_ext_master_secret;
|
|
||||||
bool _allow_key_usage_violation;
|
|
||||||
- bool _allow_wrong_pms;
|
|
||||||
bool _dumbfw;
|
|
||||||
unsigned int _dh_prime_bits; /* old (deprecated) variable */
|
|
||||||
|
|
||||||
@@ -989,7 +988,6 @@ struct gnutls_priority_st {
|
|
||||||
(x)->no_etm = 1; \
|
|
||||||
(x)->no_ext_master_secret = 1; \
|
|
||||||
(x)->allow_key_usage_violation = 1; \
|
|
||||||
- (x)->allow_wrong_pms = 1; \
|
|
||||||
(x)->dumbfw = 1
|
|
||||||
|
|
||||||
#define ENABLE_PRIO_COMPAT(x) \
|
|
||||||
@@ -998,7 +996,6 @@ struct gnutls_priority_st {
|
|
||||||
(x)->_no_etm = 1; \
|
|
||||||
(x)->_no_ext_master_secret = 1; \
|
|
||||||
(x)->_allow_key_usage_violation = 1; \
|
|
||||||
- (x)->_allow_wrong_pms = 1; \
|
|
||||||
(x)->_dumbfw = 1
|
|
||||||
|
|
||||||
/* DH and RSA parameters types.
|
|
||||||
@@ -1123,7 +1120,6 @@ typedef struct {
|
|
||||||
bool no_etm;
|
|
||||||
bool no_ext_master_secret;
|
|
||||||
bool allow_key_usage_violation;
|
|
||||||
- bool allow_wrong_pms;
|
|
||||||
bool dumbfw;
|
|
||||||
|
|
||||||
/* old (deprecated) variable. This is used for both srp_prime_bits
|
|
||||||
diff --git a/lib/priority.c b/lib/priority.c
|
|
||||||
index 0a284ae..67ec887 100644
|
|
||||||
--- a/lib/priority.c
|
|
||||||
+++ b/lib/priority.c
|
|
||||||
@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
|
|
||||||
COPY_TO_INTERNALS(no_etm);
|
|
||||||
COPY_TO_INTERNALS(no_ext_master_secret);
|
|
||||||
COPY_TO_INTERNALS(allow_key_usage_violation);
|
|
||||||
- COPY_TO_INTERNALS(allow_wrong_pms);
|
|
||||||
COPY_TO_INTERNALS(dumbfw);
|
|
||||||
COPY_TO_INTERNALS(dh_prime_bits);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.43.0
|
|
||||||
|
|
BIN
SOURCES/gnutls-3.6.16.tar.xz.sig
Normal file
BIN
SOURCES/gnutls-3.6.16.tar.xz.sig
Normal file
Binary file not shown.
@ -1,114 +0,0 @@
|
|||||||
From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Sosedkin <asosedkin@redhat.com>
|
|
||||||
Date: Tue, 9 Aug 2022 16:05:53 +0200
|
|
||||||
Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel
|
|
||||||
|
|
||||||
Remove branching that depends on secret data.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
|
|
||||||
Signed-off-by: Hubert Kario <hkario@redhat.com>
|
|
||||||
Tested-by: Hubert Kario <hkario@redhat.com>
|
|
||||||
---
|
|
||||||
lib/auth/rsa.c | 10 ----------
|
|
||||||
1 file changed, 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
|
|
||||||
index 8108ee841d..6b158bacb2 100644
|
|
||||||
--- a/lib/auth/rsa.c
|
|
||||||
+++ b/lib/auth/rsa.c
|
|
||||||
@@ -155,7 +155,6 @@ static int
|
|
||||||
proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
size_t _data_size)
|
|
||||||
{
|
|
||||||
- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
|
|
||||||
gnutls_datum_t ciphertext;
|
|
||||||
int ret, dsize;
|
|
||||||
ssize_t data_size = _data_size;
|
|
||||||
@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
|
|
||||||
CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
|
|
||||||
|
|
||||||
- if (ok) {
|
|
||||||
- /* call logging function unconditionally so all branches are
|
|
||||||
- * indistinguishable for timing and cache access when debug
|
|
||||||
- * logging is disabled */
|
|
||||||
- _gnutls_no_log("%s", attack_error);
|
|
||||||
- } else {
|
|
||||||
- _gnutls_debug_log("%s", attack_error);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* This is here to avoid the version check attack
|
|
||||||
* discussed above.
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hubert Kario <hkario@redhat.com>
|
|
||||||
Date: Wed, 8 Feb 2023 14:32:09 +0100
|
|
||||||
Subject: [PATCH 2/2] rsa: remove dead code
|
|
||||||
|
|
||||||
since the `ok` variable isn't used any more, we can remove all code
|
|
||||||
used to calculate it
|
|
||||||
|
|
||||||
Signed-off-by: Hubert Kario <hkario@redhat.com>
|
|
||||||
---
|
|
||||||
lib/auth/rsa.c | 20 +++-----------------
|
|
||||||
1 file changed, 3 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
|
|
||||||
index 6b158bacb2..858701fe6e 100644
|
|
||||||
--- a/lib/auth/rsa.c
|
|
||||||
+++ b/lib/auth/rsa.c
|
|
||||||
@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
int ret, dsize;
|
|
||||||
ssize_t data_size = _data_size;
|
|
||||||
volatile uint8_t ver_maj, ver_min;
|
|
||||||
- volatile uint8_t check_ver_min;
|
|
||||||
- volatile uint32_t ok;
|
|
||||||
|
|
||||||
#ifdef ENABLE_SSL3
|
|
||||||
if (get_num_version(session) == GNUTLS_SSL3) {
|
|
||||||
@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
|
|
||||||
ver_maj = _gnutls_get_adv_version_major(session);
|
|
||||||
ver_min = _gnutls_get_adv_version_minor(session);
|
|
||||||
- check_ver_min = (session->internals.allow_wrong_pms == 0);
|
|
||||||
|
|
||||||
session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
|
|
||||||
if (session->key.key.data == NULL) {
|
|
||||||
@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret =
|
|
||||||
- gnutls_privkey_decrypt_data2(session->internals.selected_key,
|
|
||||||
- 0, &ciphertext, session->key.key.data,
|
|
||||||
- session->key.key.size);
|
|
||||||
+ gnutls_privkey_decrypt_data2(session->internals.selected_key,
|
|
||||||
+ 0, &ciphertext, session->key.key.data,
|
|
||||||
+ session->key.key.size);
|
|
||||||
/* After this point, any conditional on failure that cause differences
|
|
||||||
* in execution may create a timing or cache access pattern side
|
|
||||||
* channel that can be used as an oracle, so treat very carefully */
|
|
||||||
@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
|
||||||
* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
|
|
||||||
*/
|
|
||||||
|
|
||||||
- /* ok is 0 in case of error and 1 in case of success. */
|
|
||||||
-
|
|
||||||
- /* if ret < 0 */
|
|
||||||
- ok = CONSTCHECK_EQUAL(ret, 0);
|
|
||||||
- /* session->key.key.data[0] must equal ver_maj */
|
|
||||||
- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
|
|
||||||
- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
|
|
||||||
- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
|
|
||||||
- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
|
|
||||||
-
|
|
||||||
/* This is here to avoid the version check attack
|
|
||||||
* discussed above.
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
|||||||
Version: 3.6.16
|
Version: 3.6.16
|
||||||
Release: 8%{?dist}.3
|
Release: 4%{?dist}
|
||||||
Patch1: gnutls-3.2.7-rpath.patch
|
Patch1: gnutls-3.2.7-rpath.patch
|
||||||
Patch2: gnutls-3.6.4-no-now-guile.patch
|
Patch2: gnutls-3.6.4-no-now-guile.patch
|
||||||
Patch3: gnutls-3.6.13-enable-intel-cet.patch
|
Patch3: gnutls-3.6.13-enable-intel-cet.patch
|
||||||
@ -8,13 +8,6 @@ Patch11: gnutls-3.6.14-fips-kdf-selftests.patch
|
|||||||
Patch12: gnutls-3.6.16-tls12-cert-type.patch
|
Patch12: gnutls-3.6.16-tls12-cert-type.patch
|
||||||
Patch13: gnutls-3.6.16-trust-ca-sha1.patch
|
Patch13: gnutls-3.6.16-trust-ca-sha1.patch
|
||||||
Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch
|
Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch
|
||||||
Patch15: gnutls-3.6.16-pkcs7-verify.patch
|
|
||||||
Patch16: gnutls-3.6.16-cpuid.patch
|
|
||||||
Patch17: gnutls-3.7.8-rsa-kx-timing.patch
|
|
||||||
Patch18: gnutls-3.6.16-rehandshake-tickets.patch
|
|
||||||
Patch19: gnutls-3.6.16-rsa-psk-timing.patch
|
|
||||||
Patch20: gnutls-3.6.16-rsa-psk-timing-followup.patch
|
|
||||||
Patch21: gnutls-3.6.16-deterministic-ecdsa-fixes.patch
|
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
%bcond_with guile
|
%bcond_with guile
|
||||||
@ -160,7 +153,7 @@ This package contains Guile bindings for the library.
|
|||||||
%prep
|
%prep
|
||||||
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||||
|
|
||||||
%autosetup -p1 -S git
|
%autosetup -p1
|
||||||
|
|
||||||
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
||||||
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
||||||
@ -172,7 +165,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
|
|||||||
# via the crypto policies
|
# via the crypto policies
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -fi
|
|
||||||
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
||||||
export CCASFLAGS
|
export CCASFLAGS
|
||||||
%configure --with-libtasn1-prefix=%{_prefix} \
|
%configure --with-libtasn1-prefix=%{_prefix} \
|
||||||
@ -299,28 +291,6 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Mar 26 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.3
|
|
||||||
- Fix memleak with older GMP (RHEL-28957)
|
|
||||||
|
|
||||||
* Mon Mar 25 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.2
|
|
||||||
- Fix timing side-channel in deterministic ECDSA (RHEL-28957)
|
|
||||||
|
|
||||||
* Thu Jan 18 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.1
|
|
||||||
- auth/rsa-psk: minimize branching after decryption (RHEL-21586)
|
|
||||||
|
|
||||||
* Wed Dec 6 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-8
|
|
||||||
- auth/rsa_psk: side-step potential side-channel (RHEL-16753)
|
|
||||||
|
|
||||||
* Mon Jun 26 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-7
|
|
||||||
- Clear server's session ticket indication at rehandshake (#2089817)
|
|
||||||
|
|
||||||
* Thu Feb 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 3.6.16-6
|
|
||||||
- Fix x86_64 CPU feature detection when AVX is not available (#2131152)
|
|
||||||
- Fix timing side-channel in TLS RSA key exchange (#2162598)
|
|
||||||
|
|
||||||
* Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
|
|
||||||
- Fix double-free in gnutls_pkcs7_verify (#2109788)
|
|
||||||
|
|
||||||
* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
|
* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
|
||||||
- p11tool: Document ID reuse behavior when importing certs (#1776250)
|
- p11tool: Document ID reuse behavior when importing certs (#1776250)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user