Sync from SUSE:SLFO:Main gnutls revision fd9267dc71bcb0d2bf242bde6c5a6847
This commit is contained in:
parent
7700a6dcb2
commit
df45cf341d
BIN
gnutls-3.8.3.tar.xz
(Stored with Git LFS)
BIN
gnutls-3.8.3.tar.xz
(Stored with Git LFS)
Binary file not shown.
Binary file not shown.
BIN
gnutls-3.8.8.tar.xz
(Stored with Git LFS)
Normal file
BIN
gnutls-3.8.8.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
gnutls-3.8.8.tar.xz.sig
Normal file
BIN
gnutls-3.8.8.tar.xz.sig
Normal file
Binary file not shown.
@ -1,418 +0,0 @@
|
|||||||
From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Fri, 12 Jan 2024 17:56:58 +0900
|
|
||||||
Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
|
|
||||||
|
|
||||||
This removes function calls that potentially leak bit-length of a
|
|
||||||
private key used to calculate a nonce in deterministic ECDSA. Namely:
|
|
||||||
|
|
||||||
- _gnutls_dsa_compute_k has been rewritten to work on always
|
|
||||||
zero-padded mp_limb_t arrays instead of mpz_t
|
|
||||||
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
|
|
||||||
by a byte array instead of an mpz_t value
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/nettle/int/dsa-compute-k.c | 70 +++++++++++++++++++++----------
|
|
||||||
lib/nettle/int/dsa-compute-k.h | 23 +++++++++-
|
|
||||||
lib/nettle/int/ecdsa-compute-k.c | 28 +++----------
|
|
||||||
lib/nettle/int/ecdsa-compute-k.h | 4 +-
|
|
||||||
lib/nettle/pk.c | 65 +++++++++++++++++++++-------
|
|
||||||
tests/sign-verify-deterministic.c | 2 +-
|
|
||||||
6 files changed, 127 insertions(+), 65 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
|
|
||||||
index 8ff5739c2b..2fcb2bb80e 100644
|
|
||||||
--- a/lib/nettle/int/dsa-compute-k.c
|
|
||||||
+++ b/lib/nettle/int/dsa-compute-k.c
|
|
||||||
@@ -31,19 +31,30 @@
|
|
||||||
#include "mpn-base256.h"
|
|
||||||
#include <string.h>
|
|
||||||
|
|
||||||
-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
|
||||||
+/* For mini-gmp */
|
|
||||||
+#ifndef GMP_LIMB_BITS
|
|
||||||
+#define GMP_LIMB_BITS GMP_NUMB_BITS
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
-/* The maximum size of q, chosen from the fact that we support
|
|
||||||
- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
|
||||||
- * maximum. */
|
|
||||||
-#define MAX_Q_BITS 521
|
|
||||||
-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
|
||||||
-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
|
||||||
+static inline int is_zero_limb(mp_limb_t x)
|
|
||||||
+{
|
|
||||||
+ x |= (x << 1);
|
|
||||||
+ return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ volatile mp_limb_t w;
|
|
||||||
+ mp_size_t i;
|
|
||||||
|
|
||||||
-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
|
||||||
-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
|
||||||
+ for (i = 0, w = 0; i < n; i++)
|
|
||||||
+ w |= ap[i];
|
|
||||||
|
|
||||||
-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
+ return is_zero_limb(w);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
|
||||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
|
||||||
gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
size_t length)
|
|
||||||
{
|
|
||||||
@@ -51,9 +62,6 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
uint8_t K[MAX_HASH_SIZE];
|
|
||||||
uint8_t xp[MAX_Q_SIZE];
|
|
||||||
uint8_t tp[MAX_Q_SIZE];
|
|
||||||
- mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
|
|
||||||
- mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
|
|
||||||
- mp_size_t qn = mpz_size(q);
|
|
||||||
mp_bitcnt_t h_bits = length * 8;
|
|
||||||
mp_size_t hn = BITS_TO_LIMBS(h_bits);
|
|
||||||
size_t nbytes = (q_bits + 7) / 8;
|
|
||||||
@@ -62,6 +70,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
mp_limb_t cy;
|
|
||||||
gnutls_hmac_hd_t hd;
|
|
||||||
int ret = 0;
|
|
||||||
+ mp_limb_t scratch[MAX_Q_LIMBS];
|
|
||||||
|
|
||||||
if (unlikely(q_bits > MAX_Q_BITS))
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
@@ -69,7 +78,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
|
|
||||||
/* int2octets(x) */
|
|
||||||
- mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
|
|
||||||
+ mpn_get_base256(xp, nbytes, x, qn);
|
|
||||||
|
|
||||||
/* bits2octets(h) */
|
|
||||||
mpn_set_base256(h, hn, digest, length);
|
|
||||||
@@ -93,12 +102,12 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
|
|
||||||
}
|
|
||||||
|
|
||||||
- cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
|
|
||||||
+ cy = mpn_sub_n(h, h, q, qn);
|
|
||||||
/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
|
|
||||||
#ifdef mpn_cnd_add_n
|
|
||||||
- mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
|
|
||||||
+ mpn_cnd_add_n(cy, h, h, q, qn);
|
|
||||||
#else
|
|
||||||
- mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
|
|
||||||
+ mpn_addmul_1(h, q, qn, cy != 0);
|
|
||||||
#endif
|
|
||||||
mpn_get_base256(tp, nbytes, h, qn);
|
|
||||||
|
|
||||||
@@ -174,12 +183,8 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
if (tlen * 8 > q_bits)
|
|
||||||
mpn_rshift(h, h, qn, tlen * 8 - q_bits);
|
|
||||||
/* Check if k is in [1,q-1] */
|
|
||||||
- if (!mpn_zero_p(h, qn) &&
|
|
||||||
- mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
|
|
||||||
- mpn_copyi(mpz_limbs_write(k, qn), h, qn);
|
|
||||||
- mpz_limbs_finish(k, qn);
|
|
||||||
+ if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
|
|
||||||
break;
|
|
||||||
- }
|
|
||||||
|
|
||||||
ret = gnutls_hmac_init(&hd, mac, K, length);
|
|
||||||
if (ret < 0)
|
|
||||||
@@ -203,3 +208,24 @@ out:
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/* cancel-out dsa_sign's addition of 1 to random data */
|
|
||||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ /* Fall back to sub_1, if nettle is linked with mini-gmp. */
|
|
||||||
+#ifdef mpn_sec_sub_1
|
|
||||||
+ mp_limb_t t[MAX_Q_LIMBS];
|
|
||||||
+
|
|
||||||
+ mpn_sec_sub_1(h, h, n, 1, t);
|
|
||||||
+#else
|
|
||||||
+ mpn_sub_1(h, h, n, 1);
|
|
||||||
+#endif
|
|
||||||
+ mpn_get_base256(k, nbytes, h, n);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n)
|
|
||||||
+{
|
|
||||||
+ mpn_get_base256(k, nbytes, h, n);
|
|
||||||
+}
|
|
||||||
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
|
|
||||||
index 49d243acb4..2f0667a01e 100644
|
|
||||||
--- a/lib/nettle/int/dsa-compute-k.h
|
|
||||||
+++ b/lib/nettle/int/dsa-compute-k.h
|
|
||||||
@@ -26,8 +26,29 @@
|
|
||||||
#include <gnutls/gnutls.h>
|
|
||||||
#include <nettle/bignum.h> /* includes gmp.h */
|
|
||||||
|
|
||||||
-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
|
|
||||||
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
|
||||||
+
|
|
||||||
+/* The maximum size of q, chosen from the fact that we support
|
|
||||||
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
|
||||||
+ * maximum. */
|
|
||||||
+#define MAX_Q_BITS 521
|
|
||||||
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
|
||||||
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
|
||||||
+
|
|
||||||
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
|
||||||
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
|
||||||
+
|
|
||||||
+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
|
|
||||||
+
|
|
||||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
|
||||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
|
||||||
gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
size_t length);
|
|
||||||
|
|
||||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n);
|
|
||||||
+
|
|
||||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
|
||||||
+ mp_size_t n);
|
|
||||||
+
|
|
||||||
#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
|
|
||||||
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
index 3b7f886160..4e25235c40 100644
|
|
||||||
--- a/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
+++ b/lib/nettle/int/ecdsa-compute-k.c
|
|
||||||
@@ -29,38 +29,38 @@
|
|
||||||
#include "dsa-compute-k.h"
|
|
||||||
#include "gnutls_int.h"
|
|
||||||
|
|
||||||
-static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
|
||||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
|
|
||||||
{
|
|
||||||
switch (curve) {
|
|
||||||
#ifdef ENABLE_NON_SUITEB_CURVES
|
|
||||||
case GNUTLS_ECC_CURVE_SECP192R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
+ mpz_init_set_str(q,
|
|
||||||
"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
|
|
||||||
"146BC9B1B4D22831",
|
|
||||||
16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP224R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
+ mpz_init_set_str(q,
|
|
||||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
|
|
||||||
"E0B8F03E13DD29455C5C2A3D",
|
|
||||||
16);
|
|
||||||
return 0;
|
|
||||||
#endif
|
|
||||||
case GNUTLS_ECC_CURVE_SECP256R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
+ mpz_init_set_str(q,
|
|
||||||
"FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
|
||||||
"BCE6FAADA7179E84F3B9CAC2FC632551",
|
|
||||||
16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP384R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
+ mpz_init_set_str(q,
|
|
||||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
"FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
|
||||||
"581A0DB248B0A77AECEC196ACCC52973",
|
|
||||||
16);
|
|
||||||
return 0;
|
|
||||||
case GNUTLS_ECC_CURVE_SECP521R1:
|
|
||||||
- mpz_init_set_str(*q,
|
|
||||||
+ mpz_init_set_str(q,
|
|
||||||
"1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
||||||
"FFA51868783BF2F966B7FCC0148F709A"
|
|
||||||
@@ -73,19 +73,3 @@ static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
|
||||||
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
- size_t length)
|
|
||||||
-{
|
|
||||||
- mpz_t q;
|
|
||||||
- int ret;
|
|
||||||
-
|
|
||||||
- ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
|
|
||||||
- if (ret < 0)
|
|
||||||
- return gnutls_assert_val(ret);
|
|
||||||
-
|
|
||||||
- ret = _gnutls_dsa_compute_k(k, q, x, mac, digest, length);
|
|
||||||
- mpz_clear(q);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
index be8beddb5d..207685763f 100644
|
|
||||||
--- a/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
+++ b/lib/nettle/int/ecdsa-compute-k.h
|
|
||||||
@@ -26,8 +26,6 @@
|
|
||||||
#include <gnutls/gnutls.h>
|
|
||||||
#include <nettle/bignum.h> /* includes gmp.h */
|
|
||||||
|
|
||||||
-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
|
|
||||||
- gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
|
||||||
- size_t length);
|
|
||||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
|
|
||||||
|
|
||||||
#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
|
|
||||||
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
||||||
index 305548f4d1..dd6b9936a8 100644
|
|
||||||
--- a/lib/nettle/pk.c
|
|
||||||
+++ b/lib/nettle/pk.c
|
|
||||||
@@ -103,10 +103,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t *data)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t *data)
|
|
||||||
+static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
|
|
||||||
{
|
|
||||||
- mpz_t *k = _ctx;
|
|
||||||
- nettle_mpz_get_str_256(length, data, *k);
|
|
||||||
+ gnutls_datum_t *d = ctx;
|
|
||||||
+
|
|
||||||
+ if (length > d->size) {
|
|
||||||
+ memset(data, 0, length - d->size);
|
|
||||||
+ memcpy(data + (length - d->size), d->data, d->size);
|
|
||||||
+ } else {
|
|
||||||
+ memcpy(data, d->data, length);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t *data)
|
|
||||||
@@ -1403,7 +1409,10 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
struct dsa_signature sig;
|
|
||||||
int curve_id = pk_params->curve;
|
|
||||||
const struct ecc_curve *curve;
|
|
||||||
- mpz_t k;
|
|
||||||
+ mpz_t q;
|
|
||||||
+ /* 521-bit elliptic curve generator at maximum */
|
|
||||||
+ uint8_t buf[(521 + 7) / 8];
|
|
||||||
+ gnutls_datum_t k = { NULL, 0 };
|
|
||||||
void *random_ctx;
|
|
||||||
nettle_random_func *random_func;
|
|
||||||
|
|
||||||
@@ -1447,17 +1456,32 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
not_approved = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
- mpz_init(k);
|
|
||||||
+ mpz_init(q);
|
|
||||||
+
|
|
||||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
||||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
||||||
- ret = _gnutls_ecdsa_compute_k(
|
|
||||||
- k, curve_id, pk_params->params[ECC_K],
|
|
||||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
|
||||||
+
|
|
||||||
+ ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ goto ecdsa_cleanup;
|
|
||||||
+
|
|
||||||
+ ret = _gnutls_dsa_compute_k(
|
|
||||||
+ h, mpz_limbs_read(q), priv.p,
|
|
||||||
+ ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
|
|
||||||
DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
|
||||||
vdata->size);
|
|
||||||
if (ret < 0)
|
|
||||||
goto ecdsa_cleanup;
|
|
||||||
+
|
|
||||||
+ k.data = buf;
|
|
||||||
+ k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
|
|
||||||
+
|
|
||||||
+ _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
|
|
||||||
+ ecc_size(priv.ecc));
|
|
||||||
+
|
|
||||||
random_ctx = &k;
|
|
||||||
- random_func = rnd_mpz_func;
|
|
||||||
+ random_func = rnd_datum_func;
|
|
||||||
} else {
|
|
||||||
random_ctx = NULL;
|
|
||||||
random_func = rnd_nonce_func;
|
|
||||||
@@ -1476,7 +1500,7 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
ecdsa_cleanup:
|
|
||||||
dsa_signature_clear(&sig);
|
|
||||||
ecc_scalar_zclear(&priv);
|
|
||||||
- mpz_clear(k);
|
|
||||||
+ mpz_clear(q);
|
|
||||||
|
|
||||||
if (ret < 0) {
|
|
||||||
gnutls_assert();
|
|
||||||
@@ -1488,7 +1512,9 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
struct dsa_params pub;
|
|
||||||
bigint_t priv;
|
|
||||||
struct dsa_signature sig;
|
|
||||||
- mpz_t k;
|
|
||||||
+ /* 512-bit DSA subgroup at maximum */
|
|
||||||
+ uint8_t buf[(512 + 7) / 8];
|
|
||||||
+ gnutls_datum_t k = { NULL, 0 };
|
|
||||||
void *random_ctx;
|
|
||||||
nettle_random_func *random_func;
|
|
||||||
|
|
||||||
@@ -1515,19 +1541,27 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
hash_len = vdata->size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- mpz_init(k);
|
|
||||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
||||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
||||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
|
||||||
+
|
|
||||||
ret = _gnutls_dsa_compute_k(
|
|
||||||
- k, pub.q, TOMPZ(priv),
|
|
||||||
+ h, mpz_limbs_read(pub.q),
|
|
||||||
+ mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
|
|
||||||
+ mpz_sizeinbase(pub.q, 2),
|
|
||||||
DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
|
||||||
vdata->size);
|
|
||||||
if (ret < 0)
|
|
||||||
goto dsa_fail;
|
|
||||||
- /* cancel-out dsa_sign's addition of 1 to random data */
|
|
||||||
- mpz_sub_ui(k, k, 1);
|
|
||||||
+
|
|
||||||
+ k.data = buf;
|
|
||||||
+ k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
|
|
||||||
+
|
|
||||||
+ _gnutls_dsa_compute_k_finish(k.data, k.size, h,
|
|
||||||
+ mpz_size(pub.q));
|
|
||||||
+
|
|
||||||
random_ctx = &k;
|
|
||||||
- random_func = rnd_mpz_func;
|
|
||||||
+ random_func = rnd_datum_func;
|
|
||||||
} else {
|
|
||||||
random_ctx = NULL;
|
|
||||||
random_func = rnd_nonce_func;
|
|
||||||
@@ -1544,7 +1578,6 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
||||||
|
|
||||||
dsa_fail:
|
|
||||||
dsa_signature_clear(&sig);
|
|
||||||
- mpz_clear(k);
|
|
||||||
|
|
||||||
if (ret < 0) {
|
|
||||||
gnutls_assert();
|
|
||||||
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
|
|
||||||
index 6969b57a11..bdd5a49c7d 100644
|
|
||||||
--- a/tests/sign-verify-deterministic.c
|
|
||||||
+++ b/tests/sign-verify-deterministic.c
|
|
||||||
@@ -198,7 +198,7 @@ void doit(void)
|
|
||||||
&tests[i].msg, &signature);
|
|
||||||
if (ret < 0)
|
|
||||||
testfail("gnutls_pubkey_verify_data2\n");
|
|
||||||
- success(" - pass");
|
|
||||||
+ success(" - pass\n");
|
|
||||||
|
|
||||||
next:
|
|
||||||
gnutls_free(signature.data);
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,410 +0,0 @@
|
|||||||
From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 29 Jan 2024 13:52:46 +0900
|
|
||||||
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
|
|
||||||
input
|
|
||||||
|
|
||||||
Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
|
|
||||||
chain verification logic crashed with assertion failure. This patch
|
|
||||||
removes the restriction while keeping the maximum number of
|
|
||||||
retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/gnutls_int.h | 5 +-
|
|
||||||
lib/x509/common.c | 10 +-
|
|
||||||
lib/x509/verify-high.c | 51 ++++++----
|
|
||||||
tests/test-chains.h | 211 ++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
4 files changed, 258 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
|
||||||
index d8561ebe3a..8cf9a87157 100644
|
|
||||||
--- a/lib/gnutls_int.h
|
|
||||||
+++ b/lib/gnutls_int.h
|
|
||||||
@@ -232,7 +232,10 @@ typedef enum record_send_state_t {
|
|
||||||
|
|
||||||
#define MAX_PK_PARAM_SIZE 2048
|
|
||||||
|
|
||||||
-/* defaults for verification functions
|
|
||||||
+/* Defaults for verification functions.
|
|
||||||
+ *
|
|
||||||
+ * update many_icas in tests/test-chains.h when increasing
|
|
||||||
+ * DEFAULT_MAX_VERIFY_DEPTH.
|
|
||||||
*/
|
|
||||||
#define DEFAULT_MAX_VERIFY_DEPTH 16
|
|
||||||
#define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE * 8)
|
|
||||||
diff --git a/lib/x509/common.c b/lib/x509/common.c
|
|
||||||
index 2cc83c9155..705aa868bc 100644
|
|
||||||
--- a/lib/x509/common.c
|
|
||||||
+++ b/lib/x509/common.c
|
|
||||||
@@ -1725,7 +1725,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
|
|
||||||
bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
|
|
||||||
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
|
||||||
|
|
||||||
- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
|
|
||||||
+ /* Limit the number of certificates in the chain, to avoid DoS
|
|
||||||
+ * because of the O(n^2) sorting below. FIXME: Switch to a
|
|
||||||
+ * topological sort algorithm which should be linear to the
|
|
||||||
+ * number of certificates and subject-issuer relationships.
|
|
||||||
+ */
|
|
||||||
+ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
|
|
||||||
+ _gnutls_debug_log("too many certificates; skipping sorting\n");
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
|
|
||||||
issuer[i] = -1;
|
|
||||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
|
||||||
index 4e7361eb63..aacc24a7d8 100644
|
|
||||||
--- a/lib/x509/verify-high.c
|
|
||||||
+++ b/lib/x509/verify-high.c
|
|
||||||
@@ -25,7 +25,7 @@
|
|
||||||
#include "errors.h"
|
|
||||||
#include <libtasn1.h>
|
|
||||||
#include "global.h"
|
|
||||||
-#include "num.h" /* MAX */
|
|
||||||
+#include "num.h" /* MIN */
|
|
||||||
#include "tls-sig.h"
|
|
||||||
#include "str.h"
|
|
||||||
#include "datum.h"
|
|
||||||
@@ -1361,7 +1361,8 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
int ret = 0;
|
|
||||||
unsigned int i;
|
|
||||||
size_t hash;
|
|
||||||
- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
|
||||||
+ gnutls_x509_crt_t *cert_list_copy = NULL;
|
|
||||||
+ unsigned int cert_list_max_size = 0;
|
|
||||||
gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
|
|
||||||
unsigned int retrieved_size = 0;
|
|
||||||
const char *hostname = NULL, *purpose = NULL, *email = NULL;
|
|
||||||
@@ -1421,16 +1422,28 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
|
||||||
- cert_list = sorted;
|
|
||||||
+ /* Allocate extra for retrieved certificates. */
|
|
||||||
+ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
|
|
||||||
+ &cert_list_max_size))
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
+
|
|
||||||
+ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
|
|
||||||
+ sizeof(gnutls_x509_crt_t));
|
|
||||||
+ if (!cert_list_copy)
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
||||||
+
|
|
||||||
+ memcpy(cert_list_copy, cert_list,
|
|
||||||
+ cert_list_size * sizeof(gnutls_x509_crt_t));
|
|
||||||
+ cert_list = cert_list_copy;
|
|
||||||
|
|
||||||
records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq,
|
|
||||||
cert_hashcode, NULL, false);
|
|
||||||
- if (records == NULL)
|
|
||||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
||||||
+ if (records == NULL) {
|
|
||||||
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- for (i = 0; i < cert_list_size &&
|
|
||||||
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) {
|
|
||||||
+ for (i = 0; i < cert_list_size;) {
|
|
||||||
unsigned int sorted_size = 1;
|
|
||||||
unsigned int j, k;
|
|
||||||
gnutls_x509_crt_t issuer;
|
|
||||||
@@ -1442,8 +1455,7 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
|
|
||||||
assert(sorted_size > 0);
|
|
||||||
|
|
||||||
- /* Remove duplicates. Start with index 1, as the first element
|
|
||||||
- * may be re-checked after issuer retrieval. */
|
|
||||||
+ /* Remove duplicates. */
|
|
||||||
for (j = 0; j < sorted_size; j++) {
|
|
||||||
if (gl_list_search(records, cert_list[i + j])) {
|
|
||||||
if (i + j < cert_list_size - 1) {
|
|
||||||
@@ -1495,13 +1507,15 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
|
|
||||||
ret = retrieve_issuers(
|
|
||||||
list, cert_list[i - 1], &retrieved[retrieved_size],
|
|
||||||
- DEFAULT_MAX_VERIFY_DEPTH -
|
|
||||||
- MAX(retrieved_size, cert_list_size));
|
|
||||||
+ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
|
|
||||||
+ cert_list_max_size - cert_list_size));
|
|
||||||
if (ret < 0) {
|
|
||||||
break;
|
|
||||||
} else if (ret > 0) {
|
|
||||||
assert((unsigned int)ret <=
|
|
||||||
- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
|
|
||||||
+ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
|
|
||||||
+ assert((unsigned int)ret <=
|
|
||||||
+ cert_list_max_size - cert_list_size);
|
|
||||||
memmove(&cert_list[i + ret], &cert_list[i],
|
|
||||||
(cert_list_size - i) *
|
|
||||||
sizeof(gnutls_x509_crt_t));
|
|
||||||
@@ -1517,8 +1531,10 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
}
|
|
||||||
|
|
||||||
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
|
|
||||||
- if (cert_list_size <= 0)
|
|
||||||
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ if (cert_list_size <= 0) {
|
|
||||||
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data,
|
|
||||||
cert_list[cert_list_size - 1]->raw_issuer_dn.size);
|
|
||||||
@@ -1661,10 +1677,13 @@ int gnutls_x509_trust_list_verify_crt2(
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanup:
|
|
||||||
+ gnutls_free(cert_list_copy);
|
|
||||||
for (i = 0; i < retrieved_size; i++) {
|
|
||||||
gnutls_x509_crt_deinit(retrieved[i]);
|
|
||||||
}
|
|
||||||
- gl_list_free(records);
|
|
||||||
+ if (records) {
|
|
||||||
+ gl_list_free(records);
|
|
||||||
+ }
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/tests/test-chains.h b/tests/test-chains.h
|
|
||||||
index 3e559fecd5..a7fe1cdecc 100644
|
|
||||||
--- a/tests/test-chains.h
|
|
||||||
+++ b/tests/test-chains.h
|
|
||||||
@@ -23,7 +23,7 @@
|
|
||||||
#ifndef GNUTLS_TESTS_TEST_CHAINS_H
|
|
||||||
#define GNUTLS_TESTS_TEST_CHAINS_H
|
|
||||||
|
|
||||||
-#define MAX_CHAIN 10
|
|
||||||
+#define MAX_CHAIN 17
|
|
||||||
|
|
||||||
static const char *chain_with_no_subject_id_in_ca_ok[] = {
|
|
||||||
"-----BEGIN CERTIFICATE-----\n"
|
|
||||||
@@ -4383,6 +4383,213 @@ static const char *cross_signed_ca[] = {
|
|
||||||
NULL
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
|
|
||||||
+static const char *many_icas[] = {
|
|
||||||
+ /* Server */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
|
|
||||||
+ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
|
|
||||||
+ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
|
|
||||||
+ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
|
|
||||||
+ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
|
|
||||||
+ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
|
|
||||||
+ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA16 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
|
|
||||||
+ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
|
|
||||||
+ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
|
|
||||||
+ "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA15 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
|
|
||||||
+ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
|
|
||||||
+ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
|
|
||||||
+ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA14 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
|
|
||||||
+ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
|
|
||||||
+ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
|
|
||||||
+ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA13 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
|
|
||||||
+ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
|
|
||||||
+ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
|
|
||||||
+ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA12 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
|
|
||||||
+ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
|
|
||||||
+ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
|
|
||||||
+ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA11 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
|
|
||||||
+ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
|
|
||||||
+ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
|
|
||||||
+ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA10 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
|
|
||||||
+ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
|
|
||||||
+ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
|
|
||||||
+ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA9 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
|
|
||||||
+ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
|
|
||||||
+ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
|
|
||||||
+ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA8 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
|
|
||||||
+ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
|
|
||||||
+ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
|
|
||||||
+ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA7 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
|
|
||||||
+ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
|
|
||||||
+ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
|
|
||||||
+ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA6 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
|
|
||||||
+ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
|
|
||||||
+ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
|
|
||||||
+ "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA5 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
|
|
||||||
+ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
|
|
||||||
+ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
|
|
||||||
+ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA4 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
|
|
||||||
+ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
|
|
||||||
+ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
|
|
||||||
+ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA3 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
|
|
||||||
+ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
|
|
||||||
+ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
|
|
||||||
+ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA2 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
|
|
||||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
|
||||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
|
||||||
+ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
|
|
||||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
|
|
||||||
+ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
|
|
||||||
+ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
|
|
||||||
+ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ /* ICA1 */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
|
|
||||||
+ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
|
|
||||||
+ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
|
|
||||||
+ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
|
|
||||||
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
|
|
||||||
+ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
|
|
||||||
+ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
|
|
||||||
+ "O2tFnNH2hV6LDPJzU0rtLQc=\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ NULL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *many_icas_ca[] = {
|
|
||||||
+ /* CA (self-signed) */
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
|
|
||||||
+ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
|
|
||||||
+ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
|
|
||||||
+ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
|
|
||||||
+ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
|
|
||||||
+ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
|
|
||||||
+ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
|
|
||||||
+ "-----END CERTIFICATE-----\n",
|
|
||||||
+ NULL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
|
|
||||||
#pragma GCC diagnostic push
|
|
||||||
#pragma GCC diagnostic ignored "-Wunused-variable"
|
|
||||||
@@ -4696,6 +4903,8 @@ static struct {
|
|
||||||
1620118136, 1 },
|
|
||||||
{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
|
|
||||||
1704955300 },
|
|
||||||
+ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
|
|
||||||
+ 1710284400 },
|
|
||||||
{ NULL, NULL, NULL, 0, 0 }
|
|
||||||
};
|
|
||||||
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
Index: gnutls-3.8.3/configure.ac
|
Index: gnutls-3.8.8/configure.ac
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/configure.ac
|
--- gnutls-3.8.8.orig/configure.ac
|
||||||
+++ gnutls-3.8.3/configure.ac
|
+++ gnutls-3.8.8/configure.ac
|
||||||
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
|
@@ -624,19 +624,19 @@ LT_INIT([disable-static,win32-dll,shared
|
||||||
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
|
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
|
||||||
|
|
||||||
AC_ARG_ENABLE(fips140-mode,
|
AC_ARG_ENABLE(fips140-mode,
|
||||||
@ -25,10 +25,10 @@ Index: gnutls-3.8.3/configure.ac
|
|||||||
|
|
||||||
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
|
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
|
||||||
[specify the FIPS140 module name]),
|
[specify the FIPS140 module name]),
|
||||||
Index: gnutls-3.8.3/doc/cha-gtls-app.texi
|
Index: gnutls-3.8.8/doc/cha-gtls-app.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/cha-gtls-app.texi
|
--- gnutls-3.8.8.orig/doc/cha-gtls-app.texi
|
||||||
+++ gnutls-3.8.3/doc/cha-gtls-app.texi
|
+++ gnutls-3.8.8/doc/cha-gtls-app.texi
|
||||||
@@ -222,7 +222,7 @@ CPU. The currently available options are
|
@@ -222,7 +222,7 @@ CPU. The currently available options are
|
||||||
@end itemize
|
@end itemize
|
||||||
|
|
||||||
@ -38,10 +38,10 @@ Index: gnutls-3.8.3/doc/cha-gtls-app.texi
|
|||||||
if set to one it will force the FIPS mode enablement.
|
if set to one it will force the FIPS mode enablement.
|
||||||
|
|
||||||
@end multitable
|
@end multitable
|
||||||
Index: gnutls-3.8.3/doc/cha-internals.texi
|
Index: gnutls-3.8.8/doc/cha-internals.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/cha-internals.texi
|
--- gnutls-3.8.8.orig/doc/cha-internals.texi
|
||||||
+++ gnutls-3.8.3/doc/cha-internals.texi
|
+++ gnutls-3.8.8/doc/cha-internals.texi
|
||||||
@@ -14,7 +14,7 @@ happens inside the black box.
|
@@ -14,7 +14,7 @@ happens inside the black box.
|
||||||
* TLS Hello Extension Handling::
|
* TLS Hello Extension Handling::
|
||||||
* Cryptographic Backend::
|
* Cryptographic Backend::
|
||||||
@ -162,11 +162,11 @@ Index: gnutls-3.8.3/doc/cha-internals.texi
|
|||||||
operation. It can be attached to the current execution thread with
|
operation. It can be attached to the current execution thread with
|
||||||
@funcref{gnutls_fips140_push_context} and its internal state will be
|
@funcref{gnutls_fips140_push_context} and its internal state will be
|
||||||
updated until it is detached with
|
updated until it is detached with
|
||||||
Index: gnutls-3.8.3/doc/enums.texi
|
Index: gnutls-3.8.8/doc/enums.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/enums.texi
|
--- gnutls-3.8.8.orig/doc/enums.texi
|
||||||
+++ gnutls-3.8.3/doc/enums.texi
|
+++ gnutls-3.8.8/doc/enums.texi
|
||||||
@@ -1188,7 +1188,7 @@ application traffic secret is installed
|
@@ -1210,7 +1210,7 @@ application traffic secret is installed
|
||||||
@c gnutls_fips_mode_t
|
@c gnutls_fips_mode_t
|
||||||
@table @code
|
@table @code
|
||||||
@item GNUTLS_@-FIPS140_@-DISABLED
|
@item GNUTLS_@-FIPS140_@-DISABLED
|
||||||
@ -175,7 +175,7 @@ Index: gnutls-3.8.3/doc/enums.texi
|
|||||||
@item GNUTLS_@-FIPS140_@-STRICT
|
@item GNUTLS_@-FIPS140_@-STRICT
|
||||||
The default mode; all forbidden operations will cause an
|
The default mode; all forbidden operations will cause an
|
||||||
operation failure via error code.
|
operation failure via error code.
|
||||||
@@ -1196,8 +1196,8 @@ operation failure via error code.
|
@@ -1218,8 +1218,8 @@ operation failure via error code.
|
||||||
A transient state during library initialization. That state
|
A transient state during library initialization. That state
|
||||||
cannot be set or seen by applications.
|
cannot be set or seen by applications.
|
||||||
@item GNUTLS_@-FIPS140_@-LAX
|
@item GNUTLS_@-FIPS140_@-LAX
|
||||||
@ -186,10 +186,10 @@ Index: gnutls-3.8.3/doc/enums.texi
|
|||||||
application is aware of the followed security policy, and needs
|
application is aware of the followed security policy, and needs
|
||||||
to utilize disallowed operations for other reasons (e.g., compatibility).
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
||||||
@item GNUTLS_@-FIPS140_@-LOG
|
@item GNUTLS_@-FIPS140_@-LOG
|
||||||
Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
|
Index: gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/functions/gnutls_fips140_set_mode
|
--- gnutls-3.8.8.orig/doc/functions/gnutls_fips140_set_mode
|
||||||
+++ gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
|
+++ gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
|
||||||
@@ -3,7 +3,7 @@
|
@@ -3,7 +3,7 @@
|
||||||
|
|
||||||
|
|
||||||
@ -215,11 +215,11 @@ Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
|
|||||||
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
||||||
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
||||||
|
|
||||||
Index: gnutls-3.8.3/doc/gnutls.html
|
Index: gnutls-3.8.8/doc/gnutls.html
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/gnutls.html
|
--- gnutls-3.8.8.orig/doc/gnutls.html
|
||||||
+++ gnutls-3.8.3/doc/gnutls.html
|
+++ gnutls-3.8.8/doc/gnutls.html
|
||||||
@@ -484,7 +484,7 @@ Documentation License”.
|
@@ -485,7 +485,7 @@ Documentation License”.
|
||||||
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
|
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
|
||||||
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
|
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
|
||||||
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
|
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
|
||||||
@ -228,7 +228,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
</ul></li>
|
</ul></li>
|
||||||
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
|
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
|
||||||
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
|
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
|
||||||
@@ -9035,7 +9035,7 @@ CPU. The currently available options are
|
@@ -9028,7 +9028,7 @@ CPU. The currently available options are
|
||||||
</li><li>0x200000: Enable VIA PHE
|
</li><li>0x200000: Enable VIA PHE
|
||||||
</li><li>0x400000: Enable VIA PHE SHA512
|
</li><li>0x400000: Enable VIA PHE SHA512
|
||||||
</li></ul></td></tr>
|
</li></ul></td></tr>
|
||||||
@ -237,7 +237,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
if set to one it will force the FIPS mode enablement.</td></tr>
|
if set to one it will force the FIPS mode enablement.</td></tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@@ -18446,7 +18446,7 @@ None:
|
@@ -18452,7 +18452,7 @@ None:
|
||||||
--inline-commands-prefix=str Change the default delimiter for inline commands
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
||||||
--provider=file Specify the PKCS #11 provider library
|
--provider=file Specify the PKCS #11 provider library
|
||||||
- file must pre-exist
|
- file must pre-exist
|
||||||
@ -246,7 +246,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
--list-config Reports the configuration of the library
|
--list-config Reports the configuration of the library
|
||||||
--logfile=str Redirect informational messages to a specific file
|
--logfile=str Redirect informational messages to a specific file
|
||||||
--keymatexport=str Label used for exporting keying material
|
--keymatexport=str Label used for exporting keying material
|
||||||
@@ -19468,7 +19468,7 @@ happens inside the black box.
|
@@ -19472,7 +19472,7 @@ happens inside the black box.
|
||||||
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
|
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
|
||||||
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
|
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
|
||||||
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
|
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
|
||||||
@ -262,7 +262,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
-Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-2 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
-Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-2 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
||||||
+Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-3 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
+Next: <a href="#FIPS140_002d2-mode" accesskey="n" rel="next">FIPS140-3 mode</a>, Previous: <a href="#Cryptographic-Backend" accesskey="p" rel="prev">Cryptographic Backend</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
||||||
</div>
|
</div>
|
||||||
<h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3>
|
<h3 class="section" id="Random-Number-Generators"><span>11.6 Random Number Generators<a class="copiable-link" href="#Random-Number-Generators"> ¶</a></span></h3>
|
||||||
|
|
||||||
@@ -20005,7 +20005,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
|
@@ -20005,7 +20005,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
|
||||||
|
|
||||||
@ -271,14 +271,14 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
-FIPS140-2 and the system is in FIPS140-2 mode.
|
-FIPS140-2 and the system is in FIPS140-2 mode.
|
||||||
+FIPS140-3 and the system is in FIPS140-3 mode.
|
+FIPS140-3 and the system is in FIPS140-3 mode.
|
||||||
</p>
|
</p>
|
||||||
<h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4>
|
<h4 class="subheading" id="The-default-generator-_002d-inner-workings"><span>The default generator - inner workings<a class="copiable-link" href="#The-default-generator-_002d-inner-workings"> ¶</a></span></h4>
|
||||||
|
|
||||||
@@ -20142,22 +20142,22 @@ on the above paragraph, all levels are i
|
@@ -20142,22 +20142,22 @@ on the above paragraph, all levels are i
|
||||||
<p>
|
<p>
|
||||||
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
|
||||||
</div>
|
</div>
|
||||||
-<h3 class="section" id="FIPS140_002d2-mode-1">11.7 FIPS140-2 mode</h3>
|
-<h3 class="section" id="FIPS140_002d2-mode-1"><span>11.7 FIPS140-2 mode<a class="copiable-link" href="#FIPS140_002d2-mode-1"> ¶</a></span></h3>
|
||||||
+<h3 class="section" id="FIPS140_002d2-mode-1">11.7 FIPS140-3 mode</h3>
|
+<h3 class="section" id="FIPS140_002d2-mode-1"><span>11.7 FIPS140-3 mode<a class="copiable-link" href="#FIPS140_002d2-mode-1"> ¶</a></span></h3>
|
||||||
|
|
||||||
-<p>GnuTLS can operate in a special mode for FIPS140-2. That mode of operation
|
-<p>GnuTLS can operate in a special mode for FIPS140-2. That mode of operation
|
||||||
-is for the conformance to NIST’s FIPS140-2 publication, which consists of policies
|
-is for the conformance to NIST’s FIPS140-2 publication, which consists of policies
|
||||||
@ -335,8 +335,8 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
+<p>On runtime an application can verify whether the library is in FIPS140-3
|
+<p>On runtime an application can verify whether the library is in FIPS140-3
|
||||||
mode using the <a class="ref" href="#gnutls_005ffips140_005fmode_005fenabled">gnutls_fips140_mode_enabled</a> function.
|
mode using the <a class="ref" href="#gnutls_005ffips140_005fmode_005fenabled">gnutls_fips140_mode_enabled</a> function.
|
||||||
</p>
|
</p>
|
||||||
-<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements">Relaxing FIPS140-2 requirements</h4>
|
-<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements"><span>Relaxing FIPS140-2 requirements<a class="copiable-link" href="#Relaxing-FIPS140_002d2-requirements"> ¶</a></span></h4>
|
||||||
+<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements">Relaxing FIPS140-3 requirements</h4>
|
+<h4 class="subheading" id="Relaxing-FIPS140_002d2-requirements"><span>Relaxing FIPS140-3 requirements<a class="copiable-link" href="#Relaxing-FIPS140_002d2-requirements"> ¶</a></span></h4>
|
||||||
|
|
||||||
<p>The library by default operates in a strict enforcing mode, ensuring that
|
<p>The library by default operates in a strict enforcing mode, ensuring that
|
||||||
-all constraints imposed by the FIPS140-2 specification are enforced. However
|
-all constraints imposed by the FIPS140-2 specification are enforced. However
|
||||||
@ -364,8 +364,8 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
application is aware of the followed security policy, and needs
|
application is aware of the followed security policy, and needs
|
||||||
to utilize disallowed operations for other reasons (e.g., compatibility).
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
||||||
</p></dd>
|
</p></dd>
|
||||||
@@ -20227,7 +20227,7 @@ to a message to the audit callback funct
|
@@ -20226,7 +20226,7 @@ to a message to the audit callback funct
|
||||||
|
</dl>
|
||||||
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
|
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
|
||||||
<p>The intention of this API is to be used by applications which may run in
|
<p>The intention of this API is to be used by applications which may run in
|
||||||
-FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
|
-FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
|
||||||
@ -373,7 +373,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
e.g., for non-security related purposes. In these cases applications should
|
e.g., for non-security related purposes. In these cases applications should
|
||||||
wrap the non-compliant code within blocks like the following.
|
wrap the non-compliant code within blocks like the following.
|
||||||
</p>
|
</p>
|
||||||
@@ -20256,9 +20256,9 @@ if (gnutls_fips140_mode_enabled())
|
@@ -20255,9 +20255,9 @@ if (gnutls_fips140_mode_enabled())
|
||||||
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
|
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
|
||||||
previous calls is to localize the change in the mode. Note also, that
|
previous calls is to localize the change in the mode. Note also, that
|
||||||
such a block has no effect when the library is not operating
|
such a block has no effect when the library is not operating
|
||||||
@ -385,7 +385,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
</p><div class="example">
|
</p><div class="example">
|
||||||
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
||||||
</pre></div>
|
</pre></div>
|
||||||
@@ -20281,7 +20281,7 @@ performed within a given context.
|
@@ -20280,7 +20280,7 @@ performed within a given context.
|
||||||
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
|
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
@ -394,7 +394,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
operation. It can be attached to the current execution thread with
|
operation. It can be attached to the current execution thread with
|
||||||
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
|
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
|
||||||
updated until it is detached with
|
updated until it is detached with
|
||||||
@@ -20654,8 +20654,8 @@ Previous: <a href="#Contributing" access
|
@@ -20653,8 +20653,8 @@ Previous: <a href="#Contributing" access
|
||||||
to an auditor that the crypto component follows some best practices, such
|
to an auditor that the crypto component follows some best practices, such
|
||||||
as unit testing and reliance on well known crypto primitives.
|
as unit testing and reliance on well known crypto primitives.
|
||||||
</p>
|
</p>
|
||||||
@ -405,16 +405,16 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
</p>
|
</p>
|
||||||
<hr>
|
<hr>
|
||||||
</div>
|
</div>
|
||||||
@@ -24569,7 +24569,7 @@ unusable. This function is not thread-s
|
@@ -24575,7 +24575,7 @@ unusable. This function is not thread-s
|
||||||
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4>
|
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1"><span>gnutls_fips140_set_mode<a class="copiable-link" href="#gnutls_005ffips140_005fset_005fmode-1"> ¶</a></span></h4>
|
||||||
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
|
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
|
||||||
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> ¶</a></span></dt>
|
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href="#index-gnutls_005ffips140_005fset_005fmode"> ¶</a></span></dt>
|
||||||
-<dd><p><var class="var">mode</var>: the FIPS140-2 mode to switch to
|
-<dd><p><var class="var">mode</var>: the FIPS140-2 mode to switch to
|
||||||
+<dd><p><var class="var">mode</var>: the FIPS140-3 mode to switch to
|
+<dd><p><var class="var">mode</var>: the FIPS140-3 mode to switch to
|
||||||
</p>
|
</p>
|
||||||
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
|
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
|
||||||
</p>
|
</p>
|
||||||
@@ -24578,13 +24578,13 @@ unusable. This function is not thread-s
|
@@ -24584,13 +24584,13 @@ unusable. This function is not thread-s
|
||||||
behavior with no flags after threads are created is undefined.
|
behavior with no flags after threads are created is undefined.
|
||||||
</p>
|
</p>
|
||||||
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
|
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
|
||||||
@ -430,20 +430,20 @@ Index: gnutls-3.8.3/doc/gnutls.html
|
|||||||
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
|
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
|
||||||
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
|
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
|
||||||
</p>
|
</p>
|
||||||
@@ -46927,7 +46927,7 @@ Next: <a href="#Concept-Index" accesskey
|
@@ -47011,7 +47011,7 @@ Next: <a href="#Concept-Index" accesskey
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
-<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-2 mode</a></td></tr>
|
-<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-2 mode</a></td></tr>
|
||||||
+<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-3 mode</a></td></tr>
|
+<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#FIPS140_002d2-mode">FIPS140-3 mode</a></td></tr>
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td> </td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
|
||||||
Index: gnutls-3.8.3/doc/gnutls.info-3
|
Index: gnutls-3.8.8/doc/gnutls.info-3
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/gnutls.info-3
|
--- gnutls-3.8.8.orig/doc/gnutls.info-3
|
||||||
+++ gnutls-3.8.3/doc/gnutls.info-3
|
+++ gnutls-3.8.8/doc/gnutls.info-3
|
||||||
@@ -2247,7 +2247,7 @@ to ‘more’. Both will exit with a st
|
@@ -2108,7 +2108,7 @@ to ‘more’. Both will exit with a st
|
||||||
--inline-commands-prefix=str Change the default delimiter for inline commands
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
||||||
--provider=file Specify the PKCS #11 provider library
|
--provider=file Specify the PKCS #11 provider library
|
||||||
- file must pre-exist
|
- file must pre-exist
|
||||||
@ -452,7 +452,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
--list-config Reports the configuration of the library
|
--list-config Reports the configuration of the library
|
||||||
--logfile=str Redirect informational messages to a specific file
|
--logfile=str Redirect informational messages to a specific file
|
||||||
--keymatexport=str Label used for exporting keying material
|
--keymatexport=str Label used for exporting keying material
|
||||||
@@ -3400,7 +3400,7 @@ to know what happens inside the black bo
|
@@ -3261,7 +3261,7 @@ to know what happens inside the black bo
|
||||||
* TLS Hello Extension Handling::
|
* TLS Hello Extension Handling::
|
||||||
* Cryptographic Backend::
|
* Cryptographic Backend::
|
||||||
* Random Number Generators-internals::
|
* Random Number Generators-internals::
|
||||||
@ -461,7 +461,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
|
|
||||||
|
|
||||||
File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
|
File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
|
||||||
@@ -3932,7 +3932,7 @@ and abstract key types::.
|
@@ -3789,7 +3789,7 @@ and abstract key types::.
|
||||||
kernel implementation of ‘/dev/crypto’.
|
kernel implementation of ‘/dev/crypto’.
|
||||||
|
|
||||||
|
|
||||||
@ -470,7 +470,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
|
|
||||||
11.6 Random Number Generators
|
11.6 Random Number Generators
|
||||||
=============================
|
=============================
|
||||||
@@ -3942,7 +3942,7 @@ About the generators
|
@@ -3799,7 +3799,7 @@ About the generators
|
||||||
|
|
||||||
GnuTLS provides two random generators. The default, and the AES-DRBG
|
GnuTLS provides two random generators. The default, and the AES-DRBG
|
||||||
random generator which is only used when the library is compiled with
|
random generator which is only used when the library is compiled with
|
||||||
@ -479,7 +479,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
|
|
||||||
The default generator - inner workings
|
The default generator - inner workings
|
||||||
--------------------------------------
|
--------------------------------------
|
||||||
@@ -4174,7 +4174,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
|
@@ -4030,7 +4030,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
|
||||||
Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration.
|
Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration.
|
||||||
|
|
||||||
The intention of this API is to be used by applications which may run in
|
The intention of this API is to be used by applications which may run in
|
||||||
@ -488,7 +488,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
set, e.g., for non-security related purposes. In these cases
|
set, e.g., for non-security related purposes. In these cases
|
||||||
applications should wrap the non-compliant code within blocks like the
|
applications should wrap the non-compliant code within blocks like the
|
||||||
following.
|
following.
|
||||||
@@ -4198,10 +4198,10 @@ are macros to simplify the following seq
|
@@ -4054,10 +4054,10 @@ are macros to simplify the following seq
|
||||||
|
|
||||||
The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous
|
The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous
|
||||||
calls is to localize the change in the mode. Note also, that such a
|
calls is to localize the change in the mode. Note also, that such a
|
||||||
@ -501,7 +501,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
||||||
|
|
||||||
Service indicator
|
Service indicator
|
||||||
@@ -4683,8 +4683,8 @@ There are certifications from national o
|
@@ -4539,8 +4539,8 @@ There are certifications from national o
|
||||||
practices, such as unit testing and reliance on well known crypto
|
practices, such as unit testing and reliance on well known crypto
|
||||||
primitives.
|
primitives.
|
||||||
|
|
||||||
@ -512,7 +512,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
|
|
||||||
|
|
||||||
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
|
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
|
||||||
@@ -9151,7 +9151,7 @@ gnutls_fips140_set_mode
|
@@ -9015,7 +9015,7 @@ gnutls_fips140_set_mode
|
||||||
|
|
||||||
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
|
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
|
||||||
unsigned FLAGS)
|
unsigned FLAGS)
|
||||||
@ -521,10 +521,10 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
|
|||||||
|
|
||||||
FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’
|
FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’
|
||||||
|
|
||||||
Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi
|
Index: gnutls-3.8.8/doc/invoke-gnutls-cli.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/invoke-gnutls-cli.texi
|
--- gnutls-3.8.8.orig/doc/invoke-gnutls-cli.texi
|
||||||
+++ gnutls-3.8.3/doc/invoke-gnutls-cli.texi
|
+++ gnutls-3.8.8/doc/invoke-gnutls-cli.texi
|
||||||
@@ -102,7 +102,7 @@ None:
|
@@ -102,7 +102,7 @@ None:
|
||||||
--inline-commands-prefix=str Change the default delimiter for inline commands
|
--inline-commands-prefix=str Change the default delimiter for inline commands
|
||||||
--provider=file Specify the PKCS #11 provider library
|
--provider=file Specify the PKCS #11 provider library
|
||||||
@ -534,10 +534,10 @@ Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi
|
|||||||
--list-config Reports the configuration of the library
|
--list-config Reports the configuration of the library
|
||||||
--logfile=str Redirect informational messages to a specific file
|
--logfile=str Redirect informational messages to a specific file
|
||||||
--keymatexport=str Label used for exporting keying material
|
--keymatexport=str Label used for exporting keying material
|
||||||
Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1
|
Index: gnutls-3.8.8/doc/manpages/gnutls-cli.1
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/manpages/gnutls-cli.1
|
--- gnutls-3.8.8.orig/doc/manpages/gnutls-cli.1
|
||||||
+++ gnutls-3.8.3/doc/manpages/gnutls-cli.1
|
+++ gnutls-3.8.8/doc/manpages/gnutls-cli.1
|
||||||
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
|
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
|
||||||
This will override the default options in /etc/gnutls/pkcs11.conf
|
This will override the default options in /etc/gnutls/pkcs11.conf
|
||||||
.TP
|
.TP
|
||||||
@ -547,11 +547,11 @@ Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1
|
|||||||
.sp
|
.sp
|
||||||
.TP
|
.TP
|
||||||
.NOP \f\*[B-Font]\-\-list\-config\f[]
|
.NOP \f\*[B-Font]\-\-list\-config\f[]
|
||||||
Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/reference/html/gnutls-gnutls.html
|
--- gnutls-3.8.8.orig/doc/reference/html/gnutls-gnutls.html
|
||||||
+++ gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
+++ gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
|
||||||
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para
|
@@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (<em class="para
|
||||||
(globally), and should be called prior to creating any threads. Its
|
(globally), and should be called prior to creating any threads. Its
|
||||||
behavior with no flags after threads are created is undefined.</p>
|
behavior with no flags after threads are created is undefined.</p>
|
||||||
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
|
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
|
||||||
@ -566,7 +566,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||||||
values for <em class="parameter"><code>mode</code></em>
|
values for <em class="parameter"><code>mode</code></em>
|
||||||
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
|
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
|
||||||
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
|
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
|
||||||
@@ -20886,7 +20886,7 @@ switches to <a class="link" href="gnutls
|
@@ -20894,7 +20894,7 @@ switches to <a class="link" href="gnutls
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="parameter_name"><p>mode</p></td>
|
<td class="parameter_name"><p>mode</p></td>
|
||||||
@ -575,7 +575,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||||||
<td class="parameter_annotations"> </td>
|
<td class="parameter_annotations"> </td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -25904,7 +25904,7 @@ encryption</p>
|
@@ -25969,7 +25969,7 @@ encryption</p>
|
||||||
<hr>
|
<hr>
|
||||||
<div class="refsect2">
|
<div class="refsect2">
|
||||||
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
|
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
|
||||||
@ -584,7 +584,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||||||
<div class="refsect3">
|
<div class="refsect3">
|
||||||
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
|
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
|
||||||
<div class="informaltable"><table class="informaltable" width="100%" border="0">
|
<div class="informaltable"><table class="informaltable" width="100%" border="0">
|
||||||
@@ -25917,7 +25917,7 @@ encryption</p>
|
@@ -25982,7 +25982,7 @@ encryption</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
|
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
|
||||||
<td class="enum_member_description">
|
<td class="enum_member_description">
|
||||||
@ -593,7 +593,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||||||
</td>
|
</td>
|
||||||
<td class="enum_member_annotations"> </td>
|
<td class="enum_member_annotations"> </td>
|
||||||
</tr>
|
</tr>
|
||||||
@@ -25940,8 +25940,8 @@ operation failure via error code.</p>
|
@@ -26005,8 +26005,8 @@ operation failure via error code.</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
|
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
|
||||||
<td class="enum_member_description">
|
<td class="enum_member_description">
|
||||||
@ -604,17 +604,17 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
|
|||||||
application is aware of the followed security policy, and needs
|
application is aware of the followed security policy, and needs
|
||||||
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
|
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
|
||||||
</td>
|
</td>
|
||||||
@@ -27575,4 +27575,4 @@ This is used by <a class="link" href="gn
|
@@ -27646,4 +27646,4 @@ This is used by <a class="link" href="gn
|
||||||
<div class="footer">
|
<div class="footer">
|
||||||
<hr>Generated by GTK-Doc V1.33.1</div>
|
<hr>Generated by GTK-Doc V1.34.0</div>
|
||||||
</body>
|
</body>
|
||||||
-</html>
|
-</html>
|
||||||
\ No newline at end of file
|
\ No newline at end of file
|
||||||
+</html>
|
+</html>
|
||||||
Index: gnutls-3.8.3/lib/fips.c
|
Index: gnutls-3.8.8/lib/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/fips.c
|
--- gnutls-3.8.8.orig/lib/fips.c
|
||||||
+++ gnutls-3.8.3/lib/fips.c
|
+++ gnutls-3.8.8/lib/fips.c
|
||||||
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
|
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -633,7 +633,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
ret = GNUTLS_FIPS140_SELFTESTS;
|
ret = GNUTLS_FIPS140_SELFTESTS;
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
@@ -694,7 +694,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
@@ -740,7 +740,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* gnutls_fips140_set_mode:
|
* gnutls_fips140_set_mode:
|
||||||
@ -642,7 +642,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
|
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
|
||||||
*
|
*
|
||||||
* That function is not thread-safe when changing the mode with no flags
|
* That function is not thread-safe when changing the mode with no flags
|
||||||
@@ -702,13 +702,13 @@ unsigned gnutls_fips140_mode_enabled(voi
|
@@ -748,13 +748,13 @@ unsigned gnutls_fips140_mode_enabled(voi
|
||||||
* behavior with no flags after threads are created is undefined.
|
* behavior with no flags after threads are created is undefined.
|
||||||
*
|
*
|
||||||
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
|
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
|
||||||
@ -658,7 +658,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
|
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
|
||||||
* switches to %GNUTLS_FIPS140_STRICT mode.
|
* switches to %GNUTLS_FIPS140_STRICT mode.
|
||||||
*
|
*
|
||||||
@@ -720,10 +720,10 @@ void gnutls_fips140_set_mode(gnutls_fips
|
@@ -766,10 +766,10 @@ void gnutls_fips140_set_mode(gnutls_fips
|
||||||
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
|
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
|
||||||
if (prev == GNUTLS_FIPS140_DISABLED ||
|
if (prev == GNUTLS_FIPS140_DISABLED ||
|
||||||
prev == GNUTLS_FIPS140_SELFTESTS) {
|
prev == GNUTLS_FIPS140_SELFTESTS) {
|
||||||
@ -671,7 +671,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -736,7 +736,7 @@ void gnutls_fips140_set_mode(gnutls_fips
|
@@ -782,7 +782,7 @@ void gnutls_fips140_set_mode(gnutls_fips
|
||||||
case GNUTLS_FIPS140_SELFTESTS:
|
case GNUTLS_FIPS140_SELFTESTS:
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
NULL,
|
NULL,
|
||||||
@ -680,7 +680,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
mode = GNUTLS_FIPS140_STRICT;
|
mode = GNUTLS_FIPS140_STRICT;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@@ -912,7 +912,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
@@ -958,7 +958,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!_tfips_context) {
|
if (!_tfips_context) {
|
||||||
@ -689,7 +689,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -926,7 +926,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
@@ -972,7 +972,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
||||||
if (mode != GNUTLS_FIPS140_LAX) {
|
if (mode != GNUTLS_FIPS140_LAX) {
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
NULL,
|
NULL,
|
||||||
@ -698,7 +698,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
operation_state_to_string(state));
|
operation_state_to_string(state));
|
||||||
}
|
}
|
||||||
_tfips_context->state = state;
|
_tfips_context->state = state;
|
||||||
@@ -937,7 +937,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
@@ -983,7 +983,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
||||||
if (mode != GNUTLS_FIPS140_LAX) {
|
if (mode != GNUTLS_FIPS140_LAX) {
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
NULL,
|
NULL,
|
||||||
@ -707,7 +707,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
operation_state_to_string(state));
|
operation_state_to_string(state));
|
||||||
}
|
}
|
||||||
_tfips_context->state = state;
|
_tfips_context->state = state;
|
||||||
@@ -949,7 +949,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
@@ -995,7 +995,7 @@ void _gnutls_switch_fips_state(gnutls_fi
|
||||||
if (mode != GNUTLS_FIPS140_LAX) {
|
if (mode != GNUTLS_FIPS140_LAX) {
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
NULL,
|
NULL,
|
||||||
@ -716,7 +716,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
operation_state_to_string(
|
operation_state_to_string(
|
||||||
_tfips_context->state),
|
_tfips_context->state),
|
||||||
operation_state_to_string(state));
|
operation_state_to_string(state));
|
||||||
@@ -1011,7 +1011,7 @@ int gnutls_fips140_run_self_tests(void)
|
@@ -1057,7 +1057,7 @@ int gnutls_fips140_run_self_tests(void)
|
||||||
ret < 0) {
|
ret < 0) {
|
||||||
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
||||||
_gnutls_audit_log(NULL,
|
_gnutls_audit_log(NULL,
|
||||||
@ -725,7 +725,7 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
} else {
|
} else {
|
||||||
/* Restore the previous library state */
|
/* Restore the previous library state */
|
||||||
_gnutls_switch_lib_state(prev_lib_state);
|
_gnutls_switch_lib_state(prev_lib_state);
|
||||||
@@ -1023,7 +1023,7 @@ int gnutls_fips140_run_self_tests(void)
|
@@ -1069,7 +1069,7 @@ int gnutls_fips140_run_self_tests(void)
|
||||||
if (gnutls_fips140_pop_context() < 0) {
|
if (gnutls_fips140_pop_context() < 0) {
|
||||||
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
@ -734,11 +734,11 @@ Index: gnutls-3.8.3/lib/fips.c
|
|||||||
}
|
}
|
||||||
gnutls_fips140_context_deinit(fips_context);
|
gnutls_fips140_context_deinit(fips_context);
|
||||||
}
|
}
|
||||||
Index: gnutls-3.8.3/lib/fips.h
|
Index: gnutls-3.8.8/lib/fips.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/fips.h
|
--- gnutls-3.8.8.orig/lib/fips.h
|
||||||
+++ gnutls-3.8.3/lib/fips.h
|
+++ gnutls-3.8.8/lib/fips.h
|
||||||
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
@@ -163,7 +163,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef ENABLE_FIPS140
|
#ifdef ENABLE_FIPS140
|
||||||
@ -747,7 +747,7 @@ Index: gnutls-3.8.3/lib/fips.h
|
|||||||
* and return an error if necessary or ignore */
|
* and return an error if necessary or ignore */
|
||||||
#define FIPS_RULE(condition, ret_error, ...) \
|
#define FIPS_RULE(condition, ret_error, ...) \
|
||||||
{ \
|
{ \
|
||||||
@@ -170,10 +170,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
@@ -173,10 +173,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
|
||||||
if (_mode == GNUTLS_FIPS140_LOG) { \
|
if (_mode == GNUTLS_FIPS140_LOG) { \
|
||||||
_gnutls_audit_log( \
|
_gnutls_audit_log( \
|
||||||
NULL, \
|
NULL, \
|
||||||
@ -760,7 +760,7 @@ Index: gnutls-3.8.3/lib/fips.h
|
|||||||
return ret_error; \
|
return ret_error; \
|
||||||
} \
|
} \
|
||||||
} \
|
} \
|
||||||
@@ -188,7 +188,7 @@ inline static bool is_mac_algo_allowed(g
|
@@ -191,7 +191,7 @@ inline static bool is_mac_algo_allowed(g
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
case GNUTLS_FIPS140_LOG:
|
case GNUTLS_FIPS140_LOG:
|
||||||
_gnutls_audit_log(NULL,
|
_gnutls_audit_log(NULL,
|
||||||
@ -769,7 +769,7 @@ Index: gnutls-3.8.3/lib/fips.h
|
|||||||
gnutls_mac_get_name(algo));
|
gnutls_mac_get_name(algo));
|
||||||
FALLTHROUGH;
|
FALLTHROUGH;
|
||||||
case GNUTLS_FIPS140_DISABLED:
|
case GNUTLS_FIPS140_DISABLED:
|
||||||
@@ -210,7 +210,7 @@ inline static bool is_cipher_algo_allowe
|
@@ -213,7 +213,7 @@ inline static bool is_cipher_algo_allowe
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
case GNUTLS_FIPS140_LOG:
|
case GNUTLS_FIPS140_LOG:
|
||||||
_gnutls_audit_log(NULL,
|
_gnutls_audit_log(NULL,
|
||||||
@ -778,11 +778,11 @@ Index: gnutls-3.8.3/lib/fips.h
|
|||||||
gnutls_cipher_get_name(algo));
|
gnutls_cipher_get_name(algo));
|
||||||
FALLTHROUGH;
|
FALLTHROUGH;
|
||||||
case GNUTLS_FIPS140_DISABLED:
|
case GNUTLS_FIPS140_DISABLED:
|
||||||
Index: gnutls-3.8.3/lib/global.c
|
Index: gnutls-3.8.8/lib/global.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/global.c
|
--- gnutls-3.8.8.orig/lib/global.c
|
||||||
+++ gnutls-3.8.3/lib/global.c
|
+++ gnutls-3.8.8/lib/global.c
|
||||||
@@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned
|
@@ -339,12 +339,12 @@ static int _gnutls_global_init(unsigned
|
||||||
|
|
||||||
#ifdef ENABLE_FIPS140
|
#ifdef ENABLE_FIPS140
|
||||||
res = _gnutls_fips_mode_enabled();
|
res = _gnutls_fips_mode_enabled();
|
||||||
@ -797,7 +797,7 @@ Index: gnutls-3.8.3/lib/global.c
|
|||||||
_gnutls_priority_update_fips();
|
_gnutls_priority_update_fips();
|
||||||
|
|
||||||
/* first round of self checks, these are done on the
|
/* first round of self checks, these are done on the
|
||||||
@@ -352,7 +352,7 @@ static int _gnutls_global_init(unsigned
|
@@ -354,7 +354,7 @@ static int _gnutls_global_init(unsigned
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
@ -806,7 +806,7 @@ Index: gnutls-3.8.3/lib/global.c
|
|||||||
if (res != 2) {
|
if (res != 2) {
|
||||||
gnutls_assert();
|
gnutls_assert();
|
||||||
goto out;
|
goto out;
|
||||||
@@ -375,7 +375,7 @@ static int _gnutls_global_init(unsigned
|
@@ -377,7 +377,7 @@ static int _gnutls_global_init(unsigned
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
_gnutls_switch_lib_state(LIB_STATE_ERROR);
|
||||||
_gnutls_audit_log(
|
_gnutls_audit_log(
|
||||||
@ -815,11 +815,11 @@ Index: gnutls-3.8.3/lib/global.c
|
|||||||
if (res != 2) {
|
if (res != 2) {
|
||||||
gnutls_assert();
|
gnutls_assert();
|
||||||
goto out;
|
goto out;
|
||||||
Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/includes/gnutls/gnutls.h.in
|
--- gnutls-3.8.8.orig/lib/includes/gnutls/gnutls.h.in
|
||||||
+++ gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
+++ gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
|
||||||
@@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn
|
@@ -3216,16 +3216,16 @@ typedef int (*gnutls_alert_read_func)(gn
|
||||||
void gnutls_alert_set_read_function(gnutls_session_t session,
|
void gnutls_alert_set_read_function(gnutls_session_t session,
|
||||||
gnutls_alert_read_func func);
|
gnutls_alert_read_func func);
|
||||||
|
|
||||||
@ -840,7 +840,7 @@ Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
|||||||
* application is aware of the followed security policy, and needs
|
* application is aware of the followed security policy, and needs
|
||||||
* to utilize disallowed operations for other reasons (e.g., compatibility).
|
* to utilize disallowed operations for other reasons (e.g., compatibility).
|
||||||
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
|
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
|
||||||
@@ -3216,7 +3216,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
@@ -3233,7 +3233,7 @@ unsigned gnutls_fips140_mode_enabled(voi
|
||||||
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
|
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
|
||||||
* cannot be set or seen by applications.
|
* cannot be set or seen by applications.
|
||||||
*
|
*
|
||||||
@ -849,10 +849,10 @@ Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
|
|||||||
*/
|
*/
|
||||||
typedef enum gnutls_fips_mode_t {
|
typedef enum gnutls_fips_mode_t {
|
||||||
GNUTLS_FIPS140_DISABLED = 0,
|
GNUTLS_FIPS140_DISABLED = 0,
|
||||||
Index: gnutls-3.8.3/src/cli.c
|
Index: gnutls-3.8.8/src/cli.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/src/cli.c
|
--- gnutls-3.8.8.orig/src/cli.c
|
||||||
+++ gnutls-3.8.3/src/cli.c
|
+++ gnutls-3.8.8/src/cli.c
|
||||||
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
|
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
|
||||||
|
|
||||||
if (HAVE_OPT(FIPS140_MODE)) {
|
if (HAVE_OPT(FIPS140_MODE)) {
|
||||||
@ -866,11 +866,11 @@ Index: gnutls-3.8.3/src/cli.c
|
|||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
Index: gnutls-3.8.3/src/gnutls-cli-options.c
|
Index: gnutls-3.8.8/src/gnutls-cli-options.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/src/gnutls-cli-options.c
|
--- gnutls-3.8.8.orig/src/gnutls-cli-options.c
|
||||||
+++ gnutls-3.8.3/src/gnutls-cli-options.c
|
+++ gnutls-3.8.8/src/gnutls-cli-options.c
|
||||||
@@ -810,7 +810,7 @@ usage (FILE *out, int status)
|
@@ -843,7 +843,7 @@ usage (FILE *out, int status)
|
||||||
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
|
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
|
||||||
" --provider=file Specify the PKCS #11 provider library\n"
|
" --provider=file Specify the PKCS #11 provider library\n"
|
||||||
" - file must pre-exist\n"
|
" - file must pre-exist\n"
|
||||||
@ -879,10 +879,10 @@ Index: gnutls-3.8.3/src/gnutls-cli-options.c
|
|||||||
" --list-config Reports the configuration of the library\n"
|
" --list-config Reports the configuration of the library\n"
|
||||||
" --logfile=str Redirect informational messages to a specific file\n"
|
" --logfile=str Redirect informational messages to a specific file\n"
|
||||||
" --keymatexport=str Label used for exporting keying material\n"
|
" --keymatexport=str Label used for exporting keying material\n"
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/gost.sh
|
Index: gnutls-3.8.8/tests/cert-tests/gost.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/gost.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/gost.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/gost.sh
|
+++ gnutls-3.8.8/tests/cert-tests/gost.sh
|
||||||
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -892,10 +892,10 @@ Index: gnutls-3.8.3/tests/cert-tests/gost.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-corner-cases.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-corner-cases.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
|
||||||
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -905,10 +905,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-encode.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-encode.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
|
||||||
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -918,10 +918,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-gost.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-gost.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
|
||||||
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -931,10 +931,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs12.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs12.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs12.sh
|
||||||
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -944,10 +944,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-decode.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-decode.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
|
||||||
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -957,10 +957,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-eddsa.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-eddsa.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
|
||||||
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -970,10 +970,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-gost.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-gost.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
|
||||||
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -983,10 +983,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh
|
Index: gnutls-3.8.8/tests/cert-tests/pkcs8.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8.sh
|
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8.sh
|
||||||
+++ gnutls-3.8.3/tests/cert-tests/pkcs8.sh
|
+++ gnutls-3.8.8/tests/cert-tests/pkcs8.sh
|
||||||
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -996,10 +996,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/cipher-listings.sh
|
Index: gnutls-3.8.8/tests/cipher-listings.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/cipher-listings.sh
|
--- gnutls-3.8.8.orig/tests/cipher-listings.sh
|
||||||
+++ gnutls-3.8.3/tests/cipher-listings.sh
|
+++ gnutls-3.8.8/tests/cipher-listings.sh
|
||||||
@@ -63,7 +63,7 @@ check()
|
@@ -63,7 +63,7 @@ check()
|
||||||
|
|
||||||
${CLI} --fips140-mode
|
${CLI} --fips140-mode
|
||||||
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.3/tests/cipher-listings.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/tests/testpkcs11.sh
|
Index: gnutls-3.8.8/tests/testpkcs11.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/tests/testpkcs11.sh
|
--- gnutls-3.8.8.orig/tests/testpkcs11.sh
|
||||||
+++ gnutls-3.8.3/tests/testpkcs11.sh
|
+++ gnutls-3.8.8/tests/testpkcs11.sh
|
||||||
@@ -26,7 +26,7 @@
|
@@ -26,7 +26,7 @@
|
||||||
RETCODE=0
|
RETCODE=0
|
||||||
|
|
||||||
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.3/tests/testpkcs11.sh
|
|||||||
exit 77
|
exit 77
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
|
Index: gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/enums/gnutls_fips_mode_t
|
--- gnutls-3.8.8.orig/doc/enums/gnutls_fips_mode_t
|
||||||
+++ gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
|
+++ gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
|
||||||
@@ -3,7 +3,7 @@
|
@@ -3,7 +3,7 @@
|
||||||
@c gnutls_fips_mode_t
|
@c gnutls_fips_mode_t
|
||||||
@table @code
|
@table @code
|
||||||
@ -1046,11 +1046,11 @@ Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
|
|||||||
application is aware of the followed security policy, and needs
|
application is aware of the followed security policy, and needs
|
||||||
to utilize disallowed operations for other reasons (e.g., compatibility).
|
to utilize disallowed operations for other reasons (e.g., compatibility).
|
||||||
@item GNUTLS_@-FIPS140_@-LOG
|
@item GNUTLS_@-FIPS140_@-LOG
|
||||||
Index: gnutls-3.8.3/doc/gnutls-api.texi
|
Index: gnutls-3.8.8/doc/gnutls-api.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/gnutls-api.texi
|
--- gnutls-3.8.8.orig/doc/gnutls-api.texi
|
||||||
+++ gnutls-3.8.3/doc/gnutls-api.texi
|
+++ gnutls-3.8.8/doc/gnutls-api.texi
|
||||||
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
|
@@ -3279,7 +3279,7 @@ unusable. This function is not thread-s
|
||||||
@subheading gnutls_fips140_set_mode
|
@subheading gnutls_fips140_set_mode
|
||||||
@anchor{gnutls_fips140_set_mode}
|
@anchor{gnutls_fips140_set_mode}
|
||||||
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
|
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
|
||||||
@ -1059,7 +1059,7 @@ Index: gnutls-3.8.3/doc/gnutls-api.texi
|
|||||||
|
|
||||||
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
|
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
|
||||||
|
|
||||||
@@ -3284,13 +3284,13 @@ That function is not thread-safe when ch
|
@@ -3288,13 +3288,13 @@ That function is not thread-safe when ch
|
||||||
behavior with no flags after threads are created is undefined.
|
behavior with no flags after threads are created is undefined.
|
||||||
|
|
||||||
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
|
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
|
||||||
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.3/doc/gnutls-api.texi
|
|||||||
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
|
||||||
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
switches to @code{GNUTLS_FIPS140_STRICT} mode.
|
||||||
|
|
||||||
Index: gnutls-3.8.3/lib/ext/session_ticket.c
|
Index: gnutls-3.8.8/lib/ext/session_ticket.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/ext/session_ticket.c
|
--- gnutls-3.8.8.orig/lib/ext/session_ticket.c
|
||||||
+++ gnutls-3.8.3/lib/ext/session_ticket.c
|
+++ gnutls-3.8.8/lib/ext/session_ticket.c
|
||||||
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
|
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
|
||||||
{
|
{
|
||||||
if (_gnutls_fips_mode_enabled()) {
|
if (_gnutls_fips_mode_enabled()) {
|
||||||
@ -1088,11 +1088,11 @@ Index: gnutls-3.8.3/lib/ext/session_ticket.c
|
|||||||
* some limits on allowed key size, thus it is not
|
* some limits on allowed key size, thus it is not
|
||||||
* used. These limits do not affect this function as
|
* used. These limits do not affect this function as
|
||||||
* it does not generate a "key" but rather key material
|
* it does not generate a "key" but rather key material
|
||||||
Index: gnutls-3.8.3/lib/libgnutls.map
|
Index: gnutls-3.8.8/lib/libgnutls.map
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/libgnutls.map
|
--- gnutls-3.8.8.orig/lib/libgnutls.map
|
||||||
+++ gnutls-3.8.3/lib/libgnutls.map
|
+++ gnutls-3.8.8/lib/libgnutls.map
|
||||||
@@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 {
|
@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
|
||||||
gnutls_hkdf_self_test;
|
gnutls_hkdf_self_test;
|
||||||
gnutls_pbkdf2_self_test;
|
gnutls_pbkdf2_self_test;
|
||||||
gnutls_tlsprf_self_test;
|
gnutls_tlsprf_self_test;
|
||||||
@ -1101,11 +1101,11 @@ Index: gnutls-3.8.3/lib/libgnutls.map
|
|||||||
drbg_aes_reseed;
|
drbg_aes_reseed;
|
||||||
drbg_aes_init;
|
drbg_aes_init;
|
||||||
drbg_aes_generate;
|
drbg_aes_generate;
|
||||||
Index: gnutls-3.8.3/lib/nettle/mac.c
|
Index: gnutls-3.8.8/lib/nettle/mac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/lib/nettle/mac.c
|
--- gnutls-3.8.8.orig/lib/nettle/mac.c
|
||||||
+++ gnutls-3.8.3/lib/nettle/mac.c
|
+++ gnutls-3.8.8/lib/nettle/mac.c
|
||||||
@@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx
|
@@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx
|
||||||
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
|
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
|
||||||
struct nettle_mac_ctx *ctx)
|
struct nettle_mac_ctx *ctx)
|
||||||
{
|
{
|
||||||
@ -1114,20 +1114,20 @@ Index: gnutls-3.8.3/lib/nettle/mac.c
|
|||||||
* gnutls_hash_init() and gnutls_hmac_init() */
|
* gnutls_hash_init() and gnutls_hmac_init() */
|
||||||
|
|
||||||
ctx->set_nonce = NULL;
|
ctx->set_nonce = NULL;
|
||||||
@@ -648,7 +648,7 @@ static void _md5_sha1_digest(void *_ctx,
|
@@ -688,7 +688,7 @@ static void _md5_sha1_init(void *_ctx)
|
||||||
static int _ctx_init(gnutls_digest_algorithm_t algo,
|
static int _ctx_init(gnutls_digest_algorithm_t algo,
|
||||||
struct nettle_hash_ctx *ctx)
|
struct nettle_hash_ctx *ctx)
|
||||||
{
|
{
|
||||||
- /* Any FIPS140-2 related enforcement is performed on
|
- /* Any FIPS140-2 related enforcement is performed on
|
||||||
+ /* Any FIPS140-3 related enforcement is performed on
|
+ /* Any FIPS140-3 related enforcement is performed on
|
||||||
* gnutls_hash_init() and gnutls_hmac_init() */
|
* gnutls_hash_init() and gnutls_hmac_init() */
|
||||||
switch (algo) {
|
|
||||||
case GNUTLS_DIG_MD5:
|
ctx->finished = NULL;
|
||||||
Index: gnutls-3.8.3/config.h.in
|
Index: gnutls-3.8.8/config.h.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/config.h.in
|
--- gnutls-3.8.8.orig/config.h.in
|
||||||
+++ gnutls-3.8.3/config.h.in
|
+++ gnutls-3.8.8/config.h.in
|
||||||
@@ -82,7 +82,7 @@
|
@@ -104,7 +104,7 @@
|
||||||
/* enable DHE */
|
/* enable DHE */
|
||||||
#undef ENABLE_ECDHE
|
#undef ENABLE_ECDHE
|
||||||
|
|
||||||
@ -1136,7 +1136,7 @@ Index: gnutls-3.8.3/config.h.in
|
|||||||
#undef ENABLE_FIPS140
|
#undef ENABLE_FIPS140
|
||||||
|
|
||||||
/* enable GOST */
|
/* enable GOST */
|
||||||
@@ -125,7 +125,7 @@
|
@@ -147,7 +147,7 @@
|
||||||
/* Define this to 1 if F_DUPFD behavior does not match POSIX */
|
/* Define this to 1 if F_DUPFD behavior does not match POSIX */
|
||||||
#undef FCNTL_DUPFD_BUGGY
|
#undef FCNTL_DUPFD_BUGGY
|
||||||
|
|
||||||
@ -1145,11 +1145,11 @@ Index: gnutls-3.8.3/config.h.in
|
|||||||
#undef FIPS_KEY
|
#undef FIPS_KEY
|
||||||
|
|
||||||
/* The FIPS140 module name */
|
/* The FIPS140 module name */
|
||||||
Index: gnutls-3.8.3/configure
|
Index: gnutls-3.8.8/configure
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/configure
|
--- gnutls-3.8.8.orig/configure
|
||||||
+++ gnutls-3.8.3/configure
|
+++ gnutls-3.8.8/configure
|
||||||
@@ -3830,7 +3830,7 @@ Optional Features:
|
@@ -4455,7 +4455,7 @@ Optional Features:
|
||||||
--enable-fast-install[=PKGS]
|
--enable-fast-install[=PKGS]
|
||||||
optimize for fast installation [default=yes]
|
optimize for fast installation [default=yes]
|
||||||
--disable-libtool-lock avoid locking (might break parallel builds)
|
--disable-libtool-lock avoid locking (might break parallel builds)
|
||||||
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.3/configure
|
|||||||
--enable-strict-x509 enable stricter sanity checks for x509 certificates
|
--enable-strict-x509 enable stricter sanity checks for x509 certificates
|
||||||
--disable-non-suiteb-curves
|
--disable-non-suiteb-curves
|
||||||
disable curves not in SuiteB
|
disable curves not in SuiteB
|
||||||
Index: gnutls-3.8.3/doc/cha-support.texi
|
Index: gnutls-3.8.8/doc/cha-support.texi
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/cha-support.texi
|
--- gnutls-3.8.8.orig/doc/cha-support.texi
|
||||||
+++ gnutls-3.8.3/doc/cha-support.texi
|
+++ gnutls-3.8.8/doc/cha-support.texi
|
||||||
@@ -134,5 +134,5 @@ There are certifications from national o
|
@@ -134,5 +134,5 @@ There are certifications from national o
|
||||||
to an auditor that the crypto component follows some best practices, such
|
to an auditor that the crypto component follows some best practices, such
|
||||||
as unit testing and reliance on well known crypto primitives.
|
as unit testing and reliance on well known crypto primitives.
|
||||||
@ -1170,23 +1170,10 @@ Index: gnutls-3.8.3/doc/cha-support.texi
|
|||||||
-See @ref{FIPS140-2 mode} for more information.
|
-See @ref{FIPS140-2 mode} for more information.
|
||||||
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
|
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
|
||||||
+See @ref{FIPS140-3 mode} for more information.
|
+See @ref{FIPS140-3 mode} for more information.
|
||||||
Index: gnutls-3.8.3/doc/gnutls.info
|
Index: gnutls-3.8.8/src/gnutls-cli-options.json
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.3.orig/doc/gnutls.info
|
--- gnutls-3.8.8.orig/src/gnutls-cli-options.json
|
||||||
+++ gnutls-3.8.3/doc/gnutls.info
|
+++ gnutls-3.8.8/src/gnutls-cli-options.json
|
||||||
@@ -618,7 +618,7 @@ Ref: fig-crypto-layers744471
|
|
||||||
Ref: Cryptographic Backend-Footnote-1747783
|
|
||||||
Ref: Cryptographic Backend-Footnote-2747868
|
|
||||||
Node: Random Number Generators-internals747980
|
|
||||||
-Node: FIPS140-2 mode755450
|
|
||||||
+Node: FIPS140-3 mode755450
|
|
||||||
Ref: gnutls_fips_mode_t758148
|
|
||||||
Node: Upgrading from previous versions761817
|
|
||||||
Node: Support776059
|
|
||||||
Index: gnutls-3.8.3/src/gnutls-cli-options.json
|
|
||||||
===================================================================
|
|
||||||
--- gnutls-3.8.3.orig/src/gnutls-cli-options.json
|
|
||||||
+++ gnutls-3.8.3/src/gnutls-cli-options.json
|
|
||||||
@@ -384,7 +384,7 @@
|
@@ -384,7 +384,7 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1196,3 +1183,58 @@ Index: gnutls-3.8.3/src/gnutls-cli-options.json
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"long-option": "list-config",
|
"long-option": "list-config",
|
||||||
|
Index: gnutls-3.8.8/tests/pkcs11-tool.sh
|
||||||
|
===================================================================
|
||||||
|
--- gnutls-3.8.8.orig/tests/pkcs11-tool.sh
|
||||||
|
+++ gnutls-3.8.8/tests/pkcs11-tool.sh
|
||||||
|
@@ -30,7 +30,7 @@ set -x
|
||||||
|
: ${DIFF=diff}
|
||||||
|
|
||||||
|
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
||||||
|
- echo "Cannot run in FIPS140-2 mode"
|
||||||
|
+ echo "Cannot run in FIPS140-3 mode"
|
||||||
|
exit 77
|
||||||
|
fi
|
||||||
|
|
||||||
|
Index: gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
|
||||||
|
===================================================================
|
||||||
|
--- gnutls-3.8.8.orig/doc/manpages/gnutls_fips140_set_mode.3
|
||||||
|
+++ gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
|
||||||
|
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
|
||||||
|
.BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
|
||||||
|
.SH ARGUMENTS
|
||||||
|
.IP "gnutls_fips_mode_t mode" 12
|
||||||
|
-the FIPS140\-2 mode to switch to
|
||||||
|
+the FIPS140\-3 mode to switch to
|
||||||
|
.IP "unsigned flags" 12
|
||||||
|
should be zero or \fBGNUTLS_FIPS140_SET_MODE_THREAD\fP
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
@@ -17,13 +17,13 @@ That function is not thread\-safe when c
|
||||||
|
behavior with no flags after threads are created is undefined.
|
||||||
|
|
||||||
|
When the flag \fBGNUTLS_FIPS140_SET_MODE_THREAD\fP is specified
|
||||||
|
-then this call will change the FIPS140\-2 mode for this particular
|
||||||
|
+then this call will change the FIPS140\-3 mode for this particular
|
||||||
|
thread and not for the whole process. That way an application
|
||||||
|
can utilize this function to set and reset mode for specific
|
||||||
|
operations.
|
||||||
|
|
||||||
|
This function never fails but will be a no\-op if used when
|
||||||
|
-the library is not in FIPS140\-2 mode. When asked to switch to unknown
|
||||||
|
+the library is not in FIPS140\-3 mode. When asked to switch to unknown
|
||||||
|
values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
|
||||||
|
switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
|
||||||
|
.SH "SINCE"
|
||||||
|
Index: gnutls-3.8.8/doc/gnutls.info
|
||||||
|
===================================================================
|
||||||
|
--- gnutls-3.8.8.orig/doc/gnutls.info
|
||||||
|
+++ gnutls-3.8.8/doc/gnutls.info
|
||||||
|
@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743655
|
||||||
|
Ref: Cryptographic Backend-Footnote-1746962
|
||||||
|
Ref: Cryptographic Backend-Footnote-2747047
|
||||||
|
Node: Random Number Generators-internals747159
|
||||||
|
-Node: FIPS140-2 mode754615
|
||||||
|
+Node: FIPS140-3 mode754615
|
||||||
|
Ref: gnutls_fips_mode_t757279
|
||||||
|
Node: Upgrading from previous versions760947
|
||||||
|
Node: Support775185
|
||||||
|
@ -1,112 +1,120 @@
|
|||||||
Index: gnutls-3.8.0/lib/fips.c
|
Index: gnutls-3.8.8/lib/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.0.orig/lib/fips.c
|
--- gnutls-3.8.8.orig/lib/fips.c
|
||||||
+++ gnutls-3.8.0/lib/fips.c
|
+++ gnutls-3.8.8/lib/fips.c
|
||||||
@@ -171,16 +171,28 @@ struct hmac_entry {
|
@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi
|
||||||
struct hmac_file {
|
}
|
||||||
int version;
|
|
||||||
struct hmac_entry gnutls;
|
|
||||||
+#if 0
|
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
|
||||||
+ * they are calculated during build of the respective
|
|
||||||
+ * packages and can differ from the ones listed here.
|
|
||||||
+ */
|
|
||||||
struct hmac_entry nettle;
|
|
||||||
struct hmac_entry hogweed;
|
|
||||||
struct hmac_entry gmp;
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
struct lib_paths {
|
|
||||||
char gnutls[GNUTLS_PATH_MAX];
|
|
||||||
+#if 0
|
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
|
||||||
+ * they are calculated during build of the respective
|
|
||||||
+ * packages and can differ from the ones listed here.
|
|
||||||
+ */
|
|
||||||
char nettle[GNUTLS_PATH_MAX];
|
|
||||||
char hogweed[GNUTLS_PATH_MAX];
|
|
||||||
char gmp[GNUTLS_PATH_MAX];
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -241,12 +253,18 @@ static int handler(void *user, const cha
|
+ * check_dep_lib_hmac:
|
||||||
}
|
+ * @path: path to the library which hmac should be compared
|
||||||
} else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
|
+ *
|
||||||
return lib_handler(&p->gnutls, section, name, value);
|
+ * Verify that HMAC of a given library matches the hmac in the file
|
||||||
+#if 0
|
+ * provided by the library, named: .<libname>.so.<soname>.hmac.
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
+ *
|
||||||
+ * they are calculated during build of the respective
|
+ * Returns: 0 on successful HMAC verification, a negative error code otherwise
|
||||||
+ * packages and can differ from the ones listed here.
|
|
||||||
+ */
|
+ */
|
||||||
} else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
|
+static int check_dep_lib_hmac(const char *path)
|
||||||
return lib_handler(&p->nettle, section, name, value);
|
+{
|
||||||
} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
|
+ int ret;
|
||||||
return lib_handler(&p->hogweed, section, name, value);
|
+ unsigned prev;
|
||||||
} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
|
+ uint8_t hmac[HMAC_SIZE];
|
||||||
return lib_handler(&p->gmp, section, name, value);
|
+ gnutls_datum_t data;
|
||||||
+#endif
|
+ char hmac_path[GNUTLS_PATH_MAX];
|
||||||
} else {
|
+ uint8_t lib_hmac[HMAC_SIZE];
|
||||||
return 0;
|
+ size_t lib_hmac_size;
|
||||||
}
|
+
|
||||||
@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info
|
+ _gnutls_debug_log("Loading: %s\n", path);
|
||||||
|
+ ret = gnutls_load_file(path, &data);
|
||||||
if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
|
+ if (ret < 0) {
|
||||||
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
|
+ _gnutls_debug_log("Could not load %s: %s\n", path,
|
||||||
+#if 0
|
+ gnutls_strerror(ret));
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
+ return gnutls_assert_val(ret);
|
||||||
+ * they are calculated during build of the respective
|
+ }
|
||||||
+ * packages and can differ from the ones listed here.
|
+
|
||||||
+ */
|
+ prev = _gnutls_get_lib_state();
|
||||||
else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
|
+ _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
|
||||||
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
|
+ ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1,
|
||||||
else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
|
+ data.data, data.size, hmac);
|
||||||
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
|
+ _gnutls_switch_lib_state(prev);
|
||||||
else if (!strcmp(soname, GMP_LIBRARY_SONAME))
|
+
|
||||||
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
|
+ gnutls_free(data.data);
|
||||||
+#endif
|
+ if (ret < 0) {
|
||||||
return 0;
|
+ _gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path,
|
||||||
}
|
+ gnutls_strerror(ret));
|
||||||
|
+ return gnutls_assert_val(ret);
|
||||||
@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat
|
+ }
|
||||||
_gnutls_debug_log("Gnutls library path was not found\n");
|
+
|
||||||
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
+ /* Check now the integrity of the hmac provided by the library */
|
||||||
}
|
+ ret = get_hmac_path(hmac_path, sizeof(hmac_path), path);
|
||||||
+#if 0
|
+ if (ret < 0) {
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
+ _gnutls_debug_log("Could not get hmac file path: %s\n",
|
||||||
+ * they are calculated during build of the respective
|
+ gnutls_strerror(ret));
|
||||||
+ * packages and can differ from the ones listed here.
|
+ return ret;
|
||||||
+ */
|
+ }
|
||||||
if (paths->nettle[0] == '\0') {
|
+ _gnutls_debug_log("Loading: %s\n", hmac_path);
|
||||||
_gnutls_debug_log("Nettle library path was not found\n");
|
+ ret = gnutls_load_file(hmac_path, &data);
|
||||||
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
+ if (ret < 0) {
|
||||||
@@ -421,7 +450,7 @@ static int load_lib_paths(struct lib_pat
|
+ _gnutls_debug_log("Could not load %s: %s\n", hmac_path,
|
||||||
_gnutls_debug_log("Gmp library path was not found\n");
|
+ gnutls_strerror(ret));
|
||||||
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
+ return gnutls_assert_val(ret);
|
||||||
}
|
+ }
|
||||||
-
|
+ lib_hmac_size = hex_data_size(data.size);
|
||||||
+#endif
|
+ /* trim eventual newlines from the end of the data read from file */
|
||||||
return GNUTLS_E_SUCCESS;
|
+ while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {
|
||||||
}
|
+ data.data[data.size - 1] = 0;
|
||||||
|
+ data.size--;
|
||||||
@@ -467,6 +496,11 @@ static int check_binary_integrity(void)
|
+ }
|
||||||
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
|
+ ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size);
|
||||||
|
+ gnutls_free(data.data);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ _gnutls_debug_log("Could not hex decode hmac\n");
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
|
||||||
|
+ }
|
||||||
|
+ ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE);
|
||||||
|
+ if (ret){
|
||||||
|
+ _gnutls_debug_log("Calculated MAC for %s does not match\n",
|
||||||
|
+ path);
|
||||||
|
+ gnutls_memset(hmac, 0, HMAC_SIZE);
|
||||||
|
+ gnutls_memset(lib_hmac, 0, HMAC_SIZE);
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
|
||||||
|
+ }
|
||||||
|
+ _gnutls_debug_log("Successfully verified MAC for %s\n", path);
|
||||||
|
+ gnutls_memset(hmac, 0, HMAC_SIZE);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* check_lib_hmac:
|
||||||
|
* @entry: hmac file entry
|
||||||
|
* @path: path to the library which hmac should be compared
|
||||||
|
*
|
||||||
|
- * Verify that HMAC from hmac file entry matches HMAC of given library.
|
||||||
|
+ * Verify that HMAC from hmac file entry matches HMAC of gnutls library.
|
||||||
|
*
|
||||||
|
* Returns: 0 on successful HMAC verification, a negative error code otherwise
|
||||||
|
*/
|
||||||
|
@@ -496,17 +575,20 @@ static int check_binary_integrity(void)
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
+# if 0
|
#ifdef NETTLE_LIBRARY_SONAME
|
||||||
+ /* Disable nettle, hogweed and gpm HMAC verification as
|
- ret = check_lib_hmac(&hmac.nettle, paths.nettle);
|
||||||
+ * they are calculated during build of the respective
|
+ //ret = check_lib_hmac(&hmac.nettle, paths.nettle);
|
||||||
+ * packages and can differ from the ones listed here.
|
+ ret = check_dep_lib_hmac(paths.nettle);
|
||||||
+ */
|
|
||||||
ret = check_lib_hmac(&hmac.nettle, paths.nettle);
|
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
@@ -476,6 +510,7 @@ static int check_binary_integrity(void)
|
#endif
|
||||||
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
|
#ifdef HOGWEED_LIBRARY_SONAME
|
||||||
|
- ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
|
||||||
|
+ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
|
||||||
|
+ ret = check_dep_lib_hmac(paths.hogweed);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
+# endif
|
#endif
|
||||||
|
#ifdef GMP_LIBRARY_SONAME
|
||||||
return 0;
|
- ret = check_lib_hmac(&hmac.gmp, paths.gmp);
|
||||||
}
|
+ //ret = check_lib_hmac(&hmac.gmp, paths.gmp);
|
||||||
|
+ ret = check_dep_lib_hmac(paths.gmp);
|
||||||
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
|
#endif
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
Index: gnutls-3.7.7/lib/fips.c
|
Index: gnutls-3.8.5/lib/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.7.7.orig/lib/fips.c
|
--- gnutls-3.8.5.orig/lib/fips.c
|
||||||
+++ gnutls-3.7.7/lib/fips.c
|
+++ gnutls-3.8.5/lib/fips.c
|
||||||
@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
|
@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo
|
||||||
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
|
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -27,5 +27,5 @@ Index: gnutls-3.7.7/lib/fips.c
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
/* PK */
|
/* PK */
|
||||||
|
if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
|
||||||
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
|
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
|
||||||
if (ret < 0) {
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
Index: gnutls-3.7.3/lib/state.c
|
Index: gnutls-3.8.4/lib/state.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.7.3.orig/lib/state.c
|
--- gnutls-3.8.4.orig/lib/state.c
|
||||||
+++ gnutls-3.7.3/lib/state.c
|
+++ gnutls-3.8.4/lib/state.c
|
||||||
@@ -794,6 +794,12 @@ void gnutls_deinit(gnutls_session_t sess
|
@@ -830,6 +830,12 @@ void gnutls_deinit(gnutls_session_t sess
|
||||||
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
|
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
|
||||||
gnutls_mutex_deinit(&session->internals.epoch_lock);
|
gnutls_mutex_deinit(&session->internals.epoch_lock);
|
||||||
|
|
||||||
@ -15,11 +15,11 @@ Index: gnutls-3.7.3/lib/state.c
|
|||||||
gnutls_free(session);
|
gnutls_free(session);
|
||||||
}
|
}
|
||||||
|
|
||||||
Index: gnutls-3.7.3/lib/nettle/rnd.c
|
Index: gnutls-3.8.4/lib/nettle/rnd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.7.3.orig/lib/nettle/rnd.c
|
--- gnutls-3.8.4.orig/lib/nettle/rnd.c
|
||||||
+++ gnutls-3.7.3/lib/nettle/rnd.c
|
+++ gnutls-3.8.4/lib/nettle/rnd.c
|
||||||
@@ -75,6 +75,12 @@ struct generators_ctx_st {
|
@@ -79,6 +79,12 @@ struct generators_ctx_st {
|
||||||
|
|
||||||
static void wrap_nettle_rnd_deinit(void *_ctx)
|
static void wrap_nettle_rnd_deinit(void *_ctx)
|
||||||
{
|
{
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
|
Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
|
--- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c
|
||||||
+++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
|
+++ gnutls-3.8.6/lib/nettle/sysrng-linux.c
|
||||||
@@ -49,6 +49,15 @@
|
@@ -49,6 +49,15 @@
|
||||||
get_entropy_func _rnd_get_system_entropy = NULL;
|
get_entropy_func _rnd_get_system_entropy = NULL;
|
||||||
|
|
||||||
@ -158,11 +158,11 @@ Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
|
|||||||
+#endif
|
+#endif
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
Index: gnutls-3.8.1/lib/nettle/Makefile.in
|
Index: gnutls-3.8.6/lib/nettle/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.1.orig/lib/nettle/Makefile.in
|
--- gnutls-3.8.6.orig/lib/nettle/Makefile.in
|
||||||
+++ gnutls-3.8.1/lib/nettle/Makefile.in
|
+++ gnutls-3.8.6/lib/nettle/Makefile.in
|
||||||
@@ -402,7 +402,7 @@ am__v_CC_1 =
|
@@ -497,7 +497,7 @@ am__v_CC_1 =
|
||||||
CCLD = $(CC)
|
CCLD = $(CC)
|
||||||
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
|
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
|
||||||
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
|
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
|
||||||
@ -171,10 +171,10 @@ Index: gnutls-3.8.1/lib/nettle/Makefile.in
|
|||||||
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
|
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
|
||||||
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
|
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
|
||||||
am__v_CCLD_0 = @echo " CCLD " $@;
|
am__v_CCLD_0 = @echo " CCLD " $@;
|
||||||
Index: gnutls-3.8.1/lib/nettle/Makefile.am
|
Index: gnutls-3.8.6/lib/nettle/Makefile.am
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.1.orig/lib/nettle/Makefile.am
|
--- gnutls-3.8.6.orig/lib/nettle/Makefile.am
|
||||||
+++ gnutls-3.8.1/lib/nettle/Makefile.am
|
+++ gnutls-3.8.6/lib/nettle/Makefile.am
|
||||||
@@ -20,7 +20,7 @@
|
@@ -20,7 +20,7 @@
|
||||||
|
|
||||||
include $(top_srcdir)/lib/common.mk
|
include $(top_srcdir)/lib/common.mk
|
||||||
@ -184,10 +184,10 @@ Index: gnutls-3.8.1/lib/nettle/Makefile.am
|
|||||||
|
|
||||||
AM_CPPFLAGS = \
|
AM_CPPFLAGS = \
|
||||||
-I$(srcdir)/int \
|
-I$(srcdir)/int \
|
||||||
Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
|
Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
|
--- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c
|
||||||
+++ gnutls-3.8.1/lib/nettle/rnd-fips.c
|
+++ gnutls-3.8.6/lib/nettle/rnd-fips.c
|
||||||
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
|
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
|
||||||
uint8_t buffer[DRBG_AES_SEED_SIZE];
|
uint8_t buffer[DRBG_AES_SEED_SIZE];
|
||||||
int ret;
|
int ret;
|
||||||
@ -210,16 +210,16 @@ Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
|
|||||||
ret = get_entropy(fctx, buffer, sizeof(buffer));
|
ret = get_entropy(fctx, buffer, sizeof(buffer));
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
|
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
|
||||||
Index: gnutls-3.8.1/tests/Makefile.am
|
Index: gnutls-3.8.6/tests/Makefile.am
|
||||||
===================================================================
|
===================================================================
|
||||||
--- gnutls-3.8.1.orig/tests/Makefile.am
|
--- gnutls-3.8.6.orig/tests/Makefile.am
|
||||||
+++ gnutls-3.8.1/tests/Makefile.am
|
+++ gnutls-3.8.6/tests/Makefile.am
|
||||||
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
|
@@ -209,7 +209,7 @@ ctests += mini-record-2 simple gnutls_hm
|
||||||
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
|
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
|
||||||
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
|
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
|
||||||
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
|
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
|
||||||
- set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
|
- set_x509_key_file_ocsp client-fastopen rng-sigint srp \
|
||||||
+ set_x509_key_file_ocsp client-fastopen srp rng-pthread \
|
+ set_x509_key_file_ocsp client-fastopen srp \
|
||||||
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
|
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
|
||||||
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
|
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
|
||||||
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
|
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
|
||||||
|
142
gnutls.changes
142
gnutls.changes
@ -1,16 +1,103 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Apr 8 09:11:16 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
Mon Nov 11 10:04:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
- Security fix: [bsc#1221747, CVE-2024-28835]
|
- Update to 3.8.8:
|
||||||
* gnutls: certtool crash when verifying a certificate chain
|
- libgnutls: Experimental support for X25519MLKEM768 and
|
||||||
* Add gnutls-CVE-2024-28835.patch
|
SecP256r1MLKEM768 key exchange in TLS 1.3: The support for
|
||||||
|
post-quantum key exchanges has been extended to cover the final
|
||||||
|
standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem.
|
||||||
|
The minimum supported version of liboqs is bumped to 0.11.0.
|
||||||
|
- libgnutls: All records included in an OCSP response are now checked
|
||||||
|
in TLS: Previously, when multiple records are provided in a single
|
||||||
|
OCSP response, only the first record was considered; now all those
|
||||||
|
records are examined until the server certificate matches.
|
||||||
|
- libgnutls: Handling of malformed compress_certificate extension is
|
||||||
|
now more standard compliant: The server behavior of receiving a
|
||||||
|
malformed compress_certificate extension now more strictly follows
|
||||||
|
RFC 8879; return illegal_parameter alert instead of bad_certificate,
|
||||||
|
as well as overlong extension data is properly rejected.
|
||||||
|
- build: More flexible library linking options for compression
|
||||||
|
libraries, TPM, and liboqs support: The configure options,
|
||||||
|
--with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs
|
||||||
|
now take 4 states: yes/link/dlopen/no, to specify how the libraries
|
||||||
|
are linked or loaded.
|
||||||
|
* Rebase gnutls-FIPS-140-3-references.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Apr 8 08:31:25 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
Fri Sep 27 08:02:09 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
- Security fix: [bsc#1221746, CVE-2024-28834]
|
- Build with liboqs to support the X25519Kyber768 post-quantum key
|
||||||
* gnutls: side-channel in the deterministic ECDSA
|
exchange algorithm.
|
||||||
* Add gnutls-CVE-2024-28834.patch
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 5 07:57:42 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- FIPS: Allow to perform the integrity check with the hmac provided
|
||||||
|
by each library [bsc#1226724]
|
||||||
|
* Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 2 10:09:23 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.8.7:
|
||||||
|
* libgnutls: New configure option to compile out DSA support
|
||||||
|
The --disable-dsa configure option has been added to completely
|
||||||
|
disable DSA algorithm support.
|
||||||
|
* libgnutls: Experimental support for X25519Kyber768Draft00 key
|
||||||
|
exchange in TLS. For testing purposes, the hybrid post-quantum
|
||||||
|
key exchange defined in draft-tls-westerbaan-xyber768d00 has been
|
||||||
|
implemented using liboqs. Since the algorithm is still not finalized,
|
||||||
|
the support of this key exchange is disabled by default and can be
|
||||||
|
enabled with the --with-liboqs configure option.
|
||||||
|
* Rebase patches:
|
||||||
|
- gnutls-FIPS-140-3-references.patch
|
||||||
|
- gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 25 08:51:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.8.6:
|
||||||
|
* libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
|
||||||
|
To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
|
||||||
|
PBKDF2 (PBMAC1) is now supported, according to the specification
|
||||||
|
proposed in draft-ietf-lamps-pkcs12-pbmac1.
|
||||||
|
* libgnutls: SHA3 extendable output functions (XOF) are now supported
|
||||||
|
SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
|
||||||
|
public API gnutls_hash_squeeze.
|
||||||
|
* API and ABI modifications:
|
||||||
|
- gnutls_pkcs12_generate_mac3: New function
|
||||||
|
- gnutls_pkcs12_flags_t: New enum
|
||||||
|
- gnutls_hash_squeeze: New function
|
||||||
|
* Rebase patches:
|
||||||
|
- gnutls-FIPS-140-3-references.patch
|
||||||
|
- gnutls-FIPS-jitterentropy.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 5 07:28:14 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.8.5:
|
||||||
|
* libgnutls: Due to majority of usages and implementations of
|
||||||
|
RSA decryption with PKCS#1 v1.5 padding being incorrect,
|
||||||
|
leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
|
||||||
|
is being deprecated (encryption and decryption) and will be
|
||||||
|
disabled in the future. A new option 'allow-rsa-pkcs1-encrypt'
|
||||||
|
has been added into the system-wide library configuration which
|
||||||
|
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
|
||||||
|
RSAES-PKCS1-v1_5 is enabled by default.
|
||||||
|
* libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
|
||||||
|
backward compatibility with GCR.
|
||||||
|
* libgnutls: A couple of memory related issues have been fixed in
|
||||||
|
RSA PKCS#1 v1.5 decryption error handling and deterministic ECDSA
|
||||||
|
with earlier versions of GMP. These were a regression introduced
|
||||||
|
in the 3.8.4 release. See #1535 and !1827.
|
||||||
|
* build: Fixed a bug where building gnutls statically failed due
|
||||||
|
to a duplicate definition of nettle_rsa_compute_root_tr().
|
||||||
|
* API and ABI modifications:
|
||||||
|
- GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of
|
||||||
|
gnutls_pkcs_encrypt_flags_t
|
||||||
|
* Rebase patches:
|
||||||
|
- gnutls-FIPS-TLS_KDF_selftest.patch
|
||||||
|
- gnutls-FIPS-140-3-references.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 20 12:08:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
Wed Mar 20 12:08:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
@ -20,6 +107,45 @@ Wed Mar 20 12:08:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
|||||||
pre-intitization done in the main thread. [bsc#1221242]
|
pre-intitization done in the main thread. [bsc#1221242]
|
||||||
* Add gnutls-FIPS-jitterentropy-deinit-threads.patch
|
* Add gnutls-FIPS-jitterentropy-deinit-threads.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 20 09:26:32 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.8.4:
|
||||||
|
* libgnutls: RSA-OAEP encryption scheme is now supported
|
||||||
|
To use it with an unrestricted RSA private key, one would need to
|
||||||
|
initialize a gnutls_x509_spki_t object with necessary parameters
|
||||||
|
for RSA-OAEP and attach it to the private key. It is also possible
|
||||||
|
to import restricted private keys if they are stored in PKCS#8
|
||||||
|
format.
|
||||||
|
* libgnutls: Fix side-channel in the deterministic ECDSA.
|
||||||
|
Reported by George Pantelakis (#1516).
|
||||||
|
[GNUTLS-SA-2023-12-04, CVSS: medium] [bsc#1221746, CVE-2024-28834]
|
||||||
|
* libgnutls: Fixed a bug where certtool crashed when verifying a
|
||||||
|
certificate chain with more than 16 certificates. Reported by
|
||||||
|
William Woodruff (#1525) and yixiangzhike (#1527).
|
||||||
|
[GNUTLS-SA-2024-01-23, CVSS: medium] [bsc#1221747, CVE-2024-28835]
|
||||||
|
* libgnutls: Compression libraries are now loaded dynamically as needed
|
||||||
|
instead of all being loaded during gnutls library initialization.
|
||||||
|
As a result, the library initialization should be faster.
|
||||||
|
* build: The gnutls library can now be linked with the static library
|
||||||
|
of GMP. Note that in order for this to work libgmp.a needs to be
|
||||||
|
compiled with -fPIC and libhogweed in Nettle also has to be linked
|
||||||
|
to the static library of GMP. This can be used to prevent custom
|
||||||
|
memory allocators from being overriden by other applications.
|
||||||
|
* API and ABI modifications:
|
||||||
|
- gnutls_x509_spki_get_rsa_oaep_params: New function.
|
||||||
|
- gnutls_x509_spki_set_rsa_oaep_params: New function.
|
||||||
|
- GNUTLS_PK_RSA_OAEP: New enum member of gnutls_pk_algorithm_t.
|
||||||
|
* Rebase patches:
|
||||||
|
- gnutls-FIPS-140-3-references.patch
|
||||||
|
- gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 21 18:04:48 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Remove some if..endif that do not affect any result
|
||||||
|
- Split documentation (some 1100 files) to separate subpackage
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jan 17 08:41:07 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
Wed Jan 17 08:41:07 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
34
gnutls.spec
34
gnutls.spec
@ -35,12 +35,14 @@
|
|||||||
# disable for now, as our OBS builds do not work with it. Marcus 20220511
|
# disable for now, as our OBS builds do not work with it. Marcus 20220511
|
||||||
#bcond_without kcapi
|
#bcond_without kcapi
|
||||||
%bcond_with kcapi
|
%bcond_with kcapi
|
||||||
|
%bcond_without liboqs
|
||||||
%else
|
%else
|
||||||
%bcond_with kcapi
|
%bcond_with kcapi
|
||||||
|
%bcond_with liboqs
|
||||||
%endif
|
%endif
|
||||||
%bcond_with tpm
|
%bcond_with tpm
|
||||||
Name: gnutls
|
Name: gnutls
|
||||||
Version: 3.8.3
|
Version: 3.8.8
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The GNU Transport Layer Security Library
|
Summary: The GNU Transport Layer Security Library
|
||||||
License: GPL-3.0-or-later AND LGPL-2.1-or-later
|
License: GPL-3.0-or-later AND LGPL-2.1-or-later
|
||||||
@ -69,10 +71,6 @@ Patch102: gnutls-FIPS-jitterentropy.patch
|
|||||||
#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
|
#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
|
||||||
Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch
|
Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch
|
||||||
%endif
|
%endif
|
||||||
#PATCH-FIX-UPSTREAM bsc#1221746 CVE-2024-28834: gnutls: side-channel in the deterministic ECDSA
|
|
||||||
Patch200: gnutls-CVE-2024-28834.patch
|
|
||||||
#PATCH-FIX-UPSTREAM bsc#1221747 CVE-2024-28835: gnutls: certtool crash when verifying a certificate chain
|
|
||||||
Patch201: gnutls-CVE-2024-28835.patch
|
|
||||||
BuildRequires: autogen
|
BuildRequires: autogen
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: datefudge
|
BuildRequires: datefudge
|
||||||
@ -95,6 +93,9 @@ BuildRequires: pkgconfig(zlib)
|
|||||||
%if %{with kcapi}
|
%if %{with kcapi}
|
||||||
BuildRequires: pkgconfig(libkcapi)
|
BuildRequires: pkgconfig(libkcapi)
|
||||||
%endif
|
%endif
|
||||||
|
%if %{with liboqs}
|
||||||
|
BuildRequires: pkgconfig(liboqs)
|
||||||
|
%endif
|
||||||
%if 0%{?suse_version} <= 1320
|
%if 0%{?suse_version} <= 1320
|
||||||
BuildRequires: net-tools
|
BuildRequires: net-tools
|
||||||
%else
|
%else
|
||||||
@ -138,7 +139,6 @@ The GnuTLS library provides a secure layer over a reliable transport
|
|||||||
layer. Currently the GnuTLS library implements the proposed standards
|
layer. Currently the GnuTLS library implements the proposed standards
|
||||||
of the IETF's TLS working group.
|
of the IETF's TLS working group.
|
||||||
|
|
||||||
%if %{with dane}
|
|
||||||
%package -n libgnutls-dane%{gnutls_dane_sover}
|
%package -n libgnutls-dane%{gnutls_dane_sover}
|
||||||
Summary: DANE support for the GNU Transport Layer Security Library
|
Summary: DANE support for the GNU Transport Layer Security Library
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
@ -148,7 +148,6 @@ Group: System/Libraries
|
|||||||
The GnuTLS project aims to develop a library that provides a secure
|
The GnuTLS project aims to develop a library that provides a secure
|
||||||
layer over a reliable transport layer.
|
layer over a reliable transport layer.
|
||||||
This package contains the "DANE" part of gnutls.
|
This package contains the "DANE" part of gnutls.
|
||||||
%endif
|
|
||||||
|
|
||||||
%package -n libgnutlsxx%{gnutlsxx_sover}
|
%package -n libgnutlsxx%{gnutlsxx_sover}
|
||||||
Summary: C++ API for the GNU Transport Layer Security Library
|
Summary: C++ API for the GNU Transport Layer Security Library
|
||||||
@ -178,7 +177,6 @@ Requires: crypto-policies
|
|||||||
%description -n libgnutls-devel
|
%description -n libgnutls-devel
|
||||||
Files needed for software development using gnutls.
|
Files needed for software development using gnutls.
|
||||||
|
|
||||||
%if %{with dane}
|
|
||||||
%package -n libgnutls-dane-devel
|
%package -n libgnutls-dane-devel
|
||||||
Summary: Development package for GnuTLS DANE component
|
Summary: Development package for GnuTLS DANE component
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
@ -187,7 +185,14 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
|
|||||||
|
|
||||||
%description -n libgnutls-dane-devel
|
%description -n libgnutls-dane-devel
|
||||||
Files needed for software development using gnutls.
|
Files needed for software development using gnutls.
|
||||||
%endif
|
|
||||||
|
%package -n libgnutls-devel-doc
|
||||||
|
Summary: Manual and Info pages for libgnutls
|
||||||
|
License: LGPL-2.1-or-later
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description -n libgnutls-devel-doc
|
||||||
|
Manpages (troff) and GNU Info pages for libgnutls.
|
||||||
|
|
||||||
%package -n libgnutlsxx-devel
|
%package -n libgnutlsxx-devel
|
||||||
Summary: Development package for the GnuTLS C++ API
|
Summary: Development package for the GnuTLS C++ API
|
||||||
@ -235,6 +240,9 @@ autoreconf -fiv
|
|||||||
%if %{with srp}
|
%if %{with srp}
|
||||||
--enable-srp-authentication \
|
--enable-srp-authentication \
|
||||||
%endif
|
%endif
|
||||||
|
%if %{with liboqs}
|
||||||
|
--with-liboqs \
|
||||||
|
%endif
|
||||||
%ifarch %{ix86} %{arm}
|
%ifarch %{ix86} %{arm}
|
||||||
--disable-year2038 \
|
--disable-year2038 \
|
||||||
%endif
|
%endif
|
||||||
@ -304,12 +312,8 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
|
|||||||
|
|
||||||
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
||||||
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
|
||||||
|
|
||||||
%if %{with dane}
|
|
||||||
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
||||||
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
|
||||||
%endif
|
|
||||||
|
|
||||||
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
||||||
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
|
||||||
|
|
||||||
@ -371,9 +375,11 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
|
|||||||
%{_includedir}/%{name}/urls.h
|
%{_includedir}/%{name}/urls.h
|
||||||
%{_libdir}/libgnutls.so
|
%{_libdir}/libgnutls.so
|
||||||
%{_libdir}/pkgconfig/gnutls.pc
|
%{_libdir}/pkgconfig/gnutls.pc
|
||||||
|
|
||||||
|
%files -n libgnutls-devel-doc
|
||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
%{_infodir}/*%{ext_info}
|
%{_infodir}/*%{ext_info}
|
||||||
%doc %{_docdir}/libgnutls-devel
|
%{_docdir}/libgnutls-devel
|
||||||
|
|
||||||
%if %{with dane}
|
%if %{with dane}
|
||||||
%files -n libgnutls-dane-devel
|
%files -n libgnutls-dane-devel
|
||||||
|
Loading…
Reference in New Issue
Block a user