Accepting request 1074130 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.8.0: [bsc#1205763, bsc#1209627]
  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
    exchange. Reported by Hubert Kario (#1050). Fix developed by
    Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
    [CVE-2023-0361]
  * libgnutls: C++ library is now header only. All definitions
    from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
    C++ interface have two options:
    1. include gnutlsxx.h in their application and link against
       the C library. (default)
    2. include gnutlsxx.h in their application, compile with
       GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
       against the C++ library.
  * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
    priority modifier have been added to allow disabling of the
    status_request TLS extension in the client side.
  * libgnutls: TLS heartbeat is disabled by default.
    The heartbeat extension in TLS (RFC 6520) is not widely used
    given other implementations dropped support for it. To enable
    back support for it, supply --enable-heartbeat-support to
    configure script.
  * libgnutls: SRP authentication is now disabled by default.
    It is disabled because the SRP authentication in TLS is not
    up to date with the latest TLS standards and its ciphersuites
    are based on the CBC mode and SHA-1. To enable it back, supply
    --enable-srp-authentication option to configure script.
  * libgnutls: All code has been indented using "indent -ppi1 -linux".
    CI/CD has been adjusted to catch regressions. This is implemented
    through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
    commit-check. You may run devel/indent-gnutls to fix any

OBS-URL: https://build.opensuse.org/request/show/1074130
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=88
Pedro Monreal Gonzalez 2023-03-24 12:22:34 +00:00 committed by Git OBS Bridge
parent e78803cceb
commit cf30493c2c
17 changed files with 573 additions and 1194 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aaa03416cdbd54eb155187b359e3ec3ed52ec73df4df35a0edd49429ff64d844
size 6377212


gnutls-3.8.0.tar.xz (Stored with Git LFS) Normal file


gnutls-3.8.0.tar.xz.sig Normal file




@ -1,85 +1,55 @@
Index: gnutls-3.7.8/lib/nettle/pk.c
From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001
From: Pedro Monreal <pmgdeb@gmail.com>
Date: Thu, 16 Feb 2023 17:02:38 +0100
Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation
Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
Consistency check, even if we only support ephemeral DH, as it is
required by FIPS 140-3 IG 10.3.A.
Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
Index: gnutls-3.8.0/lib/nettle/pk.c
===================================================================
--- gnutls-3.7.8.orig/lib/nettle/pk.c
+++ gnutls-3.7.8/lib/nettle/pk.c
@@ -2498,6 +2498,48 @@ static int pct_test(gnutls_pk_algorithm_
--- gnutls-3.8.0.orig/lib/nettle/pk.c
+++ gnutls-3.8.0/lib/nettle/pk.c
@@ -2520,6 +2520,35 @@ static int pct_test(gnutls_pk_algorithm_
}
break;
case GNUTLS_PK_DH:
+ if (_gnutls_fips_mode_enabled()) {
+ /* Perform Owner Assurance of Pair-wise Consistency
+ * according to SP800-56A (revision 3), 5.6.2.1.4.
+ {
+ mpz_t y;
+
+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+ * of Pair-wise Consistency check, even if we only
+ * support ephemeral DH, as it is required by FIPS
+ * 140-3 IG 10.3.A.
+ *
+ * DH params (see lib/crypto-backend.h)
+ * [DSA_P] [0] is p (prime number)
+ * [DSA_Q] [1] is q (prime order)
+ * [DSA_G] [2] is g (generator)
+ * [DSA_Y] [3] is y (public key)
+ * [DSA_X] [4] is x (private key only)
+ *
+ * Regenerate the public key from the private key with
+ * y = g^x mod p and compare it with the previous one.
+ * Use the private key, x, along with the generator g
+ * and prime modulus p included in the domain
+ * parameters associated with the key pair to compute
+ * g^x mod p. Compare the result to the public key, y.
+ */
+
+ mpz_t p, g, y, x;
+
+ mpz_init(p);
+ mpz_init(g);
+ mpz_init(y);
+ mpz_init(x);
+
+ mpz_set(p, params->params[DSA_P]);
+ mpz_set(g, params->params[DSA_G]);
+ mpz_set(x, params->params[DSA_X]);
+
+ mpz_powm(y, g, x, p);
+
+ ret = mpz_cmp(y, params->params[DSA_Y]);
+ if (unlikely(ret != 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
+ }
+
+ mpz_clear(p);
+ mpz_clear(g);
+ mpz_clear(y);
+ mpz_clear(x);
+ if (ret < 0) {
+ mpz_powm(y,
+ TOMPZ(params->params[DSA_G]),
+ TOMPZ(params->params[DSA_X]),
+ TOMPZ(params->params[DSA_P]));
+ if (unlikely
+ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_PK_GENERATION_ERROR);
+ mpz_clear(y);
+ goto cleanup;
+ }
+ mpz_clear(y);
+ break;
+ }
+ break;
case GNUTLS_PK_ECDH_X25519:
case GNUTLS_PK_ECDH_X448:
ret = 0;
@@ -2780,8 +2822,17 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
}
}
#endif
-
- ret = _gnutls_mpi_init_multi(&params->params[DSA_Y], &params->params[DSA_X], NULL);
+ if (_gnutls_fips_mode_enabled()) {
+ ret = _gnutls_mpi_init_multi(&params->params[DSA_P],
+ &params->params[DSA_G],
+ &params->params[DSA_Y],
+ &params->params[DSA_X],
+ NULL);
+ } else {
+ ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
+ &params->params[DSA_X],
+ NULL);
+ }
if (ret < 0) {
gnutls_assert();
goto dh_fail;
@@ -2790,6 +2841,11 @@ wrap_nettle_pk_generate_keys(gnutls_pk_a
mpz_set(TOMPZ(params->params[DSA_Y]), y);
mpz_set(TOMPZ(params->params[DSA_X]), x);
params->params_nr += 2;
+ if (_gnutls_fips_mode_enabled()) {
+ mpz_set(TOMPZ(params->params[DSA_P]), pub.p);
+ mpz_set(TOMPZ(params->params[DSA_G]), pub.g);
+ params->params_nr += 2;
+ }
ret = 0;
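Review bot: The second and third hunks of this patch file (`@@ -2780,8 +2822,17 @@` and `@@ -2790,6 +2841,11 @@`) re-initialise `params->params[DSA_P]` and `params->params[DSA_G]` in FIPS mode and bump `params->params_nr` a second time, yet the patch's own diffstat above says `lib/nettle/pk.c | 29 +++` with only the `pct_test` hunk, and the `+2822`/`+2841` offsets correspond to the 42-line hunk of the old 3.7.8 version rather than the 29-line one for 3.8.0. Since `pub.p` and `pub.g` are copied straight back into those two slots, the caller appears to have populated them already, in which case `_gnutls_mpi_init_multi` replaces the existing MPIs without freeing them and leaves `params_nr` two higher than the number of slots actually in use; the new `pct_test` body appears to read `params->params[DSA_G]`, `[DSA_X]` and `[DSA_P]` directly, so these two hunks look like leftovers that can be dropped, but please confirm against the DH caller before removing them. If they must stay, the trailing `params->params_nr += 2;` should go and a comment should say why the slots are re-created. Both `pct_test` and `wrap_nettle_pk_generate_keys` start outside the hunks shown.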


@ -1,7 +1,22 @@
Index: gnutls-3.7.3/lib/nettle/pk.c
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/pk.c
+++ gnutls-3.7.3/lib/nettle/pk.c
From 5030f40332ada4f90e80838a2232da36ce03757a Mon Sep 17 00:00:00 2001
From: Pedro Monreal <pmgdeb@gmail.com>
Date: Fri, 24 Feb 2023 22:02:48 +0000
Subject: [PATCH] ecdh: perform SP800-56A rev3 full pubkey validation on key
derivation
This implements full public key validation required in
SP800-56A rev3, section 5.6.2.3.3.
Co-authored-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
---
lib/nettle/pk.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 125 insertions(+), 3 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 6adf958a61..d30bca594f 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -71,6 +71,9 @@
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
@ -12,7 +27,7 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
/* When these callbacks are used for a nettle operation, the
* caller must check the macro HAVE_LIB_ERROR() after the operation
* is complete. If the macro is true, the operation is to be considered
@@ -406,6 +409,10 @@ dh_cleanup:
@@ -406,6 +409,10 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
struct ecc_scalar ecc_priv;
struct ecc_point ecc_pub;
const struct ecc_curve *curve;
@ -23,7 +38,7 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
out->data = NULL;
@@ -425,10 +432,21 @@ dh_cleanup:
@@ -428,17 +435,28 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
not_approved = true;
}
@ -42,20 +57,19 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
if (ret < 0) {
gnutls_assert();
- goto cleanup;
+ goto ecc_pub_cleanup;
+ goto ecc_fail_cleanup;
}
ret =
@@ -436,7 +454,7 @@ dh_cleanup:
ret = _ecc_params_to_privkey(priv, &ecc_priv, curve);
if (ret < 0) {
ecc_point_clear(&ecc_pub);
gnutls_assert();
- goto cleanup;
+ goto ecc_priv_cleanup;
+ goto ecc_fail_cleanup;
}
out->size = gnutls_ecc_curve_get_size(priv->curve);
@@ -449,16 +467,111 @@ dh_cleanup:
@@ -449,14 +467,118 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
goto ecc_cleanup;
}
@ -64,7 +78,7 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
+ */
+
+ /* Step 1: verify that Q is not an identity
+ * element (an infinity point). Note that this
+ * element (an infinity point). Note that this
+ * cannot happen in the nettle implementation,
+ * because it cannot represent an infinity point
+ * on curves. */
@ -75,7 +89,6 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
gnutls_free(out->data);
+ goto ecc_cleanup;
+ }
+
+#ifdef ENABLE_FIPS140
+ if (_gnutls_fips_mode_enabled()) {
+ const char *order, *modulus;
@ -90,7 +103,9 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
+ *
+ * Both checks are performed in nettle. */
+ if (!ecc_point_set(&r, x, y)) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
@ -105,54 +120,63 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
+ *
+ * That effectively means: n * Q = -Q + Q = O
+ */
+ order = get_supported_nist_curve_order(priv->curve);
+ order =
+ get_supported_nist_curve_order(priv->curve);
+ if (unlikely(order == NULL)) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(nn, order, 16);
+ if (unlikely(ret < 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ modulus = get_supported_nist_curve_modulus(priv->curve);
+ modulus =
+ get_supported_nist_curve_modulus
+ (priv->curve);
+ if (unlikely(modulus == NULL)) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(mm, modulus, 16);
+ if (unlikely(ret < 0)) {
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ /* (n - 1) * Q = -Q */
+ mpz_sub_ui (nn, nn, 1);
+ mpz_sub_ui(nn, nn, 1);
+ ecc_scalar_set(&n, nn);
+ ecc_point_mul(&r, &n, &r);
+ ecc_point_get(&r, xx, yy);
+ mpz_sub (mm, mm, y);
+ mpz_sub(mm, mm, y);
+
+ if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+ } else {
+ not_approved = true;
+ }
+#endif
+
+ ret = 0;
ecc_cleanup:
- ecc_point_clear(&ecc_pub);
ecc_cleanup:
ecc_point_clear(&ecc_pub);
ecc_scalar_zclear(&ecc_priv);
+ ecc_priv_cleanup:
+ ecc_point_clear(&ecc_pub);
+ ecc_pub_cleanup:
+ ecc_fail_cleanup:
+ mpz_clear(x);
+ mpz_clear(y);
+ mpz_clear(xx);
@ -162,10 +186,8 @@ Index: gnutls-3.7.3/lib/nettle/pk.c
+ ecc_point_clear(&r);
+ ecc_scalar_clear(&n);
+ ecc_scalar_clear(&m);
+
if (ret < 0)
goto cleanup;
+
break;
}
case GNUTLS_PK_ECDH_X25519:
--
GitLab
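Review bot: The new `ecc_fail_cleanup:` label, reached by `goto ecc_fail_cleanup` from both the `_ecc_params_to_pubkey` and `_ecc_params_to_privkey` failure paths, unconditionally clears `x`, `y`, `xx`, `r`, `n` and `m`, so all of them must be initialised before the first of those `goto`s; the corresponding `mpz_init`/`ecc_point_init`/`ecc_scalar_init` lines fall outside every hunk shown here, so please confirm they precede the `_ecc_params_to_pubkey` call rather than sitting between it and the validation block. Note also that the range/on-curve check via `ecc_point_set(&r, x, y)` and the order check `(n - 1) * Q == -Q` are both inside the `_gnutls_fips_mode_enabled()` branch under `#ifdef ENABLE_FIPS140`, so in a non-FIPS build or with FIPS mode off only the identity-point check above the `#ifdef` runs in this block and the peer key's validation rests on whatever `_ecc_params_to_pubkey` does out of view; a one-line comment above the `#ifdef`, e.g. `/* Full SP800-56A 5.6.2.3.3 validation is FIPS-only; other modes rely on the checks in _ecc_params_to_pubkey */`, would make that split explicit. `_wrap_nettle_pk_derive` starts and ends outside these hunks.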


@ -1,114 +0,0 @@
Index: gnutls-3.7.7/lib/crypto-api.c
===================================================================
--- gnutls-3.7.7.orig/lib/crypto-api.c
+++ gnutls-3.7.7/lib/crypto-api.c
@@ -2228,7 +2228,12 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac
if (!is_mac_algo_allowed(mac)) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- } else if (!is_mac_algo_approved_in_fips(mac)) {
+ } else if (!is_mac_algo_approved_for_pbkdf2_in_fips(mac)) {
+ not_approved = true;
+ }
+
+ /* Key lengthes less than 112 bits are not approved */
+ if (length < 14 || key->size < 14) {
not_approved = true;
}
Index: gnutls-3.7.7/lib/fips.h
===================================================================
--- gnutls-3.7.7.orig/lib/fips.h
+++ gnutls-3.7.7/lib/fips.h
@@ -100,6 +100,25 @@ is_mac_algo_approved_in_fips(gnutls_mac_
}
inline static bool
+is_mac_algo_approved_for_pbkdf2_in_fips(gnutls_mac_algorithm_t algo)
+{
+ switch (algo) {
+ case GNUTLS_MAC_SHA1:
+ case GNUTLS_MAC_SHA256:
+ case GNUTLS_MAC_SHA384:
+ case GNUTLS_MAC_SHA512:
+ case GNUTLS_MAC_SHA224:
+ case GNUTLS_MAC_SHA3_224:
+ case GNUTLS_MAC_SHA3_256:
+ case GNUTLS_MAC_SHA3_384:
+ case GNUTLS_MAC_SHA3_512:
+ return true;
+ default:
+ return false;
+ }
+}
+
+inline static bool
is_mac_algo_allowed_in_fips(gnutls_mac_algorithm_t algo)
{
return is_mac_algo_approved_in_fips(algo);
Index: gnutls-3.7.7/lib/crypto-selftests.c
===================================================================
--- gnutls-3.7.7.orig/lib/crypto-selftests.c
+++ gnutls-3.7.7/lib/crypto-selftests.c
@@ -3090,30 +3090,6 @@ struct pbkdf2_vectors_st {
};
const struct pbkdf2_vectors_st pbkdf2_sha256_vectors[] = {
- /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
- {
- STR(key, key_size, "passwd"),
- STR(salt, salt_size, "salt"),
- .iter_count = 1,
- STR(output, output_size,
- "\x55\xac\x04\x6e\x56\xe3\x08\x9f\xec\x16\x91\xc2\x25\x44"
- "\xb6\x05\xf9\x41\x85\x21\x6d\xde\x04\x65\xe6\x8b\x9d\x57"
- "\xc2\x0d\xac\xbc\x49\xca\x9c\xcc\xf1\x79\xb6\x45\x99\x16"
- "\x64\xb3\x9d\x77\xef\x31\x7c\x71\xb8\x45\xb1\xe3\x0b\xd5"
- "\x09\x11\x20\x41\xd3\xa1\x97\x83"),
- },
- /* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
- {
- STR(key, key_size, "Password"),
- STR(salt, salt_size, "NaCl"),
- .iter_count = 80000,
- STR(output, output_size,
- "\x4d\xdc\xd8\xf6\x0b\x98\xbe\x21\x83\x0c\xee\x5e\xf2\x27"
- "\x01\xf9\x64\x1a\x44\x18\xd0\x4c\x04\x14\xae\xff\x08\x87"
- "\x6b\x34\xab\x56\xa1\xd4\x25\xa1\x22\x58\x33\x54\x9a\xdb"
- "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
- "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
- },
/* Test vector extracted from:
* https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
{
Index: gnutls-3.7.7/tests/kdf-api.c
===================================================================
--- gnutls-3.7.7.orig/tests/kdf-api.c
+++ gnutls-3.7.7/tests/kdf-api.c
@@ -192,14 +192,19 @@ doit(void)
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
"34007208d5b887185865");
- /* Test vector from RFC 6070. More thorough testing is done
- * in nettle. */
- test_pbkdf2(GNUTLS_MAC_SHA1,
- "70617373776f7264", /* "password" */
- "73616c74", /* "salt" */
+ /* Test vector extracted from:
+ * https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
+ test_pbkdf2(GNUTLS_MAC_SHA256,
+ "70617373776f726450415353"
+ "574f524470617373776f7264", /* "passwordPASSWORDpassword" */
+ "73616c7453414c5473616c74"
+ "53414c5473616c7453414c54"
+ "73616c7453414c5473616c74", /* "saltSALTsaltSALTsaltSALTsaltSALTsalt" */
4096,
- 20,
- "4b007901b765489abead49d926f721d065a429c1");
+ 40,
+ "348c89dbcbd32b2f32d814b8"
+ "116e84cf2b17347ebc180018"
+ "1c4e2a1fb8dd53e1c635518c7dac47e9");
gnutls_fips140_context_deinit(fips_context);
}


@ -1,91 +0,0 @@
---
lib/nettle/sysrng-linux.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: gnutls-3.7.8/lib/nettle/sysrng-linux.c
===================================================================
--- gnutls-3.7.8.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.7.8/lib/nettle/sysrng-linux.c
@@ -49,11 +49,13 @@
get_entropy_func _rnd_get_system_entropy = NULL;
#if defined(__linux__)
-# ifdef ENABLE_FIPS140
+# if defined(ENABLE_FIPS140)
# define HAVE_JENT
# include <jitterentropy.h>
static int jent_initialized = 0;
static struct rand_data* ec = NULL;
+/* Declare function to fix a missing-prototypes compilation warning */
+void FIPS_jent_entropy_deinit(void);
# endif
# ifdef HAVE_GETRANDOM
# include <sys/random.h>
@@ -72,7 +74,8 @@ static ssize_t _getrandom0(void *buf, si
# endif
# endif
-# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
/* check whether the CPU Jitter entropy collector is available. */
static unsigned FIPS_jent_entropy_init(void)
{
@@ -161,6 +164,7 @@ static int _rnd_get_system_entropy_jent(
return 0;
}
+# endif
# endif
static unsigned have_getrandom(void)
@@ -260,7 +264,8 @@ int _rnd_system_entropy_init(void)
int urandom_fd;
#if defined(__linux__)
-# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
/* Enable jitterentropy usage if available */
if (FIPS_jent_entropy_init()) {
_rnd_get_system_entropy = _rnd_get_system_entropy_jent;
@@ -268,7 +273,14 @@ int _rnd_system_entropy_init(void)
return 0;
} else {
_gnutls_debug_log("jitterentropy is not available\n");
+ /* Set error state when FIPS_jent_entropy_init failed and FIPS mode is enabled */
+ if (_gnutls_fips_mode_enabled()) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ return gnutls_assert_val(GNUTLS_E_RANDOM_DEVICE_ERROR);
+ }
}
+# endif
# endif
/* Enable getrandom() usage if available */
if (have_getrandom()) {
@@ -300,8 +312,10 @@ void _rnd_system_entropy_deinit(void)
{
/* A no-op now when we open and close /dev/urandom every time */
#if defined(__linux__)
-# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
FIPS_jent_entropy_deinit();
+# endif
# endif
#endif
return;
Index: gnutls-3.7.8/tests/Makefile.am
===================================================================
--- gnutls-3.7.8.orig/tests/Makefile.am
+++ gnutls-3.7.8/tests/Makefile.am
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
- set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
+ set_x509_key_file_ocsp client-fastopen srp rng-pthread \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \


@ -1,36 +0,0 @@
Index: gnutls-3.7.7/guile/Makefile.am
===================================================================
--- gnutls-3.7.7.orig/guile/Makefile.am
+++ gnutls-3.7.7/guile/Makefile.am
@@ -102,14 +102,11 @@ endif HAVE_GUILD
#
TESTS = \
- tests/anonymous-auth.scm \
- tests/session-record-port.scm \
tests/pkcs-import-export.scm \
tests/errors.scm \
tests/x509-certificates.scm \
tests/x509-auth.scm \
tests/reauth.scm \
- tests/premature-termination.scm \
tests/priorities.scm
if ENABLE_SRP
Index: gnutls-3.7.7/guile/Makefile.in
===================================================================
--- gnutls-3.7.7.orig/guile/Makefile.in
+++ gnutls-3.7.7/guile/Makefile.in
@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap
#
# Tests.
#
-TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
- tests/pkcs-import-export.scm tests/errors.scm \
+TESTS = tests/pkcs-import-export.scm tests/errors.scm \
tests/x509-certificates.scm tests/x509-auth.scm \
- tests/reauth.scm tests/premature-termination.scm \
+ tests/reauth.scm \
tests/priorities.scm $(am__append_2)
TESTS_ENVIRONMENT = \
GUILE_AUTO_COMPILE=0 \


@ -1,122 +1,131 @@
Index: gnutls-3.7.3/lib/nettle/sysrng-linux.c
Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.7.3/lib/nettle/sysrng-linux.c
@@ -49,6 +49,12 @@
--- gnutls-3.8.0.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.0/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@
get_entropy_func _rnd_get_system_entropy = NULL;
#if defined(__linux__)
+# ifdef ENABLE_FIPS140
+# if defined(ENABLE_FIPS140)
+# define HAVE_JENT
+# include <jitterentropy.h>
+static int jent_initialized = 0;
+static struct rand_data* ec = NULL;
+/* Per thread context of random generator, and a flag to indicate initialization */
+static _Thread_local struct rand_data* ec = NULL;
+static _Thread_local int jent_initialized = 0;
+/* Declare function to fix a missing-prototypes compilation warning */
+void FIPS_jent_entropy_deinit(void);
+# endif
# ifdef HAVE_GETRANDOM
# include <sys/random.h>
# else
@@ -66,6 +72,96 @@ static ssize_t _getrandom0(void *buf, si
@@ -67,6 +76,101 @@ static ssize_t _getrandom0(void *buf, si
# endif
# endif
+# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
+/* check whether the CPU Jitter entropy collector is available. */
+static unsigned FIPS_jent_entropy_init(void)
+{
+ unsigned int rv = 1;
+ unsigned int osr = 1; /* <OSR> Oversampling rate */
+ unsigned int flags = 0; /* JENT_FORCE_FIPS
+ * JENT_DISABLE_MEMORY_ACCESS
+ * JENT_DISABLE_INTERNAL_TIMER
+ * JENT_FORCE_INTERNAL_TIMER
+ * JENT_MAX_MEMSIZE_{32,64,128,256,512}kB
+ * JENT_MAX_MEMSIZE_{1,2,4,8,16,32,64,128,256,512}MB
+ */
+ unsigned int rv = 1;
+ unsigned int osr = 1; /* <OSR> Oversampling rate */
+ unsigned int flags = 0; /* JENT_FORCE_FIPS
+ * JENT_DISABLE_MEMORY_ACCESS
+ * JENT_DISABLE_INTERNAL_TIMER
+ * JENT_FORCE_INTERNAL_TIMER
+ * JENT_MAX_MEMSIZE_{32,64,128,256,512}kB
+ * JENT_MAX_MEMSIZE_{1,2,4,8,16,32,64,128,256,512}MB
+ */
+
+ /* Set the FIPS flag. */
+ flags |= JENT_FORCE_FIPS;
+ /* Set the FIPS flag. */
+ flags |= JENT_FORCE_FIPS;
+
+ /* Do not re-initialize jent. */
+ if (jent_initialized == 0) {
+ if (jent_entropy_init_ex(osr, flags))
+ return 0;
+ jent_initialized = 1;
+ }
+ /* Do not re-initialize jent. */
+ if (jent_initialized == 0) {
+ if (jent_entropy_init_ex(osr, flags))
+ return 0;
+ jent_initialized = 1;
+ }
+
+ /* Allocate the entropy collector. */
+ if (ec == NULL) {
+ ec = jent_entropy_collector_alloc(osr, flags);
+ if (ec == NULL) {
+ rv = 0;
+ }
+ }
+ /* Allocate the entropy collector. */
+ if (ec == NULL) {
+ ec = jent_entropy_collector_alloc(osr, flags);
+ if (ec == NULL) {
+ rv = 0;
+ }
+ }
+
+ return rv;
+ return rv;
+}
+
+void FIPS_jent_entropy_deinit(void)
+{
+ /* Free the entropy collector. */
+ if (ec != NULL) {
+ jent_entropy_collector_free(ec);
+ ec = NULL;
+ }
+ /* Free the entropy collector. */
+ if (ec != NULL) {
+ jent_entropy_collector_free(ec);
+ ec = NULL;
+ }
+
+ return;
+ jent_initialized = 0;
+
+ return;
+}
+
+/* returns exactly the amount of bytes requested */
+static int force_jent(void *buf, size_t buflen, unsigned int flags,
+ unsigned int osr)
+ unsigned int osr)
+{
+ static int jent_bytes = -1;
+ static int jent_bytes = -1;
+
+ if (buf == NULL || buflen == 0) {
+ return -1;
+ }
+ if (buf == NULL || buflen == 0) {
+ return -1;
+ }
+
+ /* Ensure the entropy source has been fully initiated. */
+ if (jent_initialized == 0 || ec == NULL) {
+ if (!FIPS_jent_entropy_init()) {
+ return -1;
+ }
+ }
+ /* Ensure the entropy source has been fully initiated. */
+ if (jent_initialized == 0 || ec == NULL) {
+ if (!FIPS_jent_entropy_init()) {
+ return -1;
+ }
+ }
+
+ /* Get entropy bytes. */
+ jent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
+ /* Get entropy bytes. */
+ jent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
+
+ return jent_bytes;
+ return jent_bytes;
+}
+
+static int _rnd_get_system_entropy_jent(void* _rnd, size_t size)
+{
+ int ret;
+ unsigned int osr = 1;
+ unsigned int flags = 0;
+ int ret;
+ unsigned int osr = 1;
+ unsigned int flags = 0;
+
+ /* Set the FIPS flag. */
+ flags |= JENT_FORCE_FIPS;
+ /* Set the FIPS flag. */
+ flags |= JENT_FORCE_FIPS;
+
+ ret = force_jent(_rnd, size, flags, osr);
+ if (ret < 0) {
+ int e = errno;
+ gnutls_assert();
+ _gnutls_debug_log("Failed to use jent: %s\n", strerror(e));
+ FIPS_jent_entropy_deinit();
+ return GNUTLS_E_RANDOM_DEVICE_ERROR;
+ }
+ ret = force_jent(_rnd, size, flags, osr);
+ if (ret < 0) {
+ int e = errno;
+ gnutls_assert();
+ _gnutls_debug_log("Failed to use jent: %s\n", strerror(e));
+ FIPS_jent_entropy_deinit();
+ return GNUTLS_E_RANDOM_DEVICE_ERROR;
+ }
+
+ return 0;
+ return 0;
+}
+# endif
+# endif
+
static unsigned have_getrandom(void)
{
@@ -164,6 +260,16 @@ int _rnd_system_entropy_init(void)
char c;
@@ -162,6 +266,24 @@ int _rnd_system_entropy_init(void)
int urandom_fd;
#if defined(__linux__)
+# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
+ /* Enable jitterentropy usage if available */
+ if (FIPS_jent_entropy_init()) {
+ _rnd_get_system_entropy = _rnd_get_system_entropy_jent;
@ -124,28 +133,36 @@ Index: gnutls-3.7.3/lib/nettle/sysrng-linux.c
+ return 0;
+ } else {
+ _gnutls_debug_log("jitterentropy is not available\n");
+ /* Set error state when FIPS_jent_entropy_init failed and FIPS mode is enabled */
+ if (_gnutls_fips_mode_enabled()) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ return gnutls_assert_val(GNUTLS_E_RANDOM_DEVICE_ERROR);
+ }
+ }
+# endif
+# endif
/* Enable getrandom() usage if available */
if (have_getrandom()) {
_rnd_get_system_entropy = _rnd_get_system_entropy_getrandom;
@@ -193,6 +299,11 @@ int _rnd_system_entropy_init(void)
@@ -192,5 +314,12 @@ int _rnd_system_entropy_init(void)
void _rnd_system_entropy_deinit(void)
{
/* A no-op now when we open and close /dev/urandom every time */
+#if defined(__linux__)
+# if defined(HAVE_JENT)
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
+ FIPS_jent_entropy_deinit();
+# endif
+# endif
+#endif
return;
}
Index: gnutls-3.7.3/lib/nettle/Makefile.in
Index: gnutls-3.8.0/lib/nettle/Makefile.in
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/Makefile.in
+++ gnutls-3.7.3/lib/nettle/Makefile.in
@@ -398,7 +398,7 @@ am__v_CC_1 =
--- gnutls-3.8.0.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.0/lib/nettle/Makefile.in
@@ -399,7 +399,7 @@ am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@ -154,10 +171,10 @@ Index: gnutls-3.7.3/lib/nettle/Makefile.in
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
Index: gnutls-3.7.3/lib/nettle/Makefile.am
Index: gnutls-3.8.0/lib/nettle/Makefile.am
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/Makefile.am
+++ gnutls-3.7.3/lib/nettle/Makefile.am
--- gnutls-3.8.0.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.0/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@
include $(top_srcdir)/lib/common.mk
@ -167,10 +184,10 @@ Index: gnutls-3.7.3/lib/nettle/Makefile.am
AM_CPPFLAGS = \
-I$(srcdir)/int \
Index: gnutls-3.7.3/lib/nettle/rnd-fips.c
Index: gnutls-3.8.0/lib/nettle/rnd-fips.c
===================================================================
--- gnutls-3.7.3.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.7.3/lib/nettle/rnd-fips.c
--- gnutls-3.8.0.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.0/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
@ -193,3 +210,16 @@ Index: gnutls-3.7.3/lib/nettle/rnd-fips.c
ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
Index: gnutls-3.8.0/tests/Makefile.am
===================================================================
--- gnutls-3.8.0.orig/tests/Makefile.am
+++ gnutls-3.8.0/tests/Makefile.am
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
- set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
+ set_x509_key_file_ocsp client-fastopen srp rng-pthread \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
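Review bot: `force_jent` still declares `static int jent_bytes = -1;` even though `ec` and `jent_initialized` have just been made `_Thread_local` for exactly this reason; the static is written on every call by `jent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);` and read back as the return value, so concurrent callers race on it for no benefit — a plain local, `int jent_bytes;`, removes the race, and if `jent_read_entropy_safe` returns `ssize_t` the `int` also truncates its result, so `ssize_t jent_bytes;` would be the safer declaration (please confirm the prototype). With the collector now per thread, `_rnd_system_entropy_deinit` → `FIPS_jent_entropy_deinit` frees only the calling thread's `ec` and resets only its `jent_initialized`, so collectors allocated by other threads are not released unless each of them deinitialises; that consequence belongs in a comment on the `_Thread_local` declarations. `_rnd_get_system_entropy_jent` treats any non-negative `force_jent` result as success, so if `jent_read_entropy_safe` can return fewer than `buflen` bytes a short read would be accepted silently; the "returns exactly the amount of bytes requested" comment above `force_jent` is where to state which guarantee of the jitterentropy API is being relied on.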


@ -1,242 +0,0 @@
From 00fff0aad2b606801704046042aa3b2b24f07d63 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 29 Sep 2022 15:31:28 +0200
Subject: [PATCH] Make XTS key check failure not fatal
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
lib/accelerated/x86/aes-xts-x86-aesni.c | 1 -
lib/nettle/cipher.c | 73 ++++++++---------------
tests/Makefile.am | 2 +-
tests/xts-key-check.c | 78 +++++++++++++++++++++++++
5 files changed, 103 insertions(+), 52 deletions(-)
create mode 100644 tests/xts-key-check.c
diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c
index 0588d0bd55..d6936a688d 100644
--- a/lib/accelerated/x86/aes-xts-x86-aesni.c
+++ b/lib/accelerated/x86/aes-xts-x86-aesni.c
@@ -73,7 +73,6 @@ x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
/* Check key block according to FIPS-140-2 IG A.9 */
if (_gnutls_fips_mode_enabled()){
if (gnutls_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
- _gnutls_switch_lib_state(LIB_STATE_ERROR);
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
}
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index c9c59fb0ba..9c2ce19e7e 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -448,12 +448,14 @@ _gcm_decrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
length, dst, src);
}
-static void _des_set_key(struct des_ctx *ctx, const uint8_t *key)
+static void
+_des_set_key(struct des_ctx *ctx, const uint8_t *key)
{
des_set_key(ctx, key);
}
-static void _des3_set_key(struct des3_ctx *ctx, const uint8_t *key)
+static void
+_des3_set_key(struct des3_ctx *ctx, const uint8_t *key)
{
des3_set_key(ctx, key);
}
@@ -476,50 +478,6 @@ _cfb8_decrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
length, dst, src);
}
-static void
-_xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,
- const uint8_t *key)
-{
- if (_gnutls_fips_mode_enabled() &&
- gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
- _gnutls_switch_lib_state(LIB_STATE_ERROR);
-
- xts_aes128_set_encrypt_key(xts_key, key);
-}
-
-static void
-_xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key,
- const uint8_t *key)
-{
- if (_gnutls_fips_mode_enabled() &&
- gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
- _gnutls_switch_lib_state(LIB_STATE_ERROR);
-
- xts_aes128_set_decrypt_key(xts_key, key);
-}
-
-static void
-_xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key,
- const uint8_t *key)
-{
- if (_gnutls_fips_mode_enabled() &&
- gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
- _gnutls_switch_lib_state(LIB_STATE_ERROR);
-
- xts_aes256_set_encrypt_key(xts_key, key);
-}
-
-static void
-_xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key,
- const uint8_t *key)
-{
- if (_gnutls_fips_mode_enabled() &&
- gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
- _gnutls_switch_lib_state(LIB_STATE_ERROR);
-
- xts_aes256_set_decrypt_key(xts_key, key);
-}
-
static void
_xts_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
const uint8_t * src)
@@ -1041,8 +999,8 @@ static const struct nettle_cipher_st builtin_ciphers[] = {
.ctx_size = sizeof(struct xts_aes128_key),
.encrypt = _xts_aes128_encrypt,
.decrypt = _xts_aes128_decrypt,
- .set_encrypt_key = (nettle_set_key_func*)_xts_aes128_set_encrypt_key,
- .set_decrypt_key = (nettle_set_key_func*)_xts_aes128_set_decrypt_key,
+ .set_encrypt_key = (nettle_set_key_func*)xts_aes128_set_encrypt_key,
+ .set_decrypt_key = (nettle_set_key_func*)xts_aes128_set_decrypt_key,
.max_iv_size = AES_BLOCK_SIZE,
},
{ .algo = GNUTLS_CIPHER_AES_256_XTS,
@@ -1052,8 +1010,8 @@ static const struct nettle_cipher_st builtin_ciphers[] = {
.ctx_size = sizeof(struct xts_aes256_key),
.encrypt = _xts_aes256_encrypt,
.decrypt = _xts_aes256_decrypt,
- .set_encrypt_key = (nettle_set_key_func*)_xts_aes256_set_encrypt_key,
- .set_decrypt_key = (nettle_set_key_func*)_xts_aes256_set_decrypt_key,
+ .set_encrypt_key = (nettle_set_key_func*)xts_aes256_set_encrypt_key,
+ .set_decrypt_key = (nettle_set_key_func*)xts_aes256_set_decrypt_key,
.max_iv_size = AES_BLOCK_SIZE,
},
{ .algo = GNUTLS_CIPHER_AES_128_SIV,
@@ -1144,6 +1102,21 @@ wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize)
return 0;
}
+ switch (ctx->cipher->algo) {
+ case GNUTLS_CIPHER_AES_128_XTS:
+ if (_gnutls_fips_mode_enabled() &&
+ gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ break;
+ case GNUTLS_CIPHER_AES_256_XTS:
+ if (_gnutls_fips_mode_enabled() &&
+ gnutls_memcmp(key, (char *)key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ break;
+ default:
+ break;
+ }
+
if (ctx->enc)
ctx->cipher->set_encrypt_key(ctx->ctx_ptr, key);
else
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3e126f0046..1122886b31 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -233,7 +233,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
tls13-without-timeout-func buffer status-request-revoked \
set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \
x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
- x509-upnconstraint cipher-padding pkcs7-verify-double-free \
+ x509-upnconstraint xts-key-check cipher-padding pkcs7-verify-double-free \
fips-rsa-sizes
ctests += tls-channel-binding
diff --git a/tests/xts-key-check.c b/tests/xts-key-check.c
new file mode 100644
index 0000000000..a3bea5abca
--- /dev/null
+++ b/tests/xts-key-check.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Zoltan Fridrich
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <gnutls/crypto.h>
+
+#include "utils.h"
+
+static void test_xts_check(gnutls_cipher_algorithm_t alg)
+{
+ int ret;
+ gnutls_cipher_hd_t ctx;
+ gnutls_datum_t key, iv;
+
+ iv.size = gnutls_cipher_get_iv_size(alg);
+ iv.data = gnutls_malloc(iv.size);
+ if (iv.data == NULL)
+ fail("Error: %s\n", gnutls_strerror(GNUTLS_E_MEMORY_ERROR));
+ gnutls_memset(iv.data, 0xf0, iv.size);
+
+ key.size = gnutls_cipher_get_key_size(alg);
+ key.data = gnutls_malloc(key.size);
+ if (key.data == NULL) {
+ gnutls_free(iv.data);
+ fail("Error: %s\n", gnutls_strerror(GNUTLS_E_MEMORY_ERROR));
+ }
+ gnutls_memset(key.data, 0xf0, key.size);
+
+ ret = gnutls_cipher_init(&ctx, alg, &key, &iv);
+ if (ret == GNUTLS_E_SUCCESS) {
+ gnutls_cipher_deinit(ctx);
+ gnutls_free(iv.data);
+ gnutls_free(key.data);
+ fail("cipher initialization should fail for key1 == key2\n");
+ }
+
+ key.data[0] = 0xff;
+
+ ret = gnutls_cipher_init(&ctx, alg, &key, &iv);
+ gnutls_free(iv.data);
+ gnutls_free(key.data);
+
+ if (ret == GNUTLS_E_SUCCESS)
+ gnutls_cipher_deinit(ctx);
+ else
+ fail("cipher initialization should succeed with key1 != key2"
+ "\n%s\n", gnutls_strerror(ret));
+}
+
+void doit(void)
+{
+ if (!gnutls_fips140_mode_enabled())
+ exit(77);
+
+ test_xts_check(GNUTLS_CIPHER_AES_128_XTS);
+ test_xts_check(GNUTLS_CIPHER_AES_256_XTS);
+}
--
GitLab


@ -1,21 +0,0 @@
Index: gnutls-3.7.8/lib/fips.c
===================================================================
--- gnutls-3.7.8.orig/lib/fips.c
+++ gnutls-3.7.8/lib/fips.c
@@ -402,6 +402,8 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
if (ret < 0)
return ret;
+ /* Check only the binary integrity of the libgnutls library */
+#if 0
ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
if (ret < 0)
return ret;
@@ -411,6 +413,7 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
if (ret < 0)
return ret;
+#endif
return 0;
}


@ -1,3 +1,73 @@
-------------------------------------------------------------------
Tue Feb 21 10:17:00 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.0: [bsc#1205763, bsc#1209627]
* libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
exchange. Reported by Hubert Kario (#1050). Fix developed by
Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
[CVE-2023-0361]
* libgnutls: C++ library is now header only. All definitions
from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
C++ interface have two options:
1. include gnutlsxx.h in their application and link against
the C library. (default)
2. include gnutlsxx.h in their application, compile with
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
against the C++ library.
* libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
priority modifier have been added to allow disabling of the
status_request TLS extension in the client side.
* libgnutls: TLS heartbeat is disabled by default.
The heartbeat extension in TLS (RFC 6520) is not widely used
given other implementations dropped support for it. To enable
back support for it, supply --enable-heartbeat-support to
configure script.
* libgnutls: SRP authentication is now disabled by default.
It is disabled because the SRP authentication in TLS is not
up to date with the latest TLS standards and its ciphersuites
are based on the CBC mode and SHA-1. To enable it back, supply
--enable-srp-authentication option to configure script.
* libgnutls: All code has been indented using "indent -ppi1 -linux".
CI/CD has been adjusted to catch regressions. This is implemented
through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.ymls
commit-check. You may run devel/indent-gnutls to fix any
indentation issues if you make code modifications.
* guile: Guile-bindings removed. They have been extracted into a
separate project to reduce complexity and to simplify maintenance,
see <https://gitlab.com/gnutls/guile/>.
* minitasn1: Upgraded to libtasn1 version 4.19.
* API and ABI modifications:
GNUTLS_NO_STATUS_REQUEST: New flag
GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
* Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
and gnutls-FIPS-jitterentropy-threadsafe.patch into the main
patch gnutls-FIPS-jitterentropy.patch
* Rebase gnutls-FIPS-140-3-references.patch
* Rebase patches with upstream version:
- gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
* Remove patches merged/fixed upstream:
- gnutls-FIPS-disable-failing-tests.patch
- gnutls-verify-library-HMAC.patch
- gnutls_ECDSA_signing.patch
- gnutls-Make-XTS-key-check-failure-not-fatal.patch
- gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
* Update keyring with https://gnutls.org/gnutls-release-keyring.gpg
-------------------------------------------------------------------
Thu Feb 16 19:43:04 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: Make the jitterentropy calls thread-safe [bsc#1208146]
* Add gnutls-FIPS-jitterentropy-threadsafe.patch
-------------------------------------------------------------------
Thu Feb 16 12:31:25 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
* Rebase patches with the version submitted upstream.
* Avoid copying the key material: gnutls-FIPS-PCT-DH.patch
* Improve logic around memory release: gnutls-FIPS-PCT-ECDH.patch
-------------------------------------------------------------------
Fri Feb 10 13:12:25 UTC 2023 - Pedro Monreal <pmonreal@suse.com>


@ -25,6 +25,11 @@
%else
%bcond_with dane
%endif
%if 0%{?suse_version} >= 1550
%bcond_without srp
%else
%bcond_with srp
%endif
# Enable Linux kernel AF_ALG based acceleration
%if 0%{?suse_version} >= 1550
# disable for now, as our OBS builds do not work with it. Marcus 20220511
@ -34,50 +39,37 @@
%bcond_with kcapi
%endif
%bcond_with tpm
%bcond_without guile
Name: gnutls
Version: 3.7.9
Version: 3.8.0
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/Security
URL: https://www.gnutls.org/
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
# https://gnutls.org/gnutls-release-keyring.gpg
Source2: gnutls.keyring
Source2: https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
Source3: baselibs.conf
# Suppress a false positive on the .hmac file
Source4: gnutls.rpmlintrc
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
Patch2: gnutls-FIPS-disable-failing-tests.patch
Patch3: gnutls_ECDSA_signing.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%ifnarch s390 s390x
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch4: gnutls-FIPS-jitterentropy.patch
#PATCH-FIX-SUSE bsc#1202146 FIPS: Set error state when jent init failed in FIPS mode
Patch5: gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
%endif
%endif
#PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and allow SHA only
Patch6: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
#PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
Patch7: gnutls-Make-XTS-key-check-failure-not-fatal.patch
Patch8: gnutls-disable-flaky-test-dtls-resume.patch
#PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
Patch9: gnutls-verify-library-HMAC.patch
Patch2: gnutls-disable-flaky-test-dtls-resume.patch
# FIPS 140-3 patches:
#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
Patch10: gnutls-FIPS-PCT-DH.patch
Patch11: gnutls-FIPS-PCT-ECDH.patch
Patch100: gnutls-FIPS-PCT-DH.patch
Patch101: gnutls-FIPS-PCT-ECDH.patch
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch12: gnutls-FIPS-140-3-references.patch
Patch102: gnutls-FIPS-140-3-references.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch103: gnutls-FIPS-jitterentropy.patch
%endif
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge
BuildRequires: fdupes
BuildRequires: fipscheck
BuildRequires: gcc-c++
BuildRequires: gtk-doc
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
@ -112,9 +104,6 @@ BuildRequires: unbound-devel
BuildRequires: libunbound-devel
%endif
%endif
%if %{with guile}
BuildRequires: guile-devel > 1.8
%endif
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
BuildRequires: crypto-policies
Requires: crypto-policies
@ -213,17 +202,6 @@ Requires: libstdc++-devel
%description -n libgnutlsxx-devel
Files needed for software development using gnutls.
%if %{with guile}
%package guile
Summary: Guile wrappers for gnutls
License: LGPL-2.1-or-later
Group: Development/Libraries/Other
Requires: guile > 1.8
%description guile
GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
%endif
%prep
%autosetup -p1
@ -233,10 +211,8 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
export CFLAGS="%{optflags} -fPIE"
export CXXFLAGS="%{optflags} -fPIE"
autoreconf -fiv
# Rename the internal .hmac file to include the so library version
sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.am lib/Makefile.in lib/fips.c
autoreconf -fiv
%configure \
gl_cv_func_printf_directive_n=yes \
@ -258,16 +234,15 @@ sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.
%else
--disable-libdane \
%endif
%if %{with guile}
--enable-guile \
--with-guile-extension-dir=%{_libdir}/guile/3.0 \
%else
--disable-guile \
%if %{with srp}
--enable-srp-authentication \
%endif
--enable-shared \
--enable-fips140-mode \
--with-fips140-module-name="GnuTLS version" \
--with-fips140-module-version="%{version}-%{release}" \
%{nil}
%make_build
%install
@ -287,11 +262,11 @@ sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.
# the macro is too late.
# remark: This is the same as running
# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
# note: The FIPS hmac is now calculated with an internal tool since
# Note: The FIPS hmac is now calculated with an internal tool since
# commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
%{expand:%%global __os_install_post {%__os_install_post
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
sed -i "s^%{buildroot}/usr^^" "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
}}
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
@ -318,7 +293,8 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
find -name test-suite.log -print -exec cat {} +
exit 1
}
#Run the regression tests also in FIPS mode
# Run the regression tests also in forced FIPS mode
GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
find -name test-suite.log -print -exec cat {} +
exit 1
@ -346,7 +322,9 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%if %{with srp}
%{_bindir}/srptool
%endif
%if %{with dane}
%{_bindir}/danetool
%endif
@ -414,11 +392,4 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h
%if %{with guile}
%files guile
%license LICENSE
%{_libdir}/guile/*
%{_datadir}/guile/site/*
%endif
%changelog
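Review bot: The new srp conditional (`%bcond_without srp` when suse_version >= 1550, paired with `--enable-srp-authentication` under `%if %{with srp}` in the %configure hunk) re-enables an authentication mode that the 3.8.0 changelog in this same commit says upstream disabled by default because its ciphersuites rest on CBC mode and SHA-1, yet the spec records no rationale next to it. A comment above the bcond, e.g. `# Upstream disables SRP by default since 3.8.0 (CBC-mode / SHA-1 ciphersuites); kept enabled on Tumbleweed only`, would make the deliberate deviation visible to the next maintainer and to security reviews of the FIPS build. Separately, `--with-fips140-module-name="GnuTLS version"` reads as if the word "version" may have slipped in from the neighbouring `--with-fips140-module-version` option; since that string identifies the FIPS module, the intended value is worth confirming. Which lines of the first hunk are additions versus context is not recoverable from this rendering, so the srp block is taken to be new based on the changelog.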


@ -1,172 +0,0 @@
Index: gnutls-3.7.7/lib/crypto-api.c
===================================================================
--- gnutls-3.7.7.orig/lib/crypto-api.c
+++ gnutls-3.7.7/lib/crypto-api.c
@@ -1056,6 +1056,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls
int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
{
int ret;
+ bool not_approved = false;
FAIL_IF_LIB_ERROR;
@@ -1066,6 +1067,10 @@ int gnutls_key_generate(gnutls_datum_t *
if (_gnutls_fips_mode_enabled() != 0 &&
key_size > FIPS140_RND_KEY_SIZE)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ if (key_size < 14) {
+ not_approved = true;
+ }
+
#endif
key->size = key_size;
@@ -1082,6 +1087,15 @@ int gnutls_key_generate(gnutls_datum_t *
return ret;
}
+#ifdef ENABLE_FIPS140
+ if (not_approved) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ } else {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
+ }
+
+#endif
+
return 0;
}
Index: gnutls-3.7.7/lib/fips.h
===================================================================
--- gnutls-3.7.7.orig/lib/fips.h
+++ gnutls-3.7.7/lib/fips.h
@@ -145,6 +145,30 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
}
}
+inline static bool
+is_digest_algo_approved_for_sign_in_fips(gnutls_digest_algorithm_t algo)
+{
+ switch (algo) {
+ case GNUTLS_DIG_SHA224:
+ case GNUTLS_DIG_SHA256:
+ case GNUTLS_DIG_SHA384:
+ case GNUTLS_DIG_SHA512:
+ case GNUTLS_DIG_SHA3_224:
+ case GNUTLS_DIG_SHA3_256:
+ case GNUTLS_DIG_SHA3_384:
+ case GNUTLS_DIG_SHA3_512:
+ return true;
+ default:
+ return false;
+ }
+}
+
+inline static bool
+is_digest_algo_allowed_for_sign_in_fips(gnutls_digest_algorithm_t algo)
+{
+ return is_digest_algo_approved_for_sign_in_fips(algo);
+}
+
#ifdef ENABLE_FIPS140
/* This will test the condition when in FIPS140-2 mode
* and return an error if necessary or ignore */
@@ -205,9 +229,33 @@ is_cipher_algo_allowed(gnutls_cipher_alg
return true;
}
+
+inline static bool
+is_digest_algo_allowed_for_sign(gnutls_digest_algorithm_t algo)
+{
+ gnutls_fips_mode_t mode = _gnutls_fips_mode_enabled();
+ if (_gnutls_get_lib_state() != LIB_STATE_SELFTEST &&
+ !is_digest_algo_allowed_for_sign_in_fips(algo)) {
+ switch (mode) {
+ case GNUTLS_FIPS140_LOG:
+ _gnutls_audit_log(NULL, "fips140-2: allowing access to %s\n",
+ gnutls_cipher_get_name(algo));
+ FALLTHROUGH;
+ case GNUTLS_FIPS140_DISABLED:
+ case GNUTLS_FIPS140_LAX:
+ return true;
+ default:
+ return false;
+ }
+ }
+
+ return true;
+}
+
#else
# define is_mac_algo_allowed(x) true
# define is_cipher_algo_allowed(x) true
+# define is_digest_algo_allowed_for_sign(x) true
# define FIPS_RULE(condition, ret_error, ...)
#endif
Index: gnutls-3.7.7/lib/privkey.c
===================================================================
--- gnutls-3.7.7.orig/lib/privkey.c
+++ gnutls-3.7.7/lib/privkey.c
@@ -1284,10 +1284,24 @@ privkey_sign_and_hash_data(gnutls_privke
int ret;
gnutls_datum_t digest;
const mac_entry_st *me;
+ bool not_approved = false;
if (unlikely(se == NULL))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ if (se->pk == GNUTLS_PK_ECDSA && !is_digest_algo_allowed_for_sign(se->hash)) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+ } else if (se->pk == GNUTLS_PK_ECDSA && !is_digest_algo_approved_for_sign_in_fips(se->hash)) {
+ not_approved = true;
+ }
+
+ if (not_approved) {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ } else {
+ _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
+ }
+
if (_gnutls_pk_is_not_prehashed(se->pk)) {
return privkey_sign_raw_data(signer, se, data, signature, params);
}
Index: gnutls-3.7.7/tests/fips-test.c
===================================================================
--- gnutls-3.7.7.orig/tests/fips-test.c
+++ gnutls-3.7.7/tests/fips-test.c
@@ -38,6 +38,7 @@ static void tls_log_func(int level, cons
fprintf(stderr, "<%d>| %s", level, str);
}
+static uint8_t key13[13];
static uint8_t key16[16];
static uint8_t iv16[16];
uint8_t key_data[64];
@@ -269,6 +270,7 @@ void doit(void)
gnutls_pubkey_t pubkey;
gnutls_x509_privkey_t xprivkey;
gnutls_privkey_t privkey;
+ gnutls_datum_t key_invalid = { key13, sizeof(key13) };
gnutls_datum_t key = { key16, sizeof(key16) };
gnutls_datum_t iv = { iv16, sizeof(iv16) };
gnutls_datum_t signature;
@@ -309,6 +311,14 @@ void doit(void)
/* Try crypto.h functionality */
test_ciphers();
+ /* Try creating key with less than 112 bits: not approved */
+ FIPS_PUSH_CONTEXT();
+ ret = gnutls_key_generate(&key_invalid, 13);
+ if (ret < 0) {
+ fail("gnutls_generate_key failed\n");
+ }
+ FIPS_POP_CONTEXT(NOT_APPROVED);
+
FIPS_PUSH_CONTEXT();
ret = gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv);
if (ret < 0) {