pool/gnutls
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gnutls/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
Pedro Monreal Gonzalez f82cc71bfb - Update to 3.8.9 
- libgnutls: leancrypto was added as an interim option for PQC
    The library can now be built with leancrypto instead of liboqs for
    post-quantum cryptography (PQC), when configured with
    --with-leancrypto option instead of --with-liboqs.
  - libgnutls: Experimental support for ML-DSA signature algorithm
    The library and certtool now support ML-DSA signature algorithm as
    defined in FIPS 204 and based on
    draft-ietf-lamps-dilithium-certificates-04. This feature is
    currently marked as experimental and can only be enabled when
    compiled with --with-leancrypto or --with-liboqs.
    Contributed by David Dudas.
  - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
    The support for ML-KEM post-quantum key encapsulation mechanisms
    has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
    MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
    draft-kwiatkowski-tls-ecdhe-mlkem-03.
  - libgnutls: Fix potential DoS in handling certificates with numerous name
    constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
    bundled copy of libtasn1 has also been updated to the latest 4.20.0
    release to complete the fix.  Reported by Bing Shi (#1553).
    [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243
  - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2
  * Rebased gnutls-FIPS-140-3-references.patch
  * Rebased gnutls-FIPS-TLS_KDF_selftest.patch
  * Rebased gnutls-FIPS-jitterentropy.patch
  * Rebased gnutls-disable-flaky-test-dtls-resume.patch
  * Rebased gnutls-srp-test-SIGPIPE.patch
  * Rebased gnutls-3.5.11-skip-trust-store-tests.patch
  * Add gnutls-set-cligen-python-interp.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=119
2025-02-24 12:46:22 +00:00

121 lines
3.7 KiB
Diff
Raw Blame History

Index: gnutls-3.8.8/lib/fips.c
===================================================================
--- gnutls-3.8.8.orig/lib/fips.c
+++ gnutls-3.8.8/lib/fips.c
@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi
}
/*
+ * check_dep_lib_hmac:
+ * @path: path to the library which hmac should be compared
+ *
+ * Verify that HMAC of a given library matches the hmac in the file
+ * provided by the library, named: .<libname>.so.<soname>.hmac.
+ *
+ * Returns: 0 on successful HMAC verification, a negative error code otherwise
+ */
+static int check_dep_lib_hmac(const char *path)
+{
+ int ret;
+ unsigned prev;
+ uint8_t hmac[HMAC_SIZE];
+ gnutls_datum_t data;
+ char hmac_path[GNUTLS_PATH_MAX];
+ uint8_t lib_hmac[HMAC_SIZE];
+ size_t lib_hmac_size;
+
+ _gnutls_debug_log("Loading: %s\n", path);
+ ret = gnutls_load_file(path, &data);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not load %s: %s\n", path,
+ gnutls_strerror(ret));
+ return gnutls_assert_val(ret);
+ }
+
+ prev = _gnutls_get_lib_state();
+ _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
+ ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1,
+ data.data, data.size, hmac);
+ _gnutls_switch_lib_state(prev);
+
+ gnutls_free(data.data);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path,
+ gnutls_strerror(ret));
+ return gnutls_assert_val(ret);
+ }
+
+ /* Check now the integrity of the hmac provided by the library */
+ ret = get_hmac_path(hmac_path, sizeof(hmac_path), path);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not get hmac file path: %s\n",
+ gnutls_strerror(ret));
+ return ret;
+ }
+ _gnutls_debug_log("Loading: %s\n", hmac_path);
+ ret = gnutls_load_file(hmac_path, &data);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not load %s: %s\n", hmac_path,
+ gnutls_strerror(ret));
+ return gnutls_assert_val(ret);
+ }
+ lib_hmac_size = hex_data_size(data.size);
+ /* trim eventual newlines from the end of the data read from file */
+ while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {
+ data.data[data.size - 1] = 0;
+ data.size--;
+ }
+ ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size);
+ gnutls_free(data.data);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not hex decode hmac\n");
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ }
+ ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE);
+ if (ret){
+ _gnutls_debug_log("Calculated MAC for %s does not match\n",
+ path);
+ gnutls_memset(hmac, 0, HMAC_SIZE);
+ gnutls_memset(lib_hmac, 0, HMAC_SIZE);
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ }
+ _gnutls_debug_log("Successfully verified MAC for %s\n", path);
+ gnutls_memset(hmac, 0, HMAC_SIZE);
+ return 0;
+}
+
+/*
* check_lib_hmac:
* @entry: hmac file entry
* @path: path to the library which hmac should be compared
*
- * Verify that HMAC from hmac file entry matches HMAC of given library.
+ * Verify that HMAC from hmac file entry matches HMAC of gnutls library.
*
* Returns: 0 on successful HMAC verification, a negative error code otherwise
*/
@@ -496,17 +575,20 @@ static int check_binary_integrity(void)
if (ret < 0)
return ret;
#ifdef NETTLE_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ //ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ ret = check_dep_lib_hmac(paths.nettle);
if (ret < 0)
return ret;
#endif
#ifdef HOGWEED_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ ret = check_dep_lib_hmac(paths.hogweed);
if (ret < 0)
return ret;
#endif
#ifdef GMP_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ //ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ ret = check_dep_lib_hmac(paths.gmp);
if (ret < 0)
return ret;
#endif
Reference in New Issue View Git Blame Copy Permalink