forked from pool/gnutls

Accepting request 1105136 from home:pmonrealgonzalez:branches:security:tls

- tests: Fix the SRP test that fails with SIGPIPE signal return due
  to a socket being closed before using it.
  * Add gnutls-srp-test-SIGPIPE.patch

- Update to version 3.8.1:
  * libgnutls: ClientHello extensions are randomized by default
    To make fingerprinting harder, TLS extensions in ClientHello
    messages are shuffled. As this behavior may cause compatibility
    issues with legacy applications that do not accept the last
    extension without payload, the behavior can be reverted with the
    %NO_SHUFFLE_EXTENSIONS priority keyword.
  * libgnutls: Add support for RFC 9258 external PSK importer.
    This enables deploying the same PSK across multiple TLS versions
    (TLS 1.2 and TLS 1.3) in a secure manner. To use it, the application
    needs to set up a callback that formats the PSK identity using
    gnutls_psk_format_imported_identity().
  * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
    %GNUTLS_NO_DEFAULT_EXTENSIONS.
  * libgnutls: Add additional PBKDF limit checks in FIPS mode as
    defined in SP 800-132. Minimum salt length is 128 bits and
    minimum iterations bound is 1000 for PBKDF in FIPS mode.
  * libgnutls: Add a mechanism to control whether to enforce extended
    master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
    session hash (extended master secret, EMS) in TLS 1.2. To enforce
    this, a new priority keyword %FORCE_SESSION_HASH is added and if
    it is set and EMS is not set, the peer aborts the connection. This
    behavior is the default in FIPS mode, though it can be overridden
    through the configuration file with the "tls-session-hash" option.
    In either case non-EMS PRF is reported as a non-approved operation
    through the FIPS service indicator.
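Added illustration, not GnuTLS code: the SP 800-132 PBKDF bounds named in the entry above (128-bit minimum salt, 1000 minimum iterations) written in Python as a gate in front of PBKDF2-HMAC-SHA256, with a reference PBKDF2 alongside to show what those two parameters actually feed into. All names here (`derive_key`, `pbkdf2_params_approved`, `pbkdf2_hmac_ref`, `FipsParameterError`) and the sample inputs are mine; GnuTLS's own check lives in its C code and is not reproduced.

```python
import hashlib
import hmac
from typing import Tuple

# SP 800-132 bounds quoted in the changelog for PBKDF in FIPS mode.
# Constant and function names are mine, not GnuTLS identifiers.
FIPS_MIN_SALT_BYTES = 16      # 128 bits
FIPS_MIN_ITERATIONS = 1000


class FipsParameterError(ValueError):
    """PBKDF2 parameters fall below the SP 800-132 bounds while in FIPS mode."""


def pbkdf2_params_approved(salt: bytes, iterations: int) -> bool:
    """True when salt length and iteration count meet the FIPS-mode bounds."""
    return len(salt) >= FIPS_MIN_SALT_BYTES and iterations >= FIPS_MIN_ITERATIONS


def pbkdf2_hmac_ref(hash_name: str, password: bytes, salt: bytes,
                    iterations: int, dklen: int) -> bytes:
    """Reference PBKDF2 (RFC 8018 section 5.2) built from HMAC.

    Shown so the role of the salt (input to the first PRF call of every
    block) and of the iteration count (number of chained PRF calls) is
    visible; cross-checked against hashlib in derive_key's test.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    hlen = hashlib.new(hash_name).digest_size
    derived = b""
    for block_index in range(1, -(-dklen // hlen) + 1):
        # U_1 = PRF(P, S || INT(i)); T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for j in range(hlen):
                t[j] ^= u[j]
        derived += bytes(t)
    return derived[:dklen]


def derive_key(password: bytes, salt: bytes, iterations: int,
               dklen: int = 32, fips_mode: bool = True) -> Tuple[bytes, bool]:
    """Derive a key with PBKDF2-HMAC-SHA256 behind the SP 800-132 gate.

    In FIPS mode, out-of-bounds parameters are rejected outright. Outside
    FIPS mode the derivation still runs, but the second element of the
    result is False, playing the role of the 'non-approved' service
    indicator the changelog mentions.
    """
    approved = pbkdf2_params_approved(salt, iterations)
    if fips_mode and not approved:
        raise FipsParameterError(
            f"salt of {len(salt)} bytes / {iterations} iterations is below the "
            f"SP 800-132 bounds ({FIPS_MIN_SALT_BYTES} bytes, {FIPS_MIN_ITERATIONS} iterations)")
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return key, approved


if __name__ == "__main__":
    # Constructed sample inputs, not vectors from any standard.
    good_salt = bytes(range(16))
    key, ok = derive_key(b"correct horse", good_salt, 10_000)
    print(key.hex(), "approved" if ok else "non-approved")
    try:
        derive_key(b"correct horse", b"salt", 1)          # rejected in FIPS mode
    except FipsParameterError as e:
        print("rejected:", e)
    key2, ok2 = derive_key(b"correct horse", b"salt", 1, fips_mode=False)
    print(key2.hex(), "approved" if ok2 else "non-approved")
```

The gate is deliberately separate from the derivation so that the same parameter check can be reused by whatever else consumes a PBKDF (key wrapping, password storage), and so that the non-FIPS path still reports the weaker parameters rather than silently accepting them.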

OBS-URL: https://build.opensuse.org/request/show/1105136
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=98
Pedro Monreal Gonzalez 2023-08-22 12:20:21 +00:00 committed by Git OBS Bridge
parent 8c2487bb4b
commit ab8ae2104b
11 changed files with 412 additions and 726 deletions

gnutls-3.8.0.tar.xz (Stored with Git LFS)

gnutls-3.8.1.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ba8b9e15ae20aba88f44661978f5b5863494316fe7e722ede9d069fe6294829c
size 6447056

gnutls-3.8.1.tar.xz.sig Normal file

File diff suppressed because it is too large


@ -1,55 +0,0 @@
From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001
From: Pedro Monreal <pmgdeb@gmail.com>
Date: Thu, 16 Feb 2023 17:02:38 +0100
Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation
Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
Consistency check, even if we only support ephemeral DH, as it is
required by FIPS 140-3 IG 10.3.A.
Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
Index: gnutls-3.8.0/lib/nettle/pk.c
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/pk.c
+++ gnutls-3.8.0/lib/nettle/pk.c
@@ -2520,6 +2520,35 @@ static int pct_test(gnutls_pk_algorithm_
}
break;
case GNUTLS_PK_DH:
+ {
+ mpz_t y;
+
+ /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
+ * of Pair-wise Consistency check, even if we only
+ * support ephemeral DH, as it is required by FIPS
+ * 140-3 IG 10.3.A.
+ *
+ * Use the private key, x, along with the generator g
+ * and prime modulus p included in the domain
+ * parameters associated with the key pair to compute
+ * g^x mod p. Compare the result to the public key, y.
+ */
+ mpz_init(y);
+ mpz_powm(y,
+ TOMPZ(params->params[DSA_G]),
+ TOMPZ(params->params[DSA_X]),
+ TOMPZ(params->params[DSA_P]));
+ if (unlikely
+ (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_PK_GENERATION_ERROR);
+ mpz_clear(y);
+ goto cleanup;
+ }
+ mpz_clear(y);
+ break;
+ }
case GNUTLS_PK_ECDH_X25519:
case GNUTLS_PK_ECDH_X448:
ret = 0;
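Review bot: the changes entry in this commit lists gnutls-FIPS-PCT-DH.patch under "Remove patches merged/fixed upstream", but neither the commit message nor the changes entry names the upstream commit or 3.8.1 release note that carries this DH pair-wise consistency test (the g^x mod p versus y comparison in the GNUTLS_PK_DH case above); add that reference so the FIPS 140-3 IG 10.3.A coverage stays auditable once the patch file is gone from the package.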


@ -1,193 +0,0 @@
From 5030f40332ada4f90e80838a2232da36ce03757a Mon Sep 17 00:00:00 2001
From: Pedro Monreal <pmgdeb@gmail.com>
Date: Fri, 24 Feb 2023 22:02:48 +0000
Subject: [PATCH] ecdh: perform SP800-56A rev3 full pubkey validation on key
derivation
This implements full public key validation required in
SP800-56A rev3, section 5.6.2.3.3.
Co-authored-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
---
lib/nettle/pk.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 125 insertions(+), 3 deletions(-)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 6adf958a61..d30bca594f 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -71,6 +71,9 @@
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
+static inline const char *get_supported_nist_curve_order(int curve);
+static inline const char *get_supported_nist_curve_modulus(int curve);
+
/* When these callbacks are used for a nettle operation, the
* caller must check the macro HAVE_LIB_ERROR() after the operation
* is complete. If the macro is true, the operation is to be considered
@@ -406,6 +409,10 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
struct ecc_scalar ecc_priv;
struct ecc_point ecc_pub;
const struct ecc_curve *curve;
+ struct ecc_scalar n;
+ struct ecc_scalar m;
+ struct ecc_point r;
+ mpz_t x, y, xx, yy, nn, mm;
out->data = NULL;
@@ -428,17 +435,28 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
not_approved = true;
}
+ mpz_init(x);
+ mpz_init(y);
+ mpz_init(xx);
+ mpz_init(yy);
+ mpz_init(nn);
+ mpz_init(mm);
+
+ ecc_scalar_init(&n, curve);
+ ecc_scalar_init(&m, curve);
+ ecc_point_init(&r, curve);
+
ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
if (ret < 0) {
gnutls_assert();
- goto cleanup;
+ goto ecc_fail_cleanup;
}
ret = _ecc_params_to_privkey(priv, &ecc_priv, curve);
if (ret < 0) {
ecc_point_clear(&ecc_pub);
gnutls_assert();
- goto cleanup;
+ goto ecc_fail_cleanup;
}
out->size = gnutls_ecc_curve_get_size(priv->curve);
@@ -449,14 +467,118 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
goto ecc_cleanup;
}
+ /* Perform ECC Full Public-Key Validation Routine
+ * according to SP800-56A (revision 3), 5.6.2.3.3.
+ */
+
+ /* Step 1: verify that Q is not an identity
+ * element (an infinity point). Note that this
+ * cannot happen in the nettle implementation,
+ * because it cannot represent an infinity point
+ * on curves. */
ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
out->size);
- if (ret < 0)
+ if (ret < 0) {
gnutls_free(out->data);
+ goto ecc_cleanup;
+ }
+#ifdef ENABLE_FIPS140
+ if (_gnutls_fips_mode_enabled()) {
+ const char *order, *modulus;
+
+ ecc_point_mul(&r, &ecc_priv, &ecc_pub);
+ ecc_point_get(&r, x, y);
+
+ /* Step 2: verify that both coordinates of Q are
+ * in the range [0, p - 1].
+ *
+ * Step 3: verify that Q lie on the curve
+ *
+ * Both checks are performed in nettle. */
+ if (!ecc_point_set(&r, x, y)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
+ /* Step 4: verify that n * Q, where n is the
+ * curve order, result in an identity element
+ *
+ * Since nettle internally cannot represent an
+ * identity element on curves, we validate this
+ * instead:
+ *
+ * (n - 1) * Q = -Q
+ *
+ * That effectively means: n * Q = -Q + Q = O
+ */
+ order =
+ get_supported_nist_curve_order(priv->curve);
+ if (unlikely(order == NULL)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(nn, order, 16);
+ if (unlikely(ret < 0)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ modulus =
+ get_supported_nist_curve_modulus
+ (priv->curve);
+ if (unlikely(modulus == NULL)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_INTERNAL_ERROR);
+ goto ecc_cleanup;
+ }
+
+ ret = mpz_set_str(mm, modulus, 16);
+ if (unlikely(ret < 0)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_MPI_SCAN_FAILED);
+ goto ecc_cleanup;
+ }
+
+ /* (n - 1) * Q = -Q */
+ mpz_sub_ui(nn, nn, 1);
+ ecc_scalar_set(&n, nn);
+ ecc_point_mul(&r, &n, &r);
+ ecc_point_get(&r, xx, yy);
+ mpz_sub(mm, mm, y);
+
+ if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+ } else {
+ not_approved = true;
+ }
+#endif
ecc_cleanup:
ecc_point_clear(&ecc_pub);
ecc_scalar_zclear(&ecc_priv);
+ ecc_fail_cleanup:
+ mpz_clear(x);
+ mpz_clear(y);
+ mpz_clear(xx);
+ mpz_clear(yy);
+ mpz_clear(nn);
+ mpz_clear(mm);
+ ecc_point_clear(&r);
+ ecc_scalar_clear(&n);
+ ecc_scalar_clear(&m);
if (ret < 0)
goto cleanup;
break;
--
GitLab
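Review bot: same traceability point for gnutls-FIPS-PCT-ECDH.patch, and two things in the dropped code are worth checking against the upstream version that replaces it. First, the comments say Steps 2 to 4 validate Q, but the code runs `ecc_point_mul(&r, &ecc_priv, &ecc_pub)` and then applies `ecc_point_set`, the (n - 1) * Q = -Q test and the coordinate comparison to r, i.e. to priv * Q, not to the peer's point; and the validation runs only after `ecc_shared_secret` has already derived with the unvalidated point. Second, the four failure paths inside `#ifdef ENABLE_FIPS140` jump to `ecc_cleanup` without `gnutls_free(out->data)`, unlike the `ecc_shared_secret` failure path directly above them, so out->data leaks on a rejected key; `struct ecc_scalar m` is also initialized and cleared but never used. If upstream's 5.6.2.3.3 implementation differs in these respects, a line in the changes file saying so would close the question.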


@ -1,7 +1,7 @@
Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.0/lib/nettle/sysrng-linux.c
--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@
get_entropy_func _rnd_get_system_entropy = NULL;
@ -15,12 +15,12 @@ Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
+/* Declare function to fix a missing-prototypes compilation warning */
+void FIPS_jent_entropy_deinit(void);
+# endif
# ifdef HAVE_GETRANDOM
# include <sys/random.h>
# else
@@ -67,6 +76,101 @@ static ssize_t _getrandom0(void *buf, si
# endif
# endif
#ifdef HAVE_GETRANDOM
#include <sys/random.h>
#else
@@ -68,6 +77,101 @@ static ssize_t _getrandom0(void *buf, si
#endif
#endif
+# if defined(ENABLE_FIPS140)
+# if defined(HAVE_JENT)
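Review bot: in this rebased hunk the context lines changed from `# ifdef HAVE_GETRANDOM` / `# include <sys/random.h>` / `# else` to `#ifdef HAVE_GETRANDOM` / `#include <sys/random.h>` / `#else`, so 3.8.1 no longer indents nested preprocessor directives, but the added lines kept the old style (`+# endif`, `+# if defined(ENABLE_FIPS140)`, `+# if defined(HAVE_JENT)`); reindent the additions to match the new context so the patched sysrng-linux.c has one style and the next rebase produces a smaller diff.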
@ -120,7 +120,7 @@ Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
static unsigned have_getrandom(void)
{
char c;
@@ -162,6 +266,24 @@ int _rnd_system_entropy_init(void)
@@ -163,6 +267,24 @@ int _rnd_system_entropy_init(void)
int urandom_fd;
#if defined(__linux__)
@ -145,7 +145,7 @@ Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
/* Enable getrandom() usage if available */
if (have_getrandom()) {
_rnd_get_system_entropy = _rnd_get_system_entropy_getrandom;
@@ -192,5 +314,12 @@ int _rnd_system_entropy_init(void)
@@ -193,5 +315,12 @@ int _rnd_system_entropy_init(void)
void _rnd_system_entropy_deinit(void)
{
/* A no-op now when we open and close /dev/urandom every time */
@ -158,11 +158,11 @@ Index: gnutls-3.8.0/lib/nettle/sysrng-linux.c
+#endif
return;
}
Index: gnutls-3.8.0/lib/nettle/Makefile.in
Index: gnutls-3.8.1/lib/nettle/Makefile.in
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.0/lib/nettle/Makefile.in
@@ -399,7 +399,7 @@ am__v_CC_1 =
--- gnutls-3.8.1.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.1/lib/nettle/Makefile.in
@@ -402,7 +402,7 @@ am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@ -171,10 +171,10 @@ Index: gnutls-3.8.0/lib/nettle/Makefile.in
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
Index: gnutls-3.8.0/lib/nettle/Makefile.am
Index: gnutls-3.8.1/lib/nettle/Makefile.am
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.0/lib/nettle/Makefile.am
--- gnutls-3.8.1.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.1/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@
include $(top_srcdir)/lib/common.mk
@ -184,10 +184,10 @@ Index: gnutls-3.8.0/lib/nettle/Makefile.am
AM_CPPFLAGS = \
-I$(srcdir)/int \
Index: gnutls-3.8.0/lib/nettle/rnd-fips.c
Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
===================================================================
--- gnutls-3.8.0.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.0/lib/nettle/rnd-fips.c
--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.1/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
@ -210,10 +210,10 @@ Index: gnutls-3.8.0/lib/nettle/rnd-fips.c
ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
Index: gnutls-3.8.0/tests/Makefile.am
Index: gnutls-3.8.1/tests/Makefile.am
===================================================================
--- gnutls-3.8.0.orig/tests/Makefile.am
+++ gnutls-3.8.0/tests/Makefile.am
--- gnutls-3.8.1.orig/tests/Makefile.am
+++ gnutls-3.8.1/tests/Makefile.am
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \


@ -0,0 +1,22 @@
Index: gnutls-3.8.1/tests/srp.c
===================================================================
--- gnutls-3.8.1.orig/tests/srp.c
+++ gnutls-3.8.1/tests/srp.c
@@ -287,7 +289,7 @@ static void start(const char *name, cons
if (child) {
int status;
/* parent */
- close(fd[0]);
+ /* close(fd[0]); */
client(fd[1], prio, user, pass, exp_err);
if (exp_err < 0) {
kill(child, SIGTERM);
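Review bot: the hunk header `@@ -287,7 +289,7 @@` has different old and new start lines for a hunk that neither adds nor removes a line, so this patch was generated from a tree that already carried an earlier edit (the second hunk shows the same +2 shift); regenerate it against a pristine gnutls-3.8.1 so the offsets are consistent. Also prefer deleting `close(fd[0]);` over leaving it as `/* close(fd[0]); */`, with the reason recorded in the patch header rather than in commented-out code.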
@@ -297,7 +299,7 @@ static void start(const char *name, cons
check_wait_status(status);
}
} else {
- close(fd[1]);
+ /* close(fd[1]); */
server(fd[0], prio);
exit(0);
}
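Review bot: with this second hunk neither process closes its unused end, so the parent and the child each hold both ends of the socketpair; a write() can then never find the peer end fully closed, which is why the SIGPIPE disappears, but a read() on either end will also block instead of returning 0 when the other process exits, so any failure path in client() or server() that relies on EOF now hangs rather than dying. If the aim is only to keep the test from being killed by the signal, `signal(SIGPIPE, SIG_IGN)` at the start of the test is the narrower fix and leaves the socket lifetimes as upstream wrote them.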


@ -1,3 +1,57 @@
-------------------------------------------------------------------
Mon Aug 21 09:33:40 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- tests: Fix the SRP test that fails with SIGPIPE signal return due
to a socket being closed before using it.
* Add gnutls-srp-test-SIGPIPE.patch
-------------------------------------------------------------------
Mon Aug 7 07:51:59 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to version 3.8.1:
* libgnutls: ClientHello extensions are randomized by default
To make fingerprinting harder, TLS extensions in ClientHello
messages are shuffled. As this behavior may cause compatibility
issue with legacy applications that do not accept the last
extension without payload, the behavior can be reverted with the
%NO_SHUFFLE_EXTENSIONS priority keyword.
* libgnutls: Add support for RFC 9258 external PSK importer.
This enables to deploy the same PSK across multiple TLS versions
(TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
needs to set up a callback that formats the PSK identity using
gnutls_psk_format_imported_identity().
* libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
%GNUTLS_NO_DEFAULT_EXTENSIONS.
* libgnutls: Add additional PBKDF limit checks in FIPS mode as
defined in SP 800-132. Minimum salt length is 128 bits and
minimum iterations bound is 1000 for PBKDF in FIPS mode.
* libgnutls: Add a mechanism to control whether to enforce extended
master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
session hash (extended master secret, EMS) in TLS 1.2. To enforce
this, a new priority keyword %FORCE_SESSION_HASH is added and if
it is set and EMS is not set, the peer aborts the connection. This
behavior is the default in FIPS mode, though it can be overridden
through the configuration file with the "tls-session-hash" option.
In either case non-EMS PRF is reported as a non-approved operation
through the FIPS service indicator.
* New option --attime to specify current time.
To make testing with different timestamp to the system easier, the
tools doing certificate verification now provide a new option
--attime, which takes an arbitrary time.
* API and ABI modifications:
gnutls_psk_client_credentials_function3: New typedef
gnutls_psk_server_credentials_function3: New typedef
gnutls_psk_set_server_credentials_function3: New function
gnutls_psk_set_client_credentials_function3: New function
gnutls_psk_format_imported_identity: New function
GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
* Rebase patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-jitterentropy.patch
* Remove patches merged/fixed upstream:
- gnutls-FIPS-PCT-DH.patch
- gnutls-FIPS-PCT-ECDH.patch
-------------------------------------------------------------------
Mon May 29 07:27:23 UTC 2023 - Pedro Monreal <pmonreal@suse.com>


@ -40,7 +40,7 @@
%endif
%bcond_with tpm
Name: gnutls
Version: 3.8.0
Version: 3.8.1
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later
@ -56,17 +56,16 @@ Source4: gnutls.rpmlintrc
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
Patch2: gnutls-disable-flaky-test-dtls-resume.patch
# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE
Patch3: gnutls-srp-test-SIGPIPE.patch
# FIPS 140-3 patches:
#PATCH-FIX-SUSE bsc#1207183 FIPS: DH/ECDH PCT public key regeneration
Patch100: gnutls-FIPS-PCT-DH.patch
Patch101: gnutls-FIPS-PCT-ECDH.patch
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch102: gnutls-FIPS-140-3-references.patch
Patch100: gnutls-FIPS-140-3-references.patch
#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
Patch101: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch104: gnutls-FIPS-jitterentropy.patch
Patch102: gnutls-FIPS-jitterentropy.patch
%endif
BuildRequires: autogen
BuildRequires: automake
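Review bot: the new `# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE` line departs from this file's own convention (`#PATCH-FIX-SUSE bsc#NNNNNN ...`, no space after `#`, followed by a bug or upstream reference); add the bug or upstream issue reference and state whether the patch was submitted upstream. Renumbering Patch100..Patch104 to Patch100..Patch102 is only safe if %prep applies the patches with %autopatch or its %patch lines are updated in the part of the spec not shown in this diff; a stale `%patch103` or `%patch104` would fail the build, so worth confirming.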