From cde47b0c9c9138c00e46113c65e356aaa9f8f296 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 21 2020 23:20:55 +0000 Subject: import gnutls-3.6.8-9.el8 --- diff --git a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch b/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch index 09092ca..ce51cad 100644 --- a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch +++ b/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch @@ -313,123 +313,6 @@ index 4fadd4161..0233e6b9f 100644 2.20.1 -From 2123049ab9b963ef0ba108ed1cb180016bd672ab Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 17 Apr 2019 17:22:40 +0200 -Subject: [PATCH 3/7] nettle/pk.c: Do not call gnutls_rnd() during self tests - -When the library state is LIB_STATE_SELFTEST, use constant data instead -of calling gnutls_rnd(). This prevents the library to block if there is -insufficient entropy during FIPS self tests. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/nettle/pk.c | 41 ++++++++++++++++++++++++++++++++++------- - 1 file changed, 34 insertions(+), 7 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 08117c2d8..64633cc73 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -60,6 +60,33 @@ - static inline const struct ecc_curve *get_supported_nist_curve(int curve); - static inline const struct ecc_curve *get_supported_gost_curve(int curve); - -+/* Fill the buffer with data for testing purposes. -+ * This should be called only during self tests. -+ */ -+static int _pk_fill_buffer(void *buffer, size_t length) -+{ -+ if (_gnutls_get_lib_state() != LIB_STATE_SELFTEST) { -+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); -+ } -+ -+ memset(buffer, 0xAA, length); -+ -+ return 0; -+} -+ -+static int _pk_rnd(gnutls_rnd_level_t level, void *data, size_t len) -+{ -+ int ret; -+ -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) { -+ ret = _pk_fill_buffer(data, len); -+ } else { -+ ret = gnutls_rnd(level, data, len); -+ } -+ -+ return ret; -+} -+ - /* When these callbacks are used for a nettle operation, the - * caller must check the macro HAVE_LIB_ERROR() after the operation - * is complete. If the macro is true, the operation is to be considered -@@ -67,21 +94,21 @@ static inline const struct ecc_curve *get_supported_gost_curve(int curve); - */ - static void rnd_key_func(void *_ctx, size_t length, uint8_t * data) - { -- if (gnutls_rnd(GNUTLS_RND_KEY, data, length) < 0) { -+ if (_pk_rnd(GNUTLS_RND_KEY, data, length) < 0) { - _gnutls_switch_lib_state(LIB_STATE_ERROR); - } - } - - static void rnd_tmpkey_func(void *_ctx, size_t length, uint8_t * data) - { -- if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) { -+ if (_pk_rnd(GNUTLS_RND_RANDOM, data, length) < 0) { - _gnutls_switch_lib_state(LIB_STATE_ERROR); - } - } - - static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data) - { -- if (gnutls_rnd(GNUTLS_RND_NONCE, data, length) < 0) { -+ if (_pk_rnd(GNUTLS_RND_NONCE, data, length) < 0) { - _gnutls_switch_lib_state(LIB_STATE_ERROR); - } - } -@@ -650,7 +677,7 @@ _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig, - if (salt == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - -- ret = gnutls_rnd(GNUTLS_RND_NONCE, salt, salt_size); -+ ret = _pk_rnd(GNUTLS_RND_NONCE, salt, salt_size); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -@@ -1732,7 +1759,7 @@ gnutls_x509_spki_st spki; - - _gnutls_dsa_q_to_hash(params, &hash_len); - gen_data = gnutls_malloc(hash_len); -- gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len); -+ _pk_rnd(GNUTLS_RND_NONCE, gen_data, hash_len); - - ddata.data = (void*)gen_data; - ddata.size = hash_len; -@@ -2101,7 +2128,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, - goto fail; - } - -- ret = gnutls_rnd(rnd_level, params->raw_priv.data, size); -+ ret = _pk_rnd(rnd_level, params->raw_priv.data, size); - if (ret < 0) { - ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - goto fail; -@@ -2240,7 +2267,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, - goto fail; - } - -- ret = gnutls_rnd(rnd_level, params->raw_priv.data, size); -+ ret = _pk_rnd(rnd_level, params->raw_priv.data, size); - if (ret < 0) { - ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - goto fail; --- -2.20.1 - - From db2b308fdbe98420b722eaf678c1a911bc51b0a5 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 18 Apr 2019 17:22:18 +0200 @@ -843,4 +726,3 @@ index fc8ee2525..3d665b723 100644 #if ENABLE_GOST -- 2.20.1 - diff --git a/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch new file mode 100644 index 0000000..8ed9aa6 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch @@ -0,0 +1,1296 @@ +From 38c8dc4317296624cba5b2c8ddba6e9047048180 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 1 Aug 2019 17:41:45 +0200 +Subject: [PATCH 1/3] iov: add iterator interface for giovec_t + +This adds an iterator interface over giovec_t array, extracting a +fixed sized block. + +Signed-off-by: Daiki Ueno +--- + .gitignore | 1 + + lib/Makefile.am | 3 +- + lib/iov.c | 120 ++++++++++++++++++++++++++++++++ + lib/iov.h | 46 +++++++++++++ + lib/libgnutls.map | 3 + + tests/Makefile.am | 6 +- + tests/iov.c | 170 ++++++++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 347 insertions(+), 2 deletions(-) + create mode 100644 lib/iov.c + create mode 100644 lib/iov.h + create mode 100644 tests/iov.c + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index ffc72e4c2..9fe78afbd 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -80,7 +80,8 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls + system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \ + cert-session.c handshake-checks.c dtls-sw.c dh-primes.c openpgp_compat.c \ + crypto-selftests.c crypto-selftests-pk.c secrets.c extv.c extv.h \ +- hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c ++ hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c \ ++ iov.c iov.h + + if WINDOWS + COBJECTS += system/keys-win.c +diff --git a/lib/iov.c b/lib/iov.c +new file mode 100644 +index 000000000..5dc29c54b +--- /dev/null ++++ b/lib/iov.c +@@ -0,0 +1,120 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * The GnuTLS is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#include "gnutls_int.h" ++#include "iov.h" ++ ++/** ++ * _gnutls_iov_iter_init: ++ * @iter: the iterator ++ * @iov: the data buffers ++ * @iov_count: the number of data buffers ++ * @block_size: block size to iterate ++ * ++ * Initialize the iterator. ++ * ++ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise ++ * an error code is returned ++ */ ++int ++_gnutls_iov_iter_init(struct iov_iter_st *iter, ++ const giovec_t *iov, size_t iov_count, ++ size_t block_size) ++{ ++ if (unlikely(block_size > MAX_CIPHER_BLOCK_SIZE)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ iter->iov = iov; ++ iter->iov_count = iov_count; ++ iter->iov_index = 0; ++ iter->iov_offset = 0; ++ iter->block_size = block_size; ++ iter->block_offset = 0; ++ return 0; ++} ++ ++/** ++ * _gnutls_iov_iter_next: ++ * @iter: the iterator ++ * @data: the return location of extracted data ++ * ++ * Retrieve block(s) pointed by @iter and advance it to the next ++ * position. It returns the number of consecutive blocks in @data. ++ * At the end of iteration, 0 is returned. ++ * ++ * If the data stored in @iter is not multiple of the block size, the ++ * remaining data is stored in the "block" field of @iter with the ++ * size stored in the "block_offset" field. ++ * ++ * Returns: On success, a value greater than or equal to zero is ++ * returned, otherwise a negative error code is returned ++ */ ++ssize_t ++_gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) ++{ ++ while (iter->iov_index < iter->iov_count) { ++ const giovec_t *iov = &iter->iov[iter->iov_index]; ++ uint8_t *p = iov->iov_base; ++ size_t len = iov->iov_len; ++ size_t block_left; ++ ++ if (unlikely(len < iter->iov_offset)) ++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ len -= iter->iov_offset; ++ p += iter->iov_offset; ++ ++ /* We have at least one full block, return a whole set ++ * of full blocks immediately. */ ++ if (iter->block_offset == 0 && len >= iter->block_size) { ++ if ((len % iter->block_size) == 0) { ++ iter->iov_index++; ++ iter->iov_offset = 0; ++ } else ++ iter->iov_offset += ++ len - (len % iter->block_size); ++ ++ /* Return the blocks. */ ++ *data = p; ++ return len / iter->block_size; ++ } ++ ++ /* We can complete one full block to return. */ ++ block_left = iter->block_size - iter->block_offset; ++ if (len >= block_left) { ++ memcpy(iter->block + iter->block_offset, p, block_left); ++ iter->iov_offset += block_left; ++ iter->block_offset = 0; ++ ++ /* Return the filled block. */ ++ *data = iter->block; ++ return 1; ++ } ++ ++ /* Not enough data for a full block, store in temp ++ * memory and continue. */ ++ memcpy(iter->block + iter->block_offset, p, len); ++ iter->block_offset += len; ++ iter->iov_index++; ++ iter->iov_offset = 0; ++ } ++ return 0; ++} +diff --git a/lib/iov.h b/lib/iov.h +new file mode 100644 +index 000000000..47fba559a +--- /dev/null ++++ b/lib/iov.h +@@ -0,0 +1,46 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * The GnuTLS is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_IOV_H ++#define GNUTLS_LIB_IOV_H ++ ++#include "gnutls_int.h" ++ ++struct iov_iter_st { ++ const giovec_t *iov; ++ size_t iov_count; /* the number of iov */ ++ size_t iov_index; /* index of the current buffer */ ++ size_t iov_offset; /* byte offset in the current buffer */ ++ ++ uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */ ++ size_t block_size; /* actual block size of the cipher */ ++ size_t block_offset; /* offset in block */ ++ ++}; ++ ++int _gnutls_iov_iter_init(struct iov_iter_st *iter, ++ const giovec_t *iov, size_t iov_count, ++ size_t block_size); ++ ++ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data); ++ ++#endif /* GNUTLS_LIB_IOV_H */ +diff --git a/lib/libgnutls.map b/lib/libgnutls.map +index 0f31f4aef..fc93c0857 100644 +--- a/lib/libgnutls.map ++++ b/lib/libgnutls.map +@@ -1374,4 +1374,7 @@ GNUTLS_PRIVATE_3_4 { + _gnutls_global_set_gettime_function; + # Internal symbols needed by tests/tls13/anti_replay.c + _gnutls_anti_replay_check; ++ # needed by tests/iov: ++ _gnutls_iov_iter_init; ++ _gnutls_iov_iter_next; + } GNUTLS_3_4; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index a8c2d152e..a2883570f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm + null_retrieve_function tls-record-size-limit tls-crt_type-neg \ + resume-with-stek-expiration resume-with-previous-stek rawpk-api \ + tls-record-size-limit-asym dh-compute ecdh-compute \ +- sign-verify-deterministic ++ sign-verify-deterministic iov + + if HAVE_SECCOMP_TESTS + ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp +@@ -460,6 +460,10 @@ tls13_anti_replay_CPPFLAGS = $(AM_CPPFLAGS) \ + -I$(top_builddir)/gl \ + $(NETTLE_CFLAGS) + ++iov_CPPFLAGS = $(AM_CPPFLAGS) \ ++ -I$(top_srcdir)/gl \ ++ -I$(top_builddir)/gl ++ + if ENABLE_PKCS11 + if !WINDOWS + ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key +diff --git a/tests/iov.c b/tests/iov.c +new file mode 100644 +index 000000000..eda5583a7 +--- /dev/null ++++ b/tests/iov.c +@@ -0,0 +1,170 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include "gnutls_int.h" ++#include "../lib/iov.h" ++ ++#include "utils.h" ++ ++struct exp_st { ++ ssize_t ret; ++ size_t iov_index; ++ size_t iov_offset; ++ size_t block_offset; ++}; ++ ++struct test_st { ++ const char *name; ++ const giovec_t *iov; ++ size_t iovcnt; ++ size_t block_size; ++ const struct exp_st *exp; ++ size_t expcnt; ++ size_t remaining; ++}; ++ ++static const giovec_t iov16[] = { ++ {(void *) "0123456789abcdef", 16}, ++ {(void *) "0123456789abcdef", 16}, ++ {(void *) "0123456789abcdef", 16}, ++ {(void *) "0123456789abcdef", 16} ++}; ++ ++static const struct exp_st exp16_64[] = { ++ {1, 3, 16, 0}, ++ {0, 0, 0, 0} ++}; ++ ++static const struct exp_st exp16_32[] = { ++ {1, 1, 16, 0}, ++ {1, 3, 16, 0}, ++ {0, 0, 0, 0} ++}; ++ ++static const struct exp_st exp16_16[] = { ++ {1, 1, 0, 0}, ++ {1, 2, 0, 0}, ++ {1, 3, 0, 0}, ++ {1, 4, 0, 0}, ++ {0, 0, 0, 0} ++}; ++ ++static const struct exp_st exp16_4[] = { ++ {4, 1, 0, 0}, ++ {4, 2, 0, 0}, ++ {4, 3, 0, 0}, ++ {4, 4, 0, 0}, ++ {0, 0, 0, 0} ++}; ++ ++static const struct exp_st exp16_3[] = { ++ {5, 0, 15, 0}, ++ {1, 1, 2, 0}, ++ {4, 1, 14, 0}, ++ {1, 2, 1, 0}, ++ {5, 3, 0, 0}, ++ {5, 3, 15, 0}, ++ {0, 0, 0, 1} ++}; ++ ++static const giovec_t iov8[] = { ++ {(void *) "01234567", 8}, ++ {(void *) "01234567", 8}, ++ {(void *) "01234567", 8}, ++ {(void *) "01234567", 8} ++}; ++ ++static const struct exp_st exp8_64[] = { ++ {0, 0, 0, 32} ++}; ++ ++static const struct test_st tests[] = { ++ { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64, ++ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 }, ++ { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32, ++ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 }, ++ { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16, ++ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 }, ++ { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4, ++ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 }, ++ { "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3, ++ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 }, ++ { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64, ++ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 } ++}; ++ ++void ++doit (void) ++{ ++ size_t i; ++ ++ for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { ++ struct iov_iter_st iter; ++ const struct exp_st *exp = tests[i].exp; ++ uint8_t *data; ++ size_t j; ++ ++ success("%s\n", tests[i].name); ++ assert(_gnutls_iov_iter_init(&iter, ++ tests[i].iov, tests[i].iovcnt, ++ tests[i].block_size) == 0); ++ for (j = 0; j < tests[i].expcnt; j++) { ++ ssize_t ret; ++ ++ ret = _gnutls_iov_iter_next(&iter, &data); ++ if (ret != exp[j].ret) ++ fail("iov_iter_next: %d != %d\n", ++ (int) ret, (int) exp[j].ret); ++ else if (debug) ++ success("iov_iter_next: %d == %d\n", ++ (int) ret, (int) exp[j].ret); ++ if (ret == 0) ++ break; ++ if (ret > 0) { ++ if (iter.iov_index != exp[j].iov_index) ++ fail("iter.iov_index: %u != %u\n", ++ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index); ++ else if (debug) ++ success("iter.iov_index: %u == %u\n", ++ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index); ++ if (iter.iov_offset != exp[j].iov_offset) ++ fail("iter.iov_offset: %u != %u\n", ++ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); ++ else if (debug) ++ success("iter.iov_offset: %u == %u\n", ++ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); ++ if (iter.block_offset != exp[j].block_offset) ++ fail("iter.block_offset: %u != %u\n", ++ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); ++ else if (debug) ++ success("iter.block_offset: %u == %u\n", ++ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); ++ } ++ } ++ if (iter.block_offset != tests[i].remaining) ++ fail("remaining: %u != %u\n", ++ (unsigned) iter.block_offset, (unsigned) tests[i].remaining); ++ } ++} +-- +2.21.0 + + +From 9ca7a2b42168d356126e306e25211d43ea3c2e7d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 1 Aug 2019 18:13:38 +0200 +Subject: [PATCH 2/3] crypto-api: use giovec_t iterator interface for + aead_encryptv + +This replaces the macros AUTH_UPDATE and ENCRYPT used in +gnutls_aead_cipher_encryptv() with the iov_iter interface. + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 167 ++++++++++++++++------------------------------- + 1 file changed, 57 insertions(+), 110 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 8af3f3b7d..70107fed0 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -31,6 +31,7 @@ + #include + #include + #include "crypto-api.h" ++#include "iov.h" + + typedef struct api_cipher_hd_st { + cipher_hd_st ctx_enc; +@@ -916,98 +917,6 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + } + } + +-#define AUTH_UPDATE_FINAL(ctx) do { \ +- if (index) { \ +- ret = _gnutls_cipher_auth(ctx, cache, index); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- } \ +- } while(0) +- +-#define AUTH_UPDATE(ctx, data, length) do { \ +- if (index) { \ +- ssize_t left = blocksize - index; \ +- if (length < left) { \ +- memcpy(cache+index, data, \ +- length); \ +- index += length; \ +- goto __update_done; \ +- } else { \ +- memcpy(cache+index, data, left); \ +- ret = _gnutls_cipher_auth(ctx, cache, blocksize); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- data += left; \ +- length -= left; \ +- } \ +- } \ +- if (length >= blocksize) { \ +- ssize_t to_proc = (length/blocksize)*blocksize; \ +- ret = _gnutls_cipher_auth(ctx, data, to_proc); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- data += to_proc; \ +- length -= to_proc; \ +- } \ +- if (length) \ +- memcpy(cache, data, length); \ +- index = length; \ +- __update_done: \ +- ; \ +- } while(0) +- +-#define ENCRYPT_FINAL(ctx, dst, dst_size) do { \ +- if (index) { \ +- if (unlikely(dst_size < (ssize_t)index)) \ +- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ +- ret = _gnutls_cipher_encrypt2(ctx, cache, index, dst, dst_size); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- dst += index; \ +- dst_size -= index; \ +- } \ +- } while(0) +- +-#define ENCRYPT(ctx, data, length, dst, dst_size) do { \ +- if (index) { \ +- ssize_t left = blocksize - index; \ +- if (length < left) { \ +- memcpy(cache+index, data, \ +- length); \ +- index += length; \ +- goto __encrypt_done; \ +- } else { \ +- if (unlikely(dst_size < blocksize)) \ +- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ +- memcpy(cache+index, data, left); \ +- ret = _gnutls_cipher_encrypt2(ctx, cache, blocksize, dst, dst_size); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- data += left; \ +- length -= left; \ +- dst += blocksize; \ +- dst_size -= blocksize; \ +- } \ +- } \ +- if (length >= blocksize) { \ +- ssize_t to_proc = (length/blocksize)*blocksize; \ +- if (unlikely(dst_size < to_proc)) \ +- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ +- ret = _gnutls_cipher_encrypt2(ctx, data, to_proc, dst, dst_size); \ +- if (unlikely(ret < 0)) \ +- return gnutls_assert_val(ret); \ +- data += to_proc; \ +- length -= to_proc; \ +- dst += to_proc; \ +- dst_size -= to_proc; \ +- } \ +- if (length) \ +- memcpy(cache, data, length); \ +- index = length; \ +- __encrypt_done: \ +- ; \ +- } while(0) +- + + /** + * gnutls_aead_cipher_encryptv: +@@ -1039,14 +948,13 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + void *ctext, size_t *ctext_len) + { + api_aead_cipher_hd_st *h = handle; +- int ret; ++ ssize_t ret; + uint8_t *dst; +- ssize_t dst_size, total = 0, len; ++ ssize_t dst_size, total = 0; + uint8_t *p; +- unsigned i; +- uint8_t cache[MAX_CIPHER_BLOCK_SIZE]; +- unsigned index; + ssize_t blocksize = handle->ctx_enc.e->blocksize; ++ struct iov_iter_st iter; ++ size_t blocks; + + /* Limitation: this function provides an optimization under the internally registered + * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), +@@ -1088,25 +996,64 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + +- index = 0; +- for (i = 0; i < (unsigned)auth_iovcnt; i++) { +- p = auth_iov[i].iov_base; +- len = auth_iov[i].iov_len; +- AUTH_UPDATE(&handle->ctx_enc, p, len); ++ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ++ blocksize * blocks); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ if (iter.block_offset > 0) { ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, ++ iter.block, iter.block_offset); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); + } +- AUTH_UPDATE_FINAL(&handle->ctx_enc); + + dst = ctext; + dst_size = *ctext_len; + +- index = 0; +- for (i = 0; i < (unsigned)iovcnt; i++) { +- p = iov[i].iov_base; +- len = iov[i].iov_len; +- ENCRYPT(&handle->ctx_enc, p, len, dst, dst_size); +- total += iov[i].iov_len; ++ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ if (unlikely((size_t) dst_size < blocksize * blocks)) ++ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ++ blocksize * blocks, ++ dst, dst_size); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ DECR_LEN(dst_size, blocksize * blocks); ++ dst += blocksize * blocks; ++ total += blocksize * blocks; ++ } ++ if (iter.block_offset > 0) { ++ if (unlikely((size_t) dst_size < iter.block_offset)) ++ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, ++ iter.block, iter.block_offset, ++ dst, dst_size); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ DECR_LEN(dst_size, iter.block_offset); ++ dst += iter.block_offset; ++ total += iter.block_offset; + } +- ENCRYPT_FINAL(&handle->ctx_enc, dst, dst_size); + + if ((size_t)dst_size < tag_size) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); +-- +2.21.0 + + +From d230011cdbbe55f429b43d818c75c8f6687cbc78 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 2 Aug 2019 07:40:44 +0200 +Subject: [PATCH 3/3] crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 + +This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and +gnutls_aead_cipher_decrypt(), that works on data buffers. + +Signed-off-by: Daiki Ueno +--- + .gitignore | 1 + + NEWS | 7 + + devel/libgnutls-latest-x86_64.abi | 26 +++ + devel/symbols.last | 3 + + doc/Makefile.am | 4 + + doc/manpages/Makefile.am | 2 + + lib/crypto-api.c | 356 +++++++++++++++++++++++++++++- + lib/includes/gnutls/crypto.h | 14 ++ + lib/libgnutls.map | 7 + + tests/Makefile.am | 2 +- + tests/aead-cipher-vec.c | 123 +++++++++++ + 11 files changed, 541 insertions(+), 4 deletions(-) + create mode 100644 tests/aead-cipher-vec.c + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 6d21d7482..add63c23d 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -635,12 +635,16 @@ FUNCS += functions/dane_verify_session_crt + FUNCS += functions/dane_verify_session_crt.short + FUNCS += functions/gnutls_aead_cipher_decrypt + FUNCS += functions/gnutls_aead_cipher_decrypt.short ++FUNCS += functions/gnutls_aead_cipher_decryptv2 ++FUNCS += functions/gnutls_aead_cipher_decryptv2.short + FUNCS += functions/gnutls_aead_cipher_deinit + FUNCS += functions/gnutls_aead_cipher_deinit.short + FUNCS += functions/gnutls_aead_cipher_encrypt + FUNCS += functions/gnutls_aead_cipher_encrypt.short + FUNCS += functions/gnutls_aead_cipher_encryptv + FUNCS += functions/gnutls_aead_cipher_encryptv.short ++FUNCS += functions/gnutls_aead_cipher_encryptv2 ++FUNCS += functions/gnutls_aead_cipher_encryptv2.short + FUNCS += functions/gnutls_aead_cipher_init + FUNCS += functions/gnutls_aead_cipher_init.short + FUNCS += functions/gnutls_alert_get +diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am +index d06c18013..ee855adf3 100644 +--- a/doc/manpages/Makefile.am ++++ b/doc/manpages/Makefile.am +@@ -119,9 +119,11 @@ APIMANS += dane_verify_crt.3 + APIMANS += dane_verify_crt_raw.3 + APIMANS += dane_verify_session_crt.3 + APIMANS += gnutls_aead_cipher_decrypt.3 ++APIMANS += gnutls_aead_cipher_decryptv2.3 + APIMANS += gnutls_aead_cipher_deinit.3 + APIMANS += gnutls_aead_cipher_encrypt.3 + APIMANS += gnutls_aead_cipher_encryptv.3 ++APIMANS += gnutls_aead_cipher_encryptv2.3 + APIMANS += gnutls_aead_cipher_init.3 + APIMANS += gnutls_alert_get.3 + APIMANS += gnutls_alert_get_name.3 +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 70107fed0..2834c0199 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -885,7 +885,26 @@ static void iov_store_free(struct iov_store_st *s) + } + } + +-static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) ++static int iov_store_grow(struct iov_store_st *s, size_t length) ++{ ++ if (s->allocated || s->data == NULL) { ++ s->size += length; ++ s->data = gnutls_realloc(s->data, s->size); ++ if (s->data == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ s->allocated = 1; ++ } else { ++ void *data = s->data; ++ size_t size = s->size + length; ++ s->data = gnutls_malloc(size); ++ memcpy(s->data, data, s->size); ++ s->size += length; ++ } ++ return 0; ++} ++ ++static int ++copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + { + memset(dst, 0, sizeof(*dst)); + if (iovcnt == 0) { +@@ -917,6 +936,27 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + } + } + ++static int ++copy_to_iov(struct iov_store_st *src, size_t size, ++ const giovec_t *iov, int iovcnt) ++{ ++ size_t offset = 0; ++ int i; ++ ++ if (unlikely(src->size < size)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ for (i = 0; i < iovcnt && size > 0; i++) { ++ size_t to_copy = MIN(size, iov[i].iov_len); ++ memcpy(iov[i].iov_base, (uint8_t *) src->data + offset, to_copy); ++ offset += to_copy; ++ size -= to_copy; ++ } ++ if (size > 0) ++ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); ++ return 0; ++} ++ + + /** + * gnutls_aead_cipher_encryptv: +@@ -971,11 +1011,11 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + struct iov_store_st auth; + struct iov_store_st ptext; + +- ret = copy_iov(&auth, auth_iov, auth_iovcnt); ++ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt); + if (ret < 0) + return gnutls_assert_val(ret); + +- ret = copy_iov(&ptext, iov, iovcnt); ++ ret = copy_from_iov(&ptext, iov, iovcnt); + if (ret < 0) { + iov_store_free(&auth); + return gnutls_assert_val(ret); +@@ -1066,6 +1106,316 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + return 0; + } + ++/** ++ * gnutls_aead_cipher_encryptv2: ++ * @handle: is a #gnutls_aead_cipher_hd_t type. ++ * @nonce: the nonce to set ++ * @nonce_len: The length of the nonce ++ * @auth_iov: additional data to be authenticated ++ * @auth_iovcnt: The number of buffers in @auth_iov ++ * @iov: the data to be encrypted ++ * @iovcnt: The number of buffers in @iov ++ * @tag: The authentication tag ++ * @tag_size: The size of the tag to use (use zero for the default) ++ * ++ * This is similar to gnutls_aead_cipher_encrypt(), but it performs ++ * in-place encryption on the provided data buffers. ++ * ++ * Returns: Zero or a negative error code on error. ++ * ++ * Since: 3.6.10 ++ **/ ++int ++gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, ++ const void *nonce, size_t nonce_len, ++ const giovec_t *auth_iov, int auth_iovcnt, ++ const giovec_t *iov, int iovcnt, ++ void *tag, size_t *tag_size) ++{ ++ api_aead_cipher_hd_st *h = handle; ++ ssize_t ret; ++ uint8_t *p; ++ ssize_t blocksize = handle->ctx_enc.e->blocksize; ++ struct iov_iter_st iter; ++ size_t blocks; ++ size_t _tag_size; ++ ++ if (tag_size == NULL || *tag_size == 0) ++ _tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e); ++ else ++ _tag_size = *tag_size; ++ ++ if (_tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ /* Limitation: this function provides an optimization under the internally registered ++ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), ++ * then this becomes a convenience function as it missed the lower-level primitives ++ * necessary for piecemeal encryption. */ ++ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) { ++ /* ciphertext cannot be produced in a piecemeal approach */ ++ struct iov_store_st auth; ++ struct iov_store_st ptext; ++ size_t ptext_size; ++ ++ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ ret = copy_from_iov(&ptext, iov, iovcnt); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ ptext_size = ptext.size; ++ ++ /* append space for tag */ ++ ret = iov_store_grow(&ptext, _tag_size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ ret = gnutls_aead_cipher_encrypt(handle, nonce, nonce_len, ++ auth.data, auth.size, ++ _tag_size, ++ ptext.data, ptext_size, ++ ptext.data, &ptext.size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ ret = copy_to_iov(&ptext, ptext_size, iov, iovcnt); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ if (tag != NULL) ++ memcpy(tag, ++ (uint8_t *) ptext.data + ptext_size, ++ _tag_size); ++ if (tag_size != NULL) ++ *tag_size = _tag_size; ++ ++ fallback_fail: ++ iov_store_free(&auth); ++ iov_store_free(&ptext); ++ ++ return ret; ++ } ++ ++ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ ++ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ++ blocksize * blocks); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ if (iter.block_offset > 0) { ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, ++ iter.block, iter.block_offset); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ ++ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, ++ p, blocksize * blocks, ++ p, blocksize * blocks); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ if (iter.block_offset > 0) { ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, ++ iter.block, iter.block_offset, ++ iter.block, iter.block_offset); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ ++ if (tag != NULL) ++ _gnutls_cipher_tag(&handle->ctx_enc, tag, _tag_size); ++ if (tag_size != NULL) ++ *tag_size = _tag_size; ++ ++ return 0; ++} ++ ++/** ++ * gnutls_aead_cipher_decryptv2: ++ * @handle: is a #gnutls_aead_cipher_hd_t type. ++ * @nonce: the nonce to set ++ * @nonce_len: The length of the nonce ++ * @auth_iov: additional data to be authenticated ++ * @auth_iovcnt: The number of buffers in @auth_iov ++ * @iov: the data to decrypt ++ * @iovcnt: The number of buffers in @iov ++ * @tag: The authentication tag ++ * @tag_size: The size of the tag to use (use zero for the default) ++ * ++ * This is similar to gnutls_aead_cipher_decrypt(), but it performs ++ * in-place encryption on the provided data buffers. ++ * ++ * Returns: Zero or a negative error code on error. ++ * ++ * Since: 3.6.10 ++ **/ ++int ++gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, ++ const void *nonce, size_t nonce_len, ++ const giovec_t *auth_iov, int auth_iovcnt, ++ const giovec_t *iov, int iovcnt, ++ void *tag, size_t tag_size) ++{ ++ api_aead_cipher_hd_st *h = handle; ++ ssize_t ret; ++ uint8_t *p; ++ ssize_t blocksize = handle->ctx_enc.e->blocksize; ++ struct iov_iter_st iter; ++ size_t blocks; ++ uint8_t _tag[MAX_HASH_SIZE]; ++ ++ if (tag_size == 0) ++ tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e); ++ else if (tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ /* Limitation: this function provides an optimization under the internally registered ++ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), ++ * then this becomes a convenience function as it missed the lower-level primitives ++ * necessary for piecemeal encryption. */ ++ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) { ++ /* ciphertext cannot be produced in a piecemeal approach */ ++ struct iov_store_st auth; ++ struct iov_store_st ctext; ++ size_t ctext_size; ++ ++ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ ret = copy_from_iov(&ctext, iov, iovcnt); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ ctext_size = ctext.size; ++ ++ /* append tag */ ++ ret = iov_store_grow(&ctext, tag_size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ memcpy((uint8_t *) ctext.data + ctext_size, tag, tag_size); ++ ++ ret = gnutls_aead_cipher_decrypt(handle, nonce, nonce_len, ++ auth.data, auth.size, ++ tag_size, ++ ctext.data, ctext.size, ++ ctext.data, &ctext_size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ ret = copy_to_iov(&ctext, ctext_size, iov, iovcnt); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto fallback_fail; ++ } ++ ++ fallback_fail: ++ iov_store_free(&auth); ++ iov_store_free(&ctext); ++ ++ return ret; ++ } ++ ++ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ ++ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ++ blocksize * blocks); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ if (iter.block_offset > 0) { ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, ++ iter.block, iter.block_offset); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ ++ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ while (1) { ++ ret = _gnutls_iov_iter_next(&iter, &p); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ if (ret == 0) ++ break; ++ blocks = ret; ++ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, ++ p, blocksize * blocks, ++ p, blocksize * blocks); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ if (iter.block_offset > 0) { ++ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, ++ iter.block, iter.block_offset, ++ iter.block, iter.block_offset); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ } ++ ++ if (tag != NULL) { ++ _gnutls_cipher_tag(&handle->ctx_enc, _tag, tag_size); ++ if (gnutls_memcmp(_tag, tag, tag_size) != 0) ++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); ++ } ++ ++ return 0; ++} ++ + /** + * gnutls_aead_cipher_deinit: + * @handle: is a #gnutls_aead_cipher_hd_t type. +diff --git a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h +index d2b8cae8f..4d4926c86 100644 +--- a/lib/includes/gnutls/crypto.h ++++ b/lib/includes/gnutls/crypto.h +@@ -92,6 +92,20 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + const giovec_t *iov, int iovcnt, + void *ctext, size_t *ctext_len); + ++int ++gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, ++ const void *nonce, size_t nonce_len, ++ const giovec_t *auth_iov, int auth_iovcnt, ++ const giovec_t *iov, int iovcnt, ++ void *tag, size_t *tag_size); ++ ++int ++gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, ++ const void *nonce, size_t nonce_len, ++ const giovec_t *auth_iov, int auth_iovcnt, ++ const giovec_t *iov, int iovcnt, ++ void *tag, size_t tag_size); ++ + void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle); + + /* Hash - MAC API */ +diff --git a/lib/libgnutls.map b/lib/libgnutls.map +index fc93c0857..f83a21e9b 100644 +--- a/lib/libgnutls.map ++++ b/lib/libgnutls.map +@@ -1286,6 +1286,13 @@ GNUTLS_3_6_8 + gnutls_ffdhe_8192_group_q; + } GNUTLS_3_6_6; + ++GNUTLS_3_6_10 ++{ ++ global: ++ gnutls_aead_cipher_encryptv2; ++ gnutls_aead_cipher_decryptv2; ++} GNUTLS_3_6_8; ++ + GNUTLS_FIPS140_3_4 { + global: + gnutls_cipher_self_test; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index a2883570f..075c2728f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm + null_retrieve_function tls-record-size-limit tls-crt_type-neg \ + resume-with-stek-expiration resume-with-previous-stek rawpk-api \ + tls-record-size-limit-asym dh-compute ecdh-compute \ +- sign-verify-deterministic iov ++ sign-verify-deterministic iov aead-cipher-vec + + if HAVE_SECCOMP_TESTS + ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +new file mode 100644 +index 000000000..6c2542cf1 +--- /dev/null ++++ b/tests/aead-cipher-vec.c +@@ -0,0 +1,123 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++ ++#include ++#include ++#include ++#include "utils.h" ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "<%d>| %s", level, str); ++} ++ ++/* Test whether gnutls_aead_cipher_{en,de}crypt_vec works */ ++static void start(const char *name, int algo) ++{ ++ int ret; ++ gnutls_aead_cipher_hd_t ch; ++ uint8_t key16[64]; ++ uint8_t iv16[32]; ++ uint8_t auth[128]; ++ uint8_t data[128+64]; ++ gnutls_datum_t key, iv; ++ giovec_t iov[2]; ++ giovec_t auth_iov[2]; ++ uint8_t tag[64]; ++ size_t tag_size = 0; ++ ++ key.data = key16; ++ key.size = gnutls_cipher_get_key_size(algo); ++ assert(key.size <= sizeof(key16)); ++ ++ iv.data = iv16; ++ iv.size = gnutls_cipher_get_iv_size(algo); ++ assert(iv.size <= sizeof(iv16)); ++ ++ memset(iv.data, 0xff, iv.size); ++ memset(key.data, 0xfe, key.size); ++ memset(data, 0xfa, 128); ++ memset(auth, 0xaa, sizeof(auth)); ++ ++ iov[0].iov_base = data; ++ iov[0].iov_len = 64; ++ iov[1].iov_base = data + 64; ++ iov[1].iov_len = 64; ++ ++ auth_iov[0].iov_base = auth; ++ auth_iov[0].iov_len = 64; ++ auth_iov[1].iov_base = auth + 64; ++ auth_iov[1].iov_len = 64; ++ ++ success("trying %s\n", name); ++ ++ ret = ++ gnutls_aead_cipher_init(&ch, algo, &key); ++ if (ret < 0) ++ fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_encryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, 2, ++ tag, &tag_size); ++ if (ret < 0) ++ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_decryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, 2, ++ tag, tag_size); ++ if (ret < 0) ++ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ ++ gnutls_aead_cipher_deinit(ch); ++} ++ ++void ++doit(void) ++{ ++ int ret; ++ ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ ret = global_init(); ++ if (ret < 0) { ++ fail("Cannot initialize library\n"); /*errcode 1 */ ++ } ++ ++ start("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM); ++ start("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM); ++ start("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM); ++ if (!gnutls_fips140_mode_enabled()) ++ start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305); ++ ++ gnutls_global_deinit(); ++} +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-decr-len.patch b/SOURCES/gnutls-3.6.8-decr-len.patch new file mode 100644 index 0000000..30272a1 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-decr-len.patch @@ -0,0 +1,687 @@ +From e0fe31f1fc2ba13ada1d6bc35231847b75be4ee9 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 8 Aug 2019 18:02:08 +0200 +Subject: [PATCH 1/2] gnutls_int.h: make DECR_LEN neutral to signedness + +DECR_LEN was previously implemented in a way that it first decrements +the given length and then checks whether the result is negative. This +requires the caller to properly coerce the length argument to a signed +integer, before invoking the macro. + +Signed-off-by: Daiki Ueno +--- + lib/gnutls_int.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index 179d71b4a..7f7b6a7c9 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -256,14 +256,15 @@ typedef enum record_send_state_t { + + #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) + +-#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) ++#define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH) + #define DECR_LEN_FINAL(len, x) do { \ +- len-=x; \ +- if (len != 0) \ ++ if (len != x) \ + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \ ++ else \ ++ len = 0; \ + } while (0) +-#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0) +-#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0) ++#define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET) ++#define DECR_LENGTH_COM(len, x, COM) do { if (len +Date: Thu, 8 Aug 2019 18:04:18 +0200 +Subject: [PATCH 2/2] lib/*: remove unnecessary cast to ssize_t + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 10 +++++----- + lib/ext/alpn.c | 3 +-- + lib/ext/client_cert_type.c | 9 ++++----- + lib/ext/cookie.c | 5 ++--- + lib/ext/ec_point_formats.c | 7 +++---- + lib/ext/key_share.c | 5 ++--- + lib/ext/max_record.c | 3 +-- + lib/ext/psk_ke_modes.c | 3 +-- + lib/ext/record_size_limit.c | 3 +-- + lib/ext/safe_renegotiation.c | 3 +-- + lib/ext/server_cert_type.c | 9 ++++----- + lib/ext/server_name.c | 3 +-- + lib/ext/session_ticket.c | 5 ++--- + lib/ext/signature.c | 3 +-- + lib/ext/srp.c | 3 +-- + lib/ext/srtp.c | 5 ++--- + lib/ext/status_request.c | 3 +-- + lib/ext/supported_groups.c | 3 +-- + lib/ext/supported_versions.c | 5 ++--- + lib/extv.c | 8 ++++---- + lib/sslv2_compat.c | 3 +-- + lib/supplemental.c | 4 ++-- + lib/tls13/certificate.c | 21 +++++++++++---------- + lib/tls13/psk_ext_parser.c | 4 +--- + lib/tls13/psk_ext_parser.h | 4 ++-- + lib/tls13/session_ticket.c | 2 +- + 26 files changed, 58 insertions(+), 78 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 2834c0199..09b3d7bfc 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -990,9 +990,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + api_aead_cipher_hd_st *h = handle; + ssize_t ret; + uint8_t *dst; +- ssize_t dst_size, total = 0; ++ size_t dst_size, total = 0; + uint8_t *p; +- ssize_t blocksize = handle->ctx_enc.e->blocksize; ++ size_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; + size_t blocks; + +@@ -1071,7 +1071,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + if (ret == 0) + break; + blocks = ret; +- if (unlikely((size_t) dst_size < blocksize * blocks)) ++ if (unlikely(dst_size < blocksize * blocks)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, + blocksize * blocks, +@@ -1083,7 +1083,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + total += blocksize * blocks; + } + if (iter.block_offset > 0) { +- if (unlikely((size_t) dst_size < iter.block_offset)) ++ if (unlikely(dst_size < iter.block_offset)) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, + iter.block, iter.block_offset, +@@ -1095,7 +1095,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + total += iter.block_offset; + } + +- if ((size_t)dst_size < tag_size) ++ if (dst_size < tag_size) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + + _gnutls_cipher_tag(&handle->ctx_enc, dst, tag_size); +diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c +index 34f6ce09d..b9991f0a1 100644 +--- a/lib/ext/alpn.c ++++ b/lib/ext/alpn.c +@@ -51,13 +51,12 @@ const hello_ext_entry_st ext_mod_alpn = { + + static int + _gnutls_alpn_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + unsigned int i; + int ret; + const uint8_t *p = data; + unsigned len1, len; +- ssize_t data_size = _data_size; + alpn_ext_st *priv; + gnutls_ext_priv_data_t epriv; + int selected_protocol_index; +diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c +index 471d42c5f..b627b71f9 100644 +--- a/lib/ext/client_cert_type.c ++++ b/lib/ext/client_cert_type.c +@@ -73,7 +73,6 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, + gnutls_certificate_type_t cert_type; + + uint8_t i, found = 0; +- ssize_t len = data_size; + const uint8_t* pdata = data; + + /* Only activate this extension if we have cert credentials set +@@ -86,7 +85,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, + + /* Compare packet length with expected packet length. For the + * client this is a single byte. */ +- if (len != 1) { ++ if (data_size != 1) { + return + gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + } +@@ -136,8 +135,8 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, + + } else { // server mode + // Compare packet length with expected packet length. +- DECR_LEN(len, 1); +- if (data[0] != len) { ++ DECR_LEN(data_size, 1); ++ if (data[0] != data_size) { + return + gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + } +@@ -145,7 +144,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, + + // Assign the contents of our data buffer to a gnutls_datum_t + cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning +- cert_types.size = len; ++ cert_types.size = data_size; + + // Store the client certificate types in our session + _gnutls_hello_ext_set_datum(session, +diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c +index 1e66c3d49..0feb2f0e5 100644 +--- a/lib/ext/cookie.c ++++ b/lib/ext/cookie.c +@@ -53,10 +53,9 @@ const hello_ext_entry_st ext_mod_cookie = { + /* Only client sends this extension. */ + static int + cookie_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { +- ssize_t data_size = _data_size; +- ssize_t csize; ++ size_t csize; + int ret; + gnutls_datum_t tmp; + +diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c +index eb59ec139..c702d434c 100644 +--- a/lib/ext/ec_point_formats.c ++++ b/lib/ext/ec_point_formats.c +@@ -57,11 +57,10 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = { + static int + _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session, + const uint8_t * data, +- size_t _data_size) ++ size_t data_size) + { +- int len, i; ++ size_t len, i; + int uncompressed = 0; +- int data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (data_size < 1) +@@ -91,7 +90,7 @@ _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session, + /* only sanity check here. We only support uncompressed points + * and a client must support it thus nothing to check. + */ +- if (_data_size < 1) ++ if (data_size < 1) + return + gnutls_assert_val + (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); +diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c +index 599eff8fb..8f0912e69 100644 +--- a/lib/ext/key_share.c ++++ b/lib/ext/key_share.c +@@ -504,11 +504,10 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou + + static int + key_share_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + int ret; +- ssize_t data_size = _data_size; +- ssize_t size; ++ size_t size; + unsigned gid; + const version_entry_st *ver; + const gnutls_group_entry_st *group; +diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c +index dbb98cf62..3cada69be 100644 +--- a/lib/ext/max_record.c ++++ b/lib/ext/max_record.c +@@ -65,10 +65,9 @@ const hello_ext_entry_st ext_mod_max_record_size = { + + static int + _gnutls_max_record_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + ssize_t new_size; +- ssize_t data_size = _data_size; + + if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) + return 0; +diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c +index da7a55098..8d8effb43 100644 +--- a/lib/ext/psk_ke_modes.c ++++ b/lib/ext/psk_ke_modes.c +@@ -106,10 +106,9 @@ psk_ke_modes_send_params(gnutls_session_t session, + */ + static int + psk_ke_modes_recv_params(gnutls_session_t session, +- const unsigned char *data, size_t _len) ++ const unsigned char *data, size_t len) + { + uint8_t ke_modes_len; +- ssize_t len = _len; + const version_entry_st *vers = get_version(session); + gnutls_psk_server_credentials_t cred; + int dhpsk_pos = MAX_POS; +diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c +index e9fe6a1d8..0e94fece3 100644 +--- a/lib/ext/record_size_limit.c ++++ b/lib/ext/record_size_limit.c +@@ -48,10 +48,9 @@ const hello_ext_entry_st ext_mod_record_size_limit = { + + static int + _gnutls_record_size_limit_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + ssize_t new_size; +- ssize_t data_size = _data_size; + const version_entry_st *vers; + + DECR_LEN(data_size, 2); +diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c +index 6424f45b5..bb4a57e45 100644 +--- a/lib/ext/safe_renegotiation.c ++++ b/lib/ext/safe_renegotiation.c +@@ -265,10 +265,9 @@ int _gnutls_ext_sr_send_cs(gnutls_session_t session) + + static int + _gnutls_sr_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + unsigned int len; +- ssize_t data_size = _data_size; + sr_ext_st *priv; + gnutls_ext_priv_data_t epriv; + int set = 0, ret; +diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c +index dbcb3971b..864a44bbc 100644 +--- a/lib/ext/server_cert_type.c ++++ b/lib/ext/server_cert_type.c +@@ -73,7 +73,6 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, + gnutls_certificate_type_t cert_type; + + uint8_t i, found = 0; +- ssize_t len = data_size; + const uint8_t* pdata = data; + + /* Only activate this extension if we have cert credentials set +@@ -86,7 +85,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, + + /* Compare packet length with expected packet length. For the + * client this is a single byte. */ +- if (len != 1) { ++ if (data_size != 1) { + return + gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + } +@@ -135,8 +134,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, + + } else { // server mode + // Compare packet length with expected packet length. +- DECR_LEN(len, 1); +- if (data[0] != len) { ++ DECR_LEN(data_size, 1); ++ if (data[0] != data_size) { + return + gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + } +@@ -144,7 +143,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, + + // Assign the contents of our data buffer to a gnutls_datum_t + cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning +- cert_types.size = len; ++ cert_types.size = data_size; + + // Store the server certificate types in our session + _gnutls_hello_ext_set_datum(session, +diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c +index 259dc998e..0c6331569 100644 +--- a/lib/ext/server_name.c ++++ b/lib/ext/server_name.c +@@ -66,11 +66,10 @@ const hello_ext_entry_st ext_mod_server_name = { + */ + static int + _gnutls_server_name_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + const unsigned char *p; + uint16_t len, type; +- ssize_t data_size = _data_size; + gnutls_datum_t name; + + if (session->security_parameters.entity == GNUTLS_SERVER) { +diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c +index 98db39ff8..263273fa2 100644 +--- a/lib/ext/session_ticket.c ++++ b/lib/ext/session_ticket.c +@@ -78,7 +78,7 @@ static int + unpack_ticket(const gnutls_datum_t *ticket_data, struct ticket_st *ticket) + { + const uint8_t * data = ticket_data->data; +- ssize_t data_size = ticket_data->size; ++ size_t data_size = ticket_data->size; + const uint8_t *encrypted_state; + + /* Format: +@@ -371,11 +371,10 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state) + + static int + session_ticket_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + gnutls_datum_t ticket_data; + gnutls_datum_t state; +- ssize_t data_size = _data_size; + int ret; + + if (session->internals.flags & GNUTLS_NO_TICKETS) +diff --git a/lib/ext/signature.c b/lib/ext/signature.c +index e734d2c7d..a90f58d53 100644 +--- a/lib/ext/signature.c ++++ b/lib/ext/signature.c +@@ -187,9 +187,8 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session, + static int + _gnutls_signature_algorithm_recv_params(gnutls_session_t session, + const uint8_t * data, +- size_t _data_size) ++ size_t data_size) + { +- ssize_t data_size = _data_size; + int ret; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { +diff --git a/lib/ext/srp.c b/lib/ext/srp.c +index 8b58222e0..07f6e6883 100644 +--- a/lib/ext/srp.c ++++ b/lib/ext/srp.c +@@ -59,10 +59,9 @@ const hello_ext_entry_st ext_mod_srp = { + + static int + _gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data, +- size_t _data_size) ++ size_t data_size) + { + uint8_t len; +- ssize_t data_size = _data_size; + gnutls_ext_priv_data_t epriv; + srp_ext_st *priv; + +diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c +index 3fc7ed35a..412e26d45 100644 +--- a/lib/ext/srtp.c ++++ b/lib/ext/srtp.c +@@ -162,13 +162,12 @@ const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile) + + static int + _gnutls_srtp_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + unsigned int i; + int ret; + const uint8_t *p = data; +- int len; +- ssize_t data_size = _data_size; ++ size_t len; + srtp_ext_st *priv; + gnutls_ext_priv_data_t epriv; + uint16_t profile; +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index d8779e8cf..cf9d5bd03 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -86,9 +86,8 @@ client_send(gnutls_session_t session, + static int + server_recv(gnutls_session_t session, + status_request_ext_st * priv, +- const uint8_t * data, size_t size) ++ const uint8_t * data, size_t data_size) + { +- ssize_t data_size = size; + unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + +diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c +index 952d3bb0c..ef7859f73 100644 +--- a/lib/ext/supported_groups.c ++++ b/lib/ext/supported_groups.c +@@ -93,10 +93,9 @@ static unsigned get_min_dh(gnutls_session_t session) + */ + static int + _gnutls_supported_groups_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + int i; +- ssize_t data_size = _data_size; + uint16_t len; + const uint8_t *p = data; + const gnutls_group_entry_st *group = NULL; +diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c +index 52828ee37..8d52fad5c 100644 +--- a/lib/ext/supported_versions.c ++++ b/lib/ext/supported_versions.c +@@ -54,12 +54,11 @@ const hello_ext_entry_st ext_mod_supported_versions = { + + static int + supported_versions_recv_params(gnutls_session_t session, +- const uint8_t * data, size_t _data_size) ++ const uint8_t * data, size_t data_size) + { + const version_entry_st *vers; +- ssize_t data_size = _data_size; + uint8_t major, minor; +- ssize_t bytes; ++ size_t bytes; + int ret; + + if (session->security_parameters.entity == GNUTLS_SERVER) { +diff --git a/lib/extv.c b/lib/extv.c +index bfdfdf974..0c0c46f32 100644 +--- a/lib/extv.c ++++ b/lib/extv.c +@@ -105,7 +105,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, + const gnutls_datum_t *data, unsigned int flags) + { + if (flags & GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO) { +- ssize_t size = data->size; ++ size_t size = data->size; + size_t len; + uint8_t *p = data->data; + +@@ -137,12 +137,12 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, + DECR_LEN(size, len); + p += len; + +- if (size <= 0) ++ if (size == 0) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + return _gnutls_extv_parse(ctx, cb, p, size); + } else if (flags & GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO) { +- ssize_t size = data->size; ++ size_t size = data->size; + size_t len; + uint8_t *p = data->data; + +@@ -181,7 +181,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, + DECR_LEN(size, len); + p += len; + +- if (size <= 0) ++ if (size == 0) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + return _gnutls_extv_parse(ctx, cb, p, size); +diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c +index 6122d1098..9d247ba4c 100644 +--- a/lib/sslv2_compat.c ++++ b/lib/sslv2_compat.c +@@ -87,14 +87,13 @@ _gnutls_handshake_select_v2_suite(gnutls_session_t session, + */ + int + _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, +- unsigned int datalen) ++ unsigned int len) + { + uint16_t session_id_len = 0; + int pos = 0; + int ret = 0, sret = 0; + uint16_t sizeOfSuites; + uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor; +- int len = datalen; + int neg_version; + const version_entry_st *vers; + uint16_t challenge; +diff --git a/lib/supplemental.c b/lib/supplemental.c +index cd90fa1fb..07b38cc93 100644 +--- a/lib/supplemental.c ++++ b/lib/supplemental.c +@@ -192,14 +192,14 @@ _gnutls_parse_supplemental(gnutls_session_t session, + const uint8_t * data, int datalen) + { + const uint8_t *p = data; +- ssize_t dsize = datalen; ++ size_t dsize = datalen; + size_t total_size; + + DECR_LEN(dsize, 3); + total_size = _gnutls_read_uint24(p); + p += 3; + +- if (dsize != (ssize_t) total_size) { ++ if (dsize != total_size) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } +diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c +index bd257237f..8a1a11872 100644 +--- a/lib/tls13/certificate.c ++++ b/lib/tls13/certificate.c +@@ -360,11 +360,12 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data + static int + parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) + { +- int len, ret; ++ int ret; ++ size_t len; + uint8_t *p = data; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; +- ssize_t dsize = data_size, size; ++ size_t size; + int i; + unsigned npeer_certs, npeer_ocsp, j; + crt_cert_ctx_st ctx; +@@ -395,31 +396,31 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) + if (info == NULL) + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); + +- DECR_LEN(dsize, 3); ++ DECR_LEN(data_size, 3); + size = _gnutls_read_uint24(p); + p += 3; + +- if (size != dsize) ++ if (size != data_size) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + + if (size == 0) + return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); + +- i = dsize; ++ i = data_size; + + while (i > 0) { +- DECR_LEN(dsize, 3); ++ DECR_LEN(data_size, 3); + len = _gnutls_read_uint24(p); + if (len == 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + +- DECR_LEN(dsize, len); ++ DECR_LEN(data_size, len); + p += len + 3; + i -= len + 3; + +- DECR_LEN(dsize, 2); ++ DECR_LEN(data_size, 2); + len = _gnutls_read_uint16(p); +- DECR_LEN(dsize, len); ++ DECR_LEN(data_size, len); + + i -= len + 2; + p += len + 2; +@@ -427,7 +428,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) + nentries++; + } + +- if (dsize != 0) ++ if (data_size != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + + /* this is unnecessary - keeping to avoid a regression due to a re-org +diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c +index 6e3a12f90..33ebc0461 100644 +--- a/lib/tls13/psk_ext_parser.c ++++ b/lib/tls13/psk_ext_parser.c +@@ -28,10 +28,8 @@ + * are present, or 0, on success. + */ + int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p, +- const unsigned char *data, size_t _len) ++ const unsigned char *data, size_t len) + { +- ssize_t len = _len; +- + if (!p || !data || !len) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + +diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h +index 30b47e904..f46b211e0 100644 +--- a/lib/tls13/psk_ext_parser.h ++++ b/lib/tls13/psk_ext_parser.h +@@ -25,10 +25,10 @@ + + struct psk_ext_parser_st { + const unsigned char *identities_data; +- ssize_t identities_len; ++ size_t identities_len; + + const unsigned char *binders_data; +- ssize_t binders_len; ++ size_t binders_len; + }; + + typedef struct psk_ext_parser_st psk_ext_parser_st; +diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c +index 146aee9b1..072a56d9c 100644 +--- a/lib/tls13/session_ticket.c ++++ b/lib/tls13/session_ticket.c +@@ -105,7 +105,7 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, tls13_ticket_st + gnutls_mac_algorithm_t kdf; + const mac_entry_st *prf; + uint8_t *p; +- ssize_t len; ++ size_t len; + uint64_t v; + int ret; + +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch b/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch new file mode 100644 index 0000000..5be6209 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch @@ -0,0 +1,1352 @@ +From e94ab6b703ee50ea020565e1b8729a9b1d524d84 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 29 Jul 2019 14:00:30 +0200 +Subject: [PATCH 1/6] nettle: add functions for deterministic ECDSA/DSA + +This adds functions to perform deterministic ECDSA/DSA, namely +_gnutls_{ecdsa,dsa}_compute_k(), which computes the k value according +to RFC 6979. The retrieved k value can be given to +nettle_{ecdsa,dsa}_sign() through a wrapper random function. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/Makefile.am | 5 +- + lib/nettle/int/dsa-compute-k.c | 209 +++++++++++++++++++++++++++++++ + lib/nettle/int/dsa-compute-k.h | 37 ++++++ + lib/nettle/int/ecdsa-compute-k.c | 95 ++++++++++++++ + lib/nettle/int/ecdsa-compute-k.h | 37 ++++++ + lib/nettle/int/mpn-base256.c | 97 ++++++++++++++ + lib/nettle/int/mpn-base256.h | 48 +++++++ + 7 files changed, 527 insertions(+), 1 deletion(-) + create mode 100644 lib/nettle/int/dsa-compute-k.c + create mode 100644 lib/nettle/int/dsa-compute-k.h + create mode 100644 lib/nettle/int/ecdsa-compute-k.c + create mode 100644 lib/nettle/int/ecdsa-compute-k.h + create mode 100644 lib/nettle/int/mpn-base256.c + create mode 100644 lib/nettle/int/mpn-base256.h + +diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am +index 1c60d3244..bd9dd753a 100644 +--- a/lib/nettle/Makefile.am ++++ b/lib/nettle/Makefile.am +@@ -45,7 +45,10 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \ + backport/xts.c backport/xts.h \ + rnd.c int/rsa-fips.h int/rsa-keygen-fips186.c int/provable-prime.c \ + int/dsa-fips.h int/dsa-keygen-fips186.c int/dsa-validate.c \ +- int/tls1-prf.c int/tls1-prf.h ++ int/tls1-prf.c int/tls1-prf.h \ ++ int/dsa-compute-k.c int/dsa-compute-k.h \ ++ int/ecdsa-compute-k.c int/ecdsa-compute-k.h \ ++ int/mpn-base256.c int/mpn-base256.h + + if WINDOWS + libcrypto_la_SOURCES += sysrng-windows.c +diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c +new file mode 100644 +index 000000000..17d63318c +--- /dev/null ++++ b/lib/nettle/int/dsa-compute-k.c +@@ -0,0 +1,209 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#if HAVE_CONFIG_H ++# include "config.h" ++#endif ++ ++#include "dsa-compute-k.h" ++ ++#include "gnutls_int.h" ++#include "mem.h" ++#include "mpn-base256.h" ++#include ++ ++#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) ++ ++/* The maximum size of q, choosen from the fact that we support ++ * 521-bit elliptic curve generator and 512-bit DSA subgroup at ++ * maximum. */ ++#define MAX_Q_BITS 521 ++#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8) ++#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS) ++ ++#define MAX_HASH_BITS (MAX_HASH_SIZE * 8) ++#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS) ++ ++int ++_gnutls_dsa_compute_k(mpz_t k, ++ const mpz_t q, ++ const mpz_t x, ++ gnutls_mac_algorithm_t mac, ++ const uint8_t *digest, ++ size_t length) ++{ ++ uint8_t V[MAX_HASH_SIZE]; ++ uint8_t K[MAX_HASH_SIZE]; ++ uint8_t xp[MAX_Q_SIZE]; ++ uint8_t tp[MAX_Q_SIZE]; ++ mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)]; ++ mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2); ++ mp_size_t qn = mpz_size(q); ++ mp_bitcnt_t h_bits = length * 8; ++ mp_size_t hn = BITS_TO_LIMBS(h_bits); ++ size_t nbytes = (q_bits + 7) / 8; ++ const uint8_t c0 = 0x00; ++ const uint8_t c1 = 0x01; ++ mp_limb_t cy; ++ gnutls_hmac_hd_t hd; ++ int ret = 0; ++ ++ if (unlikely(q_bits > MAX_Q_BITS)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ if (unlikely(length > MAX_HASH_SIZE)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ /* int2octets(x) */ ++ mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn); ++ ++ /* bits2octets(h) */ ++ mpn_set_base256(h, hn, digest, length); ++ ++ if (hn < qn) ++ /* qlen > blen: add zero bits to the left */ ++ mpn_zero(&h[hn], qn - hn); ++ else if (h_bits > q_bits) { ++ /* qlen < blen: keep the leftmost qlen bits. We do this in 2 ++ * steps because mpn_rshift only accepts shift count in the ++ * range 1 to mp_bits_per_limb-1. ++ */ ++ mp_bitcnt_t shift = h_bits - q_bits; ++ ++ if (shift / GMP_NUMB_BITS > 0) { ++ mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn); ++ hn -= shift / GMP_NUMB_BITS; ++ } ++ ++ if (shift % GMP_NUMB_BITS > 0) ++ mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS); ++ } ++ ++ cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn); ++ /* Fall back to addmul_1, if nettle is linked with mini-gmp. */ ++#ifdef mpn_cnd_add_n ++ mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn); ++#else ++ mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0); ++#endif ++ mpn_get_base256(tp, nbytes, h, qn); ++ ++ /* Step b */ ++ memset(V, c1, length); ++ ++ /* Step c */ ++ memset(K, c0, length); ++ ++ /* Step d */ ++ ret = gnutls_hmac_init(&hd, mac, K, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, V, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, &c0, 1); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, xp, nbytes); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, tp, nbytes); ++ if (ret < 0) ++ goto out; ++ gnutls_hmac_deinit(hd, K); ++ ++ /* Step e */ ++ ret = gnutls_hmac_fast(mac, K, length, V, length, V); ++ if (ret < 0) ++ goto out; ++ ++ /* Step f */ ++ ret = gnutls_hmac_init(&hd, mac, K, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, V, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, &c1, 1); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, xp, nbytes); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, tp, nbytes); ++ if (ret < 0) ++ goto out; ++ gnutls_hmac_deinit(hd, K); ++ ++ /* Step g */ ++ ret = gnutls_hmac_fast(mac, K, length, V, length, V); ++ if (ret < 0) ++ goto out; ++ ++ /* Step h */ ++ for (;;) { ++ /* Step 1 */ ++ size_t tlen = 0; ++ ++ /* Step 2 */ ++ while (tlen < nbytes) { ++ size_t remaining = MIN(nbytes - tlen, length); ++ ret = gnutls_hmac_fast(mac, K, length, V, length, V); ++ if (ret < 0) ++ goto out; ++ memcpy (&tp[tlen], V, remaining); ++ tlen += remaining; ++ } ++ ++ /* Step 3 */ ++ mpn_set_base256 (h, qn, tp, tlen); ++ if (tlen * 8 > q_bits) ++ mpn_rshift (h, h, qn, tlen * 8 - q_bits); ++ /* Check if k is in [1,q-1] */ ++ if (!mpn_zero_p (h, qn) && ++ mpn_cmp (h, mpz_limbs_read(q), qn) < 0) { ++ mpn_copyi(mpz_limbs_write(k, qn), h, qn); ++ mpz_limbs_finish(k, qn); ++ break; ++ } ++ ++ ret = gnutls_hmac_init(&hd, mac, K, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, V, length); ++ if (ret < 0) ++ goto out; ++ ret = gnutls_hmac(hd, &c0, 1); ++ if (ret < 0) ++ goto out; ++ gnutls_hmac_deinit(hd, K); ++ ++ ret = gnutls_hmac_fast(mac, K, length, V, length, V); ++ if (ret < 0) ++ goto out; ++ } ++ ++ out: ++ zeroize_key(xp, sizeof(xp)); ++ zeroize_key(tp, sizeof(tp)); ++ ++ return ret; ++} +diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h +new file mode 100644 +index 000000000..64e90e0ca +--- /dev/null ++++ b/lib/nettle/int/dsa-compute-k.h +@@ -0,0 +1,37 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * The GnuTLS is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H ++#define GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H ++ ++#include ++#include /* includes gmp.h */ ++ ++int ++_gnutls_dsa_compute_k(mpz_t k, ++ const mpz_t q, ++ const mpz_t x, ++ gnutls_mac_algorithm_t mac, ++ const uint8_t *digest, ++ size_t length); ++ ++#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */ +diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c +new file mode 100644 +index 000000000..94914ebdf +--- /dev/null ++++ b/lib/nettle/int/ecdsa-compute-k.c +@@ -0,0 +1,95 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#if HAVE_CONFIG_H ++# include "config.h" ++#endif ++ ++#include "ecdsa-compute-k.h" ++ ++#include "dsa-compute-k.h" ++#include "gnutls_int.h" ++ ++static inline int ++_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve) ++{ ++ switch (curve) { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ case GNUTLS_ECC_CURVE_SECP192R1: ++ mpz_init_set_str(*q, ++ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836" ++ "146BC9B1B4D22831", ++ 16); ++ return 0; ++ case GNUTLS_ECC_CURVE_SECP224R1: ++ mpz_init_set_str(*q, ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2" ++ "E0B8F03E13DD29455C5C2A3D", ++ 16); ++ return 0; ++#endif ++ case GNUTLS_ECC_CURVE_SECP256R1: ++ mpz_init_set_str(*q, ++ "FFFFFFFF00000000FFFFFFFFFFFFFFFF" ++ "BCE6FAADA7179E84F3B9CAC2FC632551", ++ 16); ++ return 0; ++ case GNUTLS_ECC_CURVE_SECP384R1: ++ mpz_init_set_str(*q, ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFC7634D81F4372DDF" ++ "581A0DB248B0A77AECEC196ACCC52973", ++ 16); ++ return 0; ++ case GNUTLS_ECC_CURVE_SECP521R1: ++ mpz_init_set_str(*q, ++ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFA51868783BF2F966B7FCC0148F709A" ++ "5D03BB5C9B8899C47AEBB6FB71E91386" ++ "409", ++ 16); ++ return 0; ++ default: ++ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); ++ } ++} ++ ++int ++_gnutls_ecdsa_compute_k (mpz_t k, ++ gnutls_ecc_curve_t curve, ++ const mpz_t x, ++ gnutls_mac_algorithm_t mac, ++ const uint8_t *digest, ++ size_t length) ++{ ++ mpz_t q; ++ int ret; ++ ++ ret = _gnutls_ecc_curve_to_dsa_q(&q, curve); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length); ++ mpz_clear(q); ++ return ret; ++} +diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h +new file mode 100644 +index 000000000..7ca401d6e +--- /dev/null ++++ b/lib/nettle/int/ecdsa-compute-k.h +@@ -0,0 +1,37 @@ ++/* ++ * Copyright (C) 2019 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * The GnuTLS is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H ++#define GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H ++ ++#include ++#include /* includes gmp.h */ ++ ++int ++_gnutls_ecdsa_compute_k (mpz_t k, ++ gnutls_ecc_curve_t curve, ++ const mpz_t x, ++ gnutls_mac_algorithm_t mac, ++ const uint8_t *digest, ++ size_t length); ++ ++#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */ +diff --git a/lib/nettle/int/mpn-base256.c b/lib/nettle/int/mpn-base256.c +new file mode 100644 +index 000000000..88dd00bd2 +--- /dev/null ++++ b/lib/nettle/int/mpn-base256.c +@@ -0,0 +1,97 @@ ++/* gmp-glue.c ++ ++ Copyright (C) 2013 Niels Möller ++ Copyright (C) 2013 Red Hat ++ ++ This file is part of GNU Nettle. ++ ++ GNU Nettle is free software: you can redistribute it and/or ++ modify it under the terms of either: ++ ++ * the GNU Lesser General Public License as published by the Free ++ Software Foundation; either version 3 of the License, or (at your ++ option) any later version. ++ ++ or ++ ++ * the GNU General Public License as published by the Free ++ Software Foundation; either version 2 of the License, or (at your ++ option) any later version. ++ ++ or both in parallel, as here. ++ ++ GNU Nettle is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received copies of the GNU General Public License and ++ the GNU Lesser General Public License along with this program. If ++ not, see http://www.gnu.org/licenses/. ++*/ ++ ++#if HAVE_CONFIG_H ++# include "config.h" ++#endif ++ ++#include "mpn-base256.h" ++ ++void ++mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, ++ const uint8_t *xp, size_t xn) ++{ ++ size_t xi; ++ mp_limb_t out; ++ unsigned bits; ++ for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) ++ { ++ mp_limb_t in = xp[--xi]; ++ out |= (in << bits) & GMP_NUMB_MASK; ++ bits += 8; ++ if (bits >= GMP_NUMB_BITS) ++ { ++ *rp++ = out; ++ rn--; ++ ++ bits -= GMP_NUMB_BITS; ++ out = in >> (8 - bits); ++ } ++ } ++ if (rn > 0) ++ { ++ *rp++ = out; ++ if (--rn > 0) ++ mpn_zero (rp, rn); ++ } ++} ++ ++void ++mpn_get_base256 (uint8_t *rp, size_t rn, ++ const mp_limb_t *xp, mp_size_t xn) ++{ ++ unsigned bits; ++ mp_limb_t in; ++ for (bits = in = 0; xn > 0 && rn > 0; ) ++ { ++ if (bits >= 8) ++ { ++ rp[--rn] = in; ++ in >>= 8; ++ bits -= 8; ++ } ++ else ++ { ++ uint8_t old = in; ++ in = *xp++; ++ xn--; ++ rp[--rn] = old | (in << bits); ++ in >>= (8 - bits); ++ bits += GMP_NUMB_BITS - 8; ++ } ++ } ++ while (rn > 0) ++ { ++ rp[--rn] = in; ++ in >>= 8; ++ } ++} +diff --git a/lib/nettle/int/mpn-base256.h b/lib/nettle/int/mpn-base256.h +new file mode 100644 +index 000000000..b5ca4af03 +--- /dev/null ++++ b/lib/nettle/int/mpn-base256.h +@@ -0,0 +1,48 @@ ++/* gmp-glue.h ++ ++ Copyright (C) 2013 Niels Möller ++ Copyright (C) 2013 Red Hat ++ ++ This file is part of GNU Nettle. ++ ++ GNU Nettle is free software: you can redistribute it and/or ++ modify it under the terms of either: ++ ++ * the GNU Lesser General Public License as published by the Free ++ Software Foundation; either version 3 of the License, or (at your ++ option) any later version. ++ ++ or ++ ++ * the GNU General Public License as published by the Free ++ Software Foundation; either version 2 of the License, or (at your ++ option) any later version. ++ ++ or both in parallel, as here. ++ ++ GNU Nettle is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received copies of the GNU General Public License and ++ the GNU Lesser General Public License along with this program. If ++ not, see http://www.gnu.org/licenses/. ++*/ ++ ++#ifndef NETTLE_GMP_GLUE_H_INCLUDED ++#define NETTLE_GMP_GLUE_H_INCLUDED ++ ++#include ++ ++/* Like mpn_set_str, but always writes rn limbs. If input is larger, ++ higher bits are ignored. */ ++void ++mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, ++ const uint8_t *xp, size_t xn); ++ ++void ++mpn_get_base256 (uint8_t *rp, size_t rn, ++ const mp_limb_t *xp, mp_size_t xn); ++ ++#endif /* NETTLE_GMP_GLUE_H_INCLUDED */ +-- +2.21.0 + + +From f42d96451a654ccc3523b0a0086e18f19ba3fecc Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 29 Jul 2019 15:10:51 +0200 +Subject: [PATCH 2/6] privkey_sign_raw_data: remove unnecessary local variable + +Signed-off-by: Daiki Ueno +--- + lib/privkey.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/privkey.c b/lib/privkey.c +index 8e353c5e5..2fee8777a 100644 +--- a/lib/privkey.c ++++ b/lib/privkey.c +@@ -1492,8 +1492,6 @@ privkey_sign_raw_data(gnutls_privkey_t key, + 0, + data, signature); + } else if (key->key.ext.sign_hash_func) { +- unsigned int flags = 0; +- + if (se->pk == GNUTLS_PK_RSA) { + se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW); + assert(se != NULL); +@@ -1502,7 +1500,7 @@ privkey_sign_raw_data(gnutls_privkey_t key, + /* se may not be set here if we are doing legacy RSA */ + return key->key.ext.sign_hash_func(key, se->id, + key->key.ext.userdata, +- flags, ++ 0, + data, signature); + } else { + if (!PK_IS_OK_FOR_EXT2(se->pk)) +-- +2.21.0 + + +From 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 7 Aug 2019 14:37:00 +0200 +Subject: [PATCH 3/6] privkey_sign_prehashed: remove unused argument + +Signed-off-by: Daiki Ueno +--- + lib/privkey.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/lib/privkey.c b/lib/privkey.c +index 2fee8777a..8683b4e20 100644 +--- a/lib/privkey.c ++++ b/lib/privkey.c +@@ -43,7 +43,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer, + const gnutls_sign_entry_st *se, + const gnutls_datum_t * hash_data, + gnutls_datum_t * signature, +- gnutls_x509_spki_st * params, unsigned flags); ++ gnutls_x509_spki_st * params); + + /** + * gnutls_privkey_get_type: +@@ -1253,7 +1253,7 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, + return ret; + } + +- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms, flags); ++ return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); + } + + int +@@ -1377,7 +1377,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + return privkey_sign_prehashed(signer, se, +- hash_data, signature, ¶ms, flags); ++ hash_data, signature, ¶ms); + } + + static int +@@ -1385,8 +1385,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer, + const gnutls_sign_entry_st *se, + const gnutls_datum_t * hash_data, + gnutls_datum_t * signature, +- gnutls_x509_spki_st * params, +- unsigned flags) ++ gnutls_x509_spki_st * params) + { + int ret; + gnutls_datum_t digest; +-- +2.21.0 + + +From 8eb3a29336ea11f6b417ce7e25d53513509bdd87 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 29 Jul 2019 14:01:11 +0200 +Subject: [PATCH 4/6] pk: implement deterministic ECDSA/DSA + +This exposes the deterministic ECDSA/DSA functionality through the +GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag. + +Signed-off-by: Daiki Ueno +--- + .gitignore | 1 + + NEWS | 7 ++ + lib/crypto-backend.h | 16 ++- + lib/includes/gnutls/abstract.h | 5 +- + lib/nettle/pk.c | 54 +++++++- + lib/privkey.c | 8 ++ + lib/x509/crq.c | 2 + + lib/x509/pkcs7.c | 2 + + lib/x509/sign.c | 2 + + tests/Makefile.am | 2 +- + tests/sign-verify-deterministic.c | 196 ++++++++++++++++++++++++++++++ + 11 files changed, 290 insertions(+), 5 deletions(-) + create mode 100644 tests/sign-verify-deterministic.c + +diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h +index 43124abaf..33eca6031 100644 +--- a/lib/crypto-backend.h ++++ b/lib/crypto-backend.h +@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st { + /* if non-zero, the legacy value for PKCS#7 signatures will be + * written for RSA signatures. */ + unsigned int legacy; ++ ++ /* the digest used by ECDSA/DSA */ ++ gnutls_digest_algorithm_t dsa_dig; ++ ++ /* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for ++ * deterministic ECDSA/DSA */ ++ unsigned int flags; + } gnutls_x509_spki_st; + + #define GNUTLS_MAX_PK_PARAMS 16 +@@ -219,9 +226,16 @@ typedef struct { + */ + typedef enum { + GNUTLS_PK_FLAG_NONE = 0, +- GNUTLS_PK_FLAG_PROVABLE = 1 ++ GNUTLS_PK_FLAG_PROVABLE = 1, ++ GNUTLS_PK_FLAG_REPRODUCIBLE = 2 + } gnutls_pk_flag_t; + ++#define FIX_SIGN_PARAMS(params, flags, dig) do { \ ++ if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ ++ (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ ++ (params).dsa_dig = (dig); \ ++ } \ ++} while (0) + + void gnutls_pk_params_release(gnutls_pk_params_st * p); + void gnutls_pk_params_clear(gnutls_pk_params_st * p); +diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h +index d4b7da68b..d8805681a 100644 +--- a/lib/includes/gnutls/abstract.h ++++ b/lib/includes/gnutls/abstract.h +@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key); + * gnutls_privkey_flags: + * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol. + * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding. +- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt). ++ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters. ++ * For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic ++ * construction of random parameter according to RFC 6979. Note that ++ * this only supports the NIST curves and DSA subgroup bits up to 512. + * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically + * release it when the structure it was imported is released. + * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import. +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 08117c2d8..ebd6481cf 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -54,6 +54,8 @@ + #include "gost/gostdsa.h" + #include "gost/ecc-gost-curve.h" + #endif ++#include "int/ecdsa-compute-k.h" ++#include "int/dsa-compute-k.h" + #include + #include + +@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data) + } + } + ++static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) ++{ ++ mpz_t *k = _ctx; ++ nettle_mpz_get_str_256 (length, data, *k); ++} ++ + static void + ecc_scalar_zclear (struct ecc_scalar *s) + { +@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + struct dsa_signature sig; + int curve_id = pk_params->curve; + const struct ecc_curve *curve; ++ mpz_t k; ++ void *random_ctx; ++ nettle_random_func *random_func; + + curve = get_supported_nist_curve(curve_id); + if (curve == NULL) +@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + hash_len = vdata->size; + } + +- ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len, ++ mpz_init(k); ++ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { ++ ret = _gnutls_ecdsa_compute_k(k, ++ curve_id, ++ pk_params->params[ECC_K], ++ sign_params->dsa_dig, ++ vdata->data, ++ vdata->size); ++ if (ret < 0) ++ goto ecdsa_cleanup; ++ random_ctx = &k; ++ random_func = rnd_mpz_func; ++ } else { ++ random_ctx = NULL; ++ random_func = rnd_nonce_func; ++ } ++ ecdsa_sign(&priv, random_ctx, random_func, hash_len, + vdata->data, &sig); + + /* prevent memory leaks */ +@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + ecdsa_cleanup: + dsa_signature_clear(&sig); + ecc_scalar_zclear(&priv); ++ mpz_clear(k); + + if (ret < 0) { + gnutls_assert(); +@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + struct dsa_params pub; + bigint_t priv; + struct dsa_signature sig; ++ mpz_t k; ++ void *random_ctx; ++ nettle_random_func *random_func; + + memset(&priv, 0, sizeof(priv)); + memset(&pub, 0, sizeof(pub)); +@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + hash_len = vdata->size; + } + ++ mpz_init(k); ++ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { ++ ret = _gnutls_dsa_compute_k(k, ++ pub.q, ++ TOMPZ(priv), ++ sign_params->dsa_dig, ++ vdata->data, ++ vdata->size); ++ if (ret < 0) ++ goto dsa_fail; ++ /* cancel-out dsa_sign's addition of 1 to random data */ ++ mpz_sub_ui (k, k, 1); ++ random_ctx = &k; ++ random_func = rnd_mpz_func; ++ } else { ++ random_ctx = NULL; ++ random_func = rnd_nonce_func; ++ } + ret = +- dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func, ++ dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func, + hash_len, vdata->data, &sig); + if (ret == 0 || HAVE_LIB_ERROR()) { + gnutls_assert(); +@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + + dsa_fail: + dsa_signature_clear(&sig); ++ mpz_clear(k); + + if (ret < 0) { + gnutls_assert(); +diff --git a/lib/privkey.c b/lib/privkey.c +index 8683b4e20..4ef07c8b0 100644 +--- a/lib/privkey.c ++++ b/lib/privkey.c +@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer, + return ret; + } + ++ FIX_SIGN_PARAMS(params, flags, hash); ++ + return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, ¶ms); + } + +@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer, + return ret; + } + ++ FIX_SIGN_PARAMS(params, flags, se->hash); ++ + return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms); + } + +@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, + return ret; + } + ++ FIX_SIGN_PARAMS(params, flags, se->hash); ++ + return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); + } + +@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, + if (unlikely(se == NULL)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + ++ FIX_SIGN_PARAMS(params, flags, hash_algo); ++ + return privkey_sign_prehashed(signer, se, + hash_data, signature, ¶ms); + } +diff --git a/lib/x509/crq.c b/lib/x509/crq.c +index c8899f81a..4ca67535d 100644 +--- a/lib/x509/crq.c ++++ b/lib/x509/crq.c +@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, + if (se == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + ++ FIX_SIGN_PARAMS(params, flags, dig); ++ + result = privkey_sign_and_hash_data(key, se, + &tbs, &signature, ¶ms); + gnutls_free(tbs.data); +diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c +index 21fff7b07..98669e887 100644 +--- a/lib/x509/pkcs7.c ++++ b/lib/x509/pkcs7.c +@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7, + goto cleanup; + } + ++ FIX_SIGN_PARAMS(params, flags, dig); ++ + ret = privkey_sign_and_hash_data(signer_key, se, + &sigdata, &signature, ¶ms); + if (ret < 0) { +diff --git a/lib/x509/sign.c b/lib/x509/sign.c +index 8f7a96f21..461524f5b 100644 +--- a/lib/x509/sign.c ++++ b/lib/x509/sign.c +@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, + return result; + } + ++ FIX_SIGN_PARAMS(params, flags, dig); ++ + if (_gnutls_pk_is_not_prehashed(params.pk)) { + result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, ¶ms); + } else { +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 7970ad6b3..a8c2d152e 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -211,7 +211,8 @@ ctests += mini-record-2 simple gnutls_hm + tls13-server-kx-neg gnutls_ext_raw_parse_dtls key-export-pkcs8 \ + null_retrieve_function tls-record-size-limit tls-crt_type-neg \ + resume-with-stek-expiration resume-with-previous-stek rawpk-api \ +- tls-record-size-limit-asym dh-compute ecdh-compute ++ tls-record-size-limit-asym dh-compute ecdh-compute \ ++ sign-verify-deterministic + + if HAVE_SECCOMP_TESTS + ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp +diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c +new file mode 100644 +index 000000000..fe4873fc8 +--- /dev/null ++++ b/tests/sign-verify-deterministic.c +@@ -0,0 +1,196 @@ ++/* ++ * Copyright (C) 2017-2019 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos, Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#ifndef _WIN32 ++# include ++# include ++# include ++#endif ++#include ++#include ++#include ++#include ++#include "utils.h" ++ ++/* verifies whether the sign-data and verify-data APIs ++ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */ ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "<%d> %s", level, str); ++} ++ ++struct _key_tests_st { ++ const char *name; ++ gnutls_datum_t key; ++ gnutls_datum_t msg; ++ gnutls_datum_t sig; ++ gnutls_pk_algorithm_t pk; ++ gnutls_digest_algorithm_t digest; ++ gnutls_sign_algorithm_t sigalgo; ++ unsigned int sign_flags; ++}; ++ ++/* Test vectors from RFC 6979 */ ++static const char dsa_privkey_rfc6979[] = ++ "-----BEGIN DSA PRIVATE KEY-----\n" ++ "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n" ++ "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n" ++ "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n" ++ "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n" ++ "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n" ++ "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n" ++ "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n" ++ "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n" ++ "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n" ++ "zMNElNedmO8eftWvJfc=\n" ++ "-----END DSA PRIVATE KEY-----\n"; ++ ++static const char ecdsa_secp256r1_privkey_rfc6979[] = ++ "-----BEGIN EC PRIVATE KEY-----\n" ++ "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n" ++ "PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n" ++ "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n" ++ "-----END EC PRIVATE KEY-----\n"; ++ ++static const char sample[] = "sample"; ++ ++static const ++struct _key_tests_st tests[] = { ++ { ++ .name = "dsa key", ++ .key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1}, ++ .msg = {(void *) sample, sizeof(sample)-1}, ++ .sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47}, ++ .pk = GNUTLS_PK_DSA, ++ .digest = GNUTLS_DIG_SHA256, ++ .sigalgo = GNUTLS_SIGN_DSA_SHA256, ++ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE ++ }, ++ { ++ .name = "ecdsa key", ++ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, ++ .msg = {(void *) sample, sizeof(sample)-1}, ++ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72}, ++ .pk = GNUTLS_PK_ECDSA, ++ .digest = GNUTLS_DIG_SHA256, ++ .sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, ++ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE ++ }, ++ { ++ .name = "ecdsa key", ++ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, ++ .msg = {(void *) sample, sizeof(sample)-1}, ++ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72}, ++ .pk = GNUTLS_PK_ECDSA, ++ .digest = GNUTLS_DIG_SHA256, ++ .sigalgo = GNUTLS_SIGN_ECDSA_SHA256, ++ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE ++ }, ++ { ++ .name = "ecdsa key (q bits < h bits)", ++ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, ++ .msg = {(void *) sample, sizeof(sample)-1}, ++ .sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70}, ++ .pk = GNUTLS_PK_ECDSA, ++ .digest = GNUTLS_DIG_SHA384, ++ .sigalgo = GNUTLS_SIGN_ECDSA_SHA384, ++ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE ++ }, ++ { ++ .name = "ecdsa key (q bits > h bits)", ++ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, ++ .msg = {(void *) sample, sizeof(sample)-1}, ++ .sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71}, ++ .pk = GNUTLS_PK_ECDSA, ++ .digest = GNUTLS_DIG_SHA224, ++ .sigalgo = GNUTLS_SIGN_ECDSA_SHA224, ++ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE ++ } ++}; ++ ++#define testfail(fmt, ...) \ ++ fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) ++ ++void doit(void) ++{ ++ gnutls_pubkey_t pubkey; ++ gnutls_privkey_t privkey; ++ gnutls_datum_t signature; ++ int ret; ++ size_t i; ++ ++ global_init(); ++ ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(6); ++ ++ for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { ++ success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); ++ ++ ret = gnutls_privkey_init(&privkey); ++ if (ret < 0) ++ testfail("gnutls_privkey_init\n"); ++ ++ ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); ++ if (ret < 0) ++ testfail("gnutls_privkey_import_x509_raw\n"); ++ ++ ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, ++ &tests[i].msg, &signature); ++ if (ret < 0) ++ testfail("gnutls_privkey_sign_data\n"); ++ ++ if (signature.size != tests[i].sig.size || ++ memcmp(signature.data, tests[i].sig.data, signature.size) != 0) ++ testfail("signature does not match"); ++ ++ ret = gnutls_pubkey_init(&pubkey); ++ if (ret < 0) ++ testfail("gnutls_pubkey_init\n"); ++ ++ ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); ++ if (ret < 0) ++ testfail("gnutls_pubkey_import_privkey\n"); ++ ++ ret = ++ gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg, ++ &signature); ++ if (ret < 0) ++ testfail("gnutls_pubkey_verify_data2\n"); ++ ++ gnutls_free(signature.data); ++ gnutls_privkey_deinit(privkey); ++ gnutls_pubkey_deinit(pubkey); ++ } ++ ++ gnutls_global_deinit(); ++} +-- +2.21.0 + + +From 1adee9e136176a8fe26bae036ebb275fe4c26f64 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 5 Aug 2019 15:21:55 +0200 +Subject: [PATCH 5/6] nettle: enable deterministic ECDSA/DSA during FIPS + selftests + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index ebd6481cf..1f8e7f931 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -820,7 +820,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + } + + mpz_init(k); +- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || ++ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { + ret = _gnutls_ecdsa_compute_k(k, + curve_id, + pk_params->params[ECC_K], +@@ -888,7 +889,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + } + + mpz_init(k); +- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || ++ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { + ret = _gnutls_dsa_compute_k(k, + pub.q, + TOMPZ(priv), +-- +2.21.0 + + +From 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 7 Aug 2019 15:55:44 +0200 +Subject: [PATCH 6/6] nettle: prohibit deterministic ECDSA/DSA under FIPS + except selftests + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 8 ++++++++ + tests/sign-verify-deterministic.c | 27 ++++++++++++++++++++------- + 2 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 1f8e7f931..b2d27cf74 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -703,6 +703,14 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); + } + ++ /* deterministic ECDSA/DSA is prohibited under FIPS except in ++ * the selftests */ ++ if (_gnutls_fips_mode_enabled() && ++ _gnutls_get_lib_state() != LIB_STATE_SELFTEST && ++ (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) && ++ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ + switch (algo) { + case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */ + { +diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c +index fe4873fc8..6e907288e 100644 +--- a/tests/sign-verify-deterministic.c ++++ b/tests/sign-verify-deterministic.c +@@ -154,29 +154,40 @@ void doit(void) + gnutls_global_set_log_level(6); + + for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { +- success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); ++ success("testing: %s - %s", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); ++ ++ ret = gnutls_pubkey_init(&pubkey); ++ if (ret < 0) ++ testfail("gnutls_pubkey_init\n"); + + ret = gnutls_privkey_init(&privkey); + if (ret < 0) + testfail("gnutls_privkey_init\n"); + ++ signature.data = NULL; ++ signature.size = 0; ++ + ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + testfail("gnutls_privkey_import_x509_raw\n"); + + ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, + &tests[i].msg, &signature); +- if (ret < 0) +- testfail("gnutls_privkey_sign_data\n"); ++ if (gnutls_fips140_mode_enabled()) { ++ /* deterministic ECDSA/DSA is prohibited under FIPS */ ++ if (ret != GNUTLS_E_INVALID_REQUEST) ++ testfail("gnutls_privkey_sign_data unexpectedly succeeds\n"); ++ success(" - skipping\n"); ++ goto next; ++ } else { ++ if (ret < 0) ++ testfail("gnutls_privkey_sign_data\n"); ++ } + + if (signature.size != tests[i].sig.size || + memcmp(signature.data, tests[i].sig.data, signature.size) != 0) + testfail("signature does not match"); + +- ret = gnutls_pubkey_init(&pubkey); +- if (ret < 0) +- testfail("gnutls_pubkey_init\n"); +- + ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); + if (ret < 0) + testfail("gnutls_pubkey_import_privkey\n"); +@@ -186,7 +197,9 @@ void doit(void) + &signature); + if (ret < 0) + testfail("gnutls_pubkey_verify_data2\n"); ++ success(" - pass"); + ++ next: + gnutls_free(signature.data); + gnutls_privkey_deinit(privkey); + gnutls_pubkey_deinit(pubkey); +-- +2.21.0 + +From 6cb58f18280bedfec9d7c8ac411574b868b3d758 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2019 14:59:03 +0200 +Subject: [PATCH] crypto-backend: always set sign_params.dsa_sig when ECDSA/DSA + +In FIPS selftests we create deterministic signature and the +information about the digest algorithm is necessary. + +Signed-off-by: Daiki Ueno +--- + lib/crypto-backend.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h +index 33eca6031..664ba4377 100644 +--- a/lib/crypto-backend.h ++++ b/lib/crypto-backend.h +@@ -233,6 +233,9 @@ typedef enum { + #define FIX_SIGN_PARAMS(params, flags, dig) do { \ + if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ + (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ ++ } \ ++ if ((params).pk == GNUTLS_PK_DSA || \ ++ (params).pk == GNUTLS_PK_ECDSA) { \ + (params).dsa_dig = (dig); \ + } \ + } while (0) +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch b/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch new file mode 100644 index 0000000..6a88e65 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch @@ -0,0 +1,203 @@ +From c7a419e7868fd9342c1799a04d21c2ff6292c405 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 21 Jun 2019 15:49:26 +0200 +Subject: [PATCH] nettle/rnd-fips: add FIPS 140-2 continuous RNG test + +This adds a continuous random number generator test as defined in FIPS +140-2 4.9.2, by iteratively fetching fixed sized block from the system +and comparing consecutive blocks. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/rnd-fips.c | 102 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 81 insertions(+), 21 deletions(-) + +diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c +index ee68cf68d..ccb92d25a 100644 +--- a/lib/nettle/rnd-fips.c ++++ b/lib/nettle/rnd-fips.c +@@ -27,12 +27,13 @@ + + #include "gnutls_int.h" + #include "errors.h" +-#include +-#include +-#include ++#include + #include + #include + ++/* The block size is chosen arbitrarily */ ++#define ENTROPY_BLOCK_SIZE SHA256_DIGEST_SIZE ++ + /* This provides a random generator for gnutls. It uses + * two instances of the DRBG-AES-CTR generator, one for + * nonce level and another for the other levels of randomness. +@@ -41,11 +42,13 @@ struct fips_ctx { + struct drbg_aes_ctx nonce_context; + struct drbg_aes_ctx normal_context; + unsigned int forkid; ++ uint8_t entropy_hash[SHA256_DIGEST_SIZE]; + }; + + static int _rngfips_ctx_reinit(struct fips_ctx *fctx); + static int _rngfips_ctx_init(struct fips_ctx *fctx); +-static int drbg_reseed(struct drbg_aes_ctx *ctx); ++static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx); ++static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length); + + static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx, + void *buffer, size_t length) +@@ -59,7 +62,7 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx, + } + + if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) { +- ret = drbg_reseed(ctx); ++ ret = drbg_reseed(fctx, ctx); + if (ret < 0) + return gnutls_assert_val(ret); + } +@@ -71,54 +74,111 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx, + return 0; + } + ++static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length) ++{ ++ int ret; ++ uint8_t block[ENTROPY_BLOCK_SIZE]; ++ uint8_t hash[SHA256_DIGEST_SIZE]; ++ struct sha256_ctx ctx; ++ size_t total = 0; ++ ++ /* For FIPS 140-2 4.9.2 continuous random number generator ++ * test, iteratively fetch fixed sized block from the system ++ * RNG and compare consecutive blocks. ++ * ++ * Note that we store the hash of the entropy block rather ++ * than the block itself for backward secrecy. ++ */ ++ while (total < length) { ++ ret = _rnd_get_system_entropy(block, ENTROPY_BLOCK_SIZE); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ sha256_init(&ctx); ++ sha256_update(&ctx, sizeof(block), block); ++ sha256_digest(&ctx, sizeof(hash), hash); ++ ++ if (memcmp(hash, fctx->entropy_hash, sizeof(hash)) == 0) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); ++ } ++ memcpy(fctx->entropy_hash, hash, sizeof(hash)); ++ ++ memcpy(buffer, block, MIN(length - total, sizeof(block))); ++ total += sizeof(block); ++ buffer += sizeof(block); ++ } ++ zeroize_key(block, sizeof(block)); ++ ++ return 0; ++} ++ + #define PSTRING "gnutls-rng" + #define PSTRING_SIZE (sizeof(PSTRING)-1) +-static int drbg_init(struct drbg_aes_ctx *ctx) ++static int drbg_init(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx) + { + uint8_t buffer[DRBG_AES_SEED_SIZE]; + int ret; + +- /* Get a key from the standard RNG or from the entropy source. */ +- ret = _rnd_get_system_entropy(buffer, sizeof(buffer)); ++ ret = get_entropy(fctx, buffer, sizeof(buffer)); + if (ret < 0) + return gnutls_assert_val(ret); + +- ret = drbg_aes_init(ctx, sizeof(buffer), buffer, PSTRING_SIZE, (void*)PSTRING); ++ ret = drbg_aes_init(ctx, sizeof(buffer), buffer, ++ PSTRING_SIZE, (void*)PSTRING); ++ zeroize_key(buffer, sizeof(buffer)); + if (ret == 0) + return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); + +- zeroize_key(buffer, sizeof(buffer)); +- +- return 0; ++ return GNUTLS_E_SUCCESS; + } + + /* Reseed a generator. */ +-static int drbg_reseed(struct drbg_aes_ctx *ctx) ++static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx) + { + uint8_t buffer[DRBG_AES_SEED_SIZE]; + int ret; + +- /* The other two generators are seeded from /dev/random. */ +- ret = _rnd_get_system_entropy(buffer, sizeof(buffer)); ++ ret = get_entropy(fctx, buffer, sizeof(buffer)); + if (ret < 0) + return gnutls_assert_val(ret); + +- drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL); ++ ret = drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL); ++ zeroize_key(buffer, sizeof(buffer)); ++ if (ret == 0) ++ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); + +- return 0; ++ return GNUTLS_E_SUCCESS; + } + + static int _rngfips_ctx_init(struct fips_ctx *fctx) + { ++ uint8_t block[ENTROPY_BLOCK_SIZE]; ++ struct sha256_ctx ctx; + int ret; + ++ /* For FIPS 140-2 4.9.2 continuous random number generator ++ * test, get the initial entropy from the system RNG and keep ++ * it for comparison. ++ * ++ * Note that we store the hash of the entropy block rather ++ * than the block itself for backward secrecy. ++ */ ++ ret = _rnd_get_system_entropy(block, sizeof(block)); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ sha256_init(&ctx); ++ sha256_update(&ctx, sizeof(block), block); ++ zeroize_key(block, sizeof(block)); ++ sha256_digest(&ctx, sizeof(fctx->entropy_hash), fctx->entropy_hash); ++ + /* normal */ +- ret = drbg_init(&fctx->normal_context); ++ ret = drbg_init(fctx, &fctx->normal_context); + if (ret < 0) + return gnutls_assert_val(ret); + + /* nonce */ +- ret = drbg_init(&fctx->nonce_context); ++ ret = drbg_init(fctx, &fctx->nonce_context); + if (ret < 0) + return gnutls_assert_val(ret); + +@@ -132,12 +192,12 @@ static int _rngfips_ctx_reinit(struct fips_ctx *fctx) + int ret; + + /* normal */ +- ret = drbg_reseed(&fctx->normal_context); ++ ret = drbg_reseed(fctx, &fctx->normal_context); + if (ret < 0) + return gnutls_assert_val(ret); + + /* nonce */ +- ret = drbg_reseed(&fctx->nonce_context); ++ ret = drbg_reseed(fctx, &fctx->nonce_context); + if (ret < 0) + return gnutls_assert_val(ret); + +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch b/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch new file mode 100644 index 0000000..93fdfe3 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch @@ -0,0 +1,124 @@ +From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2019 17:01:05 +0200 +Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests + +Nettle's RSA signing, encryption and decryption functions still +require randomness for blinding, so fallback to use a fixed buffer in +selftests where entropy might not be available. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index b2d27cf74..772fcdc21 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) + nettle_mpz_get_str_256 (length, data, *k); + } + ++static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) ++{ ++ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ } ++ ++ memset(data, 0xAA, length); ++} ++ + static void + ecc_scalar_zclear (struct ecc_scalar *s) + { +@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + case GNUTLS_PK_RSA: + { + struct rsa_public_key pub; ++ nettle_random_func *random_func; + + ret = _rsa_params_to_pubkey(pk_params, &pub); + if (ret < 0) { +@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_encrypt(&pub, NULL, rnd_nonce_func, ++ rsa_encrypt(&pub, NULL, random_func, + plaintext->size, plaintext->data, + p); + if (ret == 0 || HAVE_LIB_ERROR()) { +@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + struct rsa_public_key pub; + size_t length; + bigint_t c; ++ nettle_random_func *random_func; + + _rsa_params_to_privkey(pk_params, &priv); + ret = _rsa_params_to_pubkey(pk_params, &pub); +@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_decrypt_tr(&pub, &priv, NULL, random_func, + &length, plaintext->data, + TOMPZ(c)); + _gnutls_mpi_release(&c); +@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + bigint_t c; + uint32_t is_err; + int ret; ++ nettle_random_func *random_func; + + if (algo != GNUTLS_PK_RSA || plaintext == NULL) { + gnutls_assert(); +@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); + } + +- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; ++ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, + plaintext_size, plaintext, TOMPZ(c)); + /* after this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + { + struct rsa_private_key priv; + struct rsa_public_key pub; ++ nettle_random_func *random_func; + mpz_t s; + + _rsa_params_to_privkey(pk_params, &priv); +@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + + mpz_init(s); + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, + vdata->size, vdata->data, s); + if (ret == 0 || HAVE_LIB_ERROR()) { + gnutls_assert(); +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch new file mode 100644 index 0000000..0194c6c --- /dev/null +++ b/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch @@ -0,0 +1,767 @@ +From bbb312749780928cc10b45662c6d7eadcaa98f0b Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 3 Oct 2019 10:34:18 +0200 +Subject: [PATCH 1/3] iov: _gnutls_iov_iter_next: return bytes instead of + blocks + +This eliminates the need of special handling of final block. Also +adds more tests in exceptional cases. + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 82 +++++------------------------- + lib/iov.c | 31 +++++++++--- + tests/iov.c | 126 ++++++++++++++++++++++++++++++++--------------- + 3 files changed, 121 insertions(+), 118 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 09b3d7bfc..41e759b74 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -992,9 +992,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + uint8_t *dst; + size_t dst_size, total = 0; + uint8_t *p; ++ size_t len; + size_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; +- size_t blocks; + + /* Limitation: this function provides an optimization under the internally registered + * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), +@@ -1045,15 +1045,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, +- blocksize * blocks); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- } +- if (iter.block_offset > 0) { +- ret = _gnutls_cipher_auth(&handle->ctx_enc, +- iter.block, iter.block_offset); ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +@@ -1070,29 +1062,15 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- if (unlikely(dst_size < blocksize * blocks)) +- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); +- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, +- blocksize * blocks, +- dst, dst_size); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- DECR_LEN(dst_size, blocksize * blocks); +- dst += blocksize * blocks; +- total += blocksize * blocks; +- } +- if (iter.block_offset > 0) { +- if (unlikely(dst_size < iter.block_offset)) +- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); ++ len = ret; + ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, +- iter.block, iter.block_offset, ++ p, len, + dst, dst_size); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); +- DECR_LEN(dst_size, iter.block_offset); +- dst += iter.block_offset; +- total += iter.block_offset; ++ DECR_LEN(dst_size, len); ++ dst += len; ++ total += len; + } + + if (dst_size < tag_size) +@@ -1137,7 +1115,6 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, + uint8_t *p; + ssize_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; +- size_t blocks; + size_t _tag_size; + + if (tag_size == NULL || *tag_size == 0) +@@ -1220,15 +1197,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, +- blocksize * blocks); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- } +- if (iter.block_offset > 0) { +- ret = _gnutls_cipher_auth(&handle->ctx_enc, +- iter.block, iter.block_offset); ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +@@ -1242,17 +1211,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, +- p, blocksize * blocks, +- p, blocksize * blocks); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- } +- if (iter.block_offset > 0) { +- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, +- iter.block, iter.block_offset, +- iter.block, iter.block_offset); ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +@@ -1296,7 +1255,6 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, + uint8_t *p; + ssize_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; +- size_t blocks; + uint8_t _tag[MAX_HASH_SIZE]; + + if (tag_size == 0) +@@ -1370,15 +1328,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, +- blocksize * blocks); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- } +- if (iter.block_offset > 0) { +- ret = _gnutls_cipher_auth(&handle->ctx_enc, +- iter.block, iter.block_offset); ++ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +@@ -1392,17 +1342,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- blocks = ret; +- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, +- p, blocksize * blocks, +- p, blocksize * blocks); +- if (unlikely(ret < 0)) +- return gnutls_assert_val(ret); +- } +- if (iter.block_offset > 0) { +- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, +- iter.block, iter.block_offset, +- iter.block, iter.block_offset); ++ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +diff --git a/lib/iov.c b/lib/iov.c +index 5dc29c54b..17272886c 100644 +--- a/lib/iov.c ++++ b/lib/iov.c +@@ -58,8 +58,8 @@ _gnutls_iov_iter_init(struct iov_iter_st *iter, + * @data: the return location of extracted data + * + * Retrieve block(s) pointed by @iter and advance it to the next +- * position. It returns the number of consecutive blocks in @data. +- * At the end of iteration, 0 is returned. ++ * position. It returns the number of bytes in @data. At the end of ++ * iteration, 0 is returned. + * + * If the data stored in @iter is not multiple of the block size, the + * remaining data is stored in the "block" field of @iter with the +@@ -88,25 +88,30 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) + if ((len % iter->block_size) == 0) { + iter->iov_index++; + iter->iov_offset = 0; +- } else +- iter->iov_offset += +- len - (len % iter->block_size); ++ } else { ++ len -= (len % iter->block_size); ++ iter->iov_offset += len; ++ } + + /* Return the blocks. */ + *data = p; +- return len / iter->block_size; ++ return len; + } + + /* We can complete one full block to return. */ + block_left = iter->block_size - iter->block_offset; + if (len >= block_left) { + memcpy(iter->block + iter->block_offset, p, block_left); +- iter->iov_offset += block_left; ++ if (len == block_left) { ++ iter->iov_index++; ++ iter->iov_offset = 0; ++ } else ++ iter->iov_offset += block_left; + iter->block_offset = 0; + + /* Return the filled block. */ + *data = iter->block; +- return 1; ++ return iter->block_size; + } + + /* Not enough data for a full block, store in temp +@@ -116,5 +121,15 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) + iter->iov_index++; + iter->iov_offset = 0; + } ++ ++ if (iter->block_offset > 0) { ++ size_t len = iter->block_offset; ++ ++ /* Return the incomplete block. */ ++ *data = iter->block; ++ iter->block_offset = 0; ++ return len; ++ } ++ + return 0; + } +diff --git a/tests/iov.c b/tests/iov.c +index eda5583a7..3d116b471 100644 +--- a/tests/iov.c ++++ b/tests/iov.c +@@ -32,7 +32,6 @@ struct exp_st { + ssize_t ret; + size_t iov_index; + size_t iov_offset; +- size_t block_offset; + }; + + struct test_st { +@@ -42,7 +41,6 @@ struct test_st { + size_t block_size; + const struct exp_st *exp; + size_t expcnt; +- size_t remaining; + }; + + static const giovec_t iov16[] = { +@@ -53,40 +51,41 @@ static const giovec_t iov16[] = { + }; + + static const struct exp_st exp16_64[] = { +- {1, 3, 16, 0}, +- {0, 0, 0, 0} ++ {64, 4, 0}, ++ {0, 0, 0} + }; + + static const struct exp_st exp16_32[] = { +- {1, 1, 16, 0}, +- {1, 3, 16, 0}, +- {0, 0, 0, 0} ++ {32, 2, 0}, ++ {32, 4, 0}, ++ {0, 0, 0} + }; + + static const struct exp_st exp16_16[] = { +- {1, 1, 0, 0}, +- {1, 2, 0, 0}, +- {1, 3, 0, 0}, +- {1, 4, 0, 0}, +- {0, 0, 0, 0} ++ {16, 1, 0}, ++ {16, 2, 0}, ++ {16, 3, 0}, ++ {16, 4, 0}, ++ {0, 0, 0} + }; + + static const struct exp_st exp16_4[] = { +- {4, 1, 0, 0}, +- {4, 2, 0, 0}, +- {4, 3, 0, 0}, +- {4, 4, 0, 0}, +- {0, 0, 0, 0} ++ {16, 1, 0}, ++ {16, 2, 0}, ++ {16, 3, 0}, ++ {16, 4, 0}, ++ {0, 0, 0} + }; + + static const struct exp_st exp16_3[] = { +- {5, 0, 15, 0}, +- {1, 1, 2, 0}, +- {4, 1, 14, 0}, +- {1, 2, 1, 0}, +- {5, 3, 0, 0}, +- {5, 3, 15, 0}, +- {0, 0, 0, 1} ++ {15, 0, 15}, ++ {3, 1, 2}, ++ {12, 1, 14}, ++ {3, 2, 1}, ++ {15, 3, 0}, ++ {15, 3, 15}, ++ {1, 4, 0}, ++ {0, 0, 0} + }; + + static const giovec_t iov8[] = { +@@ -97,22 +96,74 @@ static const giovec_t iov8[] = { + }; + + static const struct exp_st exp8_64[] = { +- {0, 0, 0, 32} ++ {32, 4, 0}, ++ {0, 0, 0} ++}; ++ ++static const giovec_t iov_odd[] = { ++ {(void *) "0", 1}, ++ {(void *) "012", 3}, ++ {(void *) "01234", 5}, ++ {(void *) "0123456", 7}, ++ {(void *) "012345678", 9}, ++ {(void *) "01234567890", 11}, ++ {(void *) "0123456789012", 13}, ++ {(void *) "012345678901234", 15} ++}; ++ ++static const struct exp_st exp_odd_16[] = { ++ {16, 4, 0}, ++ {16, 5, 7}, ++ {16, 6, 12}, ++ {16, 8, 0}, ++ {0, 0, 0} ++}; ++ ++static const giovec_t iov_skip[] = { ++ {(void *) "0123456789012345", 16}, ++ {(void *) "01234567", 8}, ++ {(void *) "", 0}, ++ {(void *) "", 0}, ++ {(void *) "0123456789012345", 16} ++}; ++ ++static const struct exp_st exp_skip_16[] = { ++ {16, 1, 0}, ++ {16, 4, 8}, ++ {8, 5, 0}, ++ {0, 0, 0} ++}; ++ ++static const giovec_t iov_empty[] = { ++ {(void *) "", 0}, ++ {(void *) "", 0}, ++ {(void *) "", 0}, ++ {(void *) "", 0} ++}; ++ ++static const struct exp_st exp_empty_16[] = { ++ {0, 0, 0} + }; + + static const struct test_st tests[] = { + { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64, +- exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 }, ++ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]) }, + { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32, +- exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 }, ++ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]) }, + { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16, +- exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 }, ++ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]) }, + { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4, +- exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 }, ++ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]) }, + { "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3, +- exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 }, ++ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]) }, + { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64, +- exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 } ++ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]) }, ++ { "odd/16", iov_odd, sizeof(iov_odd)/sizeof(iov_odd[0]), 16, ++ exp_odd_16, sizeof(exp_odd_16)/sizeof(exp_odd_16[0]) }, ++ { "skip/16", iov_skip, sizeof(iov_skip)/sizeof(iov_skip[0]), 16, ++ exp_skip_16, sizeof(exp_skip_16)/sizeof(exp_skip_16[0]) }, ++ { "empty/16", iov_empty, sizeof(iov_empty)/sizeof(iov_empty[0]), 16, ++ exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) }, + }; + + void +@@ -155,16 +206,13 @@ doit (void) + else if (debug) + success("iter.iov_offset: %u == %u\n", + (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); +- if (iter.block_offset != exp[j].block_offset) +- fail("iter.block_offset: %u != %u\n", +- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); ++ if (iter.block_offset != 0) ++ fail("iter.block_offset: %u != 0\n", ++ (unsigned) iter.block_offset); + else if (debug) +- success("iter.block_offset: %u == %u\n", +- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); ++ success("iter.block_offset: %u == 0\n", ++ (unsigned) iter.block_offset); + } + } +- if (iter.block_offset != tests[i].remaining) +- fail("remaining: %u != %u\n", +- (unsigned) iter.block_offset, (unsigned) tests[i].remaining); + } + } +-- +2.21.0 + + +From c684814cc456a9792a9183ce77d32d435f29e6b7 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 1 Oct 2019 18:14:48 +0200 +Subject: [PATCH 2/3] iov: add _gnutls_iov_iter_sync to write back cached data + to iov + +Signed-off-by: Daiki Ueno +--- + lib/iov.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ + lib/iov.h | 4 +++- + lib/libgnutls.map | 1 + + tests/iov.c | 61 +++++++++++++++++++++++++++++++++++++++++++---- + 4 files changed, 119 insertions(+), 6 deletions(-) + +diff --git a/lib/iov.c b/lib/iov.c +index 17272886c..1cd8d46dd 100644 +--- a/lib/iov.c ++++ b/lib/iov.c +@@ -133,3 +133,62 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) + + return 0; + } ++ ++/** ++ * _gnutls_iov_iter_sync: ++ * @iter: the iterator ++ * @data: data returned by _gnutls_iov_iter_next ++ * @data_size: size of @data ++ * ++ * Flush the content of temp buffer (if any) to the data buffer. ++ */ ++int ++_gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data, ++ size_t data_size) ++{ ++ size_t iov_index; ++ size_t iov_offset; ++ ++ /* We didn't return the cached block. */ ++ if (data != iter->block) ++ return 0; ++ ++ iov_index = iter->iov_index; ++ iov_offset = iter->iov_offset; ++ ++ /* When syncing a cache block we walk backwards because we only have a ++ * pointer to were the block ends in the iovec, walking backwards is ++ * fine as we are always writing a full block, so the whole content ++ * is written in the right places: ++ * iovec: |--0--|---1---|--2--|-3-| ++ * block: |-----------------------| ++ * 1st write |---| ++ * 2nd write |----- ++ * 3rd write |------- ++ * last write |----- ++ */ ++ while (data_size > 0) { ++ const giovec_t *iov; ++ uint8_t *p; ++ size_t to_write; ++ ++ while (iov_offset == 0) { ++ if (unlikely(iov_index == 0)) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ ++ iov_index--; ++ iov_offset = iter->iov[iov_index].iov_len; ++ } ++ ++ iov = &iter->iov[iov_index]; ++ p = iov->iov_base; ++ to_write = MIN(data_size, iov_offset); ++ ++ iov_offset -= to_write; ++ data_size -= to_write; ++ ++ memcpy(p + iov_offset, &iter->block[data_size], to_write); ++ } ++ ++ return 0; ++} +diff --git a/lib/iov.h b/lib/iov.h +index 47fba559a..5b9903460 100644 +--- a/lib/iov.h ++++ b/lib/iov.h +@@ -34,7 +34,6 @@ struct iov_iter_st { + uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */ + size_t block_size; /* actual block size of the cipher */ + size_t block_offset; /* offset in block */ +- + }; + + int _gnutls_iov_iter_init(struct iov_iter_st *iter, +@@ -43,4 +42,7 @@ int _gnutls_iov_iter_init(struct iov_iter_st *iter, + + ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data); + ++int _gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data, ++ size_t data_size); ++ + #endif /* GNUTLS_LIB_IOV_H */ +diff --git a/lib/libgnutls.map b/lib/libgnutls.map +index f83a21e9b..d6973f72e 100644 +--- a/lib/libgnutls.map ++++ b/lib/libgnutls.map +@@ -1394,4 +1394,5 @@ GNUTLS_PRIVATE_3_4 { + # needed by tests/iov: + _gnutls_iov_iter_init; + _gnutls_iov_iter_next; ++ _gnutls_iov_iter_sync; + } GNUTLS_3_4; +diff --git a/tests/iov.c b/tests/iov.c +index 3d116b471..2acd2b5f5 100644 +--- a/tests/iov.c ++++ b/tests/iov.c +@@ -44,10 +44,10 @@ struct test_st { + }; + + static const giovec_t iov16[] = { +- {(void *) "0123456789abcdef", 16}, +- {(void *) "0123456789abcdef", 16}, +- {(void *) "0123456789abcdef", 16}, +- {(void *) "0123456789abcdef", 16} ++ {(void *) "0123456789012345", 16}, ++ {(void *) "0123456789012345", 16}, ++ {(void *) "0123456789012345", 16}, ++ {(void *) "0123456789012345", 16} + }; + + static const struct exp_st exp16_64[] = { +@@ -166,20 +166,53 @@ static const struct test_st tests[] = { + exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) }, + }; + ++static void ++copy(giovec_t *dst, uint8_t *buffer, const giovec_t *src, size_t iovcnt) ++{ ++ uint8_t *p = buffer; ++ size_t i; ++ ++ for (i = 0; i < iovcnt; i++) { ++ dst[i].iov_base = p; ++ dst[i].iov_len = src[i].iov_len; ++ memcpy(dst[i].iov_base, src[i].iov_base, src[i].iov_len); ++ p += src[i].iov_len; ++ } ++} ++ ++static void ++translate(uint8_t *data, size_t len) ++{ ++ for (; len > 0; len--) { ++ uint8_t *p = &data[len - 1]; ++ if (*p >= '0' && *p <= '9') ++ *p = 'A' + *p - '0'; ++ else if (*p >= 'A' && *p <= 'Z') ++ *p = '0' + *p - 'A'; ++ } ++} ++ ++#define MAX_BUF 1024 ++#define MAX_IOV 16 ++ + void + doit (void) + { ++ uint8_t buffer[MAX_BUF]; + size_t i; + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { ++ giovec_t iov[MAX_IOV]; + struct iov_iter_st iter; + const struct exp_st *exp = tests[i].exp; + uint8_t *data; + size_t j; + ++ copy(iov, buffer, tests[i].iov, tests[i].iovcnt); ++ + success("%s\n", tests[i].name); + assert(_gnutls_iov_iter_init(&iter, +- tests[i].iov, tests[i].iovcnt, ++ iov, tests[i].iovcnt, + tests[i].block_size) == 0); + for (j = 0; j < tests[i].expcnt; j++) { + ssize_t ret; +@@ -212,7 +245,25 @@ doit (void) + else if (debug) + success("iter.block_offset: %u == 0\n", + (unsigned) iter.block_offset); ++ ++ translate(data, ret); ++ ++ ret = _gnutls_iov_iter_sync(&iter, data, ret); ++ if (ret < 0) ++ fail("sync failed\n"); + } + } ++ ++ for (j = 0; j < tests[i].iovcnt; j++) { ++ translate(iov[j].iov_base, iov[j].iov_len); ++ ++ if (memcmp(iov[j].iov_base, tests[i].iov[j].iov_base, ++ iov[j].iov_len) != 0) ++ fail("iov doesn't match: %*s != %*s\n", ++ (int)iov[j].iov_len, ++ (char *)iov[j].iov_base, ++ (int)tests[i].iov[j].iov_len, ++ (char *)tests[i].iov[j].iov_len); ++ } + } + } +-- +2.21.0 + + +From 6df0cf1c0ec727fc237a9b429684c8f2ef5d34b7 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 1 Oct 2019 18:15:19 +0200 +Subject: [PATCH 3/3] gnutls_aead_cipher_{en,de}cryptv2: write back cached data + to buffers + +Previously, those functions failed to write the output to the buffers +if the buffer length is not multiple of cipher block size. This makes +sure that the cached data is always flushed. + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 18 ++++++++++++++++-- + tests/aead-cipher-vec.c | 14 ++++++++------ + 2 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 41e759b74..7308d7e7b 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -1113,6 +1113,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, + api_aead_cipher_hd_st *h = handle; + ssize_t ret; + uint8_t *p; ++ size_t len; + ssize_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; + size_t _tag_size; +@@ -1211,7 +1212,13 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret); ++ ++ len = ret; ++ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, len, p, len); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ ++ ret = _gnutls_iov_iter_sync(&iter, p, len); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +@@ -1253,6 +1260,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, + api_aead_cipher_hd_st *h = handle; + ssize_t ret; + uint8_t *p; ++ size_t len; + ssize_t blocksize = handle->ctx_enc.e->blocksize; + struct iov_iter_st iter; + uint8_t _tag[MAX_HASH_SIZE]; +@@ -1342,7 +1350,13 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, + return gnutls_assert_val(ret); + if (ret == 0) + break; +- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret); ++ ++ len = ret; ++ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, len, p, len); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ ++ ret = _gnutls_iov_iter_sync(&iter, p, len); + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + } +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +index 6c2542cf1..10e3db862 100644 +--- a/tests/aead-cipher-vec.c ++++ b/tests/aead-cipher-vec.c +@@ -43,9 +43,9 @@ static void start(const char *name, int algo) + uint8_t key16[64]; + uint8_t iv16[32]; + uint8_t auth[128]; +- uint8_t data[128+64]; ++ uint8_t data[64+56+36]; + gnutls_datum_t key, iv; +- giovec_t iov[2]; ++ giovec_t iov[3]; + giovec_t auth_iov[2]; + uint8_t tag[64]; + size_t tag_size = 0; +@@ -60,13 +60,15 @@ static void start(const char *name, int algo) + + memset(iv.data, 0xff, iv.size); + memset(key.data, 0xfe, key.size); +- memset(data, 0xfa, 128); ++ memset(data, 0xfa, sizeof(data)); + memset(auth, 0xaa, sizeof(auth)); + + iov[0].iov_base = data; + iov[0].iov_len = 64; + iov[1].iov_base = data + 64; +- iov[1].iov_len = 64; ++ iov[1].iov_len = 56; ++ iov[2].iov_base = data + 64 + 56; ++ iov[2].iov_len = 36; + + auth_iov[0].iov_base = auth; + auth_iov[0].iov_len = 64; +@@ -83,7 +85,7 @@ static void start(const char *name, int algo) + ret = gnutls_aead_cipher_encryptv2(ch, + iv.data, iv.size, + auth_iov, 2, +- iov, 2, ++ iov, 3, + tag, &tag_size); + if (ret < 0) + fail("could not encrypt data: %s\n", gnutls_strerror(ret)); +@@ -91,7 +93,7 @@ static void start(const char *name, int algo) + ret = gnutls_aead_cipher_decryptv2(ch, + iv.data, iv.size, + auth_iov, 2, +- iov, 2, ++ iov, 3, + tag, tag_size); + if (ret < 0) + fail("could not decrypt data: %s\n", gnutls_strerror(ret)); +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch b/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch new file mode 100644 index 0000000..738069b --- /dev/null +++ b/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch @@ -0,0 +1,204 @@ +From 1c2135506825ae80966fe2797613806916b7e3c0 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 6 Nov 2019 12:07:24 +0100 +Subject: [PATCH 1/2] nettle: backport fixes to cfb8_decrypt + +cfb8: don't truncate output IV if input is shorter than block size: +https://git.lysator.liu.se/nettle/nettle/commit/f4a9c842621baf5d71aa9cc3989851f44dc46861 + +Signed-off-by: Daiki Ueno +--- + lib/nettle/backport/cfb8.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/backport/cfb8.c b/lib/nettle/backport/cfb8.c +index e9816feb7..1762192f4 100644 +--- a/lib/nettle/backport/cfb8.c ++++ b/lib/nettle/backport/cfb8.c +@@ -110,10 +110,12 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + src += i; + dst += i; + +- memcpy(buffer, buffer + block_size, block_size); +- memcpy(buffer + block_size, src, +- length < block_size ? length : block_size); +- ++ if (i == block_size) ++ { ++ memcpy(buffer, buffer + block_size, block_size); ++ memcpy(buffer + block_size, src, ++ length < block_size ? length : block_size); ++ } + } + + memcpy(iv, buffer + i, block_size); +-- +2.21.0 + + +From cc01347302678719f0bcfb4f3383fe0f1e905ed8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 6 Nov 2019 13:17:57 +0100 +Subject: [PATCH 2/2] crypto-selftests: test CFB8 ciphers with different + chunksizes + +Signed-off-by: Guenther Deschner +Signed-off-by: Daiki Ueno +--- + lib/crypto-selftests.c | 124 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 118 insertions(+), 6 deletions(-) + +diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c +index 6caf817e8..5f0a4ec8b 100644 +--- a/lib/crypto-selftests.c ++++ b/lib/crypto-selftests.c +@@ -710,6 +710,107 @@ static int test_cipher(gnutls_cipher_algorithm_t cipher, + return 0; + } + ++static int test_cipher_all_block_sizes(gnutls_cipher_algorithm_t cipher, ++ const struct cipher_vectors_st *vectors, ++ size_t vectors_size, unsigned flags) ++{ ++ gnutls_cipher_hd_t hd; ++ int ret; ++ unsigned int i; ++ uint8_t tmp[384]; ++ gnutls_datum_t key, iv = {NULL, 0}; ++ size_t block; ++ size_t offset; ++ ++ for (i = 0; i < vectors_size; i++) { ++ for (block = 1; block <= vectors[i].plaintext_size; block++) { ++ key.data = (void *) vectors[i].key; ++ key.size = vectors[i].key_size; ++ ++ iv.data = (void *) vectors[i].iv; ++ iv.size = gnutls_cipher_get_iv_size(cipher); ++ ++ if (iv.size != vectors[i].iv_size) ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ ++ ret = gnutls_cipher_init(&hd, cipher, &key, &iv); ++ if (ret < 0) { ++ _gnutls_debug_log("error initializing: %s\n", ++ gnutls_cipher_get_name(cipher)); ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ } ++ ++ for (offset = 0; ++ offset < vectors[i].plaintext_size; ++ offset += block) { ++ ret = ++ gnutls_cipher_encrypt2(hd, ++ vectors[i].plaintext + offset, ++ MIN(block, vectors[i].plaintext_size - offset), ++ tmp + offset, ++ sizeof(tmp) - offset); ++ if (ret < 0) ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ } ++ ++ if (memcmp ++ (tmp, vectors[i].ciphertext, ++ vectors[i].plaintext_size) != 0) { ++ _gnutls_debug_log("%s encryption of test vector %d failed with block size %d/%d!\n", ++ gnutls_cipher_get_name(cipher), ++ i, (int)block, (int)vectors[i].plaintext_size); ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ } ++ ++ gnutls_cipher_deinit(hd); ++ } ++ } ++ ++ for (i = 0; i < vectors_size; i++) { ++ for (block = 1; block <= vectors[i].plaintext_size; block++) { ++ key.data = (void *) vectors[i].key; ++ key.size = vectors[i].key_size; ++ ++ iv.data = (void *) vectors[i].iv; ++ iv.size = gnutls_cipher_get_iv_size(cipher); ++ ++ ret = gnutls_cipher_init(&hd, cipher, &key, &iv); ++ if (ret < 0) ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ ++ for (offset = 0; ++ offset + block <= vectors[i].plaintext_size; ++ offset += block) { ++ ret = ++ gnutls_cipher_decrypt2(hd, ++ vectors[i].ciphertext + offset, ++ MIN(block, vectors[i].plaintext_size - offset), ++ tmp + offset, ++ sizeof(tmp) - offset); ++ if (ret < 0) ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ } ++ ++ if (memcmp ++ (tmp, vectors[i].plaintext, ++ vectors[i].plaintext_size) != 0) { ++ _gnutls_debug_log("%s decryption of test vector %d failed with block size %d!\n", ++ gnutls_cipher_get_name(cipher), ++ i, (int)block); ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); ++ } ++ ++ gnutls_cipher_deinit(hd); ++ } ++ } ++ ++ _gnutls_debug_log ++ ("%s self check succeeded\n", ++ gnutls_cipher_get_name(cipher)); ++ ++ return 0; ++} ++ + /* AEAD modes (compat APIs) */ + static int test_cipher_aead_compat(gnutls_cipher_algorithm_t cipher, + const struct cipher_aead_vectors_st *vectors, +@@ -1721,6 +1822,14 @@ static int test_mac(gnutls_mac_algorithm_t mac, + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ + return ret + ++#define CASE2(x, func, func2, vectors) case x: \ ++ ret = func(x, V(vectors), flags); \ ++ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ ++ return ret; \ ++ ret = func2(x, V(vectors), flags); \ ++ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ ++ return ret ++ + #define NON_FIPS_CASE(x, func, vectors) case x: \ + if (_gnutls_fips_mode_enabled() == 0) { \ + ret = func(x, V(vectors), flags); \ +@@ -1786,14 +1895,17 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher) + NON_FIPS_CASE(GNUTLS_CIPHER_CHACHA20_POLY1305, test_cipher_aead, + chacha_poly1305_vectors); + FALLTHROUGH; +- CASE(GNUTLS_CIPHER_AES_128_CFB8, test_cipher, +- aes128_cfb8_vectors); ++ CASE2(GNUTLS_CIPHER_AES_128_CFB8, test_cipher, ++ test_cipher_all_block_sizes, ++ aes128_cfb8_vectors); + FALLTHROUGH; +- CASE(GNUTLS_CIPHER_AES_192_CFB8, test_cipher, +- aes192_cfb8_vectors); ++ CASE2(GNUTLS_CIPHER_AES_192_CFB8, test_cipher, ++ test_cipher_all_block_sizes, ++ aes192_cfb8_vectors); + FALLTHROUGH; +- CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher, +- aes256_cfb8_vectors); ++ CASE2(GNUTLS_CIPHER_AES_256_CFB8, test_cipher, ++ test_cipher_all_block_sizes, ++ aes256_cfb8_vectors); + FALLTHROUGH; + CASE(GNUTLS_CIPHER_AES_128_XTS, test_cipher, + aes128_xts_vectors); +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch b/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch new file mode 100644 index 0000000..6135dca --- /dev/null +++ b/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch @@ -0,0 +1,265 @@ +From fa5147c86941512921282b84819b896a0d4f29bb Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 19 Jun 2019 17:21:16 +0200 +Subject: [PATCH] pkcs11: ignore login error when traversing tokens + +If a token is a general access device, it is expected that login +attempt to that token returns error: +https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852 + +On the other hand, _pkcs11_traverse_tokens treats the error as fatal +and stops iteration. This behavior prevents object search without +token specifier if such tokens are registered in the system. + +Reported by Stanislav Zidek in +https://bugzilla.redhat.com/show_bug.cgi?id=1705478 + +Signed-off-by: Daiki Ueno +--- + .gitignore | 1 + + lib/pkcs11.c | 8 +- + tests/Makefile.am | 2 +- + tests/p11-kit-load.sh | 23 ++++++ + tests/pkcs11/list-objects.c | 150 ++++++++++++++++++++++++++++++++++++ + 5 files changed, 182 insertions(+), 2 deletions(-) + create mode 100644 tests/pkcs11/list-objects.c + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index de5309b29..2ef0e3e02 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -1617,7 +1617,13 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input, + info, flags); + if (ret < 0) { + gnutls_assert(); +- return ret; ++ pkcs11_close_session(&sinfo); ++ ++ /* treat the error as fatal only if ++ * the token requires login */ ++ if (l_tinfo.flags & CKF_LOGIN_REQUIRED) ++ return ret; ++ continue; + } + + ret = +diff --git a/tests/Makefile.am b/tests/Makefile.am +index a67f1549c..7fe954f63 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -496,7 +496,7 @@ dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh + if HAVE_PKCS11_TRUST_STORE + if P11KIT_0_23_11_API + dist_check_SCRIPTS += p11-kit-load.sh +-indirect_tests += pkcs11/list-tokens ++indirect_tests += pkcs11/list-tokens pkcs11/list-objects + endif + endif + +diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh +index 3201a2c5f..419900f6a 100755 +--- a/tests/p11-kit-load.sh ++++ b/tests/p11-kit-load.sh +@@ -22,6 +22,7 @@ + srcdir="${srcdir:-.}" + builddir="${builddir:-.}" + CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" ++P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}" + DIFF="${DIFF:-diff}" + PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}" + TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp" +@@ -90,6 +91,12 @@ if test $? != 0; then + exit 1 + fi + ++GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null ++if test $? != 0; then ++ echo "failed to generate privkey" ++ exit 1 ++fi ++ + FILTERTOKEN="sed s/token=.*//g" + + # Check whether both are listed +@@ -175,6 +182,22 @@ if test "$nr" != 2;then + exit 1 + fi + ++# Check whether public key and privkey are listed. ++nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test|sort -u|wc -l) ++if test "$nr" != 2;then ++ echo "Error in test 8: did not find all objects" ++ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test ++ exit 1 ++fi ++ ++# Check whether all privkeys are listed even if trust module is registered. ++nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:|sort -u|wc -l) ++if test "$nr" != 1;then ++ echo "Error in test 9: did not find privkey objects" ++ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11: ++ exit 1 ++fi ++ + rm -f ${P11DIR}/* + rm -rf ${TMP_SOFTHSM_DIR} + +diff --git a/tests/pkcs11/list-objects.c b/tests/pkcs11/list-objects.c +new file mode 100644 +index 000000000..ab30cd568 +--- /dev/null ++++ b/tests/pkcs11/list-objects.c +@@ -0,0 +1,150 @@ ++/* ++ * Copyright (C) 2016-2017 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#define P11_KIT_FUTURE_UNSTABLE_API ++#include ++#include "cert-common.h" ++ ++/* lists the registered PKCS#11 modules by p11-kit. ++ */ ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static const char *opt_pin; ++ ++static ++int pin_func(void* userdata, int attempt, const char* url, const char *label, ++ unsigned flags, char *pin, size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, opt_pin); ++ return 0; ++ } ++ return -1; ++} ++ ++int main(int argc, char **argv) ++{ ++ int ret; ++ unsigned i; ++ int opt; ++ char *url, *mod; ++ unsigned flags; ++ unsigned obj_flags = 0; ++ int attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL; ++ gnutls_pkcs11_obj_t *crt_list; ++ unsigned int crt_list_size = 0; ++ const char *envvar; ++ ++ ret = gnutls_global_init(); ++ if (ret != 0) { ++ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_global_set_log_function(tls_log_func); ++ ++ while((opt = getopt(argc, argv, "o:t:")) != -1) { ++ switch(opt) { ++ case 'o': ++ mod = strdup(optarg); ++ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL); ++ break; ++ case 't': ++ /* specify the object type to list */ ++ if (strcmp(optarg, "all") == 0) ++ attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL; ++ else if (strcmp(optarg, "privkey") == 0) ++ attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY; ++ else { ++ fprintf(stderr, "Unknown object type %s\n", optarg); ++ exit(1); ++ } ++ break; ++ default: ++ fprintf(stderr, "Unknown option %c\n", (char)opt); ++ exit(1); ++ } ++ } ++ ++ if (optind == argc) { ++ fprintf(stderr, "specify URL\n"); ++ exit(1); ++ } ++ url = argv[optind]; ++ ++ envvar = getenv("GNUTLS_PIN"); ++ if (envvar && *envvar != '\0') { ++ opt_pin = envvar; ++ obj_flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN; ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ } ++ ++ ret = gnutls_pkcs11_token_get_flags(url, &flags); ++ if (ret < 0) { ++ flags = 0; ++ } ++ ++ ret = ++ gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size, ++ url, attrs, obj_flags); ++ if (ret != 0) { ++ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ for (i = 0; i < crt_list_size; i++) { ++ char *output; ++ ++ ret = ++ gnutls_pkcs11_obj_export_url(crt_list[i], 0, ++ &output); ++ if (ret != 0) { ++ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ fprintf(stdout, "%s\n", output); ++ gnutls_free(output); ++ gnutls_pkcs11_obj_deinit(crt_list[i]); ++ } ++ gnutls_free(crt_list); ++ ++ gnutls_global_deinit(); ++} +-- +2.21.0 + diff --git a/SOURCES/gnutls-3.6.8-session-ticket-ub.patch b/SOURCES/gnutls-3.6.8-session-ticket-ub.patch new file mode 100644 index 0000000..96e11f7 --- /dev/null +++ b/SOURCES/gnutls-3.6.8-session-ticket-ub.patch @@ -0,0 +1,51 @@ +From 1f6bbceeeeb613cf4d790874bdd1e917a7071159 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 8 Jul 2019 16:54:56 +0200 +Subject: [PATCH] ext/session_ticket: avoid calling memcpy on overlapping + memory areas + +In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated +from ticket_data->data, thus those memory areas may overlap. Using +memcpy here leads to undefined behavior. + +Spotted by valgrind run on ppc64le. + +==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160) +==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023) +==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139) +==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335) +==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249) +==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307) +==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511) +==95231== by 0x4110DEB: handshake_server (handshake.c:3331) +==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727) +==95231== by 0x10009EBF: retry_handshake (serv.c:1306) +==95231== by 0x1000AB67: tcp_server (serv.c:1500) +==95231== by 0x10009E5B: main (serv.c:1297) +==95231== + +Signed-off-by: Daiki Ueno +--- + lib/ext/session_ticket.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c +index 09e240c2d..98db39ff8 100644 +--- a/lib/ext/session_ticket.c ++++ b/lib/ext/session_ticket.c +@@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data) + _gnutls_write_uint16(ticket->encrypted_state_len, p); + p += 2; + +- memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len); ++ /* We use memmove instead of memcpy here because ++ * ticket->encrypted_state is allocated from ++ * ticket_data->data, and thus both memory areas may overlap. ++ */ ++ memmove(p, ticket->encrypted_state, ticket->encrypted_state_len); + p += ticket->encrypted_state_len; + + memcpy(p, ticket->mac, TICKET_MAC_SIZE); +-- +2.21.0 + diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 025eae0..007d302 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -1,10 +1,19 @@ Version: 3.6.8 -Release: 3%{?dist} +Release: 9%{?dist} Patch1: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.6.4-no-now-guile.patch Patch3: gnutls-3.6.5-fix-fips-signature-post.patch Patch4: gnutls-3.6.8-fips-aes-cbc-kat.patch Patch5: gnutls-3.6.8-multiple-key-updates.patch +Patch6: gnutls-3.6.8-fips-rng-continuous.patch +Patch7: gnutls-3.6.8-session-ticket-ub.patch +Patch8: gnutls-3.6.8-pkcs11-login-error.patch +Patch9: gnutls-3.6.8-fips-deterministic-ecdsa.patch +Patch10: gnutls-3.6.8-aead-cipher-encryptv2.patch +Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch +Patch12: gnutls-3.6.8-decr-len.patch +Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch +Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -288,6 +297,27 @@ fi %endif %changelog +* Wed Nov 6 2019 Daiki Ueno - 3.6.8-9 +- Fix CFB8 decryption when repeatedly called (#1757848) +- Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856) + +* Fri Aug 16 2019 Daiki Ueno - 3.6.8-8 +- Use fallback random function for RSA blinding in FIPS selftests + +* Fri Aug 16 2019 Daiki Ueno - 3.6.8-7 +- Fix deterministic signature creation in selftests + +* Fri Aug 16 2019 Daiki Ueno - 3.6.8-6 +- Treat login error more gracefully when enumerating PKCS#11 tokens (#1705478) +- Use deterministic ECDSA/DSA in FIPS selftests (#1716560) +- Add gnutls_aead_cipher_{encrypt,decrypt}v2 functions (#1684461) + +* Fri Aug 9 2019 Daiki Ueno - 3.6.8-5 +- Avoid UB when encrypting session tickets + +* Tue Jul 2 2019 Daiki Ueno - 3.6.8-4 +- Add RNG continuous test under FIPS + * Fri Jun 14 2019 Daiki Ueno - 3.6.8-3 - Follow-up fix on multiple key updates handling (#1673975)