|
 |
5dccd1 |
From 85a881cbca6f8e8578af7a026163ac3075ea267c Mon Sep 17 00:00:00 2001
|
|
|
5dccd1 |
From: Daiki Ueno <ueno@gnu.org>
|
|
|
5dccd1 |
Date: Mon, 21 Feb 2022 16:28:49 +0100
|
|
|
5dccd1 |
Subject: [PATCH] priority: compile out GOST algorithms IDs if they are
|
|
|
5dccd1 |
disabled
|
|
|
5dccd1 |
|
|
|
5dccd1 |
When compiled with --disable-gost, gnutls-cli --priority NORMAL --list
|
|
|
5dccd1 |
still prints GOST algorithms for ciphers, MACs, and signatures. This
|
|
|
5dccd1 |
change adds compile time checks to suppress them.
|
|
|
5dccd1 |
|
|
|
5dccd1 |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
5dccd1 |
---
|
|
|
5dccd1 |
lib/priority.c | 9 ++++++++-
|
|
|
5dccd1 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
5dccd1 |
|
|
|
5dccd1 |
diff --git a/lib/priority.c b/lib/priority.c
|
|
|
5dccd1 |
index 54d7b1bb45..0c7ac65d7b 100644
|
|
|
5dccd1 |
--- a/lib/priority.c
|
|
|
5dccd1 |
+++ b/lib/priority.c
|
|
|
5dccd1 |
@@ -309,7 +309,9 @@ static const int _kx_priority_secure[] = {
|
|
|
5dccd1 |
static const int* kx_priority_secure = _kx_priority_secure;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
static const int _kx_priority_gost[] = {
|
|
|
5dccd1 |
+#ifdef ENABLE_GOST
|
|
|
5dccd1 |
GNUTLS_KX_VKO_GOST_12,
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
0,
|
|
|
5dccd1 |
};
|
|
|
5dccd1 |
static const int* kx_priority_gost = _kx_priority_gost;
|
|
|
5dccd1 |
@@ -507,9 +509,10 @@ static const int _sign_priority_secure192[] = {
|
|
|
5dccd1 |
static const int* sign_priority_secure192 = _sign_priority_secure192;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
static const int _sign_priority_gost[] = {
|
|
|
5dccd1 |
+#ifdef ENABLE_GOST
|
|
|
5dccd1 |
GNUTLS_SIGN_GOST_256,
|
|
|
5dccd1 |
GNUTLS_SIGN_GOST_512,
|
|
|
5dccd1 |
-
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
0
|
|
|
5dccd1 |
};
|
|
|
5dccd1 |
static const int* sign_priority_gost = _sign_priority_gost;
|
|
|
5dccd1 |
@@ -531,13 +534,17 @@ static const int *cipher_priority_normal = _cipher_priority_normal_default;
|
|
|
5dccd1 |
static const int *mac_priority_normal = mac_priority_normal_default;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
static const int _cipher_priority_gost[] = {
|
|
|
5dccd1 |
+#ifdef ENABLE_GOST
|
|
|
5dccd1 |
GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
0
|
|
|
5dccd1 |
};
|
|
|
5dccd1 |
static const int *cipher_priority_gost = _cipher_priority_gost;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
static const int _mac_priority_gost[] = {
|
|
|
5dccd1 |
+#ifdef ENABLE_GOST
|
|
|
5dccd1 |
GNUTLS_MAC_GOST28147_TC26Z_IMIT,
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
0
|
|
|
5dccd1 |
};
|
|
|
5dccd1 |
static const int *mac_priority_gost = _mac_priority_gost;
|
|
|
5dccd1 |
--
|
|
|
5dccd1 |
2.34.1
|
|
|
5dccd1 |
|
|
|
5dccd1 |
From f2bb30f68922d72f8bed29cc8b2a065087a0969f Mon Sep 17 00:00:00 2001
|
|
|
5dccd1 |
From: Daiki Ueno <ueno@gnu.org>
|
|
|
5dccd1 |
Date: Tue, 22 Feb 2022 17:09:46 +0100
|
|
|
5dccd1 |
Subject: [PATCH] algorithms: ensure _list() exclude non-existing algorithms
|
|
|
5dccd1 |
|
|
|
5dccd1 |
This aligns the behavior of _list() function for sign/pk to the one
|
|
|
5dccd1 |
for cipher/mac: the former previously returned all the algorithms
|
|
|
5dccd1 |
defined, while the latter returns only algorithms compiled in.
|
|
|
5dccd1 |
|
|
|
5dccd1 |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
5dccd1 |
---
|
|
|
5dccd1 |
lib/algorithms/publickey.c | 8 +++-
|
|
|
5dccd1 |
lib/algorithms/sign.c | 4 +-
|
|
|
5dccd1 |
lib/crypto-backend.h | 2 +
|
|
|
5dccd1 |
lib/nettle/pk.c | 86 ++++++++++++++++++++++++++++++++++++++
|
|
|
5dccd1 |
lib/pk.h | 2 +
|
|
|
5dccd1 |
5 files changed, 99 insertions(+), 3 deletions(-)
|
|
|
5dccd1 |
|
|
|
5dccd1 |
diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
|
|
|
5dccd1 |
index b4cd6b1df0..caf53972ab 100644
|
|
|
5dccd1 |
--- a/lib/algorithms/publickey.c
|
|
|
5dccd1 |
+++ b/lib/algorithms/publickey.c
|
|
|
5dccd1 |
@@ -24,6 +24,7 @@
|
|
|
5dccd1 |
#include <algorithms.h>
|
|
|
5dccd1 |
#include "errors.h"
|
|
|
5dccd1 |
#include <x509/common.h>
|
|
|
5dccd1 |
+#include "pk.h"
|
|
|
5dccd1 |
|
|
|
5dccd1 |
|
|
|
5dccd1 |
/* KX mappings to PK algorithms */
|
|
|
5dccd1 |
@@ -203,8 +204,11 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void)
|
|
|
5dccd1 |
int i = 0;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
GNUTLS_PK_LOOP(
|
|
|
5dccd1 |
- if (p->id != GNUTLS_PK_UNKNOWN && supported_pks[i > 0 ? (i - 1) : 0] != p->id)
|
|
|
5dccd1 |
- supported_pks[i++] = p->id
|
|
|
5dccd1 |
+ if (p->id != GNUTLS_PK_UNKNOWN &&
|
|
|
5dccd1 |
+ supported_pks[i > 0 ? (i - 1) : 0] != p->id &&
|
|
|
5dccd1 |
+ _gnutls_pk_exists(p->id)) {
|
|
|
5dccd1 |
+ supported_pks[i++] = p->id;
|
|
|
5dccd1 |
+ }
|
|
|
5dccd1 |
);
|
|
|
5dccd1 |
supported_pks[i++] = 0;
|
|
|
5dccd1 |
}
|
|
|
5dccd1 |
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
|
|
|
5dccd1 |
index 06abdb4cf8..4a5aaa75e1 100644
|
|
|
5dccd1 |
--- a/lib/algorithms/sign.c
|
|
|
5dccd1 |
+++ b/lib/algorithms/sign.c
|
|
|
5dccd1 |
@@ -27,6 +27,7 @@
|
|
|
5dccd1 |
#include <x509/common.h>
|
|
|
5dccd1 |
#include <assert.h>
|
|
|
5dccd1 |
#include "c-strcase.h"
|
|
|
5dccd1 |
+#include "pk.h"
|
|
|
5dccd1 |
|
|
|
5dccd1 |
/* signature algorithms;
|
|
|
5dccd1 |
*/
|
|
|
5dccd1 |
@@ -631,7 +632,8 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void)
|
|
|
5dccd1 |
|
|
|
5dccd1 |
GNUTLS_SIGN_LOOP(
|
|
|
5dccd1 |
/* list all algorithms, but not duplicates */
|
|
|
5dccd1 |
- if (supported_sign[i] != p->id) {
|
|
|
5dccd1 |
+ if (supported_sign[i] != p->id &&
|
|
|
5dccd1 |
+ _gnutls_pk_sign_exists(p->id)) {
|
|
|
5dccd1 |
assert(i+1 < MAX_ALGOS);
|
|
|
5dccd1 |
supported_sign[i++] = p->id;
|
|
|
5dccd1 |
supported_sign[i+1] = 0;
|
|
|
5dccd1 |
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
|
|
|
5dccd1 |
index 9874033221..f0f68c337e 100644
|
|
|
5dccd1 |
--- a/lib/crypto-backend.h
|
|
|
5dccd1 |
+++ b/lib/crypto-backend.h
|
|
|
5dccd1 |
@@ -418,6 +418,8 @@ typedef struct gnutls_crypto_pk {
|
|
|
5dccd1 |
unsigned int flags);
|
|
|
5dccd1 |
|
|
|
5dccd1 |
int (*curve_exists) (gnutls_ecc_curve_t); /* true/false */
|
|
|
5dccd1 |
+ int (*pk_exists) (gnutls_pk_algorithm_t); /* true/false */
|
|
|
5dccd1 |
+ int (*sign_exists) (gnutls_sign_algorithm_t); /* true/false */
|
|
|
5dccd1 |
} gnutls_crypto_pk_st;
|
|
|
5dccd1 |
|
|
|
5dccd1 |
/* priority: infinity for backend algorithms, 90 for kernel
|
|
|
5dccd1 |
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
|
5dccd1 |
index a146568266..eba246f0b3 100644
|
|
|
5dccd1 |
--- a/lib/nettle/pk.c
|
|
|
5dccd1 |
+++ b/lib/nettle/pk.c
|
|
|
5dccd1 |
@@ -1883,6 +1883,90 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
|
|
|
5dccd1 |
}
|
|
|
5dccd1 |
}
|
|
|
5dccd1 |
|
|
|
5dccd1 |
+static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
|
|
|
5dccd1 |
+{
|
|
|
5dccd1 |
+ switch (pk) {
|
|
|
5dccd1 |
+ case GNUTLS_PK_RSA:
|
|
|
5dccd1 |
+ case GNUTLS_PK_DSA:
|
|
|
5dccd1 |
+ case GNUTLS_PK_DH:
|
|
|
5dccd1 |
+ case GNUTLS_PK_ECDSA:
|
|
|
5dccd1 |
+ case GNUTLS_PK_ECDH_X25519:
|
|
|
5dccd1 |
+ case GNUTLS_PK_RSA_PSS:
|
|
|
5dccd1 |
+ case GNUTLS_PK_EDDSA_ED25519:
|
|
|
5dccd1 |
+#if ENABLE_GOST
|
|
|
5dccd1 |
+ case GNUTLS_PK_GOST_01:
|
|
|
5dccd1 |
+ case GNUTLS_PK_GOST_12_256:
|
|
|
5dccd1 |
+ case GNUTLS_PK_GOST_12_512:
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
+ case GNUTLS_PK_ECDH_X448:
|
|
|
5dccd1 |
+ case GNUTLS_PK_EDDSA_ED448:
|
|
|
5dccd1 |
+ return 1;
|
|
|
5dccd1 |
+ default:
|
|
|
5dccd1 |
+ return 0;
|
|
|
5dccd1 |
+ }
|
|
|
5dccd1 |
+}
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
|
|
|
5dccd1 |
+{
|
|
|
5dccd1 |
+ switch (sign) {
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA1:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA1:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_MD5:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_MD2:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_RMD160:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA512:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA1:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA512:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA512:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA3_224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA3_256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA3_384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SHA3_512:
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA3_224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA3_256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA3_384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_DSA_SHA3_512:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA3_224:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA3_256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA3_384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_SHA3_512:
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_SHA512:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_EDDSA_ED25519:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_RAW:
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
+#if ENABLE_GOST
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_GOST_94:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_GOST_256:
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_GOST_512:
|
|
|
5dccd1 |
+#endif
|
|
|
5dccd1 |
+ case GNUTLS_SIGN_EDDSA_ED448:
|
|
|
5dccd1 |
+ return 1;
|
|
|
5dccd1 |
+ default:
|
|
|
5dccd1 |
+ return 0;
|
|
|
5dccd1 |
+ }
|
|
|
5dccd1 |
+}
|
|
|
5dccd1 |
+
|
|
|
5dccd1 |
/* Generates algorithm's parameters. That is:
|
|
|
5dccd1 |
* For DSA: p, q, and g are generated.
|
|
|
5dccd1 |
* For RSA: nothing
|
|
|
5dccd1 |
@@ -3872,4 +3956,6 @@ gnutls_crypto_pk_st _gnutls_pk_ops = {
|
|
|
5dccd1 |
.pk_fixup_private_params = wrap_nettle_pk_fixup,
|
|
|
5dccd1 |
.derive = _wrap_nettle_pk_derive,
|
|
|
5dccd1 |
.curve_exists = _wrap_nettle_pk_curve_exists,
|
|
|
5dccd1 |
+ .pk_exists = _wrap_nettle_pk_exists,
|
|
|
5dccd1 |
+ .sign_exists = _wrap_nettle_pk_sign_exists
|
|
|
5dccd1 |
};
|
|
|
5dccd1 |
diff --git a/lib/pk.h b/lib/pk.h
|
|
|
5dccd1 |
index cc61e08cef..7f3c9995da 100644
|
|
|
5dccd1 |
--- a/lib/pk.h
|
|
|
5dccd1 |
+++ b/lib/pk.h
|
|
|
5dccd1 |
@@ -40,6 +40,8 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
|
|
|
5dccd1 |
#define _gnutls_pk_generate_params( algo, bits, priv) _gnutls_pk_ops.generate_params( algo, bits, priv)
|
|
|
5dccd1 |
#define _gnutls_pk_hash_algorithm( pk, sig, params, hash) _gnutls_pk_ops.hash_algorithm(pk, sig, params, hash)
|
|
|
5dccd1 |
#define _gnutls_pk_curve_exists( curve) _gnutls_pk_ops.curve_exists(curve)
|
|
|
5dccd1 |
+#define _gnutls_pk_exists(algo) _gnutls_pk_ops.pk_exists(algo)
|
|
|
5dccd1 |
+#define _gnutls_pk_sign_exists(algo) _gnutls_pk_ops.sign_exists(algo)
|
|
|
5dccd1 |
|
|
|
5dccd1 |
inline static int
|
|
|
5dccd1 |
_gnutls_pk_fixup(gnutls_pk_algorithm_t algo, gnutls_direction_t direction,
|
|
|
5dccd1 |
--
|
|
|
5dccd1 |
2.34.1
|
|
|
5dccd1 |
|