cha-internals.texi 30.8 KB
Newer Older
1 2
@node Internal architecture of GnuTLS
@chapter Internal Architecture of GnuTLS
3
@cindex internal architecture
4 5 6 7 8 9 10 11 12 13

This chapter is to give a brief description of the
way @acronym{GnuTLS} works. The focus is to give an idea
to potential developers and those who want to know what
happens inside the black box.

@menu
* The TLS Protocol::
* TLS Handshake Protocol::
* TLS Authentication Methods::
14
* TLS Hello Extension Handling::
15
* Cryptographic Backend::
16
* Random Number Generators-internals::
17
* FIPS140-2 mode::
18 19 20 21
@end menu

@node The TLS Protocol
@section The TLS Protocol
22
The main use case for the TLS protocol is shown in @ref{fig-client-server}.
23 24 25 26
A user of a library implementing the protocol expects no less than this functionality,
i.e., to be able to set parameters such as the accepted security level, perform a
negotiation with the peer and be able to exchange data.

27
@float Figure,fig-client-server
28 29 30 31
@image{gnutls-client-server-use-case,9cm}
@caption{TLS protocol use case.}
@end float

32 33 34 35
@node TLS Handshake Protocol
@section TLS Handshake Protocol
The @acronym{GnuTLS} handshake protocol is implemented as a state
machine that waits for input or returns immediately when the non-blocking
36
transport layer functions are used. The main idea is shown in @ref{fig-gnutls-handshake}.
37

38
@float Figure,fig-gnutls-handshake
39 40 41
@image{gnutls-handshake-state,9cm}
@caption{GnuTLS handshake state machine.}
@end float
42

43 44 45 46
Also the way the input is processed varies per ciphersuite. Several
implementations of the internal handlers are available and
@funcref{gnutls_handshake} only multiplexes the input to the appropriate
handler. For example a @acronym{PSK} ciphersuite has a different
47
implementation of the @code{process_client_key_exchange} than a
48
certificate ciphersuite. We illustrate the idea in @ref{fig-gnutls-handshake-sequence}.
49

50
@float Figure,fig-gnutls-handshake-sequence
51 52 53
@image{gnutls-handshake-sequence,12cm}
@caption{GnuTLS handshake process sequence.}
@end float
54 55 56 57 58 59

@node TLS Authentication Methods
@section TLS Authentication Methods
In @acronym{GnuTLS} authentication methods can be implemented quite
easily.  Since the required changes to add a new authentication method
affect only the handshake protocol, a simple interface is used. An
60 61 62
authentication method needs to implement the functions shown below.

@verbatim
63
typedef struct
64
{
Nikos Mavrogiannopoulos committed
65
  const char *name;
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
  int (*gnutls_generate_server_certificate) (gnutls_session_t, gnutls_buffer_st*);
  int (*gnutls_generate_client_certificate) (gnutls_session_t, gnutls_buffer_st*);
  int (*gnutls_generate_server_kx) (gnutls_session_t, gnutls_buffer_st*);
  int (*gnutls_generate_client_kx) (gnutls_session_t, gnutls_buffer_st*);
  int (*gnutls_generate_client_cert_vrfy) (gnutls_session_t, gnutls_buffer_st *);
  int (*gnutls_generate_server_certificate_request) (gnutls_session_t,
                                                     gnutls_buffer_st *);

  int (*gnutls_process_server_certificate) (gnutls_session_t, opaque *,
                                            size_t);
  int (*gnutls_process_client_certificate) (gnutls_session_t, opaque *,
                                            size_t);
  int (*gnutls_process_server_kx) (gnutls_session_t, opaque *, size_t);
  int (*gnutls_process_client_kx) (gnutls_session_t, opaque *, size_t);
  int (*gnutls_process_client_cert_vrfy) (gnutls_session_t, opaque *, size_t);
  int (*gnutls_process_server_certificate_request) (gnutls_session_t,
                                                    opaque *, size_t);
} mod_auth_st;
@end verbatim

Those functions are responsible for the
interpretation of the handshake protocol messages. It is common for such
88 89 90 91 92
functions to read data from one or more @code{credentials_t}
structures@footnote{such as the
@code{gnutls_certificate_credentials_t} structures} and write data,
such as certificates, usernames etc. to @code{auth_info_t} structures.

93

94
Simple examples of existing authentication methods can be seen in
95
@code{auth/@-psk.c} for PSK ciphersuites and @code{auth/@-srp.c} for SRP
96
ciphersuites. After implementing these functions the structure holding
97 98
its pointers has to be registered in @code{gnutls_@-algorithms.c} in the
@code{_gnutls_@-kx_@-algorithms} structure.
99

100
@node TLS Hello Extension Handling
101
@section TLS Extension Handling
102 103
As with authentication methods, adding TLS hello extensions can be done
quite easily by implementing the interface shown below.
104

105 106 107 108 109 110
@verbatim
typedef int (*gnutls_ext_recv_func) (gnutls_session_t session,
                                     const unsigned char *data, size_t len);
typedef int (*gnutls_ext_send_func) (gnutls_session_t session,
                                     gnutls_buffer_st *extdata);
@end verbatim
111

112 113 114
Here there are two main functions, one for parsing the received extension data
and one for formatting the extension data that must be send. These functions
have to check internally whether they operate within a client or a server session.
115 116

A simple example of an extension handler can be seen in
117 118 119 120 121 122
@code{lib/ext/@-srp.c} in GnuTLS' source code. After implementing these functions,
the extension has to be registered. Registering an extension can be done in two
ways. You can create a GnuTLS internal extension and register it in
@code{hello_ext.c} or write an external extension (not inside GnuTLS but
inside an application using GnuTLS) and register it via the exported functions
@funcref{gnutls_session_ext_register} or @funcref{gnutls_ext_register}.
123

124
@subheading Adding a new TLS hello extension
125

126
Adding support for a new TLS hello extension is done from time to time, and
127 128 129 130 131
the process to do so is not difficult. Here are the steps you need to
follow if you wish to do this yourself. For the sake of discussion, let's
consider adding support for the hypothetical TLS extension @code{foobar}.
The following section is about adding an hello extension to GnuTLS itself.
For custom application extensions you should check the exported functions
132
@funcref{gnutls_session_ext_register} or @funcref{gnutls_ext_register}.
133

134
@subsubheading Add @code{configure} option like @code{--enable-foobar} or @code{--disable-foobar}.
135

136
This step is useful when the extension code is large and it might be desirable
137 138
under some circumstances to be able to leave out the extension during compilation of GnuTLS.
If you don't need this kind of feature this step can be safely skipped.
139

140
Whether to choose enable or disable depends on whether you intend to make the extension be
141 142
enabled by default. Look at existing checks (i.e., SRP, authz) for
how to model the code. For example:
143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159

@example
AC_MSG_CHECKING([whether to disable foobar support])
AC_ARG_ENABLE(foobar,
	AS_HELP_STRING([--disable-foobar],
		[disable foobar support]),
	ac_enable_foobar=no)
if test x$ac_enable_foobar != xno; then
 AC_MSG_RESULT(no)
 AC_DEFINE(ENABLE_FOOBAR, 1, [enable foobar])
else
 ac_full=0
 AC_MSG_RESULT(yes)
fi
AM_CONDITIONAL(ENABLE_FOOBAR, test "$ac_enable_foobar" != "no")
@end example

160
These lines should go in @code{lib/m4/hooks.m4}.
161

162
@subsubheading Add an extension identifier to @code{extensions_t} in @code{gnutls_int.h}.
163

164 165 166 167
A good name for the identifier would be GNUTLS_EXTENSION_FOOBAR. If the
extension that you are implementing is an extension that is officially
registered by IANA then it is recommended to use its official name such
that the extension can be correctly identified by other developers. Check
168
with @url{http://www.iana.org/assignments/tls-extensiontype-values}
169 170 171
for registered extensions.

@subsubheading Register the extension in @code{lib/hello_ext.c}.
172

173 174
In order for the extension to be executed you need to register it in the
@code{static hello_ext_entry_st const *extfunc[]} list in @code{lib/hello_ext.c}.
175 176 177 178

A typical entry would be:

@example
179 180
#ifdef ENABLE_FOOBAR
	[GNUTLS_EXTENSION_FOOBAR] = &ext_mod_foobar,
181 182 183
#endif
@end example

184
Also for every extension you need to create an @code{hello_ext_entry_st}
185 186 187 188 189
that describes the extension. This structure is placed in the designated
c file for your extension and its name is used in the registration entry
as depicted above.

The structure of @code{hello_ext_entry_st} is as follows:
190
@example
191 192 193 194 195 196 197
  const hello_ext_entry_st ext_mod_foobar = @{
    .name = "FOOBAR",
    .tls_id = 255,
    .gid = GNUTLS_EXTENSION_FOOBAR,
    .parse_type = GNUTLS_EXT_TLS,
    .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO |
	GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO |
198 199
	GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO |
	GNUTLS_EXT_FLAG_TLS,
200 201 202 203 204 205 206
    .recv_func = _gnutls_foobar_recv_params,
    .send_func = _gnutls_foobar_send_params,
    .pack_func = _gnutls_foobar_pack,
    .unpack_func = _gnutls_foobar_unpack,
    .deinit_func = _gnutls_foobar_deinit,
    .cannot_be_overriden = 1
  @};
207 208
@end example

209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225
The GNUTLS_EXTENSION_FOOBAR is the identifier that you've added to
@code{gnutls_int.h} earlier. The @code{.tls_id} should contain the number
that IANA has assigned to this extension, or an unassigned number of your
choice if this is an unregistered extension. In the rest of this structure
you specify the functions to handle the extension data. The @code{receive} function
will be called upon reception of the data and will be used to parse or
interpret the extension data. The @code{send} function will be called prior to
sending the extension data on the wire and will be used to format the data
such that it can be send over the wire. The @code{pack} and @code{unpack}
functions will be used to prepare the data for storage in case of session resumption
(and vice versa). The @code{deinit} function will be called to deinitialize
the extension's private parameters, if any.

Look at @code{gnutls_ext_parse_type_t} and @code{gnutls_ext_flags_t} for a complete
list of available flags.

Note that the conditional @code{ENABLE_FOOBAR} definition should only be
226 227
used if step 1 with the @code{configure} options has taken place.

228
@subsubheading Add new files that implement the hello extension.
229

230 231 232 233
To keep things structured every extension should have its own files. The
functions that you should (at least) add are those referenced in the struct
from the previous step. Use descriptive file names such as @code{lib/ext/@-foobar.c}
and for the corresponding header @code{lib/ext/@-foobar.h}.
234
As a starter, you could add this:
235 236 237

@example
int
238
_gnutls_foobar_recv_params (gnutls_session_t session, const uint8_t * data,
239
                     size_t data_size)
240 241 242 243 244
@{
  return 0;
@}

int
245
_gnutls_foobar_send_params (gnutls_session_t session, gnutls_buffer_st* data)
246 247 248
@{
  return 0;
@}
249 250

int
251
_gnutls_foobar_pack (extension_priv_data_t epriv, gnutls_buffer_st * ps)
252 253 254 255 256 257
@{
   /* Append the extension's internal state to buffer */
   return 0;
@}

int
258
_gnutls_foobar_unpack (gnutls_buffer_st * ps, extension_priv_data_t * epriv)
259 260 261 262
@{
   /* Read the internal state from buffer */
   return 0;
@}
263 264
@end example

265
The @funcintref{_gnutls_foobar_recv_params} function is responsible for
266 267
parsing incoming extension data (both in the client and server).

268 269 270 271 272 273 274 275
The @funcintref{_gnutls_foobar_send_params} function is responsible for
formatting extension data such that it can be send over the wire (both in
the client and server). It should append data to provided buffer and
return a positive (or zero) number on success or a negative error code.
Previous to 3.6.0 versions of GnuTLS required that function to return the
number of bytes that were written. If zero is returned and no bytes are
appended the extension will not be sent. If a zero byte extension is to
be sent this function must return @code{GNUTLS_E_INT_RET_0}.
276

277
If you receive length fields that don't match, return
278 279
@code{GNUTLS_E_@-UNEXPECTED_@-PACKET_@-LENGTH}.  If you receive invalid
data, return @code{GNUTLS_E_@-RECEIVED_@-ILLEGAL_@-PARAMETER}.  You can use
280
other error codes from the list in @ref{Error codes}. Return 0 on success.
281 282

An extension typically stores private information in the @code{session}
283
data for later usage. That can be done using the functions
Tom committed
284 285
@funcintref{_gnutls_hello_ext_set_datum} and
@funcintref{_gnutls_hello_ext_get_datum}. You can check simple examples
286
at @code{lib/ext/@-max_@-record.c} and @code{lib/ext/@-server_@-name.c} extensions.
287
That private information can be saved and restored across session
288 289
resumption if the following functions are set:

290
The @funcintref{_gnutls_foobar_pack} function is responsible for packing
291
internal extension data to save them in the session resumption storage.
292

293
The @funcintref{_gnutls_foobar_unpack} function is responsible for
294
restoring session data from the session resumption storage.
295

296 297
When the internal data is stored using the @funcintref{_gnutls_hello_ext_set_datum},
then you can rely on the default pack and unpack functions:
298 299 300
@funcintref{_gnutls_hello_ext_default_pack} and
@funcintref{_gnutls_hello_ext_default_unpack}.

301 302 303 304
Recall that both for the client and server, the send and receive
functions most likely will need to do different things
depending on which mode they are in. It may be useful to make this
distinction explicit in the code. Thus, for example, a better
305 306 307 308 309
template than above would be:

@example
int
_gnutls_foobar_recv_params (gnutls_session_t session,
310
                            const uint8_t * data,
311 312 313 314 315 316 317 318 319 320
                            size_t data_size)
@{
  if (session->security_parameters.entity == GNUTLS_CLIENT)
    return foobar_recv_client (session, data, data_size);
  else
    return foobar_recv_server (session, data, data_size);
@}

int
_gnutls_foobar_send_params (gnutls_session_t session,
321
                            gnutls_buffer_st * data)
322 323
@{
  if (session->security_parameters.entity == GNUTLS_CLIENT)
324
    return foobar_send_client (session, data);
325
  else
326
    return foobar_send_server (session, data);
327 328 329 330 331
@}
@end example

The functions used would be declared as @code{static} functions, of
the appropriate prototype, in the same file.
332 333

When adding the new extension files, you'll need to add them to @code{lib/ext/@-Makefile.am}
334 335 336 337
as well, for example:

@example
if ENABLE_FOOBAR
338
libgnutls_ext_la_SOURCES += ext/foobar.c ext/foobar.h
339 340 341
endif
@end example

342
@subsubheading Add API functions to use the extension.
343

344
It might be desirable to allow users of the extension to
345
request the use of the extension, or set extension specific data.
346
This can be implemented by adding extension specific function calls
347
that can be added to @code{includes/@-gnutls/@-gnutls.h},
Nikos Mavrogiannopoulos committed
348
as long as the LGPLv2.1+ applies.
349
The implementation of these functions should lie in the @code{lib/ext/@-foobar.c} file.
350

351 352
To make the API available in the shared library you need to add the added
symbols in @code{lib/@-libgnutls.map}, so that the symbols are exported properly.
353 354 355 356 357

When writing GTK-DOC style documentation for your new APIs, don't
forget to add @code{Since:} tags to indicate the GnuTLS version the
API was introduced in.

Carolin Latze committed
358 359 360
@subheading Adding a new Supplemental Data Handshake Message

TLS handshake extensions allow to send so called supplemental data
361
handshake messages @xcite{RFC4680}. This short section explains how to
362
implement a supplemental data handshake message for a given TLS extension.
Carolin Latze committed
363

364 365
First of all, modify your extension @code{foobar} in the way, to instruct
the handshake process to send and receive supplemental data, as shown below.
Carolin Latze committed
366 367 368 369 370 371 372

@example
int
_gnutls_foobar_recv_params (gnutls_session_t session, const opaque * data,
                                 size_t _data_size)
@{
   ...
373
   gnutls_supplemental_recv(session, 1);
Carolin Latze committed
374 375 376 377 378 379 380
   ...
@}

int
_gnutls_foobar_send_params (gnutls_session_t session, gnutls_buffer_st *extdata)
@{
   ...
381
   gnutls_supplemental_send(session, 1);
Carolin Latze committed
382 383 384 385
   ...
@}
@end example

386
Furthermore you'll need two new functions @funcintref{_foobar_supp_recv_params}
387
and @funcintref{_foobar_supp_send_params}, which must conform to the following
388 389 390 391 392 393 394 395 396 397 398 399
prototypes.

@example
typedef int (*gnutls_supp_recv_func)(gnutls_session_t session,
                                     const unsigned char *data,
                                     size_t data_size);
typedef int (*gnutls_supp_send_func)(gnutls_session_t session,
                                     gnutls_buffer_t buf);
@end example

The following example code shows how to send a
``Hello World'' string in the supplemental data handshake message.
Carolin Latze committed
400 401

@example
402
int
403
_foobar_supp_recv_params(gnutls_session_t session, const opaque *data, size_t _data_size)
Carolin Latze committed
404
@{
405
   uint8_t len = _data_size;
Carolin Latze committed
406 407
   unsigned char *msg;

408 409 410 411
   msg = gnutls_malloc(len);
   if (msg == NULL) return GNUTLS_E_MEMORY_ERROR;

   memcpy(msg, data, len);
Carolin Latze committed
412 413
   msg[len]='\0';

414 415 416
   /* do something with msg */
   gnutls_free(msg);

Carolin Latze committed
417 418 419
   return len;
@}

420
int
421
_foobar_supp_send_params(gnutls_session_t session, gnutls_buffer_t buf)
Carolin Latze committed
422 423 424 425
@{
   unsigned char *msg = "hello world";
   int len = strlen(msg);

426 427
   if (gnutls_buffer_append_data(buf, msg, len) < 0)
       abort();
Carolin Latze committed
428 429 430 431 432

   return len;
@}
@end example

433 434
Afterwards, register the new supplemental data using @funcref{gnutls_session_supplemental_register},
or @funcref{gnutls_supplemental_register} at some point in your program.
435

436 437
@node Cryptographic Backend
@section Cryptographic Backend
438

439 440
Today most new processors, either for embedded or desktop systems
include either instructions  intended to speed up cryptographic operations,
441 442
or a co-processor with cryptographic capabilities. Taking advantage of
those is a challenging task for every cryptographic  application or
Nikos Mavrogiannopoulos committed
443 444
library. GnuTLS handles the cryptographic provider in a modular
way, following a layered approach to access
445
cryptographic operations as in @ref{fig-crypto-layers}.
446

447
@float Figure,fig-crypto-layers
448 449 450
@image{gnutls-crypto-layers,12cm}
@caption{GnuTLS cryptographic back-end design.}
@end float
451

452
The TLS layer uses a cryptographic provider layer, that will in turn either
453
use the default crypto provider -- a software crypto library, or use an external
454 455 456 457 458
crypto provider, if available in the local system. The reason of handling
the external cryptographic provider in GnuTLS and not delegating it to
the cryptographic libraries, is that none of the supported cryptographic
libraries support @code{/dev/crypto} or CPU-optimized cryptography in
an efficient way.
459

460
@subheading Cryptographic library layer
461
The Cryptographic library layer, currently supports only
462 463 464 465 466
libnettle. Older versions of GnuTLS used to support libgcrypt,
but it was switched with nettle mainly for performance reasons@footnote{See
@url{http://lists.gnu.org/archive/html/gnutls-devel/2011-02/msg00079.html}.}
and secondary because it is a simpler library to use.
In the future other cryptographic libraries might be supported as well.
467

468
@subheading External cryptography provider
469
Systems that include a cryptographic co-processor, typically come with
470
kernel drivers to utilize the operations from software. For this reason
471
GnuTLS provides a layer where each individual algorithm used can be replaced
472
by another implementation, i.e., the one provided by the driver. The
473 474 475
FreeBSD, OpenBSD and Linux kernels@footnote{Check @url{http://home.gna.org/cryptodev-linux/}
for the Linux kernel implementation of @code{/dev/crypto}.} include already
a number of hardware assisted implementations, and also provide an interface
476 477
to access them, called @code{/dev/crypto}.
GnuTLS will take advantage of this interface if compiled with special
478 479
options. That is because in most systems where hardware-assisted
cryptographic operations are not available, using this interface might
480
actually harm performance.
481

482 483 484
In systems that include cryptographic instructions with the CPU's
instructions set, using the kernel interface will introduce an
unneeded layer. For this reason GnuTLS includes such optimizations
Nikos Mavrogiannopoulos committed
485 486
found in popular processors such as the AES-NI or VIA PADLOCK instruction sets.
This is achieved using a mechanism that detects CPU capabilities and
Nikos Mavrogiannopoulos committed
487
overrides parts of crypto back-end at runtime.
Nikos Mavrogiannopoulos committed
488 489 490 491
The next section discusses the registration of a detected algorithm
optimization. For more information please consult the @acronym{GnuTLS}
source code in @code{lib/accelerated/}.

492
@subsubheading Overriding specific algorithms
493 494
When an optimized implementation of a single algorithm is available,
say a hardware assisted version of @acronym{AES-CBC} then the
495
following functions, from @code{crypto.h}, can
496
be used to register those algorithms.
497 498 499

@itemize

500
@item @funcref{gnutls_crypto_register_cipher}:
501 502
To register a cipher algorithm.

503 504 505 506 507 508 509 510
@item @funcref{gnutls_crypto_register_aead_cipher}:
To register an AEAD cipher algorithm.

@item @funcref{gnutls_crypto_register_mac}:
To register a MAC algorithm.

@item @funcref{gnutls_crypto_register_digest}:
To register a hash algorithm.
511 512 513 514 515 516 517

@end itemize

Those registration functions will only replace the specified algorithm
and leave the rest of subsystem intact.


518 519 520 521 522 523
@subheading Protecting keys through isolation

For asymmetric or public keys, GnuTLS supports PKCS #11 which allows
operation without access to long term keys, in addition to CPU offloading.
For more information see @ref{Hardware security modules and abstract key types}.

524 525 526 527

@node Random Number Generators-internals
@section Random Number Generators

528 529 530 531 532 533 534
@subheading About the generators

GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for
FIPS140-2 and the system is in FIPS140-2 mode.

@subheading The default generator - inner workings
535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550

The random number generator levels in @code{gnutls_rnd_level_t} map to two CHACHA-based random generators which
are initially seeded using the OS random device, e.g., @code{/dev/urandom}
or @code{getrandom()}. These random generators are unique per thread, and
are automatically re-seeded when a fork is detected.

The reason the CHACHA cipher was selected for the GnuTLS' PRNG is the fact
that CHACHA is considered a secure and fast stream cipher, and is already
defined for use in TLS protocol. As such, the utilization of it would
not stress the CPU caches, and would allow for better performance on busy
servers, irrespective of their architecture (e.g., even if AES is not
available with an optimized instruction set).

The generators are unique per thread to allow lock-free operation. That
induces a cost of around 140-bytes for the state of the generators per
thread, on threads that would utilize @funcref{gnutls_rnd}. At the same time
551 552 553
it allows fast and lock-free access to the generators. The lock-free access
benefits servers which utilize more than 4 threads, while imposes no cost on
single threaded processes.
554 555 556 557

On the first call to @funcref{gnutls_rnd} the generators are seeded with two independent
keys obtained from the OS random device. Their seed is used to output a fixed amount
of bytes before re-seeding; the number of bytes output varies per generator.
558 559 560 561 562 563 564

One generator is dedicated for the @code{GNUTLS_RND_NONCE} level, and the
second is shared for the @code{GNUTLS_RND_KEY} and @code{GNUTLS_RND_RANDOM}
levels. For the rest of this section we refer to the first as the nonce
generator and the second as the key generator.

The nonce generator will reseed after outputing a fixed amount of bytes
565 566 567 568
(typically few megabytes), or after few hours of operation without reaching
the limit has passed. It is being re-seed using
the key generator to obtain a new key for the CHACHA cipher, which is mixed
with its old one.
569

570 571
Similarly, the key generator, will also re-seed after a fixed amount
of bytes is generated (typically less than the nonce), and will also re-seed
572 573 574 575 576 577
based on time, i.e., after few hours of operation without reaching the limit
for a re-seed. For its re-seed it mixes mixes data obtained from the OS random
device with the previous key.

Although the key generator used to provide data for the @code{GNUTLS_RND_RANDOM}
and @code{GNUTLS_RND_KEY} levels is identical, when used with the @code{GNUTLS_RND_KEY} level
578 579
a re-key of the PRNG using its own output, is additionally performed. That ensures that
the recovery of the PRNG state will not be sufficient to recover previously generated values.
580 581


582 583 584 585 586 587 588 589 590 591 592
@subheading The AES-DRBG generator - inner workings

Similar with the default generator, the random number generator levels in @code{gnutls_rnd_level_t} map to two
AES-DRBG random generators which are initially seeded using the OS random device,
e.g., @code{/dev/urandom} or @code{getrandom()}. These random generators are
unique per thread, and are automatically re-seeded when a fork is detected.

The AES-DRBG generator is based on the AES cipher in counter mode and is
re-seeded after a fixed amount of bytes are generated.


593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625
@subheading Defense against PRNG attacks

This section describes the counter-measures available in the Pseudo-random number generator (PRNG)
of GnuTLS for known attacks as described in @xcite{PRNGATTACKS}. Note that, the attacks on a PRNG such as
state-compromise, assume a quite powerful adversary which has in practice
access to the PRNG state.

@subsubheading Cryptanalytic

To defend against cryptanalytic attacks GnuTLS' PRNG is a stream cipher
designed to defend against the same attacks. As such, GnuTLS' PRNG strength
with regards to this attack relies on the underlying crypto block,
which at the time of writing is CHACHA. That is easily replaceable in
the future if attacks are found to be possible in that cipher.

@subsubheading Input-based attacks

These attacks assume that the attacker can influence the input that is used
to form the state of the PRNG. To counter these attacks GnuTLS does not
gather input from the system environment but rather relies on the OS
provided random generator. That is the @code{/dev/urandom} or
@code{getentropy}/@code{getrandom} system calls. As such, GnuTLS' PRNG
is as strong as the system random generator can assure with regards to
input-based attacks.

@subsubheading State-compromise: Backtracking

A backtracking attack, assumes that an adversary obtains at some point of time
access to the generator state, and wants to recover past bytes. As the
GnuTLS generator is fine-tuned to provide multiple levels, such an attack
mainly concerns levels @code{GNUTLS_RND_RANDOM} and @code{GNUTLS_RND_KEY},
since @code{GNUTLS_RND_NONCE} is intended to output non-secret data.
The @code{GNUTLS_RND_RANDOM} generator at the time of writing can output
626
2MB prior to being re-seeded thus this is its upper bound for previously
627
generated data recovered using this attack. That assumes that the state
628
of the operating system random generator is unknown to the attacker, and we carry that
629 630 631 632 633 634 635 636 637 638 639 640 641
assumption on the next paragraphs. The usage of @code{GNUTLS_RND_KEY} level
ensures that no backtracking is possible for all output data, by re-keying
the PRNG using its own output.

Such an attack reflects the real world scenario where application's memory is
temporarily compromised, while the kernel's memory is inaccessible.

@subsubheading State-compromise: Permanent Compromise Attack

A permanent compromise attack implies that once an attacker compromises the
state of GnuTLS' random generator at a specific time, future and past
outputs from the generator are compromised. For past outputs the
previous paragraph applies. For future outputs, both the @code{GNUTLS_RND_RANDOM}
642
and the @code{GNUTLS_RND_KEY} will recover after 2MB of data have been generated
643 644 645
or few hours have passed (two at the time of writing). Similarly the @code{GNUTLS_RND_NONCE}
level generator will recover after several megabytes of output is generated,
or its re-key time is reached.
646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661

@subsubheading State-compromise: Iterative guessing

This attack assumes that after an attacker obtained the PRNG state
at some point, is able to recover the state at a later time by observing
outputs of the PRNG. That is countered by switching the key to generators
using a combination of a fresh key and the old one (using XOR), at
re-seed time. All levels are immune to such attack after a re-seed.

@subsubheading State-compromise: Meet-in-the-Middle

This attack assumes that the attacker obtained the PRNG state at
two distinct times, and being able to recover the state at the third time
after observing the output of the PRNG. Given the approach described
on the above paragraph, all levels are immune to such attack.

662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681
@node FIPS140-2 mode
@section FIPS140-2 mode

GnuTLS can operate in a special mode for FIPS140-2. That mode of operation
is for the conformance to NIST's FIPS140-2 publication, which consists of policies
for cryptographic modules (such as software libraries). Its implementation in
GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled
when the library is explicitly compiled with the '--enable-fips140-mode'
configure option. The operation of the library is then modified, as follows.

@itemize
@item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present.
@item Only approved by FIPS140-2 algorithms are enabled
@item Only approved by FIPS140-2 key lengths are allowed for key generation
@item The random generator used switches to DRBG-AES
@item The integrity of the GnuTLS and dependent libraries is checked on startup
@item Algorithm self-tests are run on library load
@item Any cryptographic operation will be refused if any of the self-tests failed
@end itemize

682 683 684 685 686 687 688

There are also few environment variables which modify that operation. The
environment variable @code{GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS} will disable
the library integrity tests on startup, and the variable
@code{GNUTLS_FORCE_FIPS_MODE} can be set to force a value from
@ref{gnutls_fips_mode_t}, i.e., '1' will enable the FIPS140-2
mode, while '0' will disable it.
689 690 691 692 693 694 695

The integrity checks for the dependent libraries and GnuTLS are performed
using '.hmac' files which are present at the same path as the library. The
key for the operations can be provided on compile-time with the configure
option '--with-fips140-key'. The MAC algorithm used is HMAC-SHA256.

On runtime an application can verify whether the library is in FIPS140-2
696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740
mode using the @funcref{gnutls_fips140_mode_enabled} function.

@subheading Relaxing FIPS140-2 requirements

The library by default operates in a strict enforcing mode, ensuring that
all constraints imposed by the FIPS140-2 specification are enforced. However
the application can relax these requirements via @funcref{gnutls_fips140_set_mode}
which can switch to alternative modes as in @ref{gnutls_fips_mode_t}.

@showenumdesc{gnutls_fips_mode_t,The @code{gnutls_@-fips_@-mode_t} enumeration.}

The intention of this API is to be used by applications which need to run in
FIPS140-2 mode, while they utilize few algorithms not in the allowed set,
e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following.

@example
GNUTLS_FIPS140_SET_RELAX_MODE();

_gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output);

GNUTLS_FIPS140_SET_STRICT_MODE();
@end example

The @code{GNUTLS_FIPS140_SET_RELAX_MODE} and
@code{GNUTLS_FIPS140_SET_STRICT_MODE} are macros to simplify the following
sequence of calls.

@example
if (gnutls_fips140_mode_enabled())
  gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);

_gnutls_hash_fast(GNUTLS_DIG_MD5, buffer, sizeof(buffer), output);

if (gnutls_fips140_mode_enabled())
  gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_STRICT, GNUTLS_FIPS140_SET_MODE_THREAD);
@end example

The reason of the @code{GNUTLS_FIPS140_SET_MODE_THREAD} flag in the
previous calls is to localize the change in the mode.

Applications could also switch FIPS140-2 mode explicitly off, by calling
@example
gnutls_fips140_set_mode(GNUTLS_FIPS140_SET_MODE_LAX, 0);
@end example