Hello,

It seems there are more eyes looking at gnutls now, so to make things easier, here is a list of the parts of gnutls (and also libtasn1) that are exposed to network/untrusted data and have more need for auditing.

If you are able to audit the code please check the master branch (see instructions at http://www.gnutls.org/devel.html ), and in case you are able to successfully audit one of the following paths, please edit the files reviewed and add a header under the author:

'Reviewed-By: Your Name (date)'

or

'Reviewed X.509 certificate verification: Your name (date)'

Then make a patch with any changes you see fit (e.g. fixes or simplifications of complex code) and send it to this list (preferably) or to me directly. If you cannot audit, but you know others that want and can, please forward that mail to them.

The reward for significant flaw finders is eternal fame, and a @gnutls.org email address.

Note that there are people that have requested access to the coverity gnutls logs. These are for a very old gnutls version and they don't reveal anything that isn't also visible by clang's scan-build.

*********
The list:
*********

1. X.509 certificate verification starting from gnutls_certificate_verify_peers3() - gnutls_cert.c (may require PKIX details from RFC5280)

2. X.509 certificate verification starting from gnutls_x509_trust_list_verify_crt() - x509/verify-high.c

3. X.509 certificate verification starting from gnutls_x509_trust_list_verify_named_crt() - x509/verify-high.c

4. TOFU certificate verification starting from gnutls_verify_stored_pubkey() - verify-tofu.c

5. TLS record parsing starting from gnutls_record_recv() to gnutls_decrypt() - gnutls_record.c / gnutls_cipher.c (may require TLS record details from RFC2246)

6. TLS handshake for RSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/rsa.c. (may require TLS details from rfc5246)

7. TLS handshake for DHE-RSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/dhe.c. (may require TLS details from rfc5246)

8. TLS handshake for ECDHE-ECDSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/ecdhe.c. (may require TLS details from rfc4492)

9. TLS handshake as a state machine starting from gnutls_handshake in gnutls_handshake.c.

10. Random generator starting from gnutls_rnd() / random.c, and nettle/rnd.c. This generator should work on multi-threaded systems and after fork.

11. X.509 certificate parsing at x509/x509.c. (may require PKIX details from RFC5280)

12. (X.509 certificate) DER decoding at libtasn1's asn1_der_decoding. Check code from the upstream repository at: https://www.gnu.org/software/libtasn1/ (that's a task for the brave)

regards,
Nikos
