[Debian-iot-maintainers] Bug#993866: librhonabwy0.9: jwe cbc tag computation error and jws alg:none signature verification issue
Nicolas Mora
babelouest at debian.org
Tue Sep 7 15:01:18 BST 2021
Package: librhonabwy0.9
Version: 0.9.13-3
Severity: important
Tags: patch
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages librhonabwy0.9 depends on:
ii libc6 2.31-13
ii libgnutls30 3.7.1-5
ii libjansson4 2.13.1-1.1
pn liborcania2.1 <none>
pn libulfius2.7 <none>
pn libyder2.0 <none>
ii zlib1g 1:1.2.11.dfsg-2
librhonabwy0.9 recommends no packages.
-------------- next part --------------
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -450,7 +450,7 @@
memcpy(compute_hmac+hmac_size, al, 8);
hmac_size += 8;
- if (!(res = gnutls_hmac_fast(mac, jwe->key, 16, compute_hmac, hmac_size, tag))) {
+ if (!(res = gnutls_hmac_fast(mac, jwe->key, jwe->key_len/2, compute_hmac, hmac_size, tag))) {
*tag_len = gnutls_hmac_get_len(mac)/2;
ret = RHN_OK;
} else {
--- a/src/jws.c
+++ b/src/jws.c
@@ -1268,9 +1268,6 @@
case R_JWA_ALG_ES256K:
ret = RHN_ERROR_UNSUPPORTED;
break;
- case R_JWA_ALG_NONE:
- ret = RHN_OK;
- break;
default:
ret = RHN_ERROR_INVALID;
break;
--- a/test/jws_core.c
+++ b/test/jws_core.c
@@ -496,7 +496,7 @@
ck_assert_ptr_ne((token = r_jws_serialize(jws_sign, NULL, 0)), NULL);
ck_assert_int_eq(r_jws_parse(jws_verify, token, 0), RHN_OK);
- ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), RHN_OK);
+ ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), RHN_ERROR_INVALID);
o_free(token);
r_jws_free(jws_sign);
More information about the Debian-iot-maintainers
mailing list