Bug#910445: stretch-pu: package gnutls28/3.5.8-5+deb9u4

Andreas Metzler ametzler at bebt.de
Sat Oct 6 13:43:55 BST 2018


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2018-10844 and CVE-2018-10845 in stretch. Moritz
has brought this up. Neither of us has strong feelings about whether it is
better to fix this via proposed-updates or via stretch-security. However,
proposed-updates probably gets more public testing, so we will try this
way.

Find attached the debdiff, which pulls the respective merge
tmp-gnutls_3_5_x-backport-record-pad-fixes (unfuzzed) from the gnutls_3.5.x
branch. The change is included in 3.5.19 (sid/buster).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-56b071cc5cdbf3379e2fbd90ef0cd5220c2f5184 62b6624925c412cac109e9da7365741013909148 82fd500760efeffc6ab6218382df366b21e45cd7 95ecbc8c0bed5fb3f85263c86ab04236c62074e9 a79a2015b873e022124d9315238ad03a4402bdf9 aed5f6101feccff8bc000ecacbba48fec06e8287 b46e61051b2031f71073e6c0ea4bb76107f34ea9 b9f0527947a73e0ec453baca3986a122b8a74777 f280a75bf8875888acc5b3c2f9a99496ade949c4-] {+0edf33e82a82671f7e361a8ffa83b02400337604 1db976be2d75d79dfd97e68dba3ee84babe5a3cc 64414524cec63b3a8334146aa0c4dab71fae4080 6f0012f94a9f80ef7e652dacc713347841f66907 98eef0a29dcce526336be09fbbb0eccb3ece9f17 a5c92e78a7d0a175b524703387c994518830abfa ad42bf08cf713e4a18ed1dd04dcc200a1cdafe94 c0cf4951b3020f4fdf0b30c32934e922348e3660 f7a745a4765a1efbfc31d0e21d0b5aca9aa2c5b1+}
Depends: gnutls-bin (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-25228bbeb1c692f8764099a856ab8c9463f7c325-] {+1c399494f95f5e9ff28fcbd0243e96639fad69d3+}
Depends: libgnutls-dane0 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-baf0016a0105eb9eb689bd33997207d4a704386d-] {+51a6d9549543590e69584a2dd9df4e919cd62918+}
Depends: libgnutls-openssl27 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-openssl27 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutlsxx28 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-dane0 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-07a8f58a7e4e32a36feee7511f728d5896439b13-] {+1c1bc93c559cfe2ebd1b5676fa4b355118edf38e+}
Depends: libgnutls30 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Installed-Size: [-2880-] {+2882+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-a8a2ad066f20b10398a4047b4a5ac2032fdcc3d7-] {+f443a08baf0b78f1286c82e9d3e085c83734d37b+}
Depends: libgnutlsxx28 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog
--- gnutls28-3.5.8/debian/changelog	2017-07-23 14:28:37.000000000 +0200
+++ gnutls28-3.5.8/debian/changelog	2018-10-06 14:06:18.000000000 +0200
@@ -1,3 +1,14 @@
+gnutls28 (3.5.8-5+deb9u4) stretch; urgency=medium
+
+  * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19
+    + 39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
+    + 39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
+    + 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
+    + 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
+    + 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 06 Oct 2018 14:06:18 +0200
+
 gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium
 
   * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
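Review bot: the changelog entry lists the five patches by filename but does not say that 39_04 removes the HMAC-SHA256 and HMAC-SHA384 ciphersuites from the NORMAL, SECURE128 and SECURE192 defaults, which is a user-visible behaviour change in a stable update; state that here (and consider a debian/NEWS entry) so that administrators whose peers only offer those suites can tell why negotiation starts failing after the upgrade.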
diff -Nru gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
--- gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch	2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,92 @@
+From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Tue, 12 Jun 2018 14:22:52 +0200
+Subject: [PATCH 1/5] dummy_wait: correctly account the length field in SHA384
+ HMAC
+
+The existing lucky13 attack count-measures did not work correctly for
+SHA384 HMAC.
+
+The overall impact of that should not be significant as SHA384 is prioritized
+lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a
+client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both
+cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported
+by the peer.
+
+Relates #455
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at redhat.com>
+---
+ lib/algorithms/mac.c |  4 ++--
+ lib/cipher.c         | 24 +++++++++++-------------
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
+index 0198e4a205..d345ddb712 100644
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
+ 	{"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
+ 	 64},
+ 	{"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1,
+-	 64},
++	 128},
+ 	{"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1,
+-	 64},
++	 128},
+ 	{"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1,
+ 	 64},
+ 	{"SHA3-256", HASH_OID_SHA3_256, NULL, GNUTLS_MAC_SHA3_256, 32, 32, 0, 0, 1,
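Review bot: the block-size correction for SHA384 and SHA512 (64 to 128) is right, since both use the SHA-512 compression function with a 1024-bit block, but the caller in lib/cipher.c in this same patch only switches to the 16-byte length field for GNUTLS_MAC_SHA384, so SHA512 would still get v = 9 paired with a 128-byte block if it were ever used as a record MAC. Deriving the length-field width from the block size (8 bytes for 64-byte blocks, 16 for 128-byte blocks) would keep the two tables from drifting apart.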
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 84f30637be..c675a64032 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -459,9 +459,10 @@ static void dummy_wait(record_parameters_st * params,
+ 		       gnutls_datum_t * plaintext, unsigned pad_failed,
+ 		       unsigned int pad, unsigned total)
+ {
+-	/* this hack is only needed on CBC ciphers */
++	/* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
++	 * is not supported by the peer. */
+ 	if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+-		unsigned len;
++		unsigned len, v;
+ 
+ 		/* force an additional hash compression function evaluation to prevent timing 
+ 		 * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+@@ -469,11 +470,14 @@ static void dummy_wait(record_parameters_st * params,
+ 		if (pad_failed == 0 && pad > 0) {
+ 			len = _gnutls_mac_block_size(params->mac);
+ 			if (len > 0) {
+-				/* This is really specific to the current hash functions.
+-				 * It should be removed once a protocol fix is in place.
+-				 */
+-				if ((pad + total) % len > len - 9
+-				    && total % len <= len - 9) {
++				if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++					/* v = 1 for the hash function padding + 16 for message length */
++					v = 17;
++				else /* v = 1 for the hash function padding + 8 for message length */
++					v = 9;
++
++				if ((pad + total) % len > len - v
++				    && total % len <= len - v) {
+ 					if (len < plaintext->size)
+ 						_gnutls_auth_cipher_add_auth
+ 						    (&params->read.
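Review bot: the values v = 9 and v = 17 encode the Merkle-Damgard padding (one 0x80 byte plus an 8- or 16-byte length field), so `len - v` is the last in-block offset at which the final message byte can sit without forcing one more compression; a one-line comment to that effect would make the magic numbers readable. Note also that this check still adds at most one extra compression, so a pad that pushes the message across more than one block boundary remains distinguishable; that case is only covered by the rewrite in 39_02.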
+@@ -814,12 +818,6 @@ ciphertext_to_compressed(gnutls_session_t session,
+ 		if (unlikely(ret < 0))
+ 			return gnutls_assert_val(ret);
+ 
+-		/* Here there could be a timing leakage in CBC ciphersuites that
+-		 * could be exploited if the cost of a successful memcmp is high. 
+-		 * A constant time memcmp would help there, but it is not easy to maintain
+-		 * against compiler optimizations. Currently we rely on the fact that
+-		 * a memcmp comparison is negligible over the crypto operations.
+-		 */
+ 		if (unlikely
+ 		    (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ 			/* HMAC was not the same. */
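Review bot: deleting the comment is correct because the comparison already goes through gnutls_memcmp, which is the constant-time compare the comment claimed was hard to maintain, but the commit message should say so; a reader of the patch could otherwise conclude that a timing-related safeguard was removed rather than a stale remark.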
+-- 
+2.19.0
+
diff -Nru gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
--- gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch	2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,107 @@
+From c2e094acd68f7159025b2e2556d6fb4427b41dd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Tue, 12 Jun 2018 14:27:57 +0200
+Subject: [PATCH 2/5] dummy_wait: always hash the same amount of blocks that
+ would have been on minimum pad
+
+This improves protection against lucky13-type of attacks when
+encrypt-then-mac is not in use.
+
+Resolves #456
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at redhat.com>
+---
+ lib/cipher.c | 63 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index c675a64032..287f2e8c8a 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -455,41 +455,42 @@ compressed_to_ciphertext(gnutls_session_t session,
+ 	return length;
+ }
+ 
+-static void dummy_wait(record_parameters_st * params,
+-		       gnutls_datum_t * plaintext, unsigned pad_failed,
+-		       unsigned int pad, unsigned total)
++static void dummy_wait(record_parameters_st *params,
++		       gnutls_datum_t *plaintext,
++		       unsigned int mac_data, unsigned int max_mac_data)
+ {
+ 	/* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
+ 	 * is not supported by the peer. */
+ 	if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+-		unsigned len, v;
++		unsigned v;
++		unsigned int tag_size =
++		    _gnutls_auth_cipher_tag_len(&params->read.cipher_state);
++		unsigned hash_block = _gnutls_mac_block_size(params->mac);
+ 
+-		/* force an additional hash compression function evaluation to prevent timing 
++		/* force additional hash compression function evaluations to prevent timing
+ 		 * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+ 		 */
+-		if (pad_failed == 0 && pad > 0) {
+-			len = _gnutls_mac_block_size(params->mac);
+-			if (len > 0) {
+-				if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+-					/* v = 1 for the hash function padding + 16 for message length */
+-					v = 17;
+-				else /* v = 1 for the hash function padding + 8 for message length */
+-					v = 9;
+-
+-				if ((pad + total) % len > len - v
+-				    && total % len <= len - v) {
+-					if (len < plaintext->size)
+-						_gnutls_auth_cipher_add_auth
+-						    (&params->read.
+-						     cipher_state,
+-						     plaintext->data, len);
+-					else
+-						_gnutls_auth_cipher_add_auth
+-						    (&params->read.
+-						     cipher_state,
+-						     plaintext->data,
+-						     plaintext->size);
+-				}
++		if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++			/* v = 1 for the hash function padding + 16 for message length */
++			v = 17;
++		else /* v = 1 for the hash function padding + 8 for message length */
++			v = 9;
++
++		if (hash_block > 0) {
++			int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
++			int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
++			unsigned to_hash;
++
++			max_blocks -= hashed_blocks;
++			if (max_blocks < 1)
++				return;
++
++			to_hash = max_blocks * hash_block;
++			if ((unsigned)to_hash+1+tag_size < plaintext->size) {
++				_gnutls_auth_cipher_add_auth
++					    (&params->read.cipher_state,
++					     plaintext->data+plaintext->size-tag_size-to_hash-1,
++					     to_hash);
+ 			}
+ 		}
+ 	}
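Review bot: max_blocks and hashed_blocks are declared int while mac_data, max_mac_data, hash_block and to_hash are unsigned, so the ceil-division results are narrowed to int before the `max_blocks < 1` test; declaring both unsigned and testing `hashed_blocks >= max_blocks` before subtracting would avoid the sign juggling, and the `(unsigned)to_hash` cast in the bounds check is a no-op since to_hash is already unsigned. The check `to_hash + 1 + tag_size < plaintext->size` is what keeps the pointer `plaintext->data + plaintext->size - tag_size - to_hash - 1` inside the buffer, so a comment tying the two lines together is worth adding.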
+@@ -821,8 +822,10 @@ ciphertext_to_compressed(gnutls_session_t session,
+ 		if (unlikely
+ 		    (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ 			/* HMAC was not the same. */
+-			dummy_wait(params, compressed, pad_failed, pad,
+-				   length + preamble_size);
++			gnutls_datum_t data = {compressed->data, ciphertext->size};
++
++			dummy_wait(params, &data, length + preamble_size,
++				   preamble_size + ciphertext->size - tag_size - 1);
+ 
+ 			return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ 		}
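Review bot: the datum handed to dummy_wait pairs compressed->data with ciphertext->size rather than compressed->size, so the bounds check inside dummy_wait is only sound if the decrypted buffer is at least ciphertext->size bytes long; nothing in this hunk shows that invariant, so a comment or assertion here would help. The max_mac_data argument `preamble_size + ciphertext->size - tag_size - 1` is the MAC input length for a minimal one-byte pad, which matches the commit subject.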
+-- 
+2.19.0
+
diff -Nru gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
--- gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch	2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,39 @@
+From 62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Tue, 12 Jun 2018 14:29:57 +0200
+Subject: [PATCH 3/5] cbc_mac_verify: require minimum padding under SSL3.0
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at redhat.com>
+---
+ lib/cipher.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 287f2e8c8a..8e7bd8227d 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -747,8 +747,12 @@ ciphertext_to_compressed(gnutls_session_t session,
+ 			 * because there is a timing channel in that memory access (in certain CPUs).
+ 			 */
+ #ifdef ENABLE_SSL3
+-			if (ver->id != GNUTLS_SSL3)
++			if (ver->id == GNUTLS_SSL3) {
++				if (pad >= blocksize)
++					pad_failed = 1;
++			} else
+ #endif
++			{
+ 				for (i = 2; i <= MIN(256, ciphertext->size); i++) {
+ 					tmp_pad_failed |=
+ 					    (compressed->
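Review bot: under SSL 3.0 the padding bytes are unspecified, so only the pad length can be validated and `pad >= blocksize` is the right rejection condition (the length byte must be strictly less than the block size). The `} else` / `#endif` / `{` layout does mean that with ENABLE_SSL3 undefined the loop becomes a bare compound statement, which compiles but reads oddly; a short comment on the `{` line marking it as the non-SSL3 branch would keep a future edit from breaking the pairing.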
+@@ -756,6 +760,7 @@ ciphertext_to_compressed(gnutls_session_t session,
+ 					pad_failed |=
+ 					    ((i <= (1 + pad)) & (tmp_pad_failed));
+ 				}
++			}
+ 
+ 			if (unlikely
+ 			    (pad_failed != 0
+-- 
+2.19.0
+
diff -Nru gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
--- gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch	2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,101 @@
+From c433cdf92349afae66c703bdacedf987f423605e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Tue, 12 Jun 2018 14:31:40 +0200
+Subject: [PATCH 4/5] hmac-sha384 and sha256 ciphersuites were removed from
+ defaults
+
+These ciphersuites are deprecated since the introduction of AEAD
+ciphersuites, and are only necessary for compatibility with older
+servers. Since older servers already support hmac-sha1 there is
+no reason to keep these ciphersuites enabled by default, as they
+increase our attack surface.
+
+Relates #456
+
+## Unfuzzed for Debian 3.5.8.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at redhat.com>
+---
+ lib/priority.c            |  8 --------
+ tests/dtls1-2-mtu-check.c |  2 +-
+ tests/priorities.c        | 12 ++++++------
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -417,8 +417,6 @@ static const int* sign_priority_secure19
+ 
+ static const int mac_priority_normal_default[] = {
+ 	GNUTLS_MAC_SHA1,
+-	GNUTLS_MAC_SHA256,
+-	GNUTLS_MAC_SHA384,
+ 	GNUTLS_MAC_AEAD,
+ 	GNUTLS_MAC_MD5,
+ 	0
+@@ -426,8 +424,6 @@ static const int mac_priority_normal_def
+ 
+ static const int mac_priority_normal_fips[] = {
+ 	GNUTLS_MAC_SHA1,
+-	GNUTLS_MAC_SHA256,
+-	GNUTLS_MAC_SHA384,
+ 	GNUTLS_MAC_AEAD,
+ 	0
+ };
+@@ -461,16 +457,12 @@ static const int* mac_priority_suiteb =
+ 
+ static const int _mac_priority_secure128[] = {
+ 	GNUTLS_MAC_SHA1,
+-	GNUTLS_MAC_SHA256,
+-	GNUTLS_MAC_SHA384,
+ 	GNUTLS_MAC_AEAD,
+ 	0
+ };
+ static const int* mac_priority_secure128 = _mac_priority_secure128;
+ 
+ static const int _mac_priority_secure192[] = {
+-	GNUTLS_MAC_SHA256,
+-	GNUTLS_MAC_SHA384,
+ 	GNUTLS_MAC_AEAD,
+ 	0
+ };
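Review bot: dropping GNUTLS_MAC_SHA256 and GNUTLS_MAC_SHA384 from the default MAC lists means a peer that offers only CBC suites with those MACs (and no HMAC-SHA1 or AEAD suite) will no longer negotiate under stretch's default priority; applications can opt back in with +SHA256 or +SHA384, as the tests/dtls1-2-mtu-check.c change in this same patch does. Since the patch is applied unfuzzed and carries no index lines, please confirm the hunk offsets applied cleanly to 3.5.8's lib/priority.c, and mention the default change in the changelog.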
+--- a/tests/dtls1-2-mtu-check.c
++++ b/tests/dtls1-2-mtu-check.c
+@@ -79,7 +79,7 @@ static void dtls_mtu_try(const char *nam
+ 				serverx509cred);
+ 
+ 	assert(gnutls_priority_set_direct(server,
+-				   "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
++				   "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SHA256",
+ 				   NULL) >= 0);
+ 	gnutls_transport_set_push_function(server, server_push);
+ 	gnutls_transport_set_pull_function(server, server_pull);
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -93,21 +93,21 @@ try_prio(const char *prio, unsigned expe
+ 
+ void doit(void)
+ {
+-	const int normal = 57;
+-	const int null = 5;
+-	const int sec128 = 53;
++	const int normal = 41;
++	const int null = 4;
++	const int sec128 = 37;
+ 
+-	try_prio("PFS", 42, 12, __LINE__);
++	try_prio("PFS", 30, 12, __LINE__);
+ 	try_prio("NORMAL", normal, 12, __LINE__);
+ 	try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 12, __LINE__);
+ #ifndef ENABLE_FIPS140
+ 	try_prio("NORMAL:+CIPHER-ALL", normal, 12, __LINE__);	/* all (except null) */
+ 	try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__);	/* null */
+ 	try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 13, __LINE__);	/* should be null + all */
+-	try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__);	/* should be null + all */
++	try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, __LINE__);	/* should be null + all */
+ #endif
+ 	try_prio("PERFORMANCE", normal, 12, __LINE__);
+-	try_prio("SECURE256", 22, 6, __LINE__);
++	try_prio("SECURE256", 14, 6, __LINE__);
+ 	try_prio("SECURE128", sec128, 11, __LINE__);
+ 	try_prio("SECURE128:+SECURE256", sec128, 11, __LINE__);	/* should be the same as SECURE128 */
+ 	try_prio("SECURE128:+SECURE256:+NORMAL", normal, 12, __LINE__);	/* should be the same as NORMAL */
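Review bot: the expected ciphersuite counts (normal 57 to 41, sec128 53 to 37, PFS 42 to 30, SECURE256 22 to 14, the AES-128-CBC case 8 to 4) are adjusted for 3.5.8's suite list rather than copied from 3.5.19, which makes this the hunk most likely to be wrong in a backport; make sure tests/priorities is actually built and run during the stretch package build so the numbers are checked rather than assumed.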
diff -Nru gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
--- gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch	2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,38 @@
+From 9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 13 Jun 2018 12:55:02 +0200
+Subject: [PATCH 5/5] tests: pkcs12_encode: fix test for SHA512
+
+We don't support SHA512 in the 3.5.x branch.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at redhat.com>
+---
+ tests/pkcs12_encode.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index 46c5092e49..e45755789b 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -220,18 +220,6 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
+-	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
+-	if (ret < 0) {
+-		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+-		exit(1);
+-	}
+-
+-	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
+-	if (ret < 0) {
+-		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+-		exit(1);
+-	}
+-
+ 	size = sizeof(outbuf);
+ 	ret =
+ 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
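Review bot: this hunk removes a test instead of changing library code, and the commit message only says SHA512 is unsupported in 3.5.x; the debdiff does not show whether the test fails only after the SHA512 block-size change in 39_01 or was already failing, so a sentence in the changelog explaining why a test-only upstream commit belongs in this security update would help the next reviewer.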
+-- 
+2.19.0
+
diff -Nru gnutls28-3.5.8/debian/patches/series gnutls28-3.5.8/debian/patches/series
--- gnutls28-3.5.8/debian/patches/series	2017-07-23 13:50:20.000000000 +0200
+++ gnutls28-3.5.8/debian/patches/series	2018-10-06 13:53:23.000000000 +0200
@@ -15,3 +15,8 @@
 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch
 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
+39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
+39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
+39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
+39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
+39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch