Heads-up GNUTLS-SA-2020-07-14 [CVE-2023-0361]
Andreas Metzler
ametzler at bebt.de
Sun Feb 12 13:32:51 GMT 2023
On 2023-02-10 Andreas Metzler <ametzler at bebt.de> wrote:
> On 2023-02-10 Andreas Metzler <ametzler at bebt.de> wrote:
> > Hello,
> > today's releases of GnuTLS 3.7.9 and 3.8.0 fix "a Bleichenbacher oracle
> > in the TLS RSA key exchange.". Details here:
> > https://gitlab.com/gnutls/gnutls/-/issues/1050
> > 3.7.9 is basically a single-bugfix release, since the tarball publication
> > was delayed I had uploaded a patched 3.7.8-5 instead to sid.
> According to upstream the problematic code is present in 3.6.5-3.6.16,
> 3.7.0-3.7.8, i.e. both buster and bullseye.
Hello,
3.7.8 patch applies unmodified without fuzz to 3.7.1.
cu Andreas
-------------- next part --------------
diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog
--- gnutls28-3.7.1/debian/changelog 2022-08-07 16:30:17.000000000 +0200
+++ gnutls28-3.7.1/debian/changelog 2023-02-12 13:59:45.000000000 +0100
@@ -1,3 +1,10 @@
+gnutls28 (3.7.1-5+deb11u3) bullseye-security; urgency=high
+
+ * Fix timing sidechannel vulnerability in RSA decryption.
+ GNUTLS-SA-2020-07-14 CVE-2023-0361
+
+ -- Andreas Metzler <ametzler at debian.org> Sun, 12 Feb 2023 13:59:45 +0100
+
gnutls28 (3.7.1-5+deb11u2) bullseye-security; urgency=high
* Non-maintainer upload by the Security Team.
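Review bot: the changelog entry `+ * Fix timing sidechannel vulnerability in RSA decryption.` / `+ GNUTLS-SA-2020-07-14 CVE-2023-0361` would be easier to trace if it also named the upstream issue cited in the mail body (https://gitlab.com/gnutls/gnutls/-/issues/1050); "sidechannel" is also normally written "side-channel", matching the subject of the 61_01 patch.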
diff -Nru gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc
--- gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc 2023-02-12 08:05:01.000000000 +0100
@@ -0,0 +1,53 @@
+From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin at redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH 1/3] auth/rsa: side-step potential side-channel
+
+Remove branching that depends on secret data.
+
+Signed-off-by: Alexander Sosedkin <asosedkin at redhat.com>
+Signed-off-by: Hubert Kario <hkario at redhat.com>
+Tested-by: Hubert Kario <hkario at redhat.com>
+---
+ lib/auth/rsa.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee841d..6b158bacb2 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -153,11 +153,10 @@ _gnutls_get_public_rsa_params(gnutls_session_t session,
+
+ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ size_t _data_size)
+ {
+- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ gnutls_datum_t ciphertext;
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
+ volatile uint8_t check_ver_min;
+@@ -233,19 +232,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+ /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+ ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+ CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+
+- if (ok) {
+- /* call logging function unconditionally so all branches are
+- * indistinguishable for timing and cache access when debug
+- * logging is disabled */
+- _gnutls_no_log("%s", attack_error);
+- } else {
+- _gnutls_debug_log("%s", attack_error);
+- }
+-
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+ session->key.key.data[0] = ver_maj;
+ session->key.key.data[1] = ver_min;
+--
+2.39.1
+
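Review bot: the new file is named `61_01-auth-rsa-side-step-potential-side-channel.patc`, a truncated `.patch` suffix, while every other file in debian/patches ends in `.patch`; rename the file (and the matching series entry) before upload so the naming stays consistent. The header also reads `[PATCH 1/3]` and only 1/3 and 2/3 are carried in this debdiff; it is worth stating in the changelog or patch header why 3/3 is not needed for the 3.7.1 backport.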
diff -Nru gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch
--- gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch 2023-02-12 08:05:01.000000000 +0100
@@ -0,0 +1,84 @@
+From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario at redhat.com>
+Date: Wed, 8 Feb 2023 14:32:09 +0100
+Subject: [PATCH 2/3] rsa: remove dead code
+
+since the `ok` variable isn't used any more, we can remove all code
+used to calculate it
+
+Signed-off-by: Hubert Kario <hkario at redhat.com>
+---
+ lib/auth/rsa.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6b158bacb2..858701fe6e 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -157,12 +157,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ {
+ gnutls_datum_t ciphertext;
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
+- volatile uint8_t check_ver_min;
+- volatile uint32_t ok;
+
+ #ifdef ENABLE_SSL3
+ if (get_num_version(session) == GNUTLS_SSL3) {
+ /* SSL 3.0
+ */
+@@ -184,11 +182,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ciphertext.size = dsize;
+ }
+
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+- check_ver_min = (session->internals.allow_wrong_pms == 0);
+
+ session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ if (session->key.key.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+@@ -203,14 +200,13 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ session->key.key.size = 0;
+ gnutls_assert();
+ return ret;
+ }
+
+- ret =
+- gnutls_privkey_decrypt_data2(session->internals.selected_key,
+- 0, &ciphertext, session->key.key.data,
+- session->key.key.size);
++ gnutls_privkey_decrypt_data2(session->internals.selected_key,
++ 0, &ciphertext, session->key.key.data,
++ session->key.key.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+ * channel that can be used as an oracle, so treat very carefully */
+
+ /* Error handling logic:
+@@ -222,20 +218,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ * proceed normally. This is to defend against the attack described
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ */
+
+- /* ok is 0 in case of error and 1 in case of success. */
+-
+- /* if ret < 0 */
+- ok = CONSTCHECK_EQUAL(ret, 0);
+- /* session->key.key.data[0] must equal ver_maj */
+- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+ session->key.key.data[0] = ver_maj;
+ session->key.key.data[1] = ver_min;
+--
+2.39.1
+
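Review bot: with the `ret =` assignment dropped at `+ gnutls_privkey_decrypt_data2(session->internals.selected_key,` the decryption result is intentionally discarded, yet the surviving comment block beginning `/* Error handling logic:` still describes examining that result; update the comment to say the outcome is deliberately not checked and the version bytes are overwritten unconditionally, so a later reader does not "fix" the unused return value and reintroduce the secret-dependent branch. A `(void)` cast on the call would make that intent explicit in the code as well.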
diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series
--- gnutls28-3.7.1/debian/patches/series 2022-08-07 16:30:17.000000000 +0200
+++ gnutls28-3.7.1/debian/patches/series 2023-02-12 08:06:24.000000000 +0100
@@ -21,3 +21,5 @@
56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
60-Fix-double-free-during-gnutls_pkcs7_verify.patch
+61_01-auth-rsa-side-step-potential-side-channel.patc
+61_02-rsa-remove-dead-code.patch
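Review bot: the added entry `+61_01-auth-rsa-side-step-potential-side-channel.patc` carries the truncated suffix; both this line and the file itself should be renamed to `.patch` to match `61_02-rsa-remove-dead-code.patch` and the existing entries above it.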