On 2016-10-09 Salvatore Bonaccorso <car...@debian.org> wrote: [...] > Hi Stable Release Managers,
> X-Debbugs-CC'ed Andreas Metzler. > gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3, > having a flaw in the OCSP certificate check. This was fixed upstream > and included in unstable with 3.5.3-4 but would not warrant a DSA. > Attached is proposed debdiff for jessie. Would it be acceptable for an > upcoming point release? [...] I think it makes sense to add the GnuTLS patch for compatibility with CVE-2016-6489-patched nettle. (832983). cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog 2016-10-30 07:39:11.000000000 +0100
@@ -1,3 +1,16 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+ [ Salvatore Bonaccorso ]
+ * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+ (GNUTLS-SA-2016-3). See #840191.
+
+ [ Andreas Metzler ]
+ * Cherry pick 53_nettle-use-rsa_-_key_prepare-on-key-import.patch
+ from upstream GIT, which should allow gnutls continue to work with
+ CVE-2016-6489-patched nettle. See #832983.
+
+ -- Andreas Metzler <ametz...@debian.org> Sun, 30 Oct 2016 07:39:08 +0100
+
 gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
 
 * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-30 07:01:40.000000000 +0100
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+ 
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
diff -Nru gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch
--- gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch 2016-10-30 07:10:31.000000000 +0100
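Review bot: The backported patch carries no DEP-3 fields beyond the git `From:`/`Subject:` headers, so the only Debian-side link from the patch file to the issue it closes is the changelog; adding `Bug-Debian: https://bugs.debian.org/840191` above the `---` separator (the upstream commit id is already in the first `From` line) would make the provenance checkable from the patch alone. The one-line fix itself is sound as far as the hunk shows: with `cserial.size = t;` set before the comparison, the `rserial.size != cserial.size` guard now bounds the `memcmp` length to a serial that was actually compared for length rather than to whatever capacity `cserial.size` held before. The diffstat shows only `lib/x509/ocsp.c` changing, so no reproducer (an OCSP response whose serial length differs from the certificate's) accompanies the backport; if upstream added one in a separate commit it would be worth carrying here. `gnutls_ocsp_resp_check_crt` begins and ends outside the hunk, including the `cleanup` label it jumps to.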
@@ -0,0 +1,152 @@
+From 186dc9c2012003587a38d7f4d03edd8da5fe989f Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sun, 7 Aug 2016 12:06:39 +0200
+Subject: [PATCH] nettle: use rsa_*_key_prepare on key import
+
+Previously we calculated the size of the key directly, but
+by using the rsa_*_key_prepare we benefit from any checks that
+may be introduced in the future. Specifically any checks for invalid
+public keys (e.g., keys that may crash the underlying gmp functions).
+
+This patch avoids calling rsa_private_key_prepare every time we construct
+a nettle private key struct, because this function requires a bigint
+multiplication. We call that function once on private key import.
+---
+ lib/nettle/pk.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 52 insertions(+), 10 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 2fab308..b41ebfb 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -98,18 +98,24 @@ _rsa_params_to_privkey(const gnutls_pk_params_st * pk_params,
+ memcpy(priv->c, pk_params->params[5], SIZEOF_MPZT);
+ memcpy(priv->a, pk_params->params[6], SIZEOF_MPZT);
+ memcpy(priv->b, pk_params->params[7], SIZEOF_MPZT);
++ /* we do not rsa_private_key_prepare() because it involves a multiplication. 
++ * we call it once when we import the parameters */
+ priv->size =
+ nettle_mpz_sizeinbase_256_u(TOMPZ
+ (pk_params->params[RSA_MODULUS]));
+ }
+ 
+-static void
++/* returns a negative value on invalid pubkey */
++static int
+ _rsa_params_to_pubkey(const gnutls_pk_params_st * pk_params,
+ struct rsa_public_key *pub)
+ {
+ memcpy(pub->n, pk_params->params[RSA_MODULUS], SIZEOF_MPZT);
+ memcpy(pub->e, pk_params->params[RSA_PUB], SIZEOF_MPZT);
+- pub->size = nettle_mpz_sizeinbase_256_u(pub->n);
++ if (rsa_public_key_prepare(pub) == 0)
++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++ return 0;
+ }
+ 
+ static int
+@@ -340,7 +346,13 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
+ {
+ struct rsa_public_key pub;
+ 
+- _rsa_params_to_pubkey(pk_params, &pub);
++ ret = _rsa_params_to_pubkey(pk_params, &pub);
++ if (ret < 0) {
++ ret =
++ gnutls_assert_val
++ (GNUTLS_E_ENCRYPTION_FAILED);
++ goto cleanup;
++ }
+ 
+ ret =
+ rsa_encrypt(&pub, NULL, rnd_func,
+@@ -398,7 +410,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
+ bigint_t c;
+ 
+ _rsa_params_to_privkey(pk_params, &priv);
+- _rsa_params_to_pubkey(pk_params, &pub);
++ ret = _rsa_params_to_pubkey(pk_params, &pub);
++ if (ret < 0)
++ return
++ gnutls_assert_val
++ (GNUTLS_E_DECRYPTION_FAILED);
++
+ 
+ if (ciphertext->size != pub.size)
+ return
+@@ -570,7 +587,11 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ mpz_t s;
+ 
+ _rsa_params_to_privkey(pk_params, &priv);
+- _rsa_params_to_pubkey(pk_params, &pub);
++ ret = _rsa_params_to_pubkey(pk_params, &pub);
++ if (ret < 0)
++ return
++ gnutls_assert_val
++ (GNUTLS_E_PK_SIGN_FAILED);
+ 
+ mpz_init(s);
+ 
+@@ -707,7 +728,11 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ {
+ struct rsa_public_key pub;
+ 
+- _rsa_params_to_pubkey(pk_params, &pub);
++ ret = _rsa_params_to_pubkey(pk_params, &pub);
++ if (ret < 0)
++ return
++ gnutls_assert_val
++ (GNUTLS_E_PK_SIG_VERIFY_FAILED);
+ 
+ if (signature->size != pub.size)
+ return
+@@ -1774,7 +1799,12 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ {
+ int ret;
+ 
+- if (direction == GNUTLS_IMPORT && algo == GNUTLS_PK_RSA) {
++ if (direction != GNUTLS_IMPORT)
++ return 0;
++
++ if (algo == GNUTLS_PK_RSA) {
++ struct rsa_private_key priv;
++
+ /* do not trust the generated values. Some old private keys
+ * generated by us have mess on the values. Those were very
+ * old but it seemed some of the shipped example private
+@@ -1788,9 +1818,14 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+- mpz_invert(TOMPZ(params->params[RSA_COEF]),
+- TOMPZ(params->params[RSA_PRIME2]),
+- TOMPZ(params->params[RSA_PRIME1]));
++
++ if (mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME1]), 0) == 0)
++ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++
++ if (mpz_invert(TOMPZ(params->params[RSA_COEF]),
++ TOMPZ(params->params[RSA_PRIME2]),
++ TOMPZ(params->params[RSA_PRIME1])) == 0)
++ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ 
+ /* calculate exp1 [6] and exp2 [7] */
+ zrelease_mpi_key(¶ms->params[RSA_E1]);
+@@ -1801,6 +1836,13 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ return gnutls_assert_val(ret);
+ 
+ params->params_nr = RSA_PRIVATE_PARAMS;
++
++ /* perform nettle's internal checks */
++ _rsa_params_to_privkey(params, &priv);
++ ret = rsa_private_key_prepare(&priv);
++ if (ret == 0) {
++ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++ }
+ }
+ 
+ return 0;
+-- 
+2.8.1
+
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series 2016-10-30 07:16:01.000000000 +0100
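Review bot: `_rsa_params_to_privkey` still derives `priv->size` from `nettle_mpz_sizeinbase_256_u` on the modulus, while nettle's own validation (`rsa_private_key_prepare`) now runs only on the import path in `wrap_nettle_pk_fixup`; if a private key can reach `_wrap_nettle_pk_decrypt` or `_wrap_nettle_pk_sign` without passing through fixup (the callers are not in the hunk), that key is used without nettle's checks, so the new comment above `priv->size` should state the invariant it relies on, e.g. `/* size is trusted here only because rsa_private_key_prepare() ran in wrap_nettle_pk_fixup() at import */`. In `_wrap_nettle_pk_decrypt` the added early return is followed by both an added empty line (`++`) and the existing blank context line, leaving a doubled blank that the encrypt, sign and verify callers do not have. The `¶ms->params[RSA_E1]` in the `zrelease_mpi_key` context line is an entity-mangled `&params` in this rendering of the debdiff, not in the patch itself. Every touched function starts and ends outside its hunk, including the `cleanup` label that the encrypt path jumps to.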
@@ -14,3 +14,5 @@
 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
+53_nettle-use-rsa_-_key_prepare-on-key-import.patch