Hi Andreas
It looks like you have managed without the context. I'm sorry that I was a little too brief.
First, thank you a lot for confirming that gnutls does not use nettle in wheezy. This is very good to know, as I can safely patch nettle without considering gnutls's usage of nettle. Thanks! It saves me the burden of patching and coordinating several uploads.
The follow-up patches that are needed are to modify gnutls (as long as it is using nettle).
This (below) is what I have understood from Niels Möller. He is the source of my knowledge so please be in contact with him about the details.
The correction in nettle is to use mpz_powm_sec instead of mpz_powm. The problem is that mpz_powm_sec will crash if the modulo argument is an even number, so a check is needed to ensure that, or else we have a denial-of-service problem.
You can see the detailed correction here:
Nettle has added such checks in the *_key_prepare functions, see here:
I think this merge commit may be of help:
The issue is that gnutls does not use (or does not check the return code of) these prepare functions, so there is nothing that prevents the service from crashing in case an invalid signature is provided. The attack would, for example, be possible on some service provider having a common web server for multiple clients where the clients can add their own certificate/key. In such a case the whole server will go down instead of just this client.
So a check is needed in gnutls to check that the modulo is not even. This can be done either by using the prepare functions (and checking the return code) or by checking it explicitly.
Was this enough context?
// Ola
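The check the mail asks for, as an added example written for this page; it is not code from the mail, from nettle or from gnutls. It is in C because both libraries are C, but it does not link GMP: the modulus is handled as the big-endian octets of a DER INTEGER, and the constant-time exponentiation (mpz_powm_sec in the real code) is replaced by a counting stand-in so the example can show that an even modulus never reaches it. All names (`rsa_modulus_check`, `rsa_verify_guarded`, `RSA_KEY_*`, `MIN_MODULUS_OCTETS`, the sample buffer) are constructed for the example; with GMP the same parity test on an `mpz_t` is `mpz_odd_p`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of the pre-exponentiation modulus check. These names are constructed
   for this example and are not nettle's or gnutls's own API. */
enum rsa_check {
    RSA_KEY_OK = 0,
    RSA_KEY_EMPTY,
    RSA_KEY_EVEN_MODULUS,
    RSA_KEY_TOO_SHORT
};

/* Minimum modulus length accepted here (an assumption for the example; nettle
   applies its own minimum inside the *_key_prepare functions). */
#define MIN_MODULUS_OCTETS 64

/* Check the modulus as it arrives from a certificate: the big-endian octets
   of a DER INTEGER. mpz_powm_sec requires an odd modulus, and the parity of a
   big-endian integer is the parity of its last octet, so that is the test
   that must run before any constant-time exponentiation. */
enum rsa_check rsa_modulus_check(const uint8_t *n, size_t len)
{
    size_t lead = 0;

    if (n == NULL || len == 0)
        return RSA_KEY_EMPTY;
    /* Zero is even, so an all-zero modulus is rejected here as well. */
    if ((n[len - 1] & 1u) == 0)
        return RSA_KEY_EVEN_MODULUS;
    /* DER may prepend a 0x00 octet to keep the INTEGER positive; do not count
       it towards the size. */
    while (lead < len && n[lead] == 0)
        lead++;
    if (len - lead < MIN_MODULUS_OCTETS)
        return RSA_KEY_TOO_SHORT;
    return RSA_KEY_OK;
}

/* Stand-in for the constant-time exponentiation. It only records how often it
   was reached, so the guard below can show that an even modulus is kept away
   from it. 0 means "exponentiation performed". */
int powm_calls = 0;
int counting_powm(const uint8_t *n, size_t len)
{
    (void)n; (void)len;
    powm_calls++;
    return 0;
}

typedef int (*powm_sec_fn)(const uint8_t *n, size_t len);

/* Guarded verification step: run the check, honour its return code, and only
   then hand the modulus to the exponentiation. Skipping the prepare call, or
   ignoring its return code, is exactly the gap described in the mail. */
int rsa_verify_guarded(const uint8_t *n, size_t len, powm_sec_fn powm)
{
    enum rsa_check rc = rsa_modulus_check(n, len);
    if (rc != RSA_KEY_OK)
        return -(int)rc;    /* reject the key; nothing is exponentiated */
    return powm(n, len);
}

/* Constructed sample modulus: 128 octets of filler behind a DER-style leading
   zero, with a chosen last octet so parity can be varied without any real key
   material. The buffer is shared, so fetch one sample at a time. */
#define SAMPLE_LEN 128
static uint8_t sample_buf[SAMPLE_LEN];

const uint8_t *sample_modulus(uint8_t last_octet)
{
    memset(sample_buf, 0xA5, SAMPLE_LEN);
    sample_buf[0] = 0x00;
    sample_buf[SAMPLE_LEN - 1] = last_octet;
    return sample_buf;
}

int main(void)
{
    printf("odd modulus:  %d\n",
           rsa_verify_guarded(sample_modulus(0x01), SAMPLE_LEN, counting_powm));
    printf("even modulus: %d\n",
           rsa_verify_guarded(sample_modulus(0x02), SAMPLE_LEN, counting_powm));
    printf("exponentiations performed: %d\n", powm_calls);
    return 0;
}
```

The order of the tests matters for the denial-of-service case: parity is checked before the size, so a modulus of any length that ends in an even octet is refused before anything else looks at it. Whether gnutls calls nettle's own prepare function or repeats the test explicitly, the caller has to act on the result, which is what `rsa_verify_guarded` does by returning the negated check code instead of calling the exponentiation.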