Control: retitle -1 jessie-pu: package gnutls28/3.3.8-6+deb8u3 On 2015-08-12 Salvatore Bonaccorso <carnil@debian.org> wrote: > On Sat, Jun 20, 2015 at 04:03:48PM +0200, Andreas Metzler wrote: [...] > > I would like two fix two issues in jessie: > > > > #788704 VIA PadLock accelerated AES-CBC segfaults > > This pretty much breaks gnutls on VIA processors. > > > > GNUTLS-SA-2015-2. This might allow MD5 signatures, although they are > > disabled by default. (Detailed info in the security tracker) > Could you rebase this against 3.3.8-6+deb8u2 now available via > DSA-3334-1? I decided not to include the fix for GNUTLS-SA-2015-2 > since there is as well the lynx-cur update via s-p-u required. Hello, find attached a new debdiff against the latest jessie security update. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2015-08-12 11:17:52.000000000 +0200 +++ gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200 @@ -1,3 +1,19 @@ +gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium + + * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from + upstream version 3.3.12 to fix a crash in VIA PadLock asm. (Thanks, Peter + Lebbing). Closes: #788704 + * Pull 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch + 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch + 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch (the + latter unfuzzed) from GnuTLS 3.3.15 to fix GNUTLS-SA-2015-2. - A + ServerKeyExchange signature sent by the server was not verified to be in + the acceptable by the client set of algorithms. That had the effect of + allowing MD5 signatures (which are disabled by default) in the + ServerKeyExchange message. + + -- Andreas Metzler <ametzler@debian.org> Fri, 14 Aug 2015 18:28:30 +0200 + gnutls28 (3.3.8-6+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch --- gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch 2015-08-13 19:47:58.000000000 +0200 @@ -0,0 +1,59 @@ +From 023156ae2504c1911f8f2e66a0ebde316931671c Mon Sep 17 00:00:00 2001 +From: Matthias-Christian Ott <ott@mirix.org> +Date: Tue, 30 Dec 2014 11:57:36 +0200 +Subject: [PATCH 1/2] Handle zero length plaintext for VIA PadLock functions + +If the plaintext is shorter than the block size of the used cipher, +_gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with +textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that the +plaintext length (last parameter) is greater than zero and segfault +otherwise. The assembler code for both functions is automatically +generated and imported from OpenSSL, so to ease maintenance the length +should be validated in the functions that call padlock_ecb_encrypt or +padlock_cbc_encrypt. +--- + lib/accelerated/x86/aes-gcm-padlock.c | 3 ++- + lib/accelerated/x86/aes-padlock.c | 6 ++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c +index e1ad566..9e92292 100644 +--- a/lib/accelerated/x86/aes-gcm-padlock.c ++++ b/lib/accelerated/x86/aes-gcm-padlock.c +@@ -54,7 +54,8 @@ static void padlock_aes_encrypt(void *_ctx, + + pce = ALIGN16(&ctx->expanded_key); + +- padlock_ecb_encrypt(dst, src, pce, length); ++ if (length > 0) ++ padlock_ecb_encrypt(dst, src, pce, length); + } + + static void padlock_aes_set_encrypt_key(struct padlock_ctx *_ctx, +diff --git a/lib/accelerated/x86/aes-padlock.c b/lib/accelerated/x86/aes-padlock.c +index bccbd10..8ed10d8 100644 +--- a/lib/accelerated/x86/aes-padlock.c ++++ b/lib/accelerated/x86/aes-padlock.c +@@ -132,7 +132,8 @@ padlock_aes_cbc_encrypt(void *_ctx, const void *src, size_t src_size, + + pce = ALIGN16(&ctx->expanded_key); + +- padlock_cbc_encrypt(dst, src, pce, src_size); ++ if (src_size > 0) ++ padlock_cbc_encrypt(dst, src, pce, src_size); + + return 0; + } +@@ -147,7 +148,8 @@ padlock_aes_cbc_decrypt(void *_ctx, const void *src, size_t src_size, + + pcd = ALIGN16(&ctx->expanded_key); + +- padlock_cbc_encrypt(dst, src, pcd, src_size); ++ if (src_size > 0) ++ padlock_cbc_encrypt(dst, src, pcd, src_size); + + return 0; + } +-- +2.1.4 + diff -Nru gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch --- gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 2015-08-13 19:52:00.000000000 +0200 @@ -0,0 +1,47 @@ +From 1e013f4c660fa79c2398dbcfd4f0e054c724c5ec Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +Date: Sat, 25 Apr 2015 19:14:07 +0200 +Subject: [PATCH 1/3] _gnutls_session_sign_algo_enabled: do not consider any + values from the extension data to decide acceptable algorithms + +--- + lib/ext/signature.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/lib/ext/signature.c b/lib/ext/signature.c +index fb971f5..6f3066e 100644 +--- a/lib/ext/signature.c ++++ b/lib/ext/signature.c +@@ -313,28 +313,12 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session, + gnutls_sign_algorithm_t sig) + { + unsigned i; +- int ret; + const version_entry_st *ver = get_version(session); +- sig_ext_st *priv; +- extension_priv_data_t epriv; + + if (unlikely(ver == NULL)) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + +- ret = +- _gnutls_ext_get_session_data(session, +- GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS, +- &epriv); +- if (ret < 0) { +- gnutls_assert(); +- return 0; +- } +- priv = epriv.ptr; +- +- if (!_gnutls_version_has_selectable_sighash(ver) +- || priv->sign_algorithms_size == 0) +- /* none set, allow all */ +- { ++ if (!_gnutls_version_has_selectable_sighash(ver)) { + return 0; + } + +-- +2.1.4 + diff -Nru gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch --- gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 2015-08-13 19:52:00.000000000 +0200 @@ -0,0 +1,37 @@ +From a8076fa599f0a37f8e12e30eeadd50a0ea3c67b7 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +Date: Sat, 25 Apr 2015 19:34:34 +0200 +Subject: [PATCH 2/3] before falling back to SHA1 as signature algorithm in TLS + 1.2 check if it is enabled + +--- + lib/ext/signature.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/ext/signature.c b/lib/ext/signature.c +index 6f3066e..5ecc76a 100644 +--- a/lib/ext/signature.c ++++ b/lib/ext/signature.c +@@ -282,7 +282,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, + || priv->sign_algorithms_size == 0) + /* none set, allow SHA-1 only */ + { +- return gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1); ++ ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1); ++ if (_gnutls_session_sign_algo_enabled(session, ret) < 0) ++ goto fail; ++ return ret; + } + + for (i = 0; i < priv->sign_algorithms_size; i++) { +@@ -301,6 +304,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, + } + } + ++ fail: + return GNUTLS_SIGN_UNKNOWN; + } + +-- +2.1.4 + diff -Nru gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch --- gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch 2015-08-13 19:52:00.000000000 +0200 @@ -0,0 +1,395 @@ +From 3d333e59621f6cf9381c846c405b23d79020d031 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +Date: Sat, 25 Apr 2015 20:00:04 +0200 +Subject: [PATCH 3/3] tests: added reproducer for the MD5 acceptance issue + +Reported by Karthikeyan Bhargavan. +http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html + +Conflicts: + tests/Makefile.am +--- + tests/Makefile.am | 2 +- + tests/sign-md5-rep.c | 365 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 366 insertions(+), 1 deletion(-) + create mode 100644 tests/sign-md5-rep.c + +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -84,7 +84,7 @@ ctests = mini-record-2 simple gc set_pkc + mini-cert-status mini-rsa-psk global-init sec-params \ + fips-test mini-global-load name-constraints x509-extensions \ + long-session-id mini-x509-callbacks-intr \ +- crlverify init_fds ++ crlverify init_fds sign-md5-rep + + if ENABLE_OCSP + ctests += ocsp +--- /dev/null ++++ b/tests/sign-md5-rep.c +@@ -0,0 +1,365 @@ ++/* ++ * Copyright (C) 2015 Nikos Mavrogiannopoulos ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++ ++#if defined(_WIN32) ++ ++int main() ++{ ++ exit(77); ++} ++ ++#else ++ ++#include <string.h> ++#include <sys/types.h> ++#include <netinet/in.h> ++#include <sys/socket.h> ++#include <sys/wait.h> ++#include <arpa/inet.h> ++#include <unistd.h> ++#include <gnutls/gnutls.h> ++#include <gnutls/dtls.h> ++#include <signal.h> ++ ++#include "utils.h" ++ ++static void terminate(void); ++ ++/* This program tests whether EtM is negotiated as expected. ++ */ ++ ++static void server_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "server|<%d>| %s", level, str); ++} ++ ++static void client_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "client|<%d>| %s", level, str); ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof(server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof(server_key_pem) ++}; ++ ++ ++static int handshake_callback(gnutls_session_t session, unsigned int htype, ++ unsigned post, unsigned int incoming, const gnutls_datum_t *msg) ++{ ++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); ++ return 0; ++} ++ ++ ++/* A very basic TLS client, with anonymous authentication. ++ */ ++ ++#define MAX_BUF 1024 ++ ++static void client(int fd) ++{ ++ int ret; ++ char buffer[MAX_BUF + 1]; ++ gnutls_certificate_credentials_t x509_cred; ++ gnutls_session_t session; ++ /* Need to enable anonymous KX specifically. */ ++ ++ global_init(); ++ ++ if (debug) { ++ gnutls_global_set_log_function(client_log_func); ++ gnutls_global_set_log_level(7); ++ } ++ ++ gnutls_certificate_allocate_credentials(&x509_cred); ++ ++ /* Initialize TLS session ++ */ ++ gnutls_init(&session, GNUTLS_CLIENT); ++ ++ /* Use default priorities */ ++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-MD5", NULL); ++ ++ /* put the anonymous credentials to the current session ++ */ ++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); ++ ++ gnutls_transport_set_int(session, fd); ++ gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, ++ GNUTLS_HOOK_PRE, ++ handshake_callback); ++ ++ /* Perform the TLS handshake ++ */ ++ do { ++ ret = gnutls_handshake(session); ++ } ++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0); ++ ++ if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) { ++ /* success */ ++ goto end; ++ } ++ ++ if (ret < 0) { ++ fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } else { ++ if (debug) ++ success("client: Handshake was completed\n"); ++ } ++ ++ if (gnutls_sign_algorithm_get(session) == GNUTLS_SIGN_RSA_MD5) { ++ fail("client: MD5 was negotiated\n"); ++ exit(1); ++ } ++ success("client: %s was negotiated\n", gnutls_sign_get_name(gnutls_sign_algorithm_get(session))); ++ ++ if (debug) ++ success("client: TLS version is: %s\n", ++ gnutls_protocol_get_name ++ (gnutls_protocol_get_version(session))); ++ ++ do { ++ do { ++ ret = gnutls_record_recv(session, buffer, MAX_BUF); ++ } while (ret == GNUTLS_E_AGAIN ++ || ret == GNUTLS_E_INTERRUPTED); ++ } while (ret > 0); ++ ++ if (ret == 0) { ++ if (debug) ++ success ++ ("client: Peer has closed the TLS connection\n"); ++ goto end; ++ } else if (ret < 0) { ++ if (ret != 0) { ++ fail("client: Error: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ } ++ ++ gnutls_bye(session, GNUTLS_SHUT_WR); ++ ++ end: ++ ++ close(fd); ++ ++ gnutls_deinit(session); ++ ++ gnutls_certificate_free_credentials(x509_cred); ++ ++ gnutls_global_deinit(); ++} ++ ++ ++/* These are global */ ++pid_t child; ++ ++static void terminate(void) ++{ ++ kill(child, SIGTERM); ++ exit(1); ++} ++ ++static void server(int fd) ++{ ++ int ret; ++ char buffer[MAX_BUF + 1]; ++ gnutls_session_t session; ++ gnutls_certificate_credentials_t x509_cred; ++ unsigned to_send = sizeof(buffer)/4; ++ ++ /* this must be called once in the program ++ */ ++ global_init(); ++ memset(buffer, 0, sizeof(buffer)); ++ ++ if (debug) { ++ gnutls_global_set_log_function(server_log_func); ++ gnutls_global_set_log_level(4711); ++ } ++ ++ gnutls_certificate_allocate_credentials(&x509_cred); ++ gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, ++ &server_key, ++ GNUTLS_X509_FMT_PEM); ++ ++ gnutls_init(&session, GNUTLS_SERVER); ++ ++ /* avoid calling all the priority functions, since the defaults ++ * are adequate. ++ */ ++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-MD5", NULL); ++ ++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); ++ ++ gnutls_transport_set_int(session, fd); ++ ++ do { ++ ret = gnutls_handshake(session); ++ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); ++ if (ret < 0) { ++ close(fd); ++ gnutls_deinit(session); ++ fail("server: Handshake has failed (%s)\n\n", ++ gnutls_strerror(ret)); ++ terminate(); ++ } ++ ++ ++ if (debug) { ++ success("server: Handshake was completed\n"); ++ success("server: %s was negotiated\n", gnutls_sign_get_name(gnutls_sign_algorithm_get(session))); ++ } ++ ++ if (debug) ++ success("server: TLS version is: %s\n", ++ gnutls_protocol_get_name ++ (gnutls_protocol_get_version(session))); ++ ++ do { ++ do { ++ ret = ++ gnutls_record_send(session, buffer, ++ sizeof(buffer)); ++ } while (ret == GNUTLS_E_AGAIN ++ || ret == GNUTLS_E_INTERRUPTED); ++ ++ if (ret < 0) { ++ fail("Error sending %d byte packet: %s\n", to_send, ++ gnutls_strerror(ret)); ++ terminate(); ++ } ++ to_send++; ++ } ++ while (to_send < 64); ++ ++ to_send = -1; ++ /* do not wait for the peer to close the connection. ++ */ ++ gnutls_bye(session, GNUTLS_SHUT_WR); ++ ++ close(fd); ++ gnutls_deinit(session); ++ ++ gnutls_certificate_free_credentials(x509_cred); ++ ++ gnutls_global_deinit(); ++ ++ if (debug) ++ success("server: finished\n"); ++} ++ ++static void ch_handler(int sig) ++{ ++ int status; ++ wait(&status); ++ if (WEXITSTATUS(status) != 0 || ++ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) { ++ if (WIFSIGNALED(status)) ++ fail("Child died with sigsegv\n"); ++ else ++ fail("Child died with status %d\n", ++ WEXITSTATUS(status)); ++ terminate(); ++ } ++ return; ++} ++ ++void doit(void) ++{ ++ int fd[2]; ++ int ret; ++ ++ signal(SIGCHLD, ch_handler); ++ ++ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); ++ if (ret < 0) { ++ perror("socketpair"); ++ exit(1); ++ } ++ ++ child = fork(); ++ if (child < 0) { ++ perror("fork"); ++ fail("fork"); ++ exit(1); ++ } ++ ++ if (child) { ++ /* parent */ ++ close(fd[1]); ++ client(fd[0]); ++ kill(child, SIGTERM); ++ } else { ++ close(fd[0]); ++ server(fd[1]); ++ exit(0); ++ } ++} ++ ++#endif /* _WIN32 */ diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2015-08-12 11:17:52.000000000 +0200 +++ gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200 @@ -10,3 +10,7 @@ 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff 47_GNUTLS-SA-2015-3.patch +50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch +51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch +51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch +51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
Attachment:
signature.asc
Description: Digital signature