Control: retitle -1 jessie-pu: package gnutls28/3.3.8-6+deb8u3 On 2015-08-12 Salvatore Bonaccorso <carnil@debian.org> wrote: > On Sat, Jun 20, 2015 at 04:03:48PM +0200, Andreas Metzler wrote: [...] > > I would like two fix two issues in jessie: > > > > #788704 VIA PadLock accelerated AES-CBC segfaults > > This pretty much breaks gnutls on VIA processors. > > > > GNUTLS-SA-2015-2. This might allow MD5 signatures, although they are > > disabled by default. (Detailed info in the security tracker) > Could you rebase this against 3.3.8-6+deb8u2 now available via > DSA-3334-1? I decided not to include the fix for GNUTLS-SA-2015-2 > since there is as well the lynx-cur update via s-p-u required. Hello, find attached a new debdiff against the latest jessie security update. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2015-08-12 11:17:52.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200
@@ -1,3 +1,19 @@
+gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
+
+ * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
+ upstream version 3.3.12 to fix a crash in VIA PadLock asm. (Thanks, Peter
+ Lebbing). Closes: #788704
+ * Pull 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
+ 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
+ 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch (the
+ latter unfuzzed) from GnuTLS 3.3.15 to fix GNUTLS-SA-2015-2. - A
+ ServerKeyExchange signature sent by the server was not verified to be in
+ the acceptable by the client set of algorithms. That had the effect of
+ allowing MD5 signatures (which are disabled by default) in the
+ ServerKeyExchange message.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 14 Aug 2015 18:28:30 +0200
+
gnutls28 (3.3.8-6+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch
--- gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch 2015-08-13 19:47:58.000000000 +0200
@@ -0,0 +1,59 @@
+From 023156ae2504c1911f8f2e66a0ebde316931671c Mon Sep 17 00:00:00 2001
+From: Matthias-Christian Ott <ott@mirix.org>
+Date: Tue, 30 Dec 2014 11:57:36 +0200
+Subject: [PATCH 1/2] Handle zero length plaintext for VIA PadLock functions
+
+If the plaintext is shorter than the block size of the used cipher,
+_gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
+textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that the
+plaintext length (last parameter) is greater than zero and segfault
+otherwise. The assembler code for both functions is automatically
+generated and imported from OpenSSL, so to ease maintenance the length
+should be validated in the functions that call padlock_ecb_encrypt or
+padlock_cbc_encrypt.
+---
+ lib/accelerated/x86/aes-gcm-padlock.c | 3 ++-
+ lib/accelerated/x86/aes-padlock.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c
+index e1ad566..9e92292 100644
+--- a/lib/accelerated/x86/aes-gcm-padlock.c
++++ b/lib/accelerated/x86/aes-gcm-padlock.c
+@@ -54,7 +54,8 @@ static void padlock_aes_encrypt(void *_ctx,
+
+ pce = ALIGN16(&ctx->expanded_key);
+
+- padlock_ecb_encrypt(dst, src, pce, length);
++ if (length > 0)
++ padlock_ecb_encrypt(dst, src, pce, length);
+ }
+
+ static void padlock_aes_set_encrypt_key(struct padlock_ctx *_ctx,
+diff --git a/lib/accelerated/x86/aes-padlock.c b/lib/accelerated/x86/aes-padlock.c
+index bccbd10..8ed10d8 100644
+--- a/lib/accelerated/x86/aes-padlock.c
++++ b/lib/accelerated/x86/aes-padlock.c
+@@ -132,7 +132,8 @@ padlock_aes_cbc_encrypt(void *_ctx, const void *src, size_t src_size,
+
+ pce = ALIGN16(&ctx->expanded_key);
+
+- padlock_cbc_encrypt(dst, src, pce, src_size);
++ if (src_size > 0)
++ padlock_cbc_encrypt(dst, src, pce, src_size);
+
+ return 0;
+ }
+@@ -147,7 +148,8 @@ padlock_aes_cbc_decrypt(void *_ctx, const void *src, size_t src_size,
+
+ pcd = ALIGN16(&ctx->expanded_key);
+
+- padlock_cbc_encrypt(dst, src, pcd, src_size);
++ if (src_size > 0)
++ padlock_cbc_encrypt(dst, src, pcd, src_size);
+
+ return 0;
+ }
+--
+2.1.4
+
diff -Nru gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
--- gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 2015-08-13 19:52:00.000000000 +0200
@@ -0,0 +1,47 @@
+From 1e013f4c660fa79c2398dbcfd4f0e054c724c5ec Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 25 Apr 2015 19:14:07 +0200
+Subject: [PATCH 1/3] _gnutls_session_sign_algo_enabled: do not consider any
+ values from the extension data to decide acceptable algorithms
+
+---
+ lib/ext/signature.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/lib/ext/signature.c b/lib/ext/signature.c
+index fb971f5..6f3066e 100644
+--- a/lib/ext/signature.c
++++ b/lib/ext/signature.c
+@@ -313,28 +313,12 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session,
+ gnutls_sign_algorithm_t sig)
+ {
+ unsigned i;
+- int ret;
+ const version_entry_st *ver = get_version(session);
+- sig_ext_st *priv;
+- extension_priv_data_t epriv;
+
+ if (unlikely(ver == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+- ret =
+- _gnutls_ext_get_session_data(session,
+- GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
+- &epriv);
+- if (ret < 0) {
+- gnutls_assert();
+- return 0;
+- }
+- priv = epriv.ptr;
+-
+- if (!_gnutls_version_has_selectable_sighash(ver)
+- || priv->sign_algorithms_size == 0)
+- /* none set, allow all */
+- {
++ if (!_gnutls_version_has_selectable_sighash(ver)) {
+ return 0;
+ }
+
+--
+2.1.4
+
diff -Nru gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
--- gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 2015-08-13 19:52:00.000000000 +0200
@@ -0,0 +1,37 @@
+From a8076fa599f0a37f8e12e30eeadd50a0ea3c67b7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 25 Apr 2015 19:34:34 +0200
+Subject: [PATCH 2/3] before falling back to SHA1 as signature algorithm in TLS
+ 1.2 check if it is enabled
+
+---
+ lib/ext/signature.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ext/signature.c b/lib/ext/signature.c
+index 6f3066e..5ecc76a 100644
+--- a/lib/ext/signature.c
++++ b/lib/ext/signature.c
+@@ -282,7 +282,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
+ || priv->sign_algorithms_size == 0)
+ /* none set, allow SHA-1 only */
+ {
+- return gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1);
++ ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1);
++ if (_gnutls_session_sign_algo_enabled(session, ret) < 0)
++ goto fail;
++ return ret;
+ }
+
+ for (i = 0; i < priv->sign_algorithms_size; i++) {
+@@ -301,6 +304,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
+ }
+ }
+
++ fail:
+ return GNUTLS_SIGN_UNKNOWN;
+ }
+
+--
+2.1.4
+
diff -Nru gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
--- gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch 2015-08-13 19:52:00.000000000 +0200
@@ -0,0 +1,395 @@
+From 3d333e59621f6cf9381c846c405b23d79020d031 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 25 Apr 2015 20:00:04 +0200
+Subject: [PATCH 3/3] tests: added reproducer for the MD5 acceptance issue
+
+Reported by Karthikeyan Bhargavan.
+http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
+
+Conflicts:
+ tests/Makefile.am
+---
+ tests/Makefile.am | 2 +-
+ tests/sign-md5-rep.c | 365 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 366 insertions(+), 1 deletion(-)
+ create mode 100644 tests/sign-md5-rep.c
+
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -84,7 +84,7 @@ ctests = mini-record-2 simple gc set_pkc
+ mini-cert-status mini-rsa-psk global-init sec-params \
+ fips-test mini-global-load name-constraints x509-extensions \
+ long-session-id mini-x509-callbacks-intr \
+- crlverify init_fds
++ crlverify init_fds sign-md5-rep
+
+ if ENABLE_OCSP
+ ctests += ocsp
+--- /dev/null
++++ b/tests/sign-md5-rep.c
+@@ -0,0 +1,365 @@
++/*
++ * Copyright (C) 2015 Nikos Mavrogiannopoulos
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main()
++{
++ exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <sys/wait.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/dtls.h>
++#include <signal.h>
++
++#include "utils.h"
++
++static void terminate(void);
++
++/* This program tests whether EtM is negotiated as expected.
++ */
++
++static void server_log_func(int level, const char *str)
++{
++ fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++static void client_log_func(int level, const char *str)
++{
++ fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof(server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof(server_key_pem)
++};
++
++
++static int handshake_callback(gnutls_session_t session, unsigned int htype,
++ unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
++{
++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
++ return 0;
++}
++
++
++/* A very basic TLS client, with anonymous authentication.
++ */
++
++#define MAX_BUF 1024
++
++static void client(int fd)
++{
++ int ret;
++ char buffer[MAX_BUF + 1];
++ gnutls_certificate_credentials_t x509_cred;
++ gnutls_session_t session;
++ /* Need to enable anonymous KX specifically. */
++
++ global_init();
++
++ if (debug) {
++ gnutls_global_set_log_function(client_log_func);
++ gnutls_global_set_log_level(7);
++ }
++
++ gnutls_certificate_allocate_credentials(&x509_cred);
++
++ /* Initialize TLS session
++ */
++ gnutls_init(&session, GNUTLS_CLIENT);
++
++ /* Use default priorities */
++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-MD5", NULL);
++
++ /* put the anonymous credentials to the current session
++ */
++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++ gnutls_transport_set_int(session, fd);
++ gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
++ GNUTLS_HOOK_PRE,
++ handshake_callback);
++
++ /* Perform the TLS handshake
++ */
++ do {
++ ret = gnutls_handshake(session);
++ }
++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++
++ if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
++ /* success */
++ goto end;
++ }
++
++ if (ret < 0) {
++ fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
++ exit(1);
++ } else {
++ if (debug)
++ success("client: Handshake was completed\n");
++ }
++
++ if (gnutls_sign_algorithm_get(session) == GNUTLS_SIGN_RSA_MD5) {
++ fail("client: MD5 was negotiated\n");
++ exit(1);
++ }
++ success("client: %s was negotiated\n", gnutls_sign_get_name(gnutls_sign_algorithm_get(session)));
++
++ if (debug)
++ success("client: TLS version is: %s\n",
++ gnutls_protocol_get_name
++ (gnutls_protocol_get_version(session)));
++
++ do {
++ do {
++ ret = gnutls_record_recv(session, buffer, MAX_BUF);
++ } while (ret == GNUTLS_E_AGAIN
++ || ret == GNUTLS_E_INTERRUPTED);
++ } while (ret > 0);
++
++ if (ret == 0) {
++ if (debug)
++ success
++ ("client: Peer has closed the TLS connection\n");
++ goto end;
++ } else if (ret < 0) {
++ if (ret != 0) {
++ fail("client: Error: %s\n", gnutls_strerror(ret));
++ exit(1);
++ }
++ }
++
++ gnutls_bye(session, GNUTLS_SHUT_WR);
++
++ end:
++
++ close(fd);
++
++ gnutls_deinit(session);
++
++ gnutls_certificate_free_credentials(x509_cred);
++
++ gnutls_global_deinit();
++}
++
++
++/* These are global */
++pid_t child;
++
++static void terminate(void)
++{
++ kill(child, SIGTERM);
++ exit(1);
++}
++
++static void server(int fd)
++{
++ int ret;
++ char buffer[MAX_BUF + 1];
++ gnutls_session_t session;
++ gnutls_certificate_credentials_t x509_cred;
++ unsigned to_send = sizeof(buffer)/4;
++
++ /* this must be called once in the program
++ */
++ global_init();
++ memset(buffer, 0, sizeof(buffer));
++
++ if (debug) {
++ gnutls_global_set_log_function(server_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ gnutls_certificate_allocate_credentials(&x509_cred);
++ gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
++ &server_key,
++ GNUTLS_X509_FMT_PEM);
++
++ gnutls_init(&session, GNUTLS_SERVER);
++
++ /* avoid calling all the priority functions, since the defaults
++ * are adequate.
++ */
++ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-MD5", NULL);
++
++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++ gnutls_transport_set_int(session, fd);
++
++ do {
++ ret = gnutls_handshake(session);
++ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++ if (ret < 0) {
++ close(fd);
++ gnutls_deinit(session);
++ fail("server: Handshake has failed (%s)\n\n",
++ gnutls_strerror(ret));
++ terminate();
++ }
++
++
++ if (debug) {
++ success("server: Handshake was completed\n");
++ success("server: %s was negotiated\n", gnutls_sign_get_name(gnutls_sign_algorithm_get(session)));
++ }
++
++ if (debug)
++ success("server: TLS version is: %s\n",
++ gnutls_protocol_get_name
++ (gnutls_protocol_get_version(session)));
++
++ do {
++ do {
++ ret =
++ gnutls_record_send(session, buffer,
++ sizeof(buffer));
++ } while (ret == GNUTLS_E_AGAIN
++ || ret == GNUTLS_E_INTERRUPTED);
++
++ if (ret < 0) {
++ fail("Error sending %d byte packet: %s\n", to_send,
++ gnutls_strerror(ret));
++ terminate();
++ }
++ to_send++;
++ }
++ while (to_send < 64);
++
++ to_send = -1;
++ /* do not wait for the peer to close the connection.
++ */
++ gnutls_bye(session, GNUTLS_SHUT_WR);
++
++ close(fd);
++ gnutls_deinit(session);
++
++ gnutls_certificate_free_credentials(x509_cred);
++
++ gnutls_global_deinit();
++
++ if (debug)
++ success("server: finished\n");
++}
++
++static void ch_handler(int sig)
++{
++ int status;
++ wait(&status);
++ if (WEXITSTATUS(status) != 0 ||
++ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
++ if (WIFSIGNALED(status))
++ fail("Child died with sigsegv\n");
++ else
++ fail("Child died with status %d\n",
++ WEXITSTATUS(status));
++ terminate();
++ }
++ return;
++}
++
++void doit(void)
++{
++ int fd[2];
++ int ret;
++
++ signal(SIGCHLD, ch_handler);
++
++ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
++ if (ret < 0) {
++ perror("socketpair");
++ exit(1);
++ }
++
++ child = fork();
++ if (child < 0) {
++ perror("fork");
++ fail("fork");
++ exit(1);
++ }
++
++ if (child) {
++ /* parent */
++ close(fd[1]);
++ client(fd[0]);
++ kill(child, SIGTERM);
++ } else {
++ close(fd[0]);
++ server(fd[1]);
++ exit(0);
++ }
++}
++
++#endif /* _WIN32 */
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series 2015-08-12 11:17:52.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200
@@ -10,3 +10,7 @@
45_eliminated-double-free.diff
46_Better-fix-for-the-double-free.diff
47_GNUTLS-SA-2015-3.patch
+50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch
+51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
+51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
+51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
Attachment:
signature.asc
Description: Digital signature