
Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4



On 2016-10-09 Salvatore Bonaccorso <carnil@debian.org> wrote:
[...]
> Hi Stable Release Managers,

> X-Debbugs-CC'ed Andreas Metzler.

> gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
> having a flaw in the OCSP certificate check. This was fixed upstream
> and included in unstable with 3.5.3-4 but would not warrant a DSA.

> Attached is proposed debdiff for jessie. Would it be acceptable for an
> upcoming point release?
[...]

I think it makes sense to add the GnuTLS patch for compatibility with
CVE-2016-6489-patched nettle. (832983).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog	2016-10-30 07:39:11.000000000 +0100
@@ -1,3 +1,16 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+    (GNUTLS-SA-2016-3). See #840191.
+
+  [ Andreas Metzler ]
+  * Cherry pick 53_nettle-use-rsa_-_key_prepare-on-key-import.patch
+    from upstream GIT, which should allow gnutls continue to work with
+    CVE-2016-6489-patched nettle. See #832983.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 30 Oct 2016 07:39:08 +0100
+
 gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
 
   * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	2016-10-30 07:01:40.000000000 +0100
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
++	cserial.size = t;
+ 
+ 	if (rserial.size != cserial.size
+ 	    || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
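Review bot: The added `cserial.size = t;` only gives the length comparison on the next line meaning if `t` holds the serial length produced by the call that precedes the hunk, which is not visible here; the commit message says the length was previously not verified at all, so the assignment deserves a one-line comment such as `/* compare against the length actually returned for the certificate serial, not the buffer size */`. With the two sizes forced equal before the `memcmp`, reading `rserial.size` bytes from both buffers is bounded by the shorter one, which is what the fix relies on. gnutls_ocsp_resp_check_crt starts and ends outside this hunk.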
diff -Nru gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch
--- gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch	2016-10-30 07:10:31.000000000 +0100
@@ -0,0 +1,152 @@
+From 186dc9c2012003587a38d7f4d03edd8da5fe989f Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sun, 7 Aug 2016 12:06:39 +0200
+Subject: [PATCH] nettle: use rsa_*_key_prepare on key import
+
+Previously we calculated the size of the key directly, but
+by using the rsa_*_key_prepare we benefit from any checks that
+may be introduced in the future. Specifically any checks for invalid
+public keys (e.g., keys that may crash the underlying gmp functions).
+
+This patch avoids calling rsa_private_key_prepare every time we construct
+a nettle private key struct, because this function requires a bigint
+multiplication. We call that function once on private key import.
+---
+ lib/nettle/pk.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 52 insertions(+), 10 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 2fab308..b41ebfb 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -98,18 +98,24 @@ _rsa_params_to_privkey(const gnutls_pk_params_st * pk_params,
+ 	memcpy(priv->c, pk_params->params[5], SIZEOF_MPZT);
+ 	memcpy(priv->a, pk_params->params[6], SIZEOF_MPZT);
+ 	memcpy(priv->b, pk_params->params[7], SIZEOF_MPZT);
++	/* we do not rsa_private_key_prepare() because it involves a multiplication.
++	 * we call it once when we import the parameters */
+ 	priv->size =
+ 	    nettle_mpz_sizeinbase_256_u(TOMPZ
+ 					(pk_params->params[RSA_MODULUS]));
+ }
+ 
+-static void
++/* returns a negative value on invalid pubkey */
++static int
+ _rsa_params_to_pubkey(const gnutls_pk_params_st * pk_params,
+ 		      struct rsa_public_key *pub)
+ {
+ 	memcpy(pub->n, pk_params->params[RSA_MODULUS], SIZEOF_MPZT);
+ 	memcpy(pub->e, pk_params->params[RSA_PUB], SIZEOF_MPZT);
+-	pub->size = nettle_mpz_sizeinbase_256_u(pub->n);
++	if (rsa_public_key_prepare(pub) == 0)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++	return 0;
+ }
+ 
+ static int
+@@ -340,7 +346,13 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
+ 		{
+ 			struct rsa_public_key pub;
+ 
+-			_rsa_params_to_pubkey(pk_params, &pub);
++			ret = _rsa_params_to_pubkey(pk_params, &pub);
++			if (ret < 0) {
++				ret =
++				    gnutls_assert_val
++				    (GNUTLS_E_ENCRYPTION_FAILED);
++				goto cleanup;
++			}
+ 
+ 			ret =
+ 			    rsa_encrypt(&pub, NULL, rnd_func,
+@@ -398,7 +410,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
+ 			bigint_t c;
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+-			_rsa_params_to_pubkey(pk_params, &pub);
++			ret = _rsa_params_to_pubkey(pk_params, &pub);
++			if (ret < 0)
++				return
++				    gnutls_assert_val
++				    (GNUTLS_E_DECRYPTION_FAILED);
++
+ 
+ 			if (ciphertext->size != pub.size)
+ 				return
+@@ -570,7 +587,11 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			mpz_t s;
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+-			_rsa_params_to_pubkey(pk_params, &pub);
++			ret = _rsa_params_to_pubkey(pk_params, &pub);
++			if (ret < 0)
++				return
++				    gnutls_assert_val
++				    (GNUTLS_E_PK_SIGN_FAILED);
+ 
+ 			mpz_init(s);
+ 
+@@ -707,7 +728,11 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 		{
+ 			struct rsa_public_key pub;
+ 
+-			_rsa_params_to_pubkey(pk_params, &pub);
++			ret = _rsa_params_to_pubkey(pk_params, &pub);
++			if (ret < 0)
++				return
++				    gnutls_assert_val
++				    (GNUTLS_E_PK_SIG_VERIFY_FAILED);
+ 
+ 			if (signature->size != pub.size)
+ 				return
+@@ -1774,7 +1799,12 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ {
+ 	int ret;
+ 
+-	if (direction == GNUTLS_IMPORT && algo == GNUTLS_PK_RSA) {
++	if (direction != GNUTLS_IMPORT)
++		return 0;
++
++	if (algo == GNUTLS_PK_RSA) {
++		struct rsa_private_key priv;
++
+ 		/* do not trust the generated values. Some old private keys
+ 		 * generated by us have mess on the values. Those were very
+ 		 * old but it seemed some of the shipped example private
+@@ -1788,9 +1818,14 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ 			if (ret < 0)
+ 				return gnutls_assert_val(ret);
+ 		}
+-		mpz_invert(TOMPZ(params->params[RSA_COEF]),
+-			   TOMPZ(params->params[RSA_PRIME2]),
+-			   TOMPZ(params->params[RSA_PRIME1]));
++
++		if (mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME1]), 0) == 0)
++			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++
++		if (mpz_invert(TOMPZ(params->params[RSA_COEF]),
++			       TOMPZ(params->params[RSA_PRIME2]),
++			       TOMPZ(params->params[RSA_PRIME1])) == 0)
++			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ 
+ 		/* calculate exp1 [6] and exp2 [7] */
+ 		zrelease_mpi_key(&params->params[RSA_E1]);
+@@ -1801,6 +1836,13 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
+ 			return gnutls_assert_val(ret);
+ 
+ 		params->params_nr = RSA_PRIVATE_PARAMS;
++
++		/* perform nettle's internal checks */
++		_rsa_params_to_privkey(params, &priv);
++		ret = rsa_private_key_prepare(&priv);
++		if (ret == 0) {
++			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++		}
+ 	}
+ 
+ 	return 0;
+-- 
+2.8.1
+
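Review bot: In `wrap_nettle_pk_fixup` the new `struct rsa_private_key priv` is filled by `_rsa_params_to_privkey`, which per the memcpy lines at the top of the patch copies the mpz_t headers so that `priv` shares limb storage with `params`; nothing in the hunk records that `priv` must therefore never be released, so a comment after `_rsa_params_to_privkey(params, &priv);` such as `/* priv aliases the mpz limbs owned by params; never rsa_private_key_clear() it */` would prevent a future double free. The comment added to `_rsa_params_to_privkey` ("we call it once when we import the parameters") presumes every private-key import passes through wrap_nettle_pk_fixup with GNUTLS_IMPORT; that cannot be verified from this patch and is worth stating in the comment as the invariant being relied on. Minor style: the new early return in `_wrap_nettle_pk_decrypt` leaves two consecutive blank lines, and the identical `return gnutls_assert_val(...)` in decrypt, sign and verify is split across four lines where one line each would read more easily.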
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series	2016-10-30 07:16:01.000000000 +0100
@@ -14,3 +14,5 @@
 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
+53_nettle-use-rsa_-_key_prepare-on-key-import.patch
