
Bug#849329: marked as done (unblock: gnutls28/3.5.7-3)



Your message dated Mon, 26 Dec 2016 00:32:00 +0000
with message-id <7e75ba42-f418-f013-be20-e56700e86706@thykier.net>
and subject line Re: Bug#849329: unblock: gnutls28/3.5.7-3
has caused the Debian Bug report #849329,
regarding unblock: gnutls28/3.5.7-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849329: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849329
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

please speed up propagation of gnutls28 3.5.7-3 to testing. This is a
single-bugfix upload for #848905.

* 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
  35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
  upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
  by PKCS#8 decryption functions when an invalid key is provided. This
  addresses regression on decrypting certain PKCS#8 keys.
  Closes: #848905

unblock gnutls28/3.5.7-3

Thanks in advance, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-1ee95a5dada2caafea18c6fb0a31662eaf74fd1b 39bb37cbf9a096e7455e8799ee146f31942120d3 85be5dbc76bf55586a82cf140ae0f179b516acaf 97c2ab04e6f0fa0d5ac7bf71e0e34c86fc3f3d6d 99d619c6678ed0f956097d75c33cc897caf31647 a72a600aee19233e265d10b0e78447a952cb822c b3d24cdffab087bfe7d2b92c235a98d7ab0b91c8 d548d9fedb88409e1a5f3e025a2d6eeae871fafd d7b94bc8d9b61dbb6da08afe0c08294819fe7bda-] {+1e16d3b5f659ca4250cdd1a4cf9709b8b85f53fb 1f32a0a57aec655b07964a5d98497e025cae7262 2ba9be2c2eb381dc4edf836d798e59bdb361412c 5267bd611b093a4b73120b2b5d283543e88df4bd 5f5a02703e99f9e428a82aa80b90688b13f756b8 7ce5a5afbd26492c200471e1c2ba705e922b8c55 8f0f41e04edf62b0a7808b48ea52470517c48b9a c2f5f35a3622da6852d137d9610c9f94e44e4e67 e5412e005b4e94b4cc8270a540bb3db74af67b19+}
Depends: gnutls-bin (= [-3.5.7-2)-] {+3.5.7-3)+}
Installed-Size: [-991-] {+992+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-4942f0c0688463070e6410365999f7a60d5bde23-] {+c1ead7f61001838e6d88ff1cd74ac74e22c469f4+}
Depends: libgnutls-dane0 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-9d6f39cb57ee78768fb728e590d19669272f0816-] {+c5ed28d817ac7aaf9d6a0aa028f34f13e57f7a45+}
Depends: libgnutls-openssl27 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-openssl27 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutlsxx28 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-dane0 (= [-3.5.7-2),-] {+3.5.7-3),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-2549b7cc772d8fd074de0be00f0619db53bee1f1-] {+9addeb34b9f349ee50037cd28d46fc5c9112c6fe+}
Depends: libgnutls30 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-cdb980046cd934ff2b0fedb5235e56484dcfadcd-] {+0692627b5d607063eb71903a721233f5901066e9+}
Depends: libgnutlsxx28 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}
diff -Nru gnutls28-3.5.7/debian/changelog gnutls28-3.5.7/debian/changelog
--- gnutls28-3.5.7/debian/changelog	2016-12-09 18:10:53.000000000 +0100
+++ gnutls28-3.5.7/debian/changelog	2016-12-20 18:47:13.000000000 +0100
@@ -1,3 +1,14 @@
+gnutls28 (3.5.7-3) unstable; urgency=medium
+
+  * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
+    35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
+    upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
+    by PKCS#8 decryption functions when an invalid key is provided. This
+    addresses regression on decrypting certain PKCS#8 keys.
+    Closes: #848905
+
+ -- Andreas Metzler <ametzler@debian.org>  Tue, 20 Dec 2016 18:47:13 +0100
+
 gnutls28 (3.5.7-2) unstable; urgency=medium
 
   * Upload to unstable.
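Review bot: The changelog entry names the error code as GNUTLS_E_DECRYPTION_FAIL, but the constant assigned in 35_01 and checked in 35_02 is GNUTLS_E_DECRYPTION_FAILED. Anyone searching the changelog for the real symbol will not find this entry; spell the constant out in full in the next changelog entry.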
diff -Nru gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch
--- gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch	2016-12-20 18:39:09.000000000 +0100
@@ -0,0 +1,25 @@
+From e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 13 Dec 2016 11:27:38 +0100
+Subject: [PATCH 1/3] pkcs8: ensure that the correct error code is returned on
+ decryption failure
+
+---
+ lib/x509/privkey_pkcs8.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index 74bb466c6..0094a83a5 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -711,6 +711,7 @@ static int pkcs8_key_decrypt(const gnutls_datum_t * raw_key,
+ 			 &kdf_params, &enc_params, &tmp);
+ 	if (result < 0) {
+ 		gnutls_assert();
++		result = GNUTLS_E_DECRYPTION_FAILED;
+ 		goto error;
+ 	}
+ 
+-- 
+2.11.0
+
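Review bot: In pkcs8_key_decrypt, the added `result = GNUTLS_E_DECRYPTION_FAILED;` overwrites every negative return from the preceding call, so any other failure on that path is now reported to the caller as a decryption failure. A caller that asks for the password again on GNUTLS_E_DECRYPTION_FAILED would then retry on errors that a different password cannot fix. Consider rewriting only the codes known to come from a wrong key, or at least logging the original value before it is replaced. The commit message has no body; one line saying why the original code is discarded would help future readers of this branch.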
diff -Nru gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch
--- gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch	2016-12-20 18:47:13.000000000 +0100
@@ -0,0 +1,143 @@
+From 441d87cdd5548dc03765cc40c3ffc15eb722b474 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 13 Dec 2016 11:41:12 +0100
+Subject: [PATCH 2/3] tests: added test for PKCS#8 encrypted key decoding
+
+This also verifies that the return value when attempting to
+decrypt without a password is GNUTLS_E_DECRYPTION_FAILED.
+---
+ tests/Makefile.am                  |  2 +-
+ tests/pkcs8-key-decode-encrypted.c | 75 ++++++++++++++++++++++++++++++++++++++
+ tests/pkcs8-key-decode.c           | 20 ++++++----
+ 3 files changed, 89 insertions(+), 8 deletions(-)
+ create mode 100644 tests/pkcs8-key-decode-encrypted.c
+
+--- /dev/null
++++ b/tests/pkcs8-key-decode-encrypted.c
+@@ -0,0 +1,75 @@
++/*
++ * Copyright (C) 2015 Red Hat, Inc.
++ *
++ * Author: Daniel Berrange
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++#include "utils.h"
++
++#define PRIVATE_KEY \
++	"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" \
++	"MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiebBrnqPv4owICCAAw\n" \
++	"HQYJYIZIAWUDBAEqBBBykFR6i1My/DYFBYrz1lmABIGQ3XGpp3+v/ENC1S+X7Ay6\n" \
++	"JoquYKuMw6yUmWoGFvPIPA9UWqMve2Uj4l2l96Sywd6iNFP63ow6pIq4wUP6REuY\n" \
++	"ZhCgoAOQomeFqhAhkw6QJCygp5vw2rh9OZ5tiP/Ko6IDTA2rSas91nepHpQOb247\n" \
++	"zta5XzXb5TRkBsVU8tAPADP+wS/vBCS05ne1wmhdD6c6\n" \
++	"-----END ENCRYPTED PRIVATE KEY-----\n"
++
++
++static int test_decode(void)
++{
++  gnutls_x509_privkey_t key;
++  const gnutls_datum_t data = {
++    (unsigned char *)PRIVATE_KEY,
++    strlen(PRIVATE_KEY)
++  };
++  int err;
++
++  if ((err = gnutls_x509_privkey_init(&key)) < 0) {
++    fail("Failed to init key %s\n", gnutls_strerror(err));
++  }
++
++  err = gnutls_x509_privkey_import_pkcs8(key, &data,
++					GNUTLS_X509_FMT_PEM, "", 0);
++  if (err != GNUTLS_E_DECRYPTION_FAILED) {
++    fail("Unexpected error code: %s/%d\n", gnutls_strerror(err), err);
++  }
++
++  err = gnutls_x509_privkey_import_pkcs8(key, &data,
++					GNUTLS_X509_FMT_PEM, "password", 0);
++  if (err != 0) {
++    fail("Unexpected error code: %s\n", gnutls_strerror(err));
++  }
++
++  success("Loaded key\n%s", PRIVATE_KEY);
++
++  gnutls_x509_privkey_deinit(key);
++  return 0;
++}
++
++void doit(void)
++{
++	test_decode();
++}
+--- a/tests/pkcs8-key-decode.c
++++ b/tests/pkcs8-key-decode.c
+@@ -26,6 +26,8 @@
+ #include <string.h>
+ #include <stdlib.h>
+ 
++#include "utils.h"
++
+ # define PRIVATE_KEY					      \
+     "-----BEGIN PRIVATE KEY-----\n"				\
+     "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n"     \
+@@ -46,8 +48,8 @@
+     "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n"	 \
+     "-----END PRIVATE KEY-----\n"
+ 
+-
+-int main(void) {
++static int test_load(void)
++{
+   gnutls_x509_privkey_t key;
+   const gnutls_datum_t data = {
+     (unsigned char *)PRIVATE_KEY,
+@@ -56,19 +58,23 @@ int main(void) {
+   int err;
+ 
+   if ((err = gnutls_x509_privkey_init(&key)) < 0) {
+-    fprintf(stderr, "Failed to init key %s\n", gnutls_strerror(err));
++    fail("Failed to init key %s\n", gnutls_strerror(err));
+     exit(1);
+   }
+ 
+   if ((err = gnutls_x509_privkey_import(key, &data,
+ 					GNUTLS_X509_FMT_PEM)) < 0) {
+-    fprintf(stderr, "Failed to import key %s\n", gnutls_strerror(err));
++    fail("Failed to import key %s\n", gnutls_strerror(err));
+     exit(1);
+   }
+ 
+-#if 0
+-  fprintf(stderr, "Loaded key\n%s", PRIVATE_KEY);
+-#endif
++  success("Loaded key\n%s", PRIVATE_KEY);
++
+   gnutls_x509_privkey_deinit(key);
+   return 0;
+ }
++
++void doit(void)
++{
++	test_load();
++}
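Review bot: The diffstat lists tests/Makefile.am (2 +-), but the patch as carried here contains no tests/Makefile.am hunk, only the two .c files, so nothing visible adds pkcs8-key-decode-encrypted to the tests that get built and run. Either restore the Makefile.am change or state in the patch header that it was dropped on purpose. Separately, test_decode only exercises the empty password ""; a wrong non-empty password would also cover the "invalid key" case the changelog describes. In pkcs8-key-decode.c the `exit(1)` after `fail(...)` is kept, while the new file omits it; pick one form for both tests.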
diff -Nru gnutls28-3.5.7/debian/patches/series gnutls28-3.5.7/debian/patches/series
--- gnutls28-3.5.7/debian/patches/series	2016-12-08 08:20:07.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/series	2016-12-20 18:43:44.000000000 +0100
@@ -1,2 +1,4 @@
 14_version_gettextcat.diff
 30_guile-snarf.diff
+35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch
+35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch



--- End Message ---
--- Begin Message ---
Andreas Metzler:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hello,
> 
> please speed up propagation of gnutls28 3.5.7-3 to testing. This is a
> single-bugfix upload for #848905.
> 
> * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
>   35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
>   upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
>   by PKCS#8 decryption functions when an invalid key is provided. This
>   addresses regression on decrypting certain PKCS#8 keys.
>   Closes: #848905
> 
> unblock gnutls28/3.5.7-3
> 
> Thanks in advance, cu Andreas
> 

Aged, thanks.

~Niels

--- End Message ---
