--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package gnutls28/3.5.8-5+deb9u3
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Sun, 23 Jul 2017 15:28:55 +0200
- Message-id: <20170723132855.7vrysssv2ef4tf5r@argenau.bebt.de>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
gnutls upstream has pointed out that it would make sense to pull
two patches from 3.5.14. These improve interoperability by avoiding
incorrect OCSP verification errors. These errors could become quite
common with growing popularity of ecdsa signatures.
thanks, cu Andreas
diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog
--- gnutls28-3.5.8/debian/changelog 2017-07-08 10:29:05.000000000 +0200
+++ gnutls28-3.5.8/debian/changelog 2017-07-23 14:28:37.000000000 +0200
@@ -1,3 +1,14 @@
+gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium
+
+ * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
+ 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
+ gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
+ signatures.
+ https://gitlab.com/gnutls/gnutls/issues/223
+ Thanks to Nikos Mavrogiannopoulos for the suggestion.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 23 Jul 2017 14:28:37 +0200
+
gnutls28 (3.5.8-5+deb9u2) stretch; urgency=medium
* 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
diff -Nru gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
--- gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 2017-07-23 13:49:16.000000000 +0200
@@ -0,0 +1,56 @@
+From 4115dda443f38119ad46262f7f4adc78cfa1bf83 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 30 Jun 2017 10:04:01 +0200
+Subject: [PATCH 1/2] OCSP: check the subject public key identifier field to
+ figure issuer
+
+Normally when attempting to match the 'Responder Key ID' in an OCSP response
+against the issuer certificate we check (according to RFC6960) against the
+hash of the SPKI field. However, in few certificates (see commit:
+"added ECDSA OCSP response verification"), that may not be the case. In that
+certificate, that value matches the Subject Public Key identifier field
+but not the hash.
+
+To account for these certificates, we enhance the matching to also consider
+the Subject Public Key identifier field.
+
+Relates: #223
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/x509/ocsp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index dcdf435d2..68e721eaa 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1923,9 +1923,24 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+
+ for (i = 0; i < ncerts; i++) {
+ if (keyid.data != NULL) {
+- uint8_t digest[20];
++ uint8_t digest[128]; /* to support longer key IDs */
+ gnutls_datum_t spki;
++ size_t digest_size = sizeof(digest);
+
++ _gnutls_debug_log("checking key ID against SPK identifier\n");
++
++ /* check subject key identifier as well, some certificates
++ * match that, but not the hash */
++ rc = gnutls_x509_crt_get_subject_key_id(certs[i], digest, &digest_size, NULL);
++ if (rc >= 0 && digest_size == keyid.size &&
++ memcmp(keyid.data, digest, digest_size) == 0) {
++ signercert = certs[i];
++ goto quit;
++ }
++
++ _gnutls_debug_log("checking key ID against SPKI hash\n");
++
++ /* continue with checking the hash */
+ rc = _gnutls_x509_get_raw_field2(certs[i]->cert, &certs[i]->der,
+ "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey",
+ &spki);
+--
+2.13.2
+
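Review bot: In the find_signercert() hunk the new Subject Key Identifier comparison runs before the RFC 6960 SPKI-hash comparison, although the commit message describes the identifier match as the exception that applies to a few certificates. Consider trying the hash first and falling back to `gnutls_x509_crt_get_subject_key_id()`, so the standard path stays primary. The comment above the new block could also say that the identifier is read from the certificate rather than computed from the key here, so a match only selects the candidate signer. The log text says "SPK identifier" while the function is named subject_key_id; using one name would make the debug output easier to search.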
diff -Nru gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
--- gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch 2017-07-23 13:49:16.000000000 +0200
@@ -0,0 +1,77 @@
+From 3c36d980d447251b34677c21bd4a141829c045f6 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 1 Jul 2017 10:50:57 +0200
+Subject: [PATCH 2/2] OCSP: find_signercert: improved DER length calculation
+
+Previously we were assuming a fixed amount of length bytes which
+is not correct for all possible lengths. Use libtasn1 to decode
+the length field.
+
+Resolves: #223
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ lib/x509/ocsp.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 68e721eaa..321a676b3 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1923,9 +1923,10 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+
+ for (i = 0; i < ncerts; i++) {
+ if (keyid.data != NULL) {
+- uint8_t digest[128]; /* to support longer key IDs */
++ uint8_t digest[64]; /* to support longer key IDs */
+ gnutls_datum_t spki;
+ size_t digest_size = sizeof(digest);
++ int len;
+
+ _gnutls_debug_log("checking key ID against SPK identifier\n");
+
+@@ -1946,19 +1947,36 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+ &spki);
+ if (rc < 0 || spki.size < 6) {
+ signercert = NULL;
+- goto quit;
++ continue;
+ }
+
+ /* For some reason the protocol requires we skip the
+ * tag, length and number of unused bits.
+ */
+- spki.data += 5;
+- spki.size -= 5;
+- rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, spki.data, spki.size, digest);
++ if (spki.data[0] != 0x03) { /* bit string */
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++
++ rc = asn1_get_length_der(spki.data+1, spki.size-1, &len);
++ if (rc <= 0) {
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++ len += 1+1; /* skip unused bits as well */
++ if (len >= (int)spki.size) {
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++
++ rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, spki.data+len, spki.size-len, digest);
+ if (rc < 0) {
+ gnutls_assert();
+ signercert = NULL;
+- goto quit;
++ continue;
+ }
+
+ if ((20 == keyid.size) &&
+--
+2.13.2
+
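Review bot: In the second find_signercert() hunk the value that `asn1_get_length_der()` returns in rc is only tested for `rc <= 0` and then dropped, so `gnutls_hash_fast()` hashes `spki.size-len` bytes on the strength of the buffer size alone. Comparing rc with the number of bytes that remain after the tag and length octets would reject a bit string whose encoded length disagrees with the buffer. The skipped unused-bits octet is not checked either, and `len += 1+1` also accounts for the tag octet, which the comment "skip unused bits as well" does not mention. The `spki.size < 6` test is left over from the fixed 5-byte skip, and `digest[64]` keeps the "longer key IDs" comment while shrinking from 128; a short comment explaining each bound would help.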
diff -Nru gnutls28-3.5.8/debian/patches/series gnutls28-3.5.8/debian/patches/series
--- gnutls28-3.5.8/debian/patches/series 2017-07-07 19:43:58.000000000 +0200
+++ gnutls28-3.5.8/debian/patches/series 2017-07-23 13:50:20.000000000 +0200
@@ -13,3 +13,5 @@
36_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-responder-.patch
36_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-documented-.patch
37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch
+38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
+38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
--- End Message ---