[Pkg-gnutls-commits] r1650 - in /packages/gnutls26/branches/branch2.12.20-1+wheezy/debian: changelog patches/34_pkcs11_memleak.diff patches/35_TLS-CBC_timing-attack.diff patches/series
ametzler at users.alioth.debian.org
ametzler at users.alioth.debian.org
Mon Feb 4 18:45:49 UTC 2013
Author: ametzler
Date: Mon Feb 4 18:45:48 2013
New Revision: 1650
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=1650
Log:
Pull fixes from 2.12.23:
+ 34_pkcs11_memleak.diff Eliminated memory leak in PKCS #11
initialization.
+ 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
attack
Added:
packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/34_pkcs11_memleak.diff
packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/35_TLS-CBC_timing-attack.diff
Modified:
packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/changelog
packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/series
Modified: packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.12.20-1%2Bwheezy/debian/changelog?rev=1650&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/changelog (original)
+++ packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/changelog Mon Feb 4 18:45:48 2013
@@ -1,8 +1,12 @@
-gnutls26 (2.12.20-4) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org> Sun, 06 Jan 2013 11:22:30 +0100
+gnutls26 (2.12.20-4) unstable; urgency=high
+
+ * Pull fixes from 2.12.23:
+ + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11
+ initialization.
+ + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
+ attack
+
+ -- Andreas Metzler <ametzler at debian.org> Mon, 04 Feb 2013 19:35:29 +0100
gnutls26 (2.12.20-3) unstable; urgency=low
Added: packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/34_pkcs11_memleak.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.12.20-1%2Bwheezy/debian/patches/34_pkcs11_memleak.diff?rev=1650&op=file
==============================================================================
--- packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/34_pkcs11_memleak.diff (added)
+++ packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/34_pkcs11_memleak.diff Mon Feb 4 18:45:48 2013
@@ -1,0 +1,36 @@
+From 433bc2bdc118ac3b8a83a5fb7d41b3cecdd73cc9 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Sun, 3 Feb 2013 13:13:34 -0500
+Subject: [PATCH 1/6] free allocated module name. Reported by Sam Varshavchik.
+
+This is the same fix from the 3.0 branch as:
+
+ ce7caadb "free allocated module name. Reported by Sam Varshavchik."
+
+** libgnutls: Eliminated memory leak in PCKS #11 initialization.
+Report and fix by Sam Varshavchik.
+
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 59cf686..2bf6b04 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -441,7 +441,7 @@ static int
+ initialize_automatic_p11_kit (void)
+ {
+ struct ck_function_list **modules;
+- const char *name;
++ char *name;
+ ck_rv_t rv;
+ int i, ret;
+
+@@ -466,6 +466,7 @@ initialize_automatic_p11_kit (void)
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot add registered module: %s\n", name);
+ }
++ free(name);
+ }
+
+ free (modules);
+--
+1.7.10.4
+
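Review bot: The added `free(name)` sits at the end of the loop body, after the error-log branch, so it only releases the name on iterations that reach that line; the assignment of `name` and the rest of the loop body lie outside the hunk, so it is worth confirming that no `continue`, `goto` or early `return` between the assignment and this line leaves the string unreleased. The `const char *` to `char *` change is what lets `free` compile without a cast, but a one-line comment such as `/* name is heap-allocated; released at the end of each iteration */` would make the ownership explicit to the next reader. `initialize_automatic_p11_kit` begins and ends outside the hunk.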
Added: packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/35_TLS-CBC_timing-attack.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.12.20-1%2Bwheezy/debian/patches/35_TLS-CBC_timing-attack.diff?rev=1650&op=file
==============================================================================
--- packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/35_TLS-CBC_timing-attack.diff (added)
+++ packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/35_TLS-CBC_timing-attack.diff Mon Feb 4 18:45:48 2013
@@ -1,0 +1,183 @@
+Description: avoid a timing attack in TLS CBC record parsing.
+ http://www.gnutls.org/security.html#GNUTLS-SA-2013-1
+ http://www.isg.rhul.ac.uk/tls/
+Origin: upstream, http://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30 http://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e
+Forwarded: not-needed
+Last-Update: 2013-02-04
+
+--- gnutls26-2.12.20.orig/lib/gnutls_hash_int.h
++++ gnutls26-2.12.20/lib/gnutls_hash_int.h
+@@ -97,4 +97,25 @@ void _gnutls_mac_deinit_ssl3_handshake (
+
+ int _gnutls_hash_copy (digest_hd_st * dst_handle, digest_hd_st * src_handle);
+
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++ switch (algo)
++ {
++ case GNUTLS_DIG_MD5:
++ case GNUTLS_DIG_SHA1:
++ case GNUTLS_DIG_RMD160:
++ case GNUTLS_DIG_SHA256:
++ case GNUTLS_DIG_SHA384:
++ case GNUTLS_DIG_SHA512:
++ case GNUTLS_DIG_SHA224:
++ return 64;
++ default:
++ return 0;
++ }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
+--- gnutls26-2.12.20.orig/lib/gnutls_cipher.c
++++ gnutls26-2.12.20/lib/gnutls_cipher.c
+@@ -1,6 +1,6 @@
+ /*
+- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
+- * Free Software Foundation, Inc.
++ * Copyright (C) 2000-2013 Free Software Foundation, Inc.
++ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+@@ -448,6 +448,48 @@ _gnutls_compressed2ciphertext (gnutls_se
+ return length;
+ }
+
++static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext,
++ unsigned pad_failed, unsigned int pad, unsigned total, int ver)
++{
++ /* this hack is only needed on CBC ciphers */
++ if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
++ {
++ uint8_t MAC[MAX_HASH_SIZE];
++ unsigned len;
++ digest_hd_st td;
++ int ret;
++
++ ret = mac_init (&td, params->mac_algorithm,
++ params->read.mac_secret.data,
++ params->read.mac_secret.size, ver);
++
++ if (ret < 0)
++ return;
++
++ /* force an additional hash compression function evaluation to prevent timing
++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++ */
++ if (pad_failed == 0 && pad > 0)
++ {
++ len = _gnutls_get_hash_block_len(params->mac_algorithm);
++ if (len > 0)
++ {
++ /* This is really specific to the current hash functions.
++ * It should be removed once a protocol fix is in place.
++ */
++ if ((pad+total) % len > len-9 && total % len <= len-9)
++ {
++ if (len < plaintext->size)
++ mac_hash (&td, plaintext->data, len, ver);
++ else
++ mac_hash (&td, plaintext->data, plaintext->size, ver);
++ }
++ }
++ }
++
++ mac_deinit (&td, MAC, ver);
++ }
++}
+
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+ * Returns the actual compressed packet size.
+@@ -461,12 +503,12 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ uint8_t MAC[MAX_HASH_SIZE];
+ uint16_t c_length;
+- unsigned int pad;
++ unsigned int pad = 0;
+ int length;
+ uint16_t blocksize;
+ int ret, i, pad_failed = 0;
+ opaque preamble[PREAMBLE_SIZE];
+- int preamble_size;
++ int preamble_size = 0;
+ int ver = gnutls_protocol_get_version (session);
+ int hash_size = _gnutls_hash_get_algo_len (params->mac_algorithm);
+
+@@ -518,31 +560,23 @@ _gnutls_ciphertext2compressed (gnutls_se
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+-
+- if ((int) pad > (int) ciphertext.size - hash_size)
+- {
+- gnutls_assert ();
+- _gnutls_record_log
+- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+- session, pad, ciphertext.size, hash_size);
+- /* We do not fail here. We check below for the
+- * the pad_failed. If zero means success.
+- */
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+- }
+-
+- length = ciphertext.size - hash_size - pad;
++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */
+
+- /* Check the pading bytes (TLS 1.x)
++ /* Check the pading bytes (TLS 1.x).
++ * Note that we access all 256 bytes of ciphertext for padding check
++ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+ if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+ for (i = 2; i <= pad; i++)
+ {
+- if (ciphertext.data[ciphertext.size - i] !=
+- ciphertext.data[ciphertext.size - 1])
++ if (ciphertext.data[ciphertext.size - i] != pad)
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
++
++ if (pad_failed)
++ pad = 0;
++ length = ciphertext.size - hash_size - pad - 1;
++
+ break;
+ default:
+ gnutls_assert ();
+@@ -581,24 +615,19 @@ _gnutls_ciphertext2compressed (gnutls_se
+ mac_deinit (&td, MAC, ver);
+ }
+
+- /* This one was introduced to avoid a timing attack against the TLS
+- * 1.0 protocol.
+- */
+- if (pad_failed != 0)
+- {
+- gnutls_assert ();
+- return pad_failed;
+- }
+-
+ /* HMAC was not the same.
+ */
+- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0)
+ {
++ gnutls_datum_t compressed = {compress_data, compress_size};
++ /* HMAC was not the same. */
++ dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size, ver);
++
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+
+- /* copy the decrypted stuff to compress_data.
++ /* copy the decrypted stuff to compressed_data.
+ */
+ if (compress_size < length)
+ {
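Review bot: The rewritten padding loop `for (i = 2; i <= pad; i++)` indexes `ciphertext.data[ciphertext.size - i]` with `pad` taken straight from the last decrypted byte, while the hunk drops the old `(int) pad > (int) ciphertext.size - hash_size` guard that kept an oversized pad from reaching the loop; nothing now bounds `i` by `ciphertext.size`, so a record shorter than the trailer byte indicates is read before the start of its buffer, and an unflagged oversized `pad` also drives `length` negative before the `memcmp` at `&ciphertext.data[length]`. Restore a range check that only marks failure, e.g. `if ((int) pad + 1 > (int) ciphertext.size - hash_size) pad_failed = GNUTLS_E_DECRYPTION_FAILED;` placed before the loop, which through the existing `pad_failed == 0` condition also keeps the loop inside the record. `_gnutls_ciphertext2compressed` starts and ends outside the hunk, so any minimum-size check it already enforces earlier should be confirmed against the 255-byte maximum a trailer byte can carry. Separately, `_gnutls_get_hash_block_len` returns 64 for GNUTLS_DIG_SHA384 and GNUTLS_DIG_SHA512 although those digests use a 128-byte compression block, so the extra-compression heuristic in `dummy_wait` is mis-sized whenever such a MAC is negotiated with a CBC cipher; either return 128 for those two cases or document that the work-around only targets the 64-byte-block hashes.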
Modified: packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/branches/branch2.12.20-1%2Bwheezy/debian/patches/series?rev=1650&op=diff
==============================================================================
--- packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/series (original)
+++ packages/gnutls26/branches/branch2.12.20-1+wheezy/debian/patches/series Mon Feb 4 18:45:48 2013
@@ -7,3 +7,5 @@
31_allow_key_usage_violation.diff
32_record-padding-parsing.patch
33_stricter_rsa_pkcs_1.5.diff
+34_pkcs11_memleak.diff
+35_TLS-CBC_timing-attack.diff