[Pkg-gnutls-commits] r1666 - in /packages/gnutls28/branches/branch_3.0.22-2/debian: ./ patches/
ametzler at users.alioth.debian.org
Thu Feb 7 09:59:17 UTC 2013
Author: ametzler
Date: Thu Feb 7 09:59:16 2013
New Revision: 1666
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=1666
Log:
Pull the same set of fixes included in gnutls26 2.12.20-4 for gnutls28,
if they are missing. (34_pkcs11_memleak.diff was part of 3.0.14.):
+40_Prevent-the-usage-of-strlen-on-null-values.patch Fix segfault caused
by running strlen() on NULL. See #647747.
+41_Tolerate-key-usage-violation.patch Always tolerate key usage
violation errors from the side of the peer, but also notify via an
audit message.
+42_Corrected-bugs-in-record-parsing.patch Fix record padding parsing
issue. This was also reported in the "lucky thirteen" paper.
+43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch Fixes
random handshake failures with non-GnuTLS implementations.
+45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch
(GNUTLS-SA-2013-1) TLS CBC padding timing attack. CVE-2013-0169
CVE-2013-1619.
Added:
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/40_Prevent-the-usage-of-strlen-on-null-values.patch
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/41_Tolerate-key-usage-violation.patch
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/42_Corrected-bugs-in-record-parsing.patch
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch
Modified:
packages/gnutls28/branches/branch_3.0.22-2/debian/changelog
packages/gnutls28/branches/branch_3.0.22-2/debian/patches/series
Modified: packages/gnutls28/branches/branch_3.0.22-2/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/changelog?rev=1666&op=diff
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/changelog (original)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/changelog Thu Feb 7 09:59:16 2013
@@ -1,3 +1,22 @@
+gnutls28 (3.0.22-3) unstable; urgency=high
+
+ * Pull the same set of fixes included in gnutls26 2.12.20-4 for gnutls28,
+ if they are missing. (34_pkcs11_memleak.diff was part of 3.0.14.):
+ +40_Prevent-the-usage-of-strlen-on-null-values.patch Fix segfault caused
+ by running strlen() on NULL. See #647747.
+ +41_Tolerate-key-usage-violation.patch Always tolerate key usage
+ violation errors from the side of the peer, but also notify via an
+ audit message.
+ +42_Corrected-bugs-in-record-parsing.patch Fix record padding parsing
+ issue. This was also reported in the "lucky thirteen" paper.
+ +43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch Fixes
+ random handshake failures with non-GnuTLS implementations.
+ +45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch
+ (GNUTLS-SA-2013-1) TLS CBC padding timing attack. CVE-2013-0169
+ CVE-2013-1619.
+
+ -- Andreas Metzler <ametzler at debian.org> Thu, 07 Feb 2013 10:19:02 +0100
+
gnutls28 (3.0.22-2) unstable; urgency=low
* Upload to unstable. This is a leaf-package experimental should get
Added: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/40_Prevent-the-usage-of-strlen-on-null-values.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/40_Prevent-the-usage-of-strlen-on-null-values.patch?rev=1666&op=file
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/40_Prevent-the-usage-of-strlen-on-null-values.patch (added)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/40_Prevent-the-usage-of-strlen-on-null-values.patch Thu Feb 7 09:59:16 2013
@@ -1,0 +1,58 @@
+From 6ce282dbc7a445edd98c6407d39fbd54b28f0502 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Sat, 25 Aug 2012 15:37:17 +0200
+Subject: [PATCH] Prevent the usage of strlen() on null values.
+
+---
+ lib/x509/privkey_pkcs8.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index 3af1045..2e3417f 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -1593,6 +1593,10 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn,
+ cipher_hd_st ch;
+ int ch_init = 0;
+ int key_size;
++ unsigned int pass_len = 0;
++
++ if (password)
++ pass_len = strlen(password);
+
+ data_size = 0;
+ result = asn1_read_value (pkcs8_asn, root, NULL, &data_size);
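Review bot: `pass_len` is declared `unsigned int` while `strlen()` returns `size_t`, so the assignment narrows silently; declaring it `size_t` avoids a conversion warning and matches what the callee received before. Note also that the NULL `password` pointer itself is still handed to `_gnutls_pbkdf2_sha1` (with length 0) at the call site below, so the fix relies on that function never touching a zero-length key; worth confirming rather than assuming.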
+@@ -1641,7 +1645,7 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn,
+ case PBES2_AES_192:
+ case PBES2_AES_256:
+
+- result = _gnutls_pbkdf2_sha1 (password, strlen (password),
++ result = _gnutls_pbkdf2_sha1 (password, pass_len,
+ kdf_params->salt, kdf_params->salt_size,
+ kdf_params->iter_count, key, key_size);
+
+@@ -1896,8 +1900,12 @@ generate_key (schema_id schema,
+ struct pbe_enc_params *enc_params, gnutls_datum_t * key)
+ {
+ unsigned char rnd[2];
++ unsigned int pass_len = 0;
+ int ret;
+
++ if (password)
++ pass_len = strlen(password);
++
+ ret = _gnutls_rnd (GNUTLS_RND_RANDOM, rnd, 2);
+ if (ret < 0)
+ {
+@@ -1971,7 +1979,7 @@ generate_key (schema_id schema,
+ case PBES2_AES_192:
+ case PBES2_AES_256:
+
+- ret = _gnutls_pbkdf2_sha1 (password, strlen (password),
++ ret = _gnutls_pbkdf2_sha1 (password, pass_len,
+ kdf_params->salt, kdf_params->salt_size,
+ kdf_params->iter_count,
+ key->data, kdf_params->key_size);
+--
+1.7.10.4
+
Added: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/41_Tolerate-key-usage-violation.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/41_Tolerate-key-usage-violation.patch?rev=1666&op=file
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/41_Tolerate-key-usage-violation.patch (added)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/41_Tolerate-key-usage-violation.patch Thu Feb 7 09:59:16 2013
@@ -1,0 +1,66 @@
+Description: Tolerate key usage violation.
+ Pulled from upstream.
+ This is basically <16d365ab359436651deb35a8ec6cdc0e76c077d9>, however major
+ parts of that patch revert 16d365ab359436651deb35a8ec6cdc0e76c077d9, which
+ is why we combine these.
+ 61b4442c6871253d90ace549f700d41e0f5982d3, updating the verify_tls_hash()
+ prototype is also include.
+Origin: upstream, 16d365ab359436651deb35a8ec6cdc0e76c077d9 16d365ab359436651deb35a8ec6cdc0e76c077d9 61b4442c6871253d90ace549f700d41e0f5982d3
+Forwarded: not-needed
+
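Review bot: the Description and Origin fields cite 16d365ab359436651deb35a8ec6cdc0e76c077d9 twice, yet the sentence says one of the two commits reverts major parts of the other, which cannot hold for a single id; one of them is presumably a typo for a different upstream commit, and the Origin line should be corrected so the provenance can be checked. Minor wording: "is also include" should read "is also included".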
+--- gnutls28-3.0.22.orig/lib/gnutls_sig.c
++++ gnutls28-3.0.22/lib/gnutls_sig.c
+@@ -221,7 +221,7 @@ sign_tls_hash (gnutls_session_t session,
+ if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ {
+ gnutls_assert ();
+- return GNUTLS_E_KEY_USAGE_VIOLATION;
++ _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
+ }
+
+ /* External signing. Deprecated. To be removed. */
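Review bot: the audit text at the `sign_tls_hash` site says "Peer's certificate does not allow digital signatures", but this function signs with the local key, so the certificate being checked is our own, not the peer's; the string was copied from the verify path and will mislead anyone reading the audit log. Suggest "Own certificate does not allow digital signatures. Key usage violation detected (ignored)." here. With the `return` gone, `gnutls_assert ()` now marks a condition that is deliberately tolerated; keeping it is fine for debugging, but a short comment that the fall-through is intentional would help the next reader.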
+@@ -269,7 +269,7 @@ es_cleanup:
+ }
+
+ static int
+-verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
++verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_pcert_st* cert,
+ const gnutls_datum_t * hash_concat,
+ gnutls_datum_t * signature, size_t sha1pos,
+ gnutls_sign_algorithm_t sign_algo,
+@@ -293,7 +293,7 @@ verify_tls_hash (gnutls_protocol_t ver,
+ if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ {
+ gnutls_assert ();
+- return GNUTLS_E_KEY_USAGE_VIOLATION;
++ _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
+ }
+
+ if (pk_algo == GNUTLS_PK_UNKNOWN)
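Review bot: dropping `return GNUTLS_E_KEY_USAGE_VIOLATION` here means a peer certificate whose keyUsage lacks digitalSignature is now accepted for handshake signatures, with the audit-log line as the only trace. The changelog states this is the intended policy, but applications that previously relied on the error code to reject such peers will no longer see it, so the behaviour change deserves a NEWS entry and the audit hook should be documented as the place to detect it. The added `session` parameter is used only for `_gnutls_audit_log`, which is consistent with the three callers updated below.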
+@@ -418,7 +418,7 @@ _gnutls_handshake_verify_data (gnutls_se
+ dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
+ }
+
+- ret = verify_tls_hash (ver, cert, &dconcat, signature,
++ ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
+ dconcat.size -
+ _gnutls_hash_get_algo_len (hash_algo),
+ sign_algo,
+@@ -467,7 +467,7 @@ _gnutls_handshake_verify_crt_vrfy12 (gnu
+ dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
+
+ ret =
+- verify_tls_hash (ver, cert, &dconcat, signature, 0, sign_algo, pk);
++ verify_tls_hash (session, ver, cert, &dconcat, signature, 0, sign_algo, pk);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+@@ -561,7 +561,7 @@ _gnutls_handshake_verify_crt_vrfy (gnutl
+ dconcat.size = 20 + 16; /* md5+ sha */
+
+ ret =
+- verify_tls_hash (ver, cert, &dconcat, signature, 16,
++ verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
+ GNUTLS_SIGN_UNKNOWN,
+ gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
+ if (ret < 0)
Added: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/42_Corrected-bugs-in-record-parsing.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/42_Corrected-bugs-in-record-parsing.patch?rev=1666&op=file
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/42_Corrected-bugs-in-record-parsing.patch (added)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/42_Corrected-bugs-in-record-parsing.patch Thu Feb 7 09:59:16 2013
@@ -1,0 +1,48 @@
+From 425a54f0df10e4edcab3eb1b50b45304d14e6c66 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Tue, 4 Dec 2012 20:57:38 +0100
+Subject: [PATCH] Corrected bugs in record parsing.
+
+Corrected bugs in record padding parsing. Reported by Kenny Patterson and Nadhem Alfardan.
+---
+ lib/gnutls_cipher.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index b49b439..d252190 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -440,10 +440,10 @@ ciphertext_to_compressed (gnutls_session_t session,
+ uint64* sequence)
+ {
+ uint8_t tag[MAX_HASH_SIZE];
+- uint8_t pad;
++ unsigned int pad, i;
+ int length, length_to_decrypt;
+ uint16_t blocksize;
+- int ret, i, pad_failed = 0;
++ int ret, pad_failed = 0;
+ uint8_t preamble[MAX_PREAMBLE_SIZE];
+ unsigned int preamble_size;
+ unsigned int ver = gnutls_protocol_get_version (session);
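Review bot: changing `pad` from `uint8_t` to `unsigned int` is the substantive fix: the assignment `pad = ciphertext->data[ciphertext->size - 1] + 1` in the next hunk wraps to 0 for a padding byte of 255 with the 8-bit type, so a maximal padding block was parsed as no padding at all; with `unsigned int` the value 256 survives and reaches the length check. Making `i` unsigned to match avoids a signed/unsigned comparison in the loop.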
+@@ -540,7 +540,7 @@ ciphertext_to_compressed (gnutls_session_t session,
+ pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
+
+
+- if ((int) pad > (int) ciphertext->size - tag_size)
++ if (pad > (int) ciphertext->size - tag_size)
+ {
+ gnutls_assert ();
+ _gnutls_record_log
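Review bot: the rewritten comparison `pad > (int) ciphertext->size - tag_size` mixes an `unsigned int` left operand with an `int` right operand; under the usual arithmetic conversions the right side is converted to unsigned, so if `ciphertext->size - tag_size` were ever negative the check would silently pass. It is safe only because of the `ciphertext->size < tag_size` guard earlier in the function (visible as context in the later CBC patch); computing `pad + tag_size > ciphertext->size` in unsigned arithmetic throughout would make the check independent of that guard.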
+@@ -558,7 +558,7 @@ ciphertext_to_compressed (gnutls_session_t session,
+ /* Check the pading bytes (TLS 1.x)
+ */
+ if (ver != GNUTLS_SSL3)
+- for (i = 2; i < pad; i++)
++ for (i = 2; i <= pad; i++)
+ {
+ if (ciphertext->data[ciphertext->size - i] !=
+ ciphertext->data[ciphertext->size - 1])
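Review bot: `i <= pad` (was `i < pad`) makes the loop also inspect the padding byte at `data[size - pad]`, which the old bound skipped, so one padding byte went unverified; this is the second half of the parsing fix. The loop bound still depends on `pad`, so the iteration count (and thus timing) varies with the padding length of the received record; the separate CBC timing patch in this commit replaces the bound with a fixed `MIN(256, ciphertext->size)`.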
+--
+1.7.10.4
+
Added: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch?rev=1666&op=file
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch (added)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch Thu Feb 7 09:59:16 2013
@@ -1,0 +1,40 @@
+From b46ef9e234d13d51f967f7c1bac96fed42e971b0 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Mon, 31 Dec 2012 20:08:32 +0100
+Subject: [PATCH] Stricter RSA PKCS #1 1.5 encoding. Reported by Kikuchi
+ Masashi.
+
+
+ NEWS | 3 +++
+ lib/nettle/pk.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+ b/NEWS
+ ** libgnutls: Stricter RSA PKCS #1 1.5 encoding. Reported
+ by Kikuchi Masashi.
+
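Review bot: the NEWS portion of this patch is truncated: the diffstat lists `NEWS | 3 +++`, but what follows is a bare ` b/NEWS` line and two text lines with no `diff --git`, `index`, `---`/`+++` or `@@` header, so quilt/patch cannot apply that section and will at best treat it as garbage between the diffstat and the `lib/nettle/pk.c` diff. Either drop NEWS from the diffstat together with the stray lines, or restore the complete hunk.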
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index fc3275c..7a8833f 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -208,7 +208,7 @@ _wrap_nettle_pk_encrypt (gnutls_pk_algorithm_t algo,
+ mpz_powm (p, p, TOMPZ (pk_params->params[1]) /*e */ ,
+ TOMPZ (pk_params->params[0] /*m */ ));
+
+- ret = _gnutls_mpi_dprint_size (p, ciphertext, plaintext->size);
++ ret = _gnutls_mpi_dprint_size (p, ciphertext, nettle_mpz_sizeinbase_256_u(TOMPZ (pk_params->params[0])));
+ _gnutls_mpi_release (&p);
+
+ if (ret < 0)
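Review bot: sizing the output with `nettle_mpz_sizeinbase_256_u(TOMPZ (pk_params->params[0]))`, i.e. the modulus length, instead of `plaintext->size` is the correct fix: RSA PKCS #1 v1.5 encryption output is defined to be exactly k octets, k being the length of the modulus, so the previous code produced a wrongly sized ciphertext whenever the padded input length differed from the modulus length. Worth checking that `nettle_mpz_sizeinbase_256_u` exists in the minimum nettle version the package build-depends on.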
+@@ -487,7 +487,7 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
+
+ rsa_unblind (nc, ri, pk_params->params[0] /*m */ );
+
+- ret = _gnutls_mpi_dprint (nc, signature);
++ ret = _gnutls_mpi_dprint_size (nc, signature, nettle_mpz_sizeinbase_256_u(TOMPZ (pk_params->params[0])));
+
+ rsa_fail:
+ _gnutls_mpi_release (&nc);
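Review bot: switching from `_gnutls_mpi_dprint` to `_gnutls_mpi_dprint_size` with the modulus length explains the intermittent failures in the changelog: a signature value whose leading octet happens to be zero was previously emitted one byte short, and strict peers reject signatures that are not exactly modulus-length. The `rsa_fail:` cleanup below still releases `nc`, so error handling is unchanged.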
+--
+1.7.10.4
+
Added: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch?rev=1666&op=file
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch (added)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch Thu Feb 7 09:59:16 2013
@@ -1,0 +1,205 @@
+From 8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Mon, 4 Feb 2013 03:08:04 +0100
+Subject: [PATCH] Fixes to avoid a timing attack in TLS CBC record parsing.
+
+---
+ lib/gnutls_cipher.c | 97 ++++++++++++++++++++++++++++++-------------------
+ lib/gnutls_hash_int.h | 21 +++++++++++
+ 2 files changed, 81 insertions(+), 37 deletions(-)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index d252190..f515257 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -1,5 +1,6 @@
+ /*
+- * Copyright (C) 2000-2012 Free Software Foundation, Inc.
++ * Copyright (C) 2000-2013 Free Software Foundation, Inc.
++ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+@@ -427,6 +428,36 @@ compressed_to_ciphertext (gnutls_session_t session,
+ return length;
+ }
+
++static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext,
++ unsigned pad_failed, unsigned int pad, unsigned total)
++{
++ /* this hack is only needed on CBC ciphers */
++ if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
++ {
++ unsigned len;
++
++ /* force an additional hash compression function evaluation to prevent timing
++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++ */
++ if (pad_failed == 0 && pad > 0)
++ {
++ len = _gnutls_get_hash_block_len(params->mac_algorithm);
++ if (len > 0)
++ {
++ /* This is really specific to the current hash functions.
++ * It should be removed once a protocol fix is in place.
++ */
++ if ((pad+total) % len > len-9 && total % len <= len-9)
++ {
++ if (len < plaintext->size)
++ _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, len);
++ else
++ _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, plaintext->size);
++ }
++ }
++ }
++ }
++}
+
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+ * Returns the actual compressed packet size.
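Review bot: `¶ms` on the two `_gnutls_auth_cipher_add_auth` lines is `&params` with the `&para` entity mangled by the mail/web rendering; the file actually committed must read `&params->read.cipher_state` or it will not compile, so verify the patch in the repository rather than this listing. On substance, `dummy_wait` is a mitigation, as its own comment admits: it forces one extra hash compression only when the padding would have pushed the MAC input across a block boundary (`(pad+total) % len > len-9 && total % len <= len-9`), and that arithmetic hard-codes a 9-byte trailer, which is tied to the block length returned by `_gnutls_get_hash_block_len` below. A comment naming the hash families the constant is valid for would make the assumption visible.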
+@@ -440,10 +471,12 @@ ciphertext_to_compressed (gnutls_session_t session,
+ uint64* sequence)
+ {
+ uint8_t tag[MAX_HASH_SIZE];
+- unsigned int pad, i;
++ unsigned int pad = 0, i;
+ int length, length_to_decrypt;
+ uint16_t blocksize;
+- int ret, pad_failed = 0;
++ int ret;
++ unsigned int tmp_pad_failed = 0;
++ unsigned int pad_failed = 0;
+ uint8_t preamble[MAX_PREAMBLE_SIZE];
+ unsigned int preamble_size;
+ unsigned int ver = gnutls_protocol_get_version (session);
+@@ -452,6 +485,7 @@ ciphertext_to_compressed (gnutls_session_t session,
+
+ blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
+
++
+ /* actual decryption (inplace)
+ */
+ switch (_gnutls_cipher_is_block (params->cipher_algorithm))
+@@ -524,7 +558,7 @@ ciphertext_to_compressed (gnutls_session_t session,
+ ciphertext->data += blocksize;
+ }
+
+- if (ciphertext->size < tag_size)
++ if (ciphertext->size < tag_size+1)
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+
+ /* we don't use the auth_cipher interface here, since
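Review bot: raising the minimum to `tag_size+1` is required by the new length formula `length = ciphertext->size - tag_size - pad - 1` further down: the last byte is now always consumed as the padding-length byte, so a record of exactly `tag_size` bytes would otherwise yield a negative `length` that is then used as an index into `ciphertext->data`.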
+@@ -537,42 +571,30 @@ ciphertext_to_compressed (gnutls_session_t session,
+ ciphertext->data, ciphertext->size)) < 0)
+ return gnutls_assert_val(ret);
+
+- pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
+-
+-
+- if (pad > (int) ciphertext->size - tag_size)
+- {
+- gnutls_assert ();
+- _gnutls_record_log
+- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+- session, pad, ciphertext->size, tag_size);
+- /* We do not fail here. We check below for the
+- * the pad_failed. If zero means success.
+- */
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+- pad %= blocksize;
+- }
+-
+- length = ciphertext->size - tag_size - pad;
++ pad = ciphertext->data[ciphertext->size - 1]; /* pad */
+
+- /* Check the pading bytes (TLS 1.x)
++ /* Check the pading bytes (TLS 1.x).
++ * Note that we access all 256 bytes of ciphertext for padding check
++ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+ if (ver != GNUTLS_SSL3)
+- for (i = 2; i <= pad; i++)
++ for (i = 2; i <= MIN(256, ciphertext->size); i++)
+ {
+- if (ciphertext->data[ciphertext->size - i] !=
+- ciphertext->data[ciphertext->size - 1])
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
++ tmp_pad_failed |= (ciphertext->data[ciphertext->size - i] != pad);
++ pad_failed |= ((i<= (1+pad)) & (tmp_pad_failed));
+ }
+
+- if (length < 0)
++ if (pad_failed != 0 || (1+pad > ((int) ciphertext->size - tag_size)))
+ {
+- /* Setting a proper length to prevent timing differences in
+- * processing of records with invalid encryption.
++ /* We do not fail here. We check below for the
++ * the pad_failed. If zero means success.
+ */
+- length = ciphertext->size - tag_size;
++ pad_failed = 1;
++ pad = 0;
+ }
+
++ length = ciphertext->size - tag_size - pad - 1;
++
+ /* Pass the type, version, length and compressed through
+ * MAC.
+ */
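Review bot: this restructuring is the core of the CVE-2013-0169 fix and reads correctly: the padding loop always covers `MIN(256, ciphertext->size)` bytes and records errors with `|=` and `&` instead of branching, the length check is folded into `pad_failed` instead of returning early, and on any padding failure `pad` is forced to 0 so the MAC runs over the longest possible plaintext, making the work done independent of the padding value. Two caveats worth a comment in the code: `tmp_pad_failed |= (... != pad)` relies on the compiler not turning the comparison back into a branch, and `(1+pad > ((int) ciphertext->size - tag_size))` repeats the signed/unsigned mix from the earlier record-parsing patch; `pad` is unsigned, so the `int` right side is converted to unsigned and the expression only behaves because `ciphertext->size >= tag_size+1` was checked above.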
+@@ -596,15 +618,16 @@ ciphertext_to_compressed (gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- /* This one was introduced to avoid a timing attack against the TLS
+- * 1.0 protocol.
+- */
+- /* HMAC was not the same.
+- */
+ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0)
+- return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
++ {
++ gnutls_datum compressed = {compress_data, compress_size};
++ /* HMAC was not the same. */
++ dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size);
++
++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
++ }
+
+- /* copy the decrypted stuff to compress_data.
++ /* copy the decrypted stuff to compressed_data.
+ */
+ if (compress_size < length)
+ return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
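Review bot: the tag comparison still uses `memcmp`, which returns at the first differing byte and so leaks the position of the mismatch through timing; since this patch exists to remove timing channels from the failure path, a constant-time comparison (XOR-accumulate over `tag_size` bytes, then test the accumulator) would be the consistent choice. Style: `gnutls_datum compressed = {compress_data, compress_size};` uses the plain `gnutls_datum` name while `dummy_wait` above takes `gnutls_datum_t*`; use the `_t` form. The `||` short-circuit is harmless because both failure causes reach the same `dummy_wait` call with `pad_failed` passed along.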
+diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h
+index 5c55490..b91671c 100644
+--- a/lib/gnutls_hash_int.h
++++ b/lib/gnutls_hash_int.h
+@@ -176,4 +176,25 @@ inline static int IS_SHA(gnutls_digest_algorithm_t algo)
+ return 0;
+ }
+
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++ switch (algo)
++ {
++ case GNUTLS_DIG_MD5:
++ case GNUTLS_DIG_SHA1:
++ case GNUTLS_DIG_RMD160:
++ case GNUTLS_DIG_SHA256:
++ case GNUTLS_DIG_SHA384:
++ case GNUTLS_DIG_SHA512:
++ case GNUTLS_DIG_SHA224:
++ return 64;
++ default:
++ return 0;
++ }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
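Review bot: `_gnutls_get_hash_block_len` returns 64 for `GNUTLS_DIG_SHA384` and `GNUTLS_DIG_SHA512`, but those hashes use a 128-byte compression block and a 16-byte length trailer, so the `len-9` boundary arithmetic in `dummy_wait` does not match where the extra compression actually occurs for SHA-384/SHA-512 HMACs; returning 128 for those two and adjusting the trailer constant accordingly would make the work-around match the hash. The comment rightly flags this as a temporary hack, and the dependency on hash internals should disappear once a proper fix is in place.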
+--
+1.7.10.4
+
Modified: packages/gnutls28/branches/branch_3.0.22-2/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls28/branches/branch_3.0.22-2/debian/patches/series?rev=1666&op=diff
==============================================================================
--- packages/gnutls28/branches/branch_3.0.22-2/debian/patches/series (original)
+++ packages/gnutls28/branches/branch_3.0.22-2/debian/patches/series Thu Feb 7 09:59:16 2013
@@ -1,3 +1,8 @@
14_version_gettextcat.diff
20_test-select.diff
30_forcesystemlibopts.diff
+40_Prevent-the-usage-of-strlen-on-null-values.patch
+41_Tolerate-key-usage-violation.patch
+42_Corrected-bugs-in-record-parsing.patch
+43_Stricter-RSA-PKCS-1-1.5-encoding.-Reported-by-Kikuch.patch
+45_Fixes-to-avoid-a-timing-attack-in-TLS-CBC-record-par.patch
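Review bot: the order 42 before 45 in `series` must be preserved: patch 45's `index d252190..f515257` line for `lib/gnutls_cipher.c` starts from the blob that patch 42 produces (`index b49b439..d252190`), so 45 would not apply cleanly if the two were reordered or 42 were dropped. A short comment in the changelog that 45 builds on 42 would save the next maintainer from rediscovering this.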