diff --git a/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch b/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch deleted file mode 100644 index 50e0fa3..0000000 --- a/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch +++ /dev/null @@ -1,209 +0,0 @@ -From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 23 Oct 2023 09:26:57 +0900 -Subject: [PATCH] auth/rsa_psk: side-step potential side-channel - -This removes branching that depends on secret data, porting changes -for regular RSA key exchange from -4804febddc2ed958e5ae774de2a8f85edeeff538 and -80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the -allow_wrong_pms as it was used sorely to control debug output -depending on the branching. - -Signed-off-by: Daiki Ueno - -Conflict::rsa_psk.c - ---- - lib/auth/rsa.c | 2 +- - lib/auth/rsa_psk.c | 90 ++++++++++++++++++---------------------------- - lib/gnutls_int.h | 4 --- - lib/priority.c | 1 - - 4 files changed, 35 insertions(+), 62 deletions(-) - -diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c -index 492ec11..dd0fea1 100644 ---- a/lib/auth/rsa.c -+++ b/lib/auth/rsa.c -@@ -206,7 +206,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, size_t _data_size) - session->key.key.size); - /* After this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side -- * channel that can be used as an oracle, so treat very carefully */ -+ * channel that can be used as an oracle, so tread carefully */ - - /* Error handling logic: - * In case decryption fails then don't inform the peer. Just use the -diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c -index c1e9ac4..289ecbd 100644 ---- a/lib/auth/rsa_psk.c -+++ b/lib/auth/rsa_psk.c -@@ -255,14 +255,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, - { - gnutls_datum_t username; - psk_auth_info_t info; -- gnutls_datum_t plaintext; - gnutls_datum_t ciphertext; - gnutls_datum_t pwd_psk = { NULL, 0 }; - int ret, dsize; -- int randomize_key = 0; - ssize_t data_size = _data_size; - gnutls_psk_server_credentials_t cred; - gnutls_datum_t premaster_secret = { NULL, 0 }; -+ volatile uint8_t ver_maj, ver_min; - - cred = (gnutls_psk_server_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_PSK); -@@ -320,68 +319,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, - } - ciphertext.size = dsize; - -- ret = -- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, -- &ciphertext, &plaintext); -- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { -- /* In case decryption fails then don't inform -- * the peer. Just use a random key. (in order to avoid -- * attack against pkcs-1 formatting). -- */ -+ ver_maj = _gnutls_get_adv_version_major(session); -+ ver_min = _gnutls_get_adv_version_minor(session); -+ -+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE); -+ if (premaster_secret.data == NULL) { - gnutls_assert(); -- _gnutls_debug_log -- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); -- if (ret >= 0) { -- gnutls_free(plaintext.data); -- } -- randomize_key = 1; -- } else { -- /* If the secret was properly formatted, then -- * check the version number. -- */ -- if (_gnutls_get_adv_version_major(session) != plaintext.data[0] -- || (session->internals.allow_wrong_pms == 0 -- && _gnutls_get_adv_version_minor(session) != -- plaintext.data[1])) { -- /* No error is returned here, if the version number check -- * fails. We proceed normally. -- * That is to defend against the attack described in the paper -- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, -- * Ondej Pokorny and Tomas Rosa. -- */ -- gnutls_assert(); -- _gnutls_debug_log -- ("auth_rsa: Possible PKCS #1 version check format attack\n"); -- } -+ return GNUTLS_E_MEMORY_ERROR; - } -+ premaster_secret.size = GNUTLS_MASTER_SIZE; - -- if (randomize_key != 0) { -- premaster_secret.size = GNUTLS_MASTER_SIZE; -- premaster_secret.data = gnutls_malloc(premaster_secret.size); -- if (premaster_secret.data == NULL) { -- gnutls_assert(); -- return GNUTLS_E_MEMORY_ERROR; -- } -- -- /* we do not need strong random numbers here. -- */ -- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, -- premaster_secret.size); -- if (ret < 0) { -- gnutls_assert(); -- goto cleanup; -- } -- } else { -- premaster_secret.data = plaintext.data; -- premaster_secret.size = plaintext.size; -+ /* Fallback value when decryption fails. Needs to be unpredictable. */ -+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, -+ premaster_secret.size); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; - } - -+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, -+ &ciphertext, premaster_secret.data, -+ premaster_secret.size); -+ /* After this point, any conditional on failure that cause differences -+ * in execution may create a timing or cache access pattern side -+ * channel that can be used as an oracle, so tread carefully */ -+ -+ /* Error handling logic: -+ * In case decryption fails then don't inform the peer. Just use the -+ * random key previously generated. (in order to avoid attack against -+ * pkcs-1 formatting). -+ * -+ * If we get version mismatches no error is returned either. We -+ * proceed normally. This is to defend against the attack described -+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by -+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. -+ */ -+ - /* This is here to avoid the version check attack - * discussed above. - */ -- -- premaster_secret.data[0] = _gnutls_get_adv_version_major(session); -- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session); -+ premaster_secret.data[0] = ver_maj; -+ premaster_secret.data[1] = ver_min; - - /* find the key of this username - */ -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index 969454b..034059a 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -977,7 +977,6 @@ struct gnutls_priority_st { - bool _no_etm; - bool _no_ext_master_secret; - bool _allow_key_usage_violation; -- bool _allow_wrong_pms; - bool _dumbfw; - unsigned int _dh_prime_bits; /* old (deprecated) variable */ - -@@ -995,7 +994,6 @@ struct gnutls_priority_st { - (x)->no_etm = 1; \ - (x)->no_ext_master_secret = 1; \ - (x)->allow_key_usage_violation = 1; \ -- (x)->allow_wrong_pms = 1; \ - (x)->dumbfw = 1 - - # define ENABLE_PRIO_COMPAT(x) \ -@@ -1004,7 +1002,6 @@ struct gnutls_priority_st { - (x)->_no_etm = 1; \ - (x)->_no_ext_master_secret = 1; \ - (x)->_allow_key_usage_violation = 1; \ -- (x)->_allow_wrong_pms = 1; \ - (x)->_dumbfw = 1 - - /* DH and RSA parameters types. -@@ -1129,7 +1126,6 @@ typedef struct { - bool no_etm; - bool no_ext_master_secret; - bool allow_key_usage_violation; -- bool allow_wrong_pms; - bool dumbfw; - - /* old (deprecated) variable. This is used for both srp_prime_bits -diff --git a/lib/priority.c b/lib/priority.c -index 154929e..8dd9c42 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -725,7 +725,6 @@ int gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority) - COPY_TO_INTERNALS(no_etm); - COPY_TO_INTERNALS(no_ext_master_secret); - COPY_TO_INTERNALS(allow_key_usage_violation); -- COPY_TO_INTERNALS(allow_wrong_pms); - COPY_TO_INTERNALS(dumbfw); - COPY_TO_INTERNALS(dh_prime_bits); - --- -2.33.0 - diff --git a/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch b/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch index a2653fb..5bcb716 100644 --- a/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch +++ b/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch @@ -10,24 +10,25 @@ decryption. This also avoids an extra memcpy to session->key.key. Signed-off-by: Daiki Ueno Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e -Conflicts: lib/auth/rsa_psk.c +Conflicts: NA + --- - lib/auth/rsa_psk.c | 70 ++++++++++++++++++++++++---------------------- - 1 file changed, 36 insertions(+), 34 deletions(-) + lib/auth/rsa_psk.c | 69 ++++++++++++++++++++++++---------------------- + 1 file changed, 36 insertions(+), 33 deletions(-) diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c -index 289ecbd..4043a64 100644 +index 99f908460..399fb4da1 100644 --- a/lib/auth/rsa_psk.c +++ b/lib/auth/rsa_psk.c -@@ -260,7 +260,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, +@@ -256,7 +256,6 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, int ret, dsize; ssize_t data_size = _data_size; gnutls_psk_server_credentials_t cred; - gnutls_datum_t premaster_secret = { NULL, 0 }; volatile uint8_t ver_maj, ver_min; - cred = (gnutls_psk_server_credentials_t) -@@ -322,24 +321,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred( +@@ -318,24 +317,49 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, ver_maj = _gnutls_get_adv_version_major(session); ver_min = _gnutls_get_adv_version_minor(session); @@ -37,7 +38,8 @@ index 289ecbd..4043a64 100644 + * filled in if the key is not found. + */ + ret = _gnutls_psk_pwd_find_entry(session, info->username, -+ strlen(info->username), &pwd_psk); ++ strlen(info->username), &pwd_psk, ++ NULL); + if (ret < 0) + return gnutls_assert_val(ret); + @@ -84,7 +86,7 @@ index 289ecbd..4043a64 100644 /* After this point, any conditional on failure that cause differences * in execution may create a timing or cache access pattern side * channel that can be used as an oracle, so tread carefully */ -@@ -358,31 +381,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, +@@ -354,31 +378,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, /* This is here to avoid the version check attack * discussed above. */ @@ -93,14 +95,16 @@ index 289ecbd..4043a64 100644 - - /* find the key of this username - */ -- ret = -- _gnutls_psk_pwd_find_entry(session, info->username, -- strlen(info->username), &pwd_psk); +- ret = _gnutls_psk_pwd_find_entry(session, info->username, +- strlen(info->username), &pwd_psk, +- NULL); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } -- ++ session->key.key.data[2] = ver_maj; ++ session->key.key.data[3] = ver_min; + - ret = set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret); - if (ret < 0) { - gnutls_assert(); @@ -108,18 +112,15 @@ index 289ecbd..4043a64 100644 - } - - ret = 0; -- cleanup: +-cleanup: - _gnutls_free_key_datum(&pwd_psk); - _gnutls_free_temp_key_datum(&premaster_secret); - - return ret; -+ session->key.key.data[2] = ver_maj; -+ session->key.key.data[3] = ver_min; -+ + return 0; } - static int + static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session, -- 2.33.0 diff --git a/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch b/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch index f2ededa..4da3b7e 100644 --- a/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch +++ b/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch @@ -17,18 +17,18 @@ manner. Signed-off-by: Daiki Ueno Reference: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405 -Conflict: tests/test-chains.h +Conflict: NA --- lib/x509/common.c | 4 ++ - tests/test-chains.h | 124 ++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 128 insertions(+) + tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 129 insertions(+) diff --git a/lib/x509/common.c b/lib/x509/common.c -index 2cc95c9..44317ba 100644 +index 861cace4c..d749a062c 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c -@@ -1771,6 +1771,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t * clist, +@@ -1741,6 +1741,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, break; } @@ -40,10 +40,10 @@ index 2cc95c9..44317ba 100644 insorted[prev] = 1; } diff --git a/tests/test-chains.h b/tests/test-chains.h -index 6355f28..c11a097 100644 +index 9ce23764d..3e559fecd 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h -@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = { +@@ -4260,6 +4260,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = { NULL }; @@ -171,14 +171,15 @@ index 6355f28..c11a097 100644 +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) - # pragma GCC diagnostic push - # pragma GCC diagnostic ignored "-Wunused-variable" -@@ -4442,6 +4565,7 @@ static struct - rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca, - GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1}, -+ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300}, - { NULL, NULL, NULL, 0, 0} + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4571,6 +4694,8 @@ static struct { + GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, + 1620118136, 1 }, ++ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, ++ 1704955300 }, + { NULL, NULL, NULL, 0, 0 } }; -- diff --git a/fix-ipv6-handshake-failed.patch b/fix-ipv6-handshake-failed.patch index 6278865..1e280bc 100644 --- a/fix-ipv6-handshake-failed.patch +++ b/fix-ipv6-handshake-failed.patch @@ -6,31 +6,32 @@ Subject: [PATCH] fix ipv6 handshake failed reason: fix ipv6 handshake failed Signed-off-by: lvying + --- - lib/ext/server_name.c | 4 +++- - lib/str.h | 10 ++++++++++ + lib/ext/server_name.c | 4 +++- + lib/str.h | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c -index 259dc99..f61c1f2 100644 +index a7329d0..7be1ca1 100644 --- a/lib/ext/server_name.c +++ b/lib/ext/server_name.c -@@ -112,7 +112,9 @@ _gnutls_server_name_recv_params(gnutls_session_t session, +@@ -108,7 +108,9 @@ static int _gnutls_server_name_recv_params(gnutls_session_t session, DECR_LEN(data_size, len); - if (type == 0) { /* NAME_DNS */ + if (type == 0) { /* NAME_DNS */ - if (!_gnutls_dnsname_is_valid((char *)p, len)) { -+ _gnutls_debug_log("HSK[%p]: recieve server name: '%.*s'\n", session, len, p); -+ /* fix ipv6 format server name invaild problem */ -+ if (!_gnutls_dnsname_is_valid((char*)p, len) && !_gnutls_ipv6_is_valid((char*)p, len)) { - _gnutls_handshake_log - ("HSK[%p]: Server name is not acceptable: '%.*s'\n", - session, (int)len, p); ++ _gnutls_debug_log("HSK[%p]: recieve server name: '%.*s'\n", session, len, p); ++ /* fix ipv6 format server name invaild problem */ ++ if (!_gnutls_dnsname_is_valid((char*)p, len) && !_gnutls_ipv6_is_valid((char*)p, len)) { + _gnutls_handshake_log( + "HSK[%p]: Server name is not acceptable: '%.*s'\n", + session, (int)len, p); diff --git a/lib/str.h b/lib/str.h -index 9f0e7d6..e0bca4b 100644 +index 1f670cd..aa4b5b2 100644 --- a/lib/str.h +++ b/lib/str.h -@@ -60,6 +60,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size) +@@ -64,6 +64,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size) return 1; } @@ -48,5 +49,5 @@ index 9f0e7d6..e0bca4b 100644 { unsigned i; -- -2.19.1 +2.33.0 diff --git a/gnutls-3.8.0.tar.xz b/gnutls-3.8.0.tar.xz deleted file mode 100644 index caa33cf..0000000 Binary files a/gnutls-3.8.0.tar.xz and /dev/null differ diff --git a/gnutls-3.8.0.tar.xz.sig b/gnutls-3.8.0.tar.xz.sig deleted file mode 100644 index f0f983a..0000000 Binary files a/gnutls-3.8.0.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.8.2.tar.xz b/gnutls-3.8.2.tar.xz new file mode 100644 index 0000000..914c17a Binary files /dev/null and b/gnutls-3.8.2.tar.xz differ diff --git a/gnutls-3.8.2.tar.xz.sig b/gnutls-3.8.2.tar.xz.sig new file mode 100644 index 0000000..88ecb9b Binary files /dev/null and b/gnutls-3.8.2.tar.xz.sig differ diff --git a/gnutls.spec b/gnutls.spec index dbd25b3..99bca99 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ Name: gnutls -Version: 3.8.0 -Release: 3 +Version: 3.8.2 +Release: 1 Summary: The GNU Secure Communication Protocol Library License: LGPLv2.1+ and GPLv3+ @@ -9,9 +9,8 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig Patch0: fix-ipv6-handshake-failed.patch -Patch1: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch -Patch2: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch -Patch3: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch +Patch1: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch +Patch2: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch %bcond_without dane %bcond_with guile @@ -201,6 +200,22 @@ make check %{?_smp_mflags} %endif %changelog +* Mon Jan 29 2024 xuraoqing - 3.8.2-1 +- update to 3.8.2 +- some API and ABI modifications, see NEWS for details +- New option --attime to specify current time +- libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627) +- libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132 +- libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS. +- libgnutls: Add support for RFC 9258 external PSK importer. +- libgnutls: ClientHello extensions are randomized by default, + To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled. +- gnutls-cli: New option --starttls-name. +- libgnutls: transparent KTLS support is extended to FreeBSD kernel. +- libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452). +- libgnutls: Add API functions to perform ECDH and DH key agreement. +- libgnutls: Fix timing side-channel inside RSA-PSK key exchange(CVE-2023-5981). + * Wed Jan 17 2024 xuraoqing - 3.8.0-3 - fix CVE-2024-0553 and CVE-2024-0567