!119 update to 3.8.2

From: @xuraoqing Reviewed-by: @zcfsite Signed-off-by: @zcfsite
2024-01-29 09:34:40 +00:00 · 2024-01-29 09:34:40 +00:00 · 85a0d88563
commit 85a0d88563
parent db477d677e ecee7e4bf3
9 changed files with 70 additions and 261 deletions
--- a/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
+++ b/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
@ -1,209 +0,0 @@
 From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001                                                                                                                 
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 23 Oct 2023 09:26:57 +0900
 Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
 This removes branching that depends on secret data, porting changes
 for regular RSA key exchange from
 4804febddc2ed958e5ae774de2a8f85edeeff538 and
 80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
 allow_wrong_pms as it was used sorely to control debug output
 depending on the branching.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Conflict::rsa_psk.c
 ---
 lib/auth/rsa.c     |  2 +-
 lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
 lib/gnutls_int.h   |  4 ---
 lib/priority.c     |  1 -
 4 files changed, 35 insertions(+), 62 deletions(-)
 diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
 index 492ec11..dd0fea1 100644
 --- a/lib/auth/rsa.c
 +++ b/lib/auth/rsa.c
@@ -206,7 +206,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, size_t _data_size)
 				     session->key.key.size);
 	/* After this point, any conditional on failure that cause differences
 	 * in execution may create a timing or cache access pattern side
 -	 * channel that can be used as an oracle, so treat very carefully */
 +	 * channel that can be used as an oracle, so tread carefully */
 	/* Error handling logic:
 	 * In case decryption fails then don't inform the peer. Just use the
 diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
 index c1e9ac4..289ecbd 100644
 --- a/lib/auth/rsa_psk.c
 +++ b/lib/auth/rsa_psk.c
@@ -255,14 +255,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 {
 	gnutls_datum_t username;
 	psk_auth_info_t info;
 -	gnutls_datum_t plaintext;
 	gnutls_datum_t ciphertext;
 	gnutls_datum_t pwd_psk = { NULL, 0 };
 	int ret, dsize;
 -	int randomize_key = 0;
 	ssize_t data_size = _data_size;
 	gnutls_psk_server_credentials_t cred;
 	gnutls_datum_t premaster_secret = { NULL, 0 };
 +	volatile uint8_t ver_maj, ver_min;
 	cred = (gnutls_psk_server_credentials_t)
 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
@@ -320,68 +319,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 	}
 	ciphertext.size = dsize;
 -	ret =
 -	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
 -					&ciphertext, &plaintext);
 -	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
 -		/* In case decryption fails then don't inform
 -		 * the peer. Just use a random key. (in order to avoid
 -		 * attack against pkcs-1 formatting).
 -		 */
 +	ver_maj = _gnutls_get_adv_version_major(session);
 +	ver_min = _gnutls_get_adv_version_minor(session);
 +
 +	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
 +	if (premaster_secret.data == NULL) {
 		gnutls_assert();
 -		_gnutls_debug_log
 -		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
 -		if (ret >= 0) {
 -			gnutls_free(plaintext.data);
 -		}
 -		randomize_key = 1;
 -	} else {
 -		/* If the secret was properly formatted, then
 -		 * check the version number.
 -		 */
 -		if (_gnutls_get_adv_version_major(session) != plaintext.data[0]
 -		    || (session->internals.allow_wrong_pms == 0
 -			&& _gnutls_get_adv_version_minor(session) !=
 -			plaintext.data[1])) {
 -			/* No error is returned here, if the version number check
 -			 * fails. We proceed normally.
 -			 * That is to defend against the attack described in the paper
 -			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
 -			 * Ondej Pokorny and Tomas Rosa.
 -			 */
 -			gnutls_assert();
 -			_gnutls_debug_log
 -			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
 -		}
 +		return GNUTLS_E_MEMORY_ERROR;
 	}
 +	premaster_secret.size = GNUTLS_MASTER_SIZE;
 -	if (randomize_key != 0) {
 -		premaster_secret.size = GNUTLS_MASTER_SIZE;
 -		premaster_secret.data = gnutls_malloc(premaster_secret.size);
 -		if (premaster_secret.data == NULL) {
 -			gnutls_assert();
 -			return GNUTLS_E_MEMORY_ERROR;
 -		}
 -
 -		/* we do not need strong random numbers here.
 -		 */
 -		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
 -				 premaster_secret.size);
 -		if (ret < 0) {
 -			gnutls_assert();
 -			goto cleanup;
 -		}
 -	} else {
 -		premaster_secret.data = plaintext.data;
 -		premaster_secret.size = plaintext.size;
 +	/* Fallback value when decryption fails. Needs to be unpredictable. */
 +	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
 +			 premaster_secret.size);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto cleanup;
 	}
 +	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
 +				     &ciphertext, premaster_secret.data,
 +				     premaster_secret.size);
 +	/* After this point, any conditional on failure that cause differences
 +	 * in execution may create a timing or cache access pattern side
 +	 * channel that can be used as an oracle, so tread carefully */
 +
 +	/* Error handling logic:
 +	 * In case decryption fails then don't inform the peer. Just use the
 +	 * random key previously generated. (in order to avoid attack against
 +	 * pkcs-1 formatting).
 +	 *
 +	 * If we get version mismatches no error is returned either. We
 +	 * proceed normally. This is to defend against the attack described
 +	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
 +	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
 +	 */
 +
 	/* This is here to avoid the version check attack
 	 * discussed above.
 	 */
 -
 -	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
 -	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
 +	premaster_secret.data[0] = ver_maj;
 +	premaster_secret.data[1] = ver_min;
 	/* find the key of this username
 	 */
 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
 index 969454b..034059a 100644
 --- a/lib/gnutls_int.h
 +++ b/lib/gnutls_int.h
@@ -977,7 +977,6 @@ struct gnutls_priority_st {
 	bool _no_etm;
 	bool _no_ext_master_secret;
 	bool _allow_key_usage_violation;
 -	bool _allow_wrong_pms;
 	bool _dumbfw;
 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
@@ -995,7 +994,6 @@ struct gnutls_priority_st {
 	      (x)->no_etm = 1; \
 	      (x)->no_ext_master_secret = 1; \
 	      (x)->allow_key_usage_violation = 1; \
 -	      (x)->allow_wrong_pms = 1; \
 	      (x)->dumbfw = 1
 # define ENABLE_PRIO_COMPAT(x) \
@@ -1004,7 +1002,6 @@ struct gnutls_priority_st {
 	      (x)->_no_etm = 1; \
 	      (x)->_no_ext_master_secret = 1; \
 	      (x)->_allow_key_usage_violation = 1; \
 -	      (x)->_allow_wrong_pms = 1; \
 	      (x)->_dumbfw = 1
 /* DH and RSA parameters types.
@@ -1129,7 +1126,6 @@ typedef struct {
 	bool no_etm;
 	bool no_ext_master_secret;
 	bool allow_key_usage_violation;
 -	bool allow_wrong_pms;
 	bool dumbfw;
 	/* old (deprecated) variable. This is used for both srp_prime_bits
 diff --git a/lib/priority.c b/lib/priority.c
 index 154929e..8dd9c42 100644
 --- a/lib/priority.c
 +++ b/lib/priority.c
@@ -725,7 +725,6 @@ int gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
 	COPY_TO_INTERNALS(no_etm);
 	COPY_TO_INTERNALS(no_ext_master_secret);
 	COPY_TO_INTERNALS(allow_key_usage_violation);
 -	COPY_TO_INTERNALS(allow_wrong_pms);
 	COPY_TO_INTERNALS(dumbfw);
 	COPY_TO_INTERNALS(dh_prime_bits);
 -- 
 2.33.0
--- a/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
+++ b/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
@ -10,24 +10,25 @@ decryption.  This also avoids an extra memcpy to session->key.key.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
-Conflicts: lib/auth/rsa_psk.c
+Conflicts: NA
 ---
- lib/auth/rsa_psk.c | 70 ++++++++++++++++++++++++----------------------
+ lib/auth/rsa_psk.c | 69 ++++++++++++++++++++++++----------------------
- 1 file changed, 36 insertions(+), 34 deletions(-)
+ 1 file changed, 36 insertions(+), 33 deletions(-)
 diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
-index 289ecbd..4043a64 100644
+index 99f908460..399fb4da1 100644
 --- a/lib/auth/rsa_psk.c
 +++ b/lib/auth/rsa_psk.c
-@@ -260,7 +260,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+@@ -256,7 +256,6 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
 	int ret, dsize;
 	ssize_t data_size = _data_size;
 	gnutls_psk_server_credentials_t cred;
 -	gnutls_datum_t premaster_secret = { NULL, 0 };
 	volatile uint8_t ver_maj, ver_min;
- 	cred = (gnutls_psk_server_credentials_t)
+ 	cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
-@@ -322,24 +321,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+@@ -318,24 +317,49 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
 	ver_maj = _gnutls_get_adv_version_major(session);
 	ver_min = _gnutls_get_adv_version_minor(session);
@ -37,7 +38,8 @@ index 289ecbd..4043a64 100644
 +	 * filled in if the key is not found.
 +	 */
 +	ret = _gnutls_psk_pwd_find_entry(session, info->username,
-+					 strlen(info->username), &pwd_psk);
+					 strlen(info->username), &pwd_psk,
 +					 NULL);
 +	if (ret < 0)
 +		return gnutls_assert_val(ret);
 +
@ -84,7 +86,7 @@ index 289ecbd..4043a64 100644
 	/* After this point, any conditional on failure that cause differences
 	 * in execution may create a timing or cache access pattern side
 	 * channel that can be used as an oracle, so tread carefully */
-@@ -358,31 +381,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+@@ -354,31 +378,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
 	/* This is here to avoid the version check attack
 	 * discussed above.
 	 */
@ -93,14 +95,16 @@ index 289ecbd..4043a64 100644
 -
 -	/* find the key of this username
 -	 */
-	ret =
+-	ret = _gnutls_psk_pwd_find_entry(session, info->username,
-	    _gnutls_psk_pwd_find_entry(session, info->username,
+-					 strlen(info->username), &pwd_psk,
-				       strlen(info->username), &pwd_psk);
+-					 NULL);
 -	if (ret < 0) {
 -		gnutls_assert();
 -		goto cleanup;
 -	}
-
+	session->key.key.data[2] = ver_maj;
 +	session->key.key.data[3] = ver_min;
 -	ret = set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
 -	if (ret < 0) {
 -		gnutls_assert();
@ -108,18 +112,15 @@ index 289ecbd..4043a64 100644
 -	}
 -
 -	ret = 0;
- cleanup:
+-cleanup:
 -	_gnutls_free_key_datum(&pwd_psk);
 -	_gnutls_free_temp_key_datum(&premaster_secret);
 -
 -	return ret;
 +	session->key.key.data[2] = ver_maj;
 +	session->key.key.data[3] = ver_min;
 +	
 +	return 0;
 }
- static int
+ static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
 -- 
 2.33.0
--- a/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
+++ b/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
@ -17,18 +17,18 @@ manner.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
-Conflict:  tests/test-chains.h
+Conflict:  NA
 ---
 lib/x509/common.c   |   4 ++
- tests/test-chains.h | 124 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 128 insertions(+)
+ 2 files changed, 129 insertions(+)
 diff --git a/lib/x509/common.c b/lib/x509/common.c
-index 2cc95c9..44317ba 100644
+index 861cace4c..d749a062c 100644
 --- a/lib/x509/common.c
 +++ b/lib/x509/common.c
-@@ -1771,6 +1771,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t * clist,
+@@ -1741,6 +1741,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
 			break;
 		}
@ -40,10 +40,10 @@ index 2cc95c9..44317ba 100644
 		insorted[prev] = 1;
 	}
 diff --git a/tests/test-chains.h b/tests/test-chains.h
-index 6355f28..c11a097 100644
+index 9ce23764d..3e559fecd 100644
 --- a/tests/test-chains.h
 +++ b/tests/test-chains.h
-@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
+@@ -4260,6 +4260,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
 	NULL
 };
@ -171,14 +171,15 @@ index 6355f28..c11a097 100644
 +};
 +
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
- #  pragma GCC diagnostic push
+ #pragma GCC diagnostic push
- #  pragma GCC diagnostic ignored "-Wunused-variable"
+ #pragma GCC diagnostic ignored "-Wunused-variable"
-@@ -4442,6 +4565,7 @@ static struct
+@@ -4571,6 +4694,8 @@ static struct {
     rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
 	  GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
-     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
+ 	  GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL,
-+  { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
+ 	  1620118136, 1 },
-   { NULL, NULL, NULL, 0, 0}
+	{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
 +	  1704955300 },
 	{ NULL, NULL, NULL, 0, 0 }
 };
 -- 
--- a/fix-ipv6-handshake-failed.patch
+++ b/fix-ipv6-handshake-failed.patch
@ -6,16 +6,17 @@ Subject: [PATCH] fix ipv6 handshake failed
 reason: fix ipv6 handshake failed
 Signed-off-by: lvying <lvying6@huawei.com>
 ---
 lib/ext/server_name.c |  4 +++-
 lib/str.h             | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
-index 259dc99..f61c1f2 100644
+index a7329d0..7be1ca1 100644
 --- a/lib/ext/server_name.c
 +++ b/lib/ext/server_name.c
-@@ -112,7 +112,9 @@ _gnutls_server_name_recv_params(gnutls_session_t session,
+@@ -108,7 +108,9 @@ static int _gnutls_server_name_recv_params(gnutls_session_t session,
 			DECR_LEN(data_size, len);
 			if (type == 0) { /* NAME_DNS */
@ -23,14 +24,14 @@ index 259dc99..f61c1f2 100644
 +				_gnutls_debug_log("HSK[%p]: recieve server name: '%.*s'\n", session, len, p);
 +				/* fix ipv6 format server name invaild problem */
 +				if (!_gnutls_dnsname_is_valid((char*)p, len) && !_gnutls_ipv6_is_valid((char*)p, len)) {
- 					_gnutls_handshake_log
+ 					_gnutls_handshake_log(
- 					    ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
+ 						"HSK[%p]: Server name is not acceptable: '%.*s'\n",
 						session, (int)len, p);
 diff --git a/lib/str.h b/lib/str.h
-index 9f0e7d6..e0bca4b 100644
+index 1f670cd..aa4b5b2 100644
 --- a/lib/str.h
 +++ b/lib/str.h
-@@ -60,6 +60,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size)
+@@ -64,6 +64,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size)
 	return 1;
 }
@ -48,5 +49,5 @@ index 9f0e7d6..e0bca4b 100644
 {
 	unsigned i;
 -- 
-2.19.1
+2.33.0
--- a/gnutls-3.8.0.tar.xz
+++ b/gnutls-3.8.0.tar.xz
--- a/gnutls-3.8.0.tar.xz.sig
+++ b/gnutls-3.8.0.tar.xz.sig
--- a/gnutls-3.8.2.tar.xz
+++ b/gnutls-3.8.2.tar.xz
--- a/gnutls-3.8.2.tar.xz.sig
+++ b/gnutls-3.8.2.tar.xz.sig
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,6 +1,6 @@
 Name: gnutls
-Version: 3.8.0
+Version: 3.8.2
-Release: 3
+Release: 1
 Summary: The GNU Secure Communication Protocol Library
 License: LGPLv2.1+ and GPLv3+
@ -9,9 +9,8 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
 Patch0: fix-ipv6-handshake-failed.patch
-Patch1: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
+Patch1: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
-Patch2: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
+Patch2: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
 Patch3: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
 %bcond_without dane
 %bcond_with guile
@ -201,6 +200,22 @@ make check %{?_smp_mflags}
 %endif
 %changelog
 * Mon Jan 29 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.2-1
 - update to 3.8.2
 - some API and ABI modifications, see NEWS for details
 - New option --attime to specify current time
 - libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627)
 - libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132
 - libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS.
 - libgnutls: Add support for RFC 9258 external PSK importer.
 - libgnutls: ClientHello extensions are randomized by default,
             To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled.
 - gnutls-cli: New option --starttls-name.
 - libgnutls: transparent KTLS support is extended to FreeBSD kernel.
 - libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452).
 - libgnutls: Add API functions to perform ECDH and DH key agreement.
 - libgnutls: Fix timing side-channel inside RSA-PSK key exchange(CVE-2023-5981).
 * Wed Jan 17 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.0-3
 - fix CVE-2024-0553 and CVE-2024-0567