fix x509 endless drop and pkcs12 iterations

backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch

@@ -0,0 +1,30 @@
+From 495aa9b57a3ce3ee546a0498ef232b4aa47d0f51 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dbaryshkov@gmail.com>
+Date: Tue, 28 Jan 2020 13:05:14 +0300
+Subject: [PATCH] pkcs12: do not go try calculating pbkdf2 with 0 iterations
+
+Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
+GnuTLS PKCS12 GOST code to check that iter is not 0.
+
+Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
+---
+ .../dcbb6c7d385ddf87823849890768b022dc9e1eff     | Bin 0 -> 1011 bytes
+ lib/x509/pkcs12.c                                |   3 +++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
+index 8c3310d066..6324fb25a3 100644
+--- a/lib/x509/pkcs12.c
++++ b/lib/x509/pkcs12.c
+@@ -867,6 +867,9 @@ _gnutls_pkcs12_gost_string_to_key(gnutls_mac_algorithm_t algo,
+ 	size_t temp_len = sizeof(temp);
+ 	unsigned int pass_len = 0;
+ 
++	if (iter == 0)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ 	if (pass)
+ 		pass_len = strlen(pass);
+ 
+-- 
+2.26.2

backport-x509-drop-endless-loop-in-print_crl.patch

@@ -0,0 +1,34 @@
+From 283af4cd77058ba7fea8cff59c83d3f3f0231f9f Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dbaryshkov@gmail.com>
+Date: Tue, 10 Mar 2020 22:41:54 +0300
+Subject: [PATCH] x509: apply same fix to print_crl
+
+Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
+---
+ lib/x509/output.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index 6f829b06ac..c54902fe4d 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -2290,14 +2290,13 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
+ 								 oid,
+ 								 &sizeof_oid,
+ 								 &critical);
++			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++				break;
+ 			if (err < 0) {
+-				if (err ==
+-				    GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+-					break;
+ 				addf(str,
+ 				     "error: get_extension_info: %s\n",
+ 				     gnutls_strerror(err));
+-				continue;
++				break;
+ 			}
+ 
+ 			if (i == 0)
+-- 
+2.26.2

backport-x509-drop-endless-loop-in-print_crq.patch

@@ -0,0 +1,34 @@
+From 12609f4f97fb9a60d663f81571c07f7d297da0b3 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dbaryshkov@gmail.com>
+Date: Tue, 10 Mar 2020 22:42:02 +0300
+Subject: [PATCH] x509: apply same fix to print_crq
+
+Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
+---
+ lib/x509/output.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index c54902fe4d..be179f5f39 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -2660,14 +2660,13 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
+ 			    gnutls_x509_crq_get_attribute_info(cert, i,
+ 							       oid,
+ 							       &sizeof_oid);
++			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++				break;
+ 			if (err < 0) {
+-				if (err ==
+-				    GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+-					break;
+ 				addf(str,
+ 				     "error: get_extension_info: %s\n",
+ 				     gnutls_strerror(err));
+-				continue;
++				break;
+ 			}
+ 
+ 			if (i == 0)
+-- 
+2.26.2

backport-x509-drop-endless-loop-in-print_extensions.patch

@@ -0,0 +1,38 @@
+From e04f45d0283a80c990a9e1d7537ab871b769fdaf Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dbaryshkov@gmail.com>
+Date: Tue, 10 Mar 2020 12:12:36 +0300
+Subject: [PATCH] x509: drop endless loop in print_extensions
+
+If crq is malformed in extensions part, print_extensions() might loop
+endlessly because gnutls_x509_crq_get_extension_info would return
+unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather
+than bailing out. Fix this by handling this error code properly. Found
+thanks to oss-fuzz.
+
+Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
+---
+ lib/x509/output.c                                 |   6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index 2aa78b478..6f829b06a 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
+ 			return;
+ 		}
+ 
++		if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++			break;
+ 		if (err < 0) {
+-			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+-				break;
+ 			addf(str, "error: get_extension_info: %s\n",
+ 			     gnutls_strerror(err));
+-			continue;
++			break;
+ 		}
+ 
+ 		if (i == 0)
+-- 
+2.26.2

gnutls.spec

@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.6.9
-Release: 6
+Release: 7
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -9,6 +9,10 @@ Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
 Patch0: fix-ipv6-handshake-failed.patch
 Patch1: fix-CVE-2020-11501-zeroed-random.patch
+Patch2: backport-x509-drop-endless-loop-in-print_extensions.patch
+Patch3: backport-x509-drop-endless-loop-in-print_crl.patch
+Patch4: backport-x509-drop-endless-loop-in-print_crq.patch
+Patch5: backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -195,6 +199,9 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Mon Jun 8 2020 Anakin Zhang <benjamin93@163.com> - 3.6.9-7
+- fix x509 drop endless loop and pkcs12 iterations
+
 * Wed Apr 22 2020 Anakin Zhang <benjamin93@163.com> - 3.6.9-6
 - fix CVE-2020-11501