Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
TL;DR: Charybdis 3.4 (Jessie) introduces a regression (CertFP broken) from Charybdis 3.3 (Wheezy). 7-line patch (attached) fixes the issue. Charybdis 3.4 suffers from a regression which breaks authentication in certain scenarios. The bug is now documented upstream here: https://github.com/charybdis-ircd/charybdis/pull/211 To provide some context, IRC servers support authentication through two main mechanisms: passwords and X509 certificates (or CertFP). The latter works fine in 3.3, but has been broken by a code refactoring in 3.4. Since upstream does not test our code path often (GnuTLS, used primarly to avoid OpenSSL licensing issues), this bug has been overlooked for a while. I have produced a simple patch which fixes the issue for Charybdis 3.5 here: https://github.com/charybdis-ircd/charybdis/pull/211/commits/0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467 The patch can be trivially ported to Charybdis 3.4. Such a patch is attached to this bug report. Upstream made its own version of the patch, but I do not recommend using it as it is harder to review and more difficult to backport to 3.4: https://github.com/charybdis-ircd/charybdis/commit/3288fc46483db508acf2dcdd546a5aea54401de5 If this update isn't possible, I will have to go through backports to ship 3.5 in Jessie, but that would be unfortunate because I believe that backports are more for new functionalities than fixing such regressions. Another option would be to ship 3.5 directly in Jessie, as it is now considered to be the "stable" upstream version. However, that diff is actually much larger: 299 files changed, 20157 insertions(+), 14302 deletions(-) I'd be happy to provide a debdiff if that is necessary, but that would be actually harder to use than the provided patch, which is just put in debian/patches with a proper changelog mention. Thanks for your consideration and hard work! -- System Information: Debian Release: 8.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug: https://github.com/charybdis-ircd/charybdis/pull/211 will be factored into 3.5.3, so hold on before merging... >From 0ff0a0592de84dec2a2f46d9f8d6e22f6c1ee467 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Fri, 19 Aug 2016 11:53:59 -0400 Subject: [PATCH] fix error handling in gnutls certfp support --- libratbox/src/gnutls.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libratbox/src/gnutls.c b/libratbox/src/gnutls.c index f51211f..9bb69bb 100644 --- a/libratbox/src/gnutls.c +++ b/libratbox/src/gnutls.c @@ -608,18 +608,17 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method) if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) return 0; - if (gnutls_x509_crt_init(&cert) < 0) - return 0; - cert_list_size = 0; cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); - if (cert_list == NULL) + if (cert_list_size <= 0) { - gnutls_x509_crt_deinit(cert); return 0; } - if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) + if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS) + return 0; + + if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { gnutls_x509_crt_deinit(cert); return 0;
