Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello,

please speed up propagation of gnutls28 3.5.7-3 to testing. This is a single-bugfix upload for #848905.

  * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
    35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
    upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
    by PKCS#8 decryption functions when an invalid key is provided. This
    addresses regression on decrypting certain PKCS#8 keys.
    Closes: #848905

unblock gnutls28/3.5.7-3

Thanks in advance, cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have different names, permissions or owners.]
Control files of package gnutls-bin: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format) ----------------------------------------------------------------------------- Build-Ids: [-1ee95a5dada2caafea18c6fb0a31662eaf74fd1b 39bb37cbf9a096e7455e8799ee146f31942120d3 85be5dbc76bf55586a82cf140ae0f179b516acaf 97c2ab04e6f0fa0d5ac7bf71e0e34c86fc3f3d6d 99d619c6678ed0f956097d75c33cc897caf31647 a72a600aee19233e265d10b0e78447a952cb822c b3d24cdffab087bfe7d2b92c235a98d7ab0b91c8 d548d9fedb88409e1a5f3e025a2d6eeae871fafd d7b94bc8d9b61dbb6da08afe0c08294819fe7bda-] {+1e16d3b5f659ca4250cdd1a4cf9709b8b85f53fb 1f32a0a57aec655b07964a5d98497e025cae7262 2ba9be2c2eb381dc4edf836d798e59bdb361412c 5267bd611b093a4b73120b2b5d283543e88df4bd 5f5a02703e99f9e428a82aa80b90688b13f756b8 7ce5a5afbd26492c200471e1c2ba705e922b8c55 8f0f41e04edf62b0a7808b48ea52470517c48b9a c2f5f35a3622da6852d137d9610c9f94e44e4e67 e5412e005b4e94b4cc8270a540bb3db74af67b19+} Depends: gnutls-bin (= [-3.5.7-2)-] {+3.5.7-3)+} Installed-Size: [-991-] {+992+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package gnutls-doc: lines which differ (wdiff 
format) ---------------------------------------------------------------------- Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-dane0: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Build-Ids: [-4942f0c0688463070e6410365999f7a60d5bde23-] {+c1ead7f61001838e6d88ff1cd74ac74e22c469f4+} Depends: libgnutls-dane0 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) ------------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------------- Build-Ids: [-9d6f39cb57ee78768fb728e590d19669272f0816-] {+c5ed28d817ac7aaf9d6a0aa028f34f13e57f7a45+} Depends: libgnutls-openssl27 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-openssl27 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutlsxx28 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-dane0 (= [-3.5.7-2),-] {+3.5.7-3),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls30: lines which differ (wdiff format) ----------------------------------------------------------------------- 
Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) ------------------------------------------------------------------------------ Build-Ids: [-2549b7cc772d8fd074de0be00f0619db53bee1f1-] {+9addeb34b9f349ee50037cd28d46fc5c9112c6fe+} Depends: libgnutls30 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutlsxx28: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------- Build-Ids: [-cdb980046cd934ff2b0fedb5235e56484dcfadcd-] {+0692627b5d607063eb71903a721233f5901066e9+} Depends: libgnutlsxx28 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} diff -Nru gnutls28-3.5.7/debian/changelog gnutls28-3.5.7/debian/changelog --- gnutls28-3.5.7/debian/changelog 2016-12-09 18:10:53.000000000 +0100 +++ gnutls28-3.5.7/debian/changelog 2016-12-20 18:47:13.000000000 +0100 
@@ -1,3 +1,14 @@ +gnutls28 (3.5.7-3) unstable; urgency=medium + + * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch, + 35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from + upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned + by PKCS#8 decryption functions when an invalid key is provided. This + addresses regression on decrypting certain PKCS#8 keys. + Closes: #848905 + + -- Andreas Metzler <ametz...@debian.org> Tue, 20 Dec 2016 18:47:13 +0100 + gnutls28 (3.5.7-2) unstable; urgency=medium * Upload to unstable. diff -Nru gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch --- gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch 2016-12-20 18:39:09.000000000 +0100 
@@ -0,0 +1,25 @@ +From e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 13 Dec 2016 11:27:38 +0100 +Subject: [PATCH 1/3] pkcs8: ensure that the correct error code is returned on + decryption failure + +--- + lib/x509/privkey_pkcs8.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c +index 74bb466c6..0094a83a5 100644 +--- a/lib/x509/privkey_pkcs8.c ++++ b/lib/x509/privkey_pkcs8.c +@@ -711,6 +711,7 @@ static int pkcs8_key_decrypt(const gnutls_datum_t * raw_key, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); ++ result = GNUTLS_E_DECRYPTION_FAILED; + goto error; + } + +-- +2.11.0 + diff -Nru gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch --- gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch 2016-12-20 18:47:13.000000000 +0100 
@@ -0,0 +1,143 @@ +From 441d87cdd5548dc03765cc40c3ffc15eb722b474 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 13 Dec 2016 11:41:12 +0100 +Subject: [PATCH 2/3] tests: added test for PKCS#8 encrypted key decoding + +This also verifies that the return value when attempting to +decrypt without a password is GNUTLS_E_DECRYPTION_FAILED. +--- + tests/Makefile.am | 2 +- + tests/pkcs8-key-decode-encrypted.c | 75 ++++++++++++++++++++++++++++++++++++++ + tests/pkcs8-key-decode.c | 20 ++++++---- + 3 files changed, 89 insertions(+), 8 deletions(-) + create mode 100644 tests/pkcs8-key-decode-encrypted.c + +--- /dev/null ++++ b/tests/pkcs8-key-decode-encrypted.c +@@ -0,0 +1,75 @@ ++/* ++ * Copyright (C) 2015 Red Hat, Inc. ++ * ++ * Author: Daniel Berrange ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. 
++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#include <gnutls/gnutls.h> ++#include <gnutls/x509.h> ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++ ++#include "utils.h" ++ ++#define PRIVATE_KEY \ ++ "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" \ ++ "MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiebBrnqPv4owICCAAw\n" \ ++ "HQYJYIZIAWUDBAEqBBBykFR6i1My/DYFBYrz1lmABIGQ3XGpp3+v/ENC1S+X7Ay6\n" \ ++ "JoquYKuMw6yUmWoGFvPIPA9UWqMve2Uj4l2l96Sywd6iNFP63ow6pIq4wUP6REuY\n" \ ++ "ZhCgoAOQomeFqhAhkw6QJCygp5vw2rh9OZ5tiP/Ko6IDTA2rSas91nepHpQOb247\n" \ ++ "zta5XzXb5TRkBsVU8tAPADP+wS/vBCS05ne1wmhdD6c6\n" \ ++ "-----END ENCRYPTED PRIVATE KEY-----\n" ++ ++ ++static int test_decode(void) ++{ ++ gnutls_x509_privkey_t key; ++ const gnutls_datum_t data = { ++ (unsigned char *)PRIVATE_KEY, ++ strlen(PRIVATE_KEY) ++ }; ++ int err; ++ ++ if ((err = gnutls_x509_privkey_init(&key)) < 0) { ++ fail("Failed to init key %s\n", gnutls_strerror(err)); ++ } ++ ++ err = gnutls_x509_privkey_import_pkcs8(key, &data, ++ GNUTLS_X509_FMT_PEM, "", 0); ++ if (err != GNUTLS_E_DECRYPTION_FAILED) { ++ fail("Unexpected error code: %s/%d\n", gnutls_strerror(err), err); ++ } ++ ++ err = gnutls_x509_privkey_import_pkcs8(key, &data, ++ GNUTLS_X509_FMT_PEM, "password", 0); ++ if (err != 0) { ++ fail("Unexpected error code: %s\n", gnutls_strerror(err)); ++ } ++ ++ success("Loaded key\n%s", PRIVATE_KEY); ++ ++ gnutls_x509_privkey_deinit(key); ++ return 0; ++} ++ ++void doit(void) ++{ ++ test_decode(); ++} +--- a/tests/pkcs8-key-decode.c ++++ b/tests/pkcs8-key-decode.c +@@ -26,6 +26,8 @@ + #include <string.h> + #include <stdlib.h> + ++#include "utils.h" ++ + # define PRIVATE_KEY \ + "-----BEGIN PRIVATE KEY-----\n" \ + "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \ +@@ -46,8 +48,8 @@ + 
"dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \ + "-----END PRIVATE KEY-----\n" + +- +-int main(void) { ++static int test_load(void) ++{ + gnutls_x509_privkey_t key; + const gnutls_datum_t data = { + (unsigned char *)PRIVATE_KEY, +@@ -56,19 +58,23 @@ int main(void) { + int err; + + if ((err = gnutls_x509_privkey_init(&key)) < 0) { +- fprintf(stderr, "Failed to init key %s\n", gnutls_strerror(err)); ++ fail("Failed to init key %s\n", gnutls_strerror(err)); + exit(1); + } + + if ((err = gnutls_x509_privkey_import(key, &data, + GNUTLS_X509_FMT_PEM)) < 0) { +- fprintf(stderr, "Failed to import key %s\n", gnutls_strerror(err)); ++ fail("Failed to import key %s\n", gnutls_strerror(err)); + exit(1); + } + +-#if 0 +- fprintf(stderr, "Loaded key\n%s", PRIVATE_KEY); +-#endif ++ success("Loaded key\n%s", PRIVATE_KEY); ++ + gnutls_x509_privkey_deinit(key); + return 0; + } ++ ++void doit(void) ++{ ++ test_load(); ++} diff -Nru gnutls28-3.5.7/debian/patches/series gnutls28-3.5.7/debian/patches/series --- gnutls28-3.5.7/debian/patches/series 2016-12-08 08:20:07.000000000 +0100 +++ gnutls28-3.5.7/debian/patches/series 2016-12-20 18:43:44.000000000 +0100 @@ -1,2 +1,4 @@ 14_version_gettextcat.diff 30_guile-snarf.diff +35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch +35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch
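Review bot: the new debian/changelog entry spells the error code GNUTLS_E_DECRYPTION_FAIL, but 35_01 assigns GNUTLS_E_DECRYPTION_FAILED and the test in 35_02 compares against that same name. Use GNUTLS_E_DECRYPTION_FAILED in the entry so that searching the changelog for the symbol finds this fix.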
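Review bot: in pkcs8_key_decrypt() (lib/x509/privkey_pkcs8.c, hunk at -711) the added "result = GNUTLS_E_DECRYPTION_FAILED;" overwrites every negative result of the preceding call, so any failure of that call which is not caused by a wrong key or password would also reach the caller as a decryption failure. The original value is discarded without being kept anywhere. Consider recording the original result before overwriting it, or mapping only the codes that really mean a bad key, and add a one-line comment saying why the code is normalised here; the patch has an empty description, so the reason is only visible from the subject line.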
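Review bot: the diffstat of 35_02 lists tests/Makefile.am (2 +-), yet no tests/Makefile.am hunk appears in the patch as shipped here, so nothing visible adds pkcs8-key-decode-encrypted to the test list; confirm that the new test is built and run, or state in the patch header that the hunk was dropped on purpose. In test_decode() of the new tests/pkcs8-key-decode-encrypted.c the failing case passes "" as the password, while the commit message speaks of decrypting without a password; a NULL-password call and a wrong non-empty password, each expected to return GNUTLS_E_DECRYPTION_FAILED, would cover the behaviour the fix is meant to guarantee. The header of the new file also carries a 2015 copyright and an author different from the From: line of this 2016 patch, which is worth checking.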
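Review bot: in test_load() (tests/pkcs8-key-decode.c, hunk at -56) both "exit(1);" lines are kept after the new fail(...) calls, whereas the new pkcs8-key-decode-encrypted.c has no exit after fail(). If fail() terminates the test, these lines are dead code and should be removed; if it does not, the new file needs the same exits. test_load() also still returns int although doit() ignores the value, so either make it void or check the result.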