Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello,

please speed up propagation of gnutls28 3.5.7-3 to testing. This is a
single-bugfix upload for #848905.

* 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
  35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
  upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
  by PKCS#8 decryption functions when an invalid key is provided. This
  addresses regression on decrypting certain PKCS#8 keys.
  Closes: #848905

unblock gnutls28/3.5.7-3

Thanks in advance, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/06/92627b5d607063eb71903a721233f5901066e9.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1e/16d3b5f659ca4250cdd1a4cf9709b8b85f53fb.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1f/32a0a57aec655b07964a5d98497e025cae7262.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/2b/a9be2c2eb381dc4edf836d798e59bdb361412c.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/52/67bd611b093a4b73120b2b5d283543e88df4bd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/5f/5a02703e99f9e428a82aa80b90688b13f756b8.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/7c/e5a5afbd26492c200471e1c2ba705e922b8c55.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/8f/0f41e04edf62b0a7808b48ea52470517c48b9a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/9a/ddeb34b9f349ee50037cd28d46fc5c9112c6fe.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c1/ead7f61001838e6d88ff1cd74ac74e22c469f4.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c2/f5f35a3622da6852d137d9610c9f94e44e4e67.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c5/ed28d817ac7aaf9d6a0aa028f34f13e57f7a45.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/e5/412e005b4e94b4cc8270a540bb3db74af67b19.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1e/e95a5dada2caafea18c6fb0a31662eaf74fd1b.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/25/49b7cc772d8fd074de0be00f0619db53bee1f1.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/39/bb37cbf9a096e7455e8799ee146f31942120d3.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/49/42f0c0688463070e6410365999f7a60d5bde23.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/85/be5dbc76bf55586a82cf140ae0f179b516acaf.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/97/c2ab04e6f0fa0d5ac7bf71e0e34c86fc3f3d6d.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/99/d619c6678ed0f956097d75c33cc897caf31647.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/9d/6f39cb57ee78768fb728e590d19669272f0816.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/a7/2a600aee19233e265d10b0e78447a952cb822c.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b3/d24cdffab087bfe7d2b92c235a98d7ab0b91c8.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/cd/b980046cd934ff2b0fedb5235e56484dcfadcd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d5/48d9fedb88409e1a5f3e025a2d6eeae871fafd.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d7/b94bc8d9b61dbb6da08afe0c08294819fe7bda.debug

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-1ee95a5dada2caafea18c6fb0a31662eaf74fd1b 39bb37cbf9a096e7455e8799ee146f31942120d3 85be5dbc76bf55586a82cf140ae0f179b516acaf 97c2ab04e6f0fa0d5ac7bf71e0e34c86fc3f3d6d 99d619c6678ed0f956097d75c33cc897caf31647 a72a600aee19233e265d10b0e78447a952cb822c b3d24cdffab087bfe7d2b92c235a98d7ab0b91c8 d548d9fedb88409e1a5f3e025a2d6eeae871fafd d7b94bc8d9b61dbb6da08afe0c08294819fe7bda-] {+1e16d3b5f659ca4250cdd1a4cf9709b8b85f53fb 1f32a0a57aec655b07964a5d98497e025cae7262 2ba9be2c2eb381dc4edf836d798e59bdb361412c 5267bd611b093a4b73120b2b5d283543e88df4bd 5f5a02703e99f9e428a82aa80b90688b13f756b8 7ce5a5afbd26492c200471e1c2ba705e922b8c55 8f0f41e04edf62b0a7808b48ea52470517c48b9a c2f5f35a3622da6852d137d9610c9f94e44e4e67 e5412e005b4e94b4cc8270a540bb3db74af67b19+}
Depends: gnutls-bin (= [-3.5.7-2)-] {+3.5.7-3)+}
Installed-Size: [-991-] {+992+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-4942f0c0688463070e6410365999f7a60d5bde23-] {+c1ead7f61001838e6d88ff1cd74ac74e22c469f4+}
Depends: libgnutls-dane0 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-9d6f39cb57ee78768fb728e590d19669272f0816-] {+c5ed28d817ac7aaf9d6a0aa028f34f13e57f7a45+}
Depends: libgnutls-openssl27 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-openssl27 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutlsxx28 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-dane0 (= [-3.5.7-2),-] {+3.5.7-3),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-2549b7cc772d8fd074de0be00f0619db53bee1f1-] {+9addeb34b9f349ee50037cd28d46fc5c9112c6fe+}
Depends: libgnutls30 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.5.7-2-] {+3.5.7-3+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-cdb980046cd934ff2b0fedb5235e56484dcfadcd-] {+0692627b5d607063eb71903a721233f5901066e9+}
Depends: libgnutlsxx28 (= [-3.5.7-2)-] {+3.5.7-3)+}
Version: [-3.5.7-2-] {+3.5.7-3+}
diff -Nru gnutls28-3.5.7/debian/changelog gnutls28-3.5.7/debian/changelog
--- gnutls28-3.5.7/debian/changelog	2016-12-09 18:10:53.000000000 +0100
+++ gnutls28-3.5.7/debian/changelog	2016-12-20 18:47:13.000000000 +0100
@@ -1,3 +1,14 @@
+gnutls28 (3.5.7-3) unstable; urgency=medium
+
+  * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
+    35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
+    upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
+    by PKCS#8 decryption functions when an invalid key is provided. This
+    addresses regression on decrypting certain PKCS#8 keys.
+    Closes: #848905
+
+ -- Andreas Metzler <ametz...@debian.org>  Tue, 20 Dec 2016 18:47:13 +0100
+
 gnutls28 (3.5.7-2) unstable; urgency=medium
 
   * Upload to unstable.
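Review bot: the changelog entry names the constant `GNUTLS_E_DECRYPTION_FAIL`, but the patch it describes (35_01, line `result = GNUTLS_E_DECRYPTION_FAILED;`) and the new test's check `if (err != GNUTLS_E_DECRYPTION_FAILED)` both use `GNUTLS_E_DECRYPTION_FAILED`; correcting the name in the entry keeps it greppable against the code, and "addresses regression on decrypting" reads better as "addresses a regression when decrypting".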
diff -Nru gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch
--- gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch	2016-12-20 18:39:09.000000000 +0100
@@ -0,0 +1,25 @@
+From e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 13 Dec 2016 11:27:38 +0100
+Subject: [PATCH 1/3] pkcs8: ensure that the correct error code is returned on
+ decryption failure
+
+---
+ lib/x509/privkey_pkcs8.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index 74bb466c6..0094a83a5 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -711,6 +711,7 @@ static int pkcs8_key_decrypt(const gnutls_datum_t * raw_key,
+ 			 &kdf_params, &enc_params, &tmp);
+ 	if (result < 0) {
+ 		gnutls_assert();
++		result = GNUTLS_E_DECRYPTION_FAILED;
+ 		goto error;
+ 	}
+ 
+-- 
+2.11.0
+
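Review bot: the added line `result = GNUTLS_E_DECRYPTION_FAILED;` unconditionally replaces whatever `pkcs8_key_decrypt`'s inner call returned, so callers can no longer see the underlying cause; that is the intended contract (a bad password becomes one well-defined code, distinct from an ASN.1 decoding error), but the original code is now only visible through `gnutls_assert()` debug output, which is worth stating in the patch description. The upstream subject reads "[PATCH 1/3]" and only 1/3 and 2/3 are carried in this upload; note in the changelog or patch header whether 3/3 was deliberately left out.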
diff -Nru gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch
--- gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch	2016-12-20 18:47:13.000000000 +0100
@@ -0,0 +1,143 @@
+From 441d87cdd5548dc03765cc40c3ffc15eb722b474 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 13 Dec 2016 11:41:12 +0100
+Subject: [PATCH 2/3] tests: added test for PKCS#8 encrypted key decoding
+
+This also verifies that the return value when attempting to
+decrypt without a password is GNUTLS_E_DECRYPTION_FAILED.
+---
+ tests/Makefile.am                  |  2 +-
+ tests/pkcs8-key-decode-encrypted.c | 75 ++++++++++++++++++++++++++++++++++++++
+ tests/pkcs8-key-decode.c           | 20 ++++++----
+ 3 files changed, 89 insertions(+), 8 deletions(-)
+ create mode 100644 tests/pkcs8-key-decode-encrypted.c
+
+--- /dev/null
++++ b/tests/pkcs8-key-decode-encrypted.c
+@@ -0,0 +1,75 @@
++/*
++ * Copyright (C) 2015 Red Hat, Inc.
++ *
++ * Author: Daniel Berrange
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++#include "utils.h"
++
++#define PRIVATE_KEY \
++	"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" \
++	"MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiebBrnqPv4owICCAAw\n" \
++	"HQYJYIZIAWUDBAEqBBBykFR6i1My/DYFBYrz1lmABIGQ3XGpp3+v/ENC1S+X7Ay6\n" \
++	"JoquYKuMw6yUmWoGFvPIPA9UWqMve2Uj4l2l96Sywd6iNFP63ow6pIq4wUP6REuY\n" \
++	"ZhCgoAOQomeFqhAhkw6QJCygp5vw2rh9OZ5tiP/Ko6IDTA2rSas91nepHpQOb247\n" \
++	"zta5XzXb5TRkBsVU8tAPADP+wS/vBCS05ne1wmhdD6c6\n" \
++	"-----END ENCRYPTED PRIVATE KEY-----\n"
++
++
++static int test_decode(void)
++{
++  gnutls_x509_privkey_t key;
++  const gnutls_datum_t data = {
++    (unsigned char *)PRIVATE_KEY,
++    strlen(PRIVATE_KEY)
++  };
++  int err;
++
++  if ((err = gnutls_x509_privkey_init(&key)) < 0) {
++    fail("Failed to init key %s\n", gnutls_strerror(err));
++  }
++
++  err = gnutls_x509_privkey_import_pkcs8(key, &data,
++					GNUTLS_X509_FMT_PEM, "", 0);
++  if (err != GNUTLS_E_DECRYPTION_FAILED) {
++    fail("Unexpected error code: %s/%d\n", gnutls_strerror(err), err);
++  }
++
++  err = gnutls_x509_privkey_import_pkcs8(key, &data,
++					GNUTLS_X509_FMT_PEM, "password", 0);
++  if (err != 0) {
++    fail("Unexpected error code: %s\n", gnutls_strerror(err));
++  }
++
++  success("Loaded key\n%s", PRIVATE_KEY);
++
++  gnutls_x509_privkey_deinit(key);
++  return 0;
++}
++
++void doit(void)
++{
++	test_decode();
++}
+--- a/tests/pkcs8-key-decode.c
++++ b/tests/pkcs8-key-decode.c
+@@ -26,6 +26,8 @@
+ #include <string.h>
+ #include <stdlib.h>
+ 
++#include "utils.h"
++
+ # define PRIVATE_KEY					      \
+     "-----BEGIN PRIVATE KEY-----\n"				\
+     "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n"     \
+@@ -46,8 +48,8 @@
+     "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n"	 \
+     "-----END PRIVATE KEY-----\n"
+ 
+-
+-int main(void) {
++static int test_load(void)
++{
+   gnutls_x509_privkey_t key;
+   const gnutls_datum_t data = {
+     (unsigned char *)PRIVATE_KEY,
+@@ -56,19 +58,23 @@ int main(void) {
+   int err;
+ 
+   if ((err = gnutls_x509_privkey_init(&key)) < 0) {
+-    fprintf(stderr, "Failed to init key %s\n", gnutls_strerror(err));
++    fail("Failed to init key %s\n", gnutls_strerror(err));
+     exit(1);
+   }
+ 
+   if ((err = gnutls_x509_privkey_import(key, &data,
+ 					GNUTLS_X509_FMT_PEM)) < 0) {
+-    fprintf(stderr, "Failed to import key %s\n", gnutls_strerror(err));
++    fail("Failed to import key %s\n", gnutls_strerror(err));
+     exit(1);
+   }
+ 
+-#if 0
+-  fprintf(stderr, "Loaded key\n%s", PRIVATE_KEY);
+-#endif
++  success("Loaded key\n%s", PRIVATE_KEY);
++
+   gnutls_x509_privkey_deinit(key);
+   return 0;
+ }
++
++void doit(void)
++{
++	test_load();
++}
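Review bot: the diffstat lists `tests/Makefile.am | 2 +-`, but no hunk for Makefile.am follows, so the new `tests/pkcs8-key-decode-encrypted.c` is never registered and the regression check for GNUTLS_E_DECRYPTION_FAILED will not run during the Debian build; either carry the Makefile.am hunk or record why it was dropped. Also, in `tests/pkcs8-key-decode.c` the `exit(1);` lines are kept after the new `fail(...)` calls, while the encrypted-key variant omits them after `fail(...)`; the two tests should handle failure the same way.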
diff -Nru gnutls28-3.5.7/debian/patches/series gnutls28-3.5.7/debian/patches/series
--- gnutls28-3.5.7/debian/patches/series	2016-12-08 08:20:07.000000000 +0100
+++ gnutls28-3.5.7/debian/patches/series	2016-12-20 18:43:44.000000000 +0100
@@ -1,2 +1,4 @@
 14_version_gettextcat.diff
 30_guile-snarf.diff
+35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch
+35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch
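The patch above is about which error code GnuTLS returns when decrypting a PKCS#8 key fails. As an added example, not code from GnuTLS or from this upload, here is a stdlib-only Python decoder for the outer EncryptedPrivateKeyInfo structure (RFC 5958) with PBES2/PBKDF2 parameters (RFC 8018), run on the test key embedded in the patch's new tests/pkcs8-key-decode-encrypted.c. It shows where the decoding stage ends and the decryption stage begins: damage to the ASN.1 structure is a DecodeError, while a corrupted ciphertext or a wrong password can only be detected after AES-CBC decryption, which the example does not implement (it derives the PBKDF2 key and stops). The DecodeError class, the function names and the 100000-iteration policy threshold are assumptions of this example.

```python
# Added example, not GnuTLS code: decode the outer structure of a PKCS#8
# EncryptedPrivateKeyInfo (PBES2 + PBKDF2 + aes256-CBC), stdlib only.
import base64
import hashlib

# The encrypted test key from tests/pkcs8-key-decode-encrypted.c in the patch.
PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiebBrnqPv4owICCAAw
HQYJYIZIAWUDBAEqBBBykFR6i1My/DYFBYrz1lmABIGQ3XGpp3+v/ENC1S+X7Ay6
JoquYKuMw6yUmWoGFvPIPA9UWqMve2Uj4l2l96Sywd6iNFP63ow6pIq4wUP6REuY
ZhCgoAOQomeFqhAhkw6QJCygp5vw2rh9OZ5tiP/Ko6IDTA2rSas91nepHpQOb247
zta5XzXb5TRkBsVU8tAPADP+wS/vBCS05ne1wmhdD6c6
-----END ENCRYPTED PRIVATE KEY-----
"""

OID_PBES2 = "1.2.840.113549.1.5.13"
OID_PBKDF2 = "1.2.840.113549.1.5.12"
OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"
PRF_OIDS = {"1.2.840.113549.2.7": "sha1", "1.2.840.113549.2.9": "sha256",
            "1.2.840.113549.2.11": "sha512"}


class DecodeError(ValueError):
    """Structural (PEM/ASN.1) problem, distinct from a wrong-password failure."""


def pem_to_der(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----"
            or lines[-1] != "-----END ENCRYPTED PRIVATE KEY-----"):
        raise DecodeError("not an ENCRYPTED PRIVATE KEY PEM block")
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:
        raise DecodeError(f"bad base64: {exc}") from None


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise DecodeError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DecodeError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DecodeError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    t, value, nxt = read_tlv(buf, pos)
    if t != tag:
        raise DecodeError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return value, nxt


def decode_oid(raw):
    if not raw:
        raise DecodeError("empty OID")
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_encrypted_pkcs8(der):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }"""
    outer, end = expect(der, 0, 0x30)
    if end != len(der):
        raise DecodeError("trailing data after EncryptedPrivateKeyInfo")
    alg, pos = expect(outer, 0, 0x30)
    ciphertext, pos = expect(outer, pos, 0x04)
    if pos != len(outer):
        raise DecodeError("unexpected extra field")
    oid, p = expect(alg, 0, 0x06)
    if decode_oid(oid) != OID_PBES2:
        raise DecodeError("only PBES2 is handled")
    pbes2, _ = expect(alg, p, 0x30)
    kdf, p = expect(pbes2, 0, 0x30)
    scheme, _ = expect(pbes2, p, 0x30)
    # PBKDF2-params: salt, iterationCount, keyLength OPTIONAL, prf DEFAULT hmacWithSHA1
    kdf_oid, q = expect(kdf, 0, 0x06)
    if decode_oid(kdf_oid) != OID_PBKDF2:
        raise DecodeError("only PBKDF2 is handled")
    params, _ = expect(kdf, q, 0x30)
    salt, r = expect(params, 0, 0x04)
    iters, r = expect(params, r, 0x02)
    prf = "sha1"
    while r < len(params):                  # optional keyLength INTEGER / prf SEQUENCE
        t, v, r = read_tlv(params, r)
        if t == 0x30:
            prf_oid, _ = expect(v, 0, 0x06)
            prf = PRF_OIDS.get(decode_oid(prf_oid))
            if prf is None:
                raise DecodeError("unknown PRF")
        elif t != 0x02:
            raise DecodeError("unexpected field in PBKDF2-params")
    scheme_oid, s = expect(scheme, 0, 0x06)
    if decode_oid(scheme_oid) != OID_AES256_CBC:
        raise DecodeError("only aes256-CBC is handled")
    iv, _ = expect(scheme, s, 0x04)
    if len(iv) != 16 or not ciphertext or len(ciphertext) % 16:
        raise DecodeError("IV/ciphertext length inconsistent with AES-CBC")
    return {"salt": salt, "iterations": int.from_bytes(iters, "big"),
            "prf": prf, "iv": iv, "ciphertext": ciphertext}


def is_well_formed(der):
    """True when the decoding stage succeeds; says nothing about the password."""
    try:
        parse_encrypted_pkcs8(der)
        return True
    except DecodeError:
        return False


def derive_key(params, password):
    """PBKDF2 with the file's own parameters; aes256-CBC needs a 32-byte key."""
    return hashlib.pbkdf2_hmac(params["prf"], password.encode(), params["salt"],
                               params["iterations"], 32)


def kdf_is_weak(params, min_iterations=100_000):
    """Policy check; the threshold is a constructed example value, not a standard."""
    return params["iterations"] < min_iterations
```

Running `parse_encrypted_pkcs8(pem_to_der(PEM))` on the patch's test key reports PBKDF2-HMAC-SHA1 with 2048 iterations, an 8-byte salt and 144 bytes of aes256-CBC ciphertext. Note that `is_well_formed` still returns True when the last ciphertext block is zeroed: that kind of damage, like a wrong password, is invisible to the decoder and only shows up when decryption fails, which is exactly the boundary the patch makes explicit by mapping it to GNUTLS_E_DECRYPTION_FAILED.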

Attachment: signature.asc
Description: PGP signature