Bug#933538: Proposed fix for stable

Hanno Stock Thu, 28 Nov 2019 09:34:14 -0800

Patch applies to version in stable.

See attached debdiff.


I have built the package in a buster chroot and installed on a buster
system where I previously encountered the bug.

This patch fixes the bug and otherwise SSL connections still seem to
work fine.

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog     2019-06-12 19:21:23.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog     2019-11-28 17:03:35.000000000 +0100
@@ -1,3 +1,13 @@
+gnutls28 (3.6.7-4+deb10u1~1.gbp7c6fcb) UNRELEASED; urgency=medium
+
+  ** SNAPSHOT build @7c6fcba7e7c4e5cfe6f7aa145ec8598876b7db97 **
+
+  * UNRELEASED
+  * 40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
+    from upstream GIT master: Fix interop problems with gnutls 2.x. Closes: 
#933538
+
+ -- Hanno Stock <opensou...@hanno-stock.de>  Thu, 28 Nov 2019 17:03:35 +0100
+
 gnutls28 (3.6.7-4) unstable; urgency=medium
 
   * Cherry-pick important bug-fixes from 3.6.8:
diff -Nru 
gnutls28-3.6.7/debian/patches/40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
 
gnutls28-3.6.7/debian/patches/40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
--- 
gnutls28-3.6.7/debian/patches/40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.6.7/debian/patches/40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
      2019-11-28 16:54:28.000000000 +0100
@@ -0,0 +1,63 @@
+From daa49b9e455d262a1a2bc1b641e72dc004e2cb3e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 3 Aug 2019 21:51:58 +0200
+Subject: [PATCH] _gnutls_epoch_set_keys: do not forbid random padding in
+ TLS1.x CBC ciphersuites
+
+Since some point in 3.6.x we updated the calculation of maximum record size,
+however that did not include the possibility of random record padding available
+for CBC ciphersuites which exceeds the maximum. This commit allows for larger
+sizes for these ciphersuites to account for random padding as applied by
+gnutls 2.12.x.
+
+Resolves: #811
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org>
+---
+ NEWS           |  4 ++++
+ lib/constate.c | 11 +++++++++--
+ lib/record.c   |  4 ++--
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/constate.c b/lib/constate.c
+index 51a4eca30..4c6ca0fd0 100644
+--- a/lib/constate.c
++++ b/lib/constate.c
+@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, 
uint16_t epoch, hs_stage_t
+                       return gnutls_assert_val(ret);
+       }
+ 
+-      if (ver->tls13_sem) {
++      /* The TLS1.3 limit of 256 additional bytes is also enforced under CBC
++       * ciphers to ensure we interoperate with gnutls 2.12.x which could add 
padding
++       * data exceeding the maximum. */
++      if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == 
CIPHER_BLOCK) {
+               session->internals.max_recv_size = 256;
+       } else {
+-              session->internals.max_recv_size = _gnutls_record_overhead(ver, 
params->cipher, params->mac, 1);
++              session->internals.max_recv_size = 0;
++      }
++
++      if (!ver->tls13_sem) {
++              session->internals.max_recv_size += 
_gnutls_record_overhead(ver, params->cipher, params->mac, 1);
+               if (session->internals.allow_large_records != 0)
+                       session->internals.max_recv_size += EXTRA_COMP_SIZE;
+       }
+diff --git a/lib/record.c b/lib/record.c
+index 39d2a16be..7c7e36561 100644
+--- a/lib/record.c
++++ b/lib/record.c
+@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session,
+ 
+       if (record->length == 0 || record->length > 
max_record_recv_size(session)) {
+               _gnutls_audit_log
+-                  (session, "Received packet with illegal length: %u\n",
+-                   (unsigned int) record->length);
++                  (session, "Received packet with illegal length: %u (max: 
%u)\n",
++                   (unsigned int) record->length, 
(unsigned)max_record_recv_size(session));
+ 
+               if (record->length == 0) {
+                       /* Empty, unencrypted records are always unexpected. */
+-- 
+2.23.0
+
diff -Nru gnutls28-3.6.7/debian/patches/series 
gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series        2019-06-12 19:21:15.000000000 
+0200
+++ gnutls28-3.6.7/debian/patches/series        2019-11-28 16:56:31.000000000 
+0100
@@ -5,3 +5,4 @@
 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
+40_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch

signature.asc
Description: OpenPGP digital signature

Bug#933538: Proposed fix for stable

Reply via email to