Your message dated Wed, 06 Feb 2013 12:59:22 +0000
with message-id <627509345c68543383fc9fddda46e...@mail.adsl.funky-badger.org>
and subject line Re: Bug#699891: unblock: gnutls26/2.12.20-4
has caused the Debian Bug report #699891,
regarding unblock: gnutls26/2.12.20-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gnutls26. It contains a bunch of fixes from
upstream's 2.12.22 and 2.12.23 bugfix releases.

+35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
 attack. CVE-2013-0169 CVE-2013-1619. This is the recently published
 "lucky thirteen" TLS attack.
+34_pkcs11_memleak.diff Eliminated memory leak in PKCS #11
 initialization. (Should be quite helpful when running valgrind
 on a gnutls-using package).
+31_allow_key_usage_violation.diff: Always tolerate key usage violation
 errors from the side of the peer, but also notify via an audit message.
+32_record-padding-parsing.patch: Fix record padding parsing issue.
 This was also reported in the "lucky thirteen" paper.
+33_stricter_rsa_pkcs_1.5.diff: Fixes random handshake failures with
 non-GnuTLS implementations.

The watchfile was also updated.

This brings us up to GnuTLS 2.12.23, except for these differences:
- The equivalent change of 33_stricter_rsa_pkcs_1.5.diff for the nettle
  code is not included as it is not relevant for Debian's binary packages.
- 0b9d8d6f21dad85038c6de36d8fbd56271263f64 Corrected bug in PGP subpacket
  encoding.
- Compatibility with libtasn1 3.x, which would require libtasn1 >=2.14.
- Updated gnulib.
- Build system fixes.

I would really like to have all these fixes in squeeze (35 and 32 qualify
as serious, the other ones as important). However, if that is not possible
I can provide a minimal upload (just 32 and 35) for tpu.

unblock gnutls26/2.12.20-4

Thanks for consideration, cu andreas

File lists identical on package level (after any substitutions)

Control files of package gnutls26-doc: lines which differ (wdiff format)
------------------------------------------------------------------------
Installed-Size: [-5737-] {+5738+}
Version: [-2.12.20-2-] {+2.12.20-4+}

Control files of package libgnutls-dev: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-2),-] {+2.12.20-4),+} libgnutlsxx27 (= [-2.12.20-2),-] {+2.12.20-4),+} libgnutls-openssl27 (= [-2.12.20-2),-] {+2.12.20-4),+} libgcrypt11-dev (>= 1.4.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4), libp11-kit-dev (>= 0.4)
Installed-Size: [-1883-] {+1884+}
Version: [-2.12.20-2-] {+2.12.20-4+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-2),-] {+2.12.20-4),+} libc6 (>= 2.4), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0)
Installed-Size: [-272-] {+273+}
Version: [-2.12.20-2-] {+2.12.20-4+}

Control files of package libgnutls26: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-2.12.20-2-] {+2.12.20-4+}

Control files of package libgnutls26-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-2),-] {+2.12.20-4),+} libc6 (>= 2.4), libgcrypt11 (>= 1.4.5), libp11-kit0 (>= 0.11), libtasn1-3 (>= 1.6-0), zlib1g (>= 1:1.1.4)
Installed-Size: [-4332-] {+4335+}
Version: [-2.12.20-2-] {+2.12.20-4+}

Control files of package libgnutlsxx27: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.12.20-2),-] {+2.12.20-4),+} libc6 (>= 2.1.3), libgcc1 (>= 1:4.1.1), libp11-kit0 (>= 0.11), libstdc++6 (>= 4.1.1)
Version: [-2.12.20-2-] {+2.12.20-4+}




diff -Nru gnutls26-2.12.20/debian/changelog gnutls26-2.12.20/debian/changelog
--- gnutls26-2.12.20/debian/changelog	2012-11-13 19:21:44.000000000 +0100
+++ gnutls26-2.12.20/debian/changelog	2013-02-04 19:44:26.000000000 +0100
@@ -1,3 +1,33 @@
+gnutls26 (2.12.20-4) unstable; urgency=high
+
+  * Pull fixes from 2.12.23:
+    + 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11
+      initialization.
+    + 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
+      attack
+
+ -- Andreas Metzler <ametz...@debian.org>  Mon, 04 Feb 2013 19:35:29 +0100
+
+gnutls26 (2.12.20-3) unstable; urgency=low
+
+  * Pull fixes from 2.12.22:
+    +31_allow_key_usage_violation.diff: Always tolerate key usage violation
+     errors from the side of the peer, but also notify via an audit message.
+    +32_record-padding-parsing.patch: Fix record padding parsing issue.
+    +33_stricter_rsa_pkcs_1.5.diff: Fixes random handshake failures with
+     non-GnuTLS implementations.
+    This brings us up to GnuTLS 2.12.22, except for these differences:
+    - The equivalent change of 33_stricter_rsa_pkcs_1.5.diff for the nettle
+      code is not included as it is not relevant for Debian's binary packages.
+    - 0b9d8d6f21dad85038c6de36d8fbd56271263f64 Corrected bug in PGP subpacket
+      encoding.
+    - Compatibility with libtasn1 3.x, which would require libtasn1 >=2.14.
+    - Updated gnulib.
+  * Update watchfile, based on Bart Martens version from q.d.o, but use a)
+    ftp.gnutls.org as mirror and b) limit the the match to 2.x versions.
+
+ -- Andreas Metzler <ametz...@debian.org>  Sun, 06 Jan 2013 10:56:57 +0100
+
 gnutls26 (2.12.20-2) unstable; urgency=low
 
   * 30_strlen_on_null.diff: Fix segfault caused by running strlen() on NULL.
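Review bot: the 2.12.20-4 entry for 35_TLS-CBC_timing-attack.diff should name CVE-2013-0169 and CVE-2013-1619 (both are cited in the unblock request but not in the changelog), otherwise the security tracker cannot match this upload to the issue. Also "PCKS #11" in the 34_pkcs11_memleak.diff line is a typo for "PKCS #11"; it is copied verbatim from the upstream commit message quoted in that patch, but the Debian changelog need not repeat it.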
diff -Nru gnutls26-2.12.20/debian/patches/31_allow_key_usage_violation.diff gnutls26-2.12.20/debian/patches/31_allow_key_usage_violation.diff
--- gnutls26-2.12.20/debian/patches/31_allow_key_usage_violation.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/31_allow_key_usage_violation.diff	2013-01-06 10:30:38.000000000 +0100
@@ -0,0 +1,66 @@
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Description:  
+ ** libgnutls: Always tolerate key usage violation errors from the side
+ of the peer, but also notify via an audit message.
+. 
+ Pulled from uptream GIT, combining
+ http://gitorious.org/gnutls/gnutls/commit/afd6b636d1d9b079699afb0c3b20692edcf5b262
+ and
+ http://gitorious.org/gnutls/gnutls/commit/dbc72ae47b16c6718cb5e53d4a31205bc45d3742
+
+--- gnutls26-2.12.20.orig/lib/gnutls_sig.c
++++ gnutls26-2.12.20/lib/gnutls_sig.c
+@@ -222,7 +222,7 @@ sign_tls_hash (gnutls_session_t session,
+         if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+           {
+             gnutls_assert ();
+-            return GNUTLS_E_KEY_USAGE_VIOLATION;
++            _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+           }
+ 
+       /* External signing. */
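Review bot: the Description promises an audit message, but the replacement in sign_tls_hash is _gnutls_debug_log, a debug-level log rather than an audit channel; if the intent of the two combined upstream commits is a per-session audit message, this should call the audit logging path. It is also worth spelling out in the patch header that after this hunk the if block no longer affects control flow: a certificate without the digitalSignature key usage is now used for signing anyway, with only a log line to show for it.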
+@@ -270,7 +270,7 @@ es_cleanup:
+ }
+ 
+ static int
+-verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
++verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert * cert,
+                     const gnutls_datum_t * hash_concat,
+                     gnutls_datum_t * signature, size_t sha1pos,
+                     gnutls_pk_algorithm_t pk_algo)
+@@ -292,7 +292,7 @@ verify_tls_hash (gnutls_protocol_t ver,
+     if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+       {
+         gnutls_assert ();
+-        return GNUTLS_E_KEY_USAGE_VIOLATION;
++        _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+       }
+ 
+   if (pk_algo == GNUTLS_PK_UNKNOWN)
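Review bot: verify_tls_hash gains a session parameter, but nothing in this hunk reads it; the only new statement is a _gnutls_debug_log call that takes no session. Either use it (an audit message keyed to the session would justify threading it through the three call sites below) or drop the signature change so the backport stays minimal and the three call-site hunks disappear.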
+@@ -425,7 +425,7 @@ _gnutls_handshake_verify_data (gnutls_se
+       dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
+     }
+ 
+-  ret = verify_tls_hash (ver, cert, &dconcat, signature,
++  ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
+                             dconcat.size -
+                             _gnutls_hash_get_algo_len (hash_algo),
+                             _gnutls_sign_get_pk_algorithm (algo));
+@@ -490,7 +490,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gn
+   dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
+ 
+   ret =
+-    verify_tls_hash (ver, cert, &dconcat, signature, 0,
++    verify_tls_hash (session, ver, cert, &dconcat, signature, 0,
+                         cert->subject_pk_algorithm);
+   if (ret < 0)
+     {
+@@ -581,7 +581,7 @@ _gnutls_handshake_verify_cert_vrfy (gnut
+   dconcat.size = 20 + 16;       /* md5+ sha */
+ 
+   ret =
+-    verify_tls_hash (ver, cert, &dconcat, signature, 16,
++    verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
+                         cert->subject_pk_algorithm);
+   if (ret < 0)
+     {
diff -Nru gnutls26-2.12.20/debian/patches/32_record-padding-parsing.patch gnutls26-2.12.20/debian/patches/32_record-padding-parsing.patch
--- gnutls26-2.12.20/debian/patches/32_record-padding-parsing.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/32_record-padding-parsing.patch	2013-01-06 10:32:08.000000000 +0100
@@ -0,0 +1,35 @@
+From 7b65049a81ea02a92fef934318a680afd55e98d2 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Thu, 3 Jan 2013 23:48:38 +0100
+Subject: [PATCH 07/11] Corrected bugs in record padding parsing.
+
+libgnutls: Fixed record padding parsing issue. Reported by Kenny
+Patterson and Nadhem Alfardan.
+http://gitorious.org/gnutls/gnutls/commit/7b65049a81ea02a92fef934318a680afd55e98d2
+
+ 
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 6b83208..9a5d128 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -461,7 +461,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+ {
+   uint8_t MAC[MAX_HASH_SIZE];
+   uint16_t c_length;
+-  uint8_t pad;
++  unsigned int pad;
+   int length;
+   uint16_t blocksize;
+   int ret, i, pad_failed = 0;
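Review bot: the widening of pad from uint8_t to unsigned int deserves a comment, because the reason is only visible in code this patch does not touch: the caller computes pad as the last byte plus one (pad = ciphertext.data[ciphertext.size - 1] + 1, see the lines removed later by 35_TLS-CBC_timing-attack.diff). With an 8-bit variable a pad_len byte of 255 wraps to 0, which makes the short-record comparison trivially pass and skips the padding loop entirely. A one-line comment here would keep the next backporter from reverting it as a no-op.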
+@@ -537,7 +537,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+       /* Check the pading bytes (TLS 1.x)
+        */
+       if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+-        for (i = 2; i < pad; i++)
++        for (i = 2; i <= pad; i++)
+           {
+             if (ciphertext.data[ciphertext.size - i] !=
+                 ciphertext.data[ciphertext.size - 1])
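Review bot: changing i < pad to i <= pad makes the loop inspect ciphertext.data[ciphertext.size - pad], the first padding byte, which the old bound skipped: with pad = pad_len + 1 the padding occupies bytes size-1 down to size-pad, so the old loop left exactly one byte unverified and accepted records whose first padding byte was damaged. The patch header only says "corrected bugs in record padding parsing"; please state which byte was missed, since that is what a reviewer of the Lucky Thirteen report will look for.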
+-- 
+1.7.10.4
+
diff -Nru gnutls26-2.12.20/debian/patches/33_stricter_rsa_pkcs_1.5.diff gnutls26-2.12.20/debian/patches/33_stricter_rsa_pkcs_1.5.diff
--- gnutls26-2.12.20/debian/patches/33_stricter_rsa_pkcs_1.5.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/33_stricter_rsa_pkcs_1.5.diff	2013-01-06 10:46:54.000000000 +0100
@@ -0,0 +1,67 @@
+From 24c6ce144a1e071210dc33cc794690429d74456c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sun, 6 Jan 2013 00:11:01 +0100
+Subject: [PATCH 11/11] libgcrypt code updated with similar checks to nettle
+ code
+
+This is the gcrypt counterpart to
+http://gitorious.org/gnutls/gnutls/commit/9709393ac263d7fbd9f790c884b7b8141c6f4b13
+Stricter RSA PKCS #1 1.5 encoding and decoding. Reported
+by Kikuchi Masashi.
+http://lists.gnutls.org/pipermail/gnutls-devel/2012-December/006016.html
+
+---
+ lib/gcrypt/pk.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/lib/gcrypt/pk.c b/lib/gcrypt/pk.c
+index e3bedaf..b1ce8f9 100644
+--- a/lib/gcrypt/pk.c
++++ b/lib/gcrypt/pk.c
+@@ -121,7 +121,7 @@ _wrap_gcry_pk_encrypt (gnutls_pk_algorithm_t algo,
+       goto cleanup;
+     }
+ 
+-  ret = _gnutls_mpi_dprint_size (res, ciphertext, plaintext->size);
++  ret = _gnutls_mpi_dprint_size (res, ciphertext, (_gnutls_mpi_get_nbits(pk_params->params[0])+7)/8);
+   _gnutls_mpi_release (&res);
+   if (ret < 0)
+     {
+@@ -164,6 +164,12 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorithm_t algo,
+   switch (algo)
+     {
+     case GNUTLS_PK_RSA:
++        if (ciphertext->size != (_gnutls_mpi_get_nbits(pk_params->params[0])+7)/8)
++          {
++            gnutls_assert ();
++            return GNUTLS_E_DECRYPTION_FAILED;
++          }
++
+       if (pk_params->params_nr >= 6)
+         rc = gcry_sexp_build (&s_pkey, NULL,
+                               "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
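Review bot: the early return on a wrong-length ciphertext uses GNUTLS_E_DECRYPTION_FAILED, the same code the rest of the decrypt path returns, which is the right choice: for RSA key exchange the caller must not be able to distinguish a malformed ciphertext from a bad-padding one, or the length check becomes a Bleichenbacher oracle. Add a comment saying this is deliberate so nobody later "improves" it into a more specific error.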
+@@ -363,7 +369,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_t algo, gnutls_datum_t * signature,
+         res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+         gcry_sexp_release (list);
+ 
+-        ret = _gnutls_mpi_dprint (res[0], signature);
++        ret = _gnutls_mpi_dprint_size (res[0], signature, (_gnutls_mpi_get_nbits(pk_params->params[0])+7)/8);
+         if (ret < 0)
+           {
+             gnutls_assert ();
+@@ -424,6 +430,12 @@ _wrap_gcry_pk_verify (gnutls_pk_algorithm_t algo,
+                               pk_params->params[2], pk_params->params[3]);
+       break;
+     case GNUTLS_PK_RSA:
++      if (signature->size != (_gnutls_mpi_get_nbits(pk_params->params[0])+7)/8)
++        {
++          gnutls_assert ();
++          return GNUTLS_E_PK_SIG_VERIFY_FAILED;
++        }
++
+       if (pk_params->params_nr >= 2)
+         rc = gcry_sexp_build (&s_pkey, NULL,
+                               "(public-key(rsa(n%m)(e%m)))",
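Review bot: rejecting signatures whose length is not exactly (nbits+7)/8 is what PKCS #1 requires, but it is a behaviour change for peers that emit minimally encoded integers: a signature whose top octet is zero arrives one byte short, roughly one in 256 signatures. The _gnutls_mpi_dprint_size change in the sign hunk above fixes that on the sending side (which is presumably the "random handshake failures" the Debian patch name refers to); this hunk makes the receiving side fail hard against peers that still send short signatures, and the changelog should say so.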
+-- 
+1.7.10.4
+
diff -Nru gnutls26-2.12.20/debian/patches/34_pkcs11_memleak.diff gnutls26-2.12.20/debian/patches/34_pkcs11_memleak.diff
--- gnutls26-2.12.20/debian/patches/34_pkcs11_memleak.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/34_pkcs11_memleak.diff	2013-02-04 19:16:48.000000000 +0100
@@ -0,0 +1,36 @@
+From 433bc2bdc118ac3b8a83a5fb7d41b3cecdd73cc9 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
+Date: Sun, 3 Feb 2013 13:13:34 -0500
+Subject: [PATCH 1/6] free allocated module name. Reported by Sam Varshavchik.
+
+This is the same fix from the 3.0 branch as:
+
+ ce7caadb  "free allocated module name. Reported by Sam Varshavchik."
+
+** libgnutls: Eliminated memory leak in PCKS #11 initialization.
+Report and fix by Sam Varshavchik.
+
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 59cf686..2bf6b04 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -441,7 +441,7 @@ static int
+ initialize_automatic_p11_kit (void)
+ {
+   struct ck_function_list **modules;
+-  const char *name;
++  char *name;
+   ck_rv_t rv;
+   int i, ret;
+ 
+@@ -466,6 +466,7 @@ initialize_automatic_p11_kit (void)
+           gnutls_assert ();
+           _gnutls_debug_log ("Cannot add registered module: %s\n", name);
+         }
++      free(name);
+     }
+ 
+   free (modules);
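Review bot: free(name) sits at the very end of the loop body, so any continue between the allocation of name and this point (the allocation itself is outside the hunk) would still leak; please confirm there is none. The const char* to char* change is the right signal that this function owns the string, but the patch header should say which p11-kit call hands over ownership, since that is what justifies calling free() here rather than a library release function.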
+-- 
+1.7.10.4
+
diff -Nru gnutls26-2.12.20/debian/patches/35_TLS-CBC_timing-attack.diff gnutls26-2.12.20/debian/patches/35_TLS-CBC_timing-attack.diff
--- gnutls26-2.12.20/debian/patches/35_TLS-CBC_timing-attack.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/35_TLS-CBC_timing-attack.diff	2013-02-04 19:24:15.000000000 +0100
@@ -0,0 +1,183 @@
+Description: avoid a timing attack in TLS CBC record parsing.
+  http://www.gnutls.org/security.html#GNUTLS-SA-2013-1
+  http://www.isg.rhul.ac.uk/tls/
+Origin: upstream, http://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30 http://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e
+Forwarded: not-needed
+Last-Update: 2013-02-04
+
+--- gnutls26-2.12.20.orig/lib/gnutls_hash_int.h
++++ gnutls26-2.12.20/lib/gnutls_hash_int.h
+@@ -97,4 +97,25 @@ void _gnutls_mac_deinit_ssl3_handshake (
+ 
+ int _gnutls_hash_copy (digest_hd_st * dst_handle, digest_hd_st * src_handle);
+ 
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++  switch (algo)
++    {
++    case GNUTLS_DIG_MD5:
++    case GNUTLS_DIG_SHA1:
++    case GNUTLS_DIG_RMD160:
++    case GNUTLS_DIG_SHA256:
++    case GNUTLS_DIG_SHA384:
++    case GNUTLS_DIG_SHA512:
++    case GNUTLS_DIG_SHA224:
++      return 64;
++    default:
++      return 0;
++    }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
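Review bot: _gnutls_get_hash_block_len returns 64 for GNUTLS_DIG_SHA384 and GNUTLS_DIG_SHA512, but those hashes use a 128-byte block and a 16-byte length field, so the boundary arithmetic in dummy_wait ((pad+total) % len > len-9) is wrong for them. Return 128 for the two and make the 9 depend on the algorithm, or document that the workaround only covers the 64-byte-block MACs. The comment above the function should also say what the value is for: a "block length" helper placed in a shared header will be reused.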
+--- gnutls26-2.12.20.orig/lib/gnutls_cipher.c
++++ gnutls26-2.12.20/lib/gnutls_cipher.c
+@@ -1,6 +1,6 @@
+ /*
+- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
+- * Free Software Foundation, Inc.
++ * Copyright (C) 2000-2013 Free Software Foundation, Inc.
++ * Copyright (C) 2013 Nikos Mavrogiannopoulos
+  *
+  * Author: Nikos Mavrogiannopoulos
+  *
+@@ -448,6 +448,48 @@ _gnutls_compressed2ciphertext (gnutls_se
+   return length;
+ }
+ 
++static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext, 
++                       unsigned pad_failed, unsigned int pad, unsigned total, int ver)
++{
++  /* this hack is only needed on CBC ciphers */
++  if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
++    {
++      uint8_t MAC[MAX_HASH_SIZE];
++      unsigned len;
++      digest_hd_st td;
++      int ret;
++
++      ret = mac_init (&td, params->mac_algorithm,
++                      params->read.mac_secret.data,
++                      params->read.mac_secret.size, ver);
++
++      if (ret < 0)
++        return;
++
++      /* force an additional hash compression function evaluation to prevent timing 
++       * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++       */
++      if (pad_failed == 0 && pad > 0) 
++        {
++          len = _gnutls_get_hash_block_len(params->mac_algorithm);
++          if (len > 0)
++            {
++              /* This is really specific to the current hash functions.
++               * It should be removed once a protocol fix is in place.
++               */
++	      if ((pad+total) % len > len-9 && total % len <= len-9) 
++	        {
++	          if (len < plaintext->size)
++                    mac_hash (&td, plaintext->data, len, ver);
++                  else
++                    mac_hash (&td, plaintext->data, plaintext->size, ver);
++                }
++            }
++        }
++
++      mac_deinit (&td, MAC, ver);
++    }
++}
+ 
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+  * Returns the actual compressed packet size.
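Review bot: if mac_init fails, dummy_wait returns without doing any work, so that error path has a different timing profile from the success path; probably unreachable, but it deserves a comment. The literal 9 (one 0x80 byte plus an 8-byte length field) should be a named constant next to the block-length helper it pairs with. When the extra compression is needed, the code hashes min(len, plaintext->size) bytes of plaintext->data, but the name is misleading: at the call site the datum is built from the output buffer, not from the decrypted record, so this is a timing filler over arbitrary bytes and the comment should say so.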
+@@ -461,12 +503,12 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+   uint8_t MAC[MAX_HASH_SIZE];
+   uint16_t c_length;
+-  unsigned int pad;
++  unsigned int pad = 0;
+   int length;
+   uint16_t blocksize;
+   int ret, i, pad_failed = 0;
+   opaque preamble[PREAMBLE_SIZE];
+-  int preamble_size;
++  int preamble_size = 0;
+   int ver = gnutls_protocol_get_version (session);
+   int hash_size = _gnutls_hash_get_algo_len (params->mac_algorithm);
+ 
+@@ -518,31 +560,23 @@ _gnutls_ciphertext2compressed (gnutls_se
+           gnutls_assert ();
+           return GNUTLS_E_DECRYPTION_FAILED;
+         }
+-      pad = ciphertext.data[ciphertext.size - 1] + 1;   /* pad */
+-
+-      if ((int) pad > (int) ciphertext.size - hash_size)
+-        {
+-          gnutls_assert ();
+-          _gnutls_record_log
+-            ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+-             session, pad, ciphertext.size, hash_size);
+-          /* We do not fail here. We check below for the
+-           * the pad_failed. If zero means success.
+-           */
+-          pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+-        }
+-
+-      length = ciphertext.size - hash_size - pad;
++      pad = ciphertext.data[ciphertext.size - 1];   /* pad */
+ 
+-      /* Check the pading bytes (TLS 1.x)
++      /* Check the pading bytes (TLS 1.x). 
++       * Note that we access all 256 bytes of ciphertext for padding check
++       * because there is a timing channel in that memory access (in certain CPUs).
+        */
+       if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+         for (i = 2; i <= pad; i++)
+           {
+-            if (ciphertext.data[ciphertext.size - i] !=
+-                ciphertext.data[ciphertext.size - 1])
++            if (ciphertext.data[ciphertext.size - i] != pad)
+               pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+           }
++          
++      if (pad_failed)
++        pad = 0;
++      length = ciphertext.size - hash_size - pad - 1;
++
+       break;
+     default:
+       gnutls_assert ();
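Review bot: the removed block was the only bound on pad. After this hunk the loop `for (i = 2; i <= pad; i++)` indexes ciphertext.data[ciphertext.size - i] for i up to 255 with no check that pad + hash_size + 1 <= ciphertext.size, and `length = ciphertext.size - hash_size - pad - 1` can go negative when the attacker-controlled pad_len byte is large and the bytes that happen to precede the record compare equal to it. Unless a check earlier in the function (outside this hunk) guarantees ciphertext.size > pad + hash_size, keep a bound here, but implement it the way the rest of the patch does: set pad_failed and clamp pad instead of returning early, so the constant-time behaviour the patch is after survives.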
+@@ -581,24 +615,19 @@ _gnutls_ciphertext2compressed (gnutls_se
+       mac_deinit (&td, MAC, ver);
+     }
+ 
+-  /* This one was introduced to avoid a timing attack against the TLS
+-   * 1.0 protocol.
+-   */
+-  if (pad_failed != 0)
+-    {
+-      gnutls_assert ();
+-      return pad_failed;
+-    }
+-
+   /* HMAC was not the same. 
+    */
+-  if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
++  if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0)
+     {
++      gnutls_datum_t compressed = {compress_data, compress_size};
++      /* HMAC was not the same. */
++      dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size, ver);
++
+       gnutls_assert ();
+       return GNUTLS_E_DECRYPTION_FAILED;
+     }
+ 
+-  /* copy the decrypted stuff to compress_data.
++  /* copy the decrypted stuff to compressed_data.
+    */
+   if (compress_size < length)
+     {
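Review bot: memcmp is not constant-time, and with the padding result now folded into the same condition, the comparison of MAC against ciphertext.data[length] is the remaining data-dependent early exit in this path; a fixed-time compare (XOR-accumulate over hash_size bytes) is cheap and would close it. Also, the `compressed` datum passed to dummy_wait is built from compress_size, the capacity of the output buffer, while the decrypted data is only copied into compress_data below this point, so dummy_wait hashes whatever the buffer previously held. That is fine for a timing filler, but the variable name and the "HMAC was not the same" comment (now duplicated) should be fixed so the next reader does not assume real plaintext is being hashed.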
diff -Nru gnutls26-2.12.20/debian/patches/series gnutls26-2.12.20/debian/patches/series
--- gnutls26-2.12.20/debian/patches/series	2012-11-12 19:28:53.000000000 +0100
+++ gnutls26-2.12.20/debian/patches/series	2013-02-04 19:24:30.000000000 +0100
@@ -4,3 +4,8 @@
 18_gpgerrorinpkgconfig.diff
 20_tests-select.diff
 30_strlen_on_null.diff
+31_allow_key_usage_violation.diff
+32_record-padding-parsing.patch
+33_stricter_rsa_pkcs_1.5.diff
+34_pkcs11_memleak.diff
+35_TLS-CBC_timing-attack.diff
diff -Nru gnutls26-2.12.20/debian/watch gnutls26-2.12.20/debian/watch
--- gnutls26-2.12.20/debian/watch	2012-11-12 19:16:57.000000000 +0100
+++ gnutls26-2.12.20/debian/watch	2013-01-06 11:04:28.000000000 +0100
@@ -1,2 +1,3 @@
 version=3
-ftp://ftp.gnutls.org/pub/gnutls/gnutls-(.*)\.tar\.bz2 debian uupdate
+opts=uversionmangle=s/(.*\d)(pre\d*)$/$1~$2/ \
+ftp://ftp.gnutls.org/gcrypt/gnutls/v2.(\d\d)/gnutls-(2\.\d.*)\.(?:tgz|zip|tar\.(?:gz|bz2|xz))



--- End Message ---
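As an added example, not part of this bug report or of GnuTLS, the following C program models the two record-layer problems the upload addresses: the padding loop bound fixed by 32_record-padding-parsing.patch, and the HMAC compression-count arithmetic that 35_TLS-CBC_timing-attack.diff compensates for. The record layout helper, the constants and every function name are this example's own; the 64-byte block and 9-byte Merkle-Damgard minimum padding match MD5, SHA-1 and SHA-256 only (SHA-384/512 use 128 and 17).

```c
/* Constructed example (not GnuTLS code): TLS 1.x CBC record padding checks
 * and the HMAC compression-count arithmetic behind the Lucky Thirteen
 * timing channel. Assumes a 64-byte hash block and 1+8 bytes of MD padding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_BLOCK 64   /* compression-function input size: MD5, SHA-1, SHA-256 */
#define MD_PAD_MIN  9   /* 0x80 terminator byte plus the 8-byte length field */
#define HASH_LEN   20   /* HMAC-SHA1 tag length, used for the outer hash */

/* Validate the trailing padding of a decrypted TLS 1.x CBC record.
 * Layout: ... | MAC[hash_size] | pad_len bytes of value pad_len | pad_len.
 * corrected=0 reproduces the pre-2.12.22 loop bound (i < pad), which never
 * looks at the first padding byte; corrected=1 uses i <= pad. */
static int padding_ok(const uint8_t *rec, size_t size, size_t hash_size, int corrected)
{
    /* unsigned int on purpose: a pad_len byte of 255 gives pad = 256, which
     * would wrap to 0 in an 8-bit variable and disable the whole check. */
    unsigned int pad = (unsigned int)rec[size - 1] + 1;
    unsigned int i;

    if (pad + hash_size > size)      /* short record: padding would overlap the MAC */
        return 0;
    for (i = 2; corrected ? (i <= pad) : (i < pad); i++)
        if (rec[size - i] != rec[size - 1])
            return 0;
    return 1;
}

/* Compression-function calls needed to HMAC n message bytes: inner hash over
 * (key block + message + MD padding), outer hash over (key block + digest + MD padding). */
static unsigned hmac_compressions(size_t n)
{
    unsigned inner = (unsigned)((HASH_BLOCK + n + MD_PAD_MIN + HASH_BLOCK - 1) / HASH_BLOCK);
    unsigned outer = (unsigned)((HASH_BLOCK + HASH_LEN + MD_PAD_MIN + HASH_BLOCK - 1) / HASH_BLOCK);
    return inner + outer;
}

/* The boundary test the 2.12.23 fix uses: does MACing (total + pad) bytes, which
 * is what a rejected padding forces (pad treated as 0), cost one more
 * compression than MACing total bytes? If so an extra compression is spent
 * on the accepted-padding path to level the two timings. */
static int needs_dummy_compression(size_t total, unsigned pad)
{
    return (total + pad) % HASH_BLOCK > HASH_BLOCK - MD_PAD_MIN
        && total % HASH_BLOCK <= HASH_BLOCK - MD_PAD_MIN;
}

/* Constructed record tail: filler, then pad_len bytes of padding plus the
 * pad_len byte. corrupt_first damages the first (oldest) padding byte, the
 * one the old loop bound skipped. Returns the record length. */
static size_t make_record(uint8_t *rec, size_t size, uint8_t pad_len, int corrupt_first)
{
    memset(rec, 0x41, size);
    memset(rec + size - pad_len - 1, pad_len, pad_len + 1);
    if (corrupt_first)
        rec[size - pad_len - 1] ^= 0xFF;
    return size;
}

/* Returns 1 when the old bound accepts a record that the corrected bound rejects. */
static int demo_off_by_one(void)
{
    uint8_t rec[64];
    size_t n = make_record(rec, sizeof rec, 10, 1);
    return padding_ok(rec, n, HASH_LEN, 0) == 1 && padding_ok(rec, n, HASH_LEN, 1) == 0;
}

int main(void)
{
    uint8_t rec[64];
    size_t n = make_record(rec, sizeof rec, 10, 1);
    printf("old bound accepts corrupt record:   %d\n", padding_ok(rec, n, HASH_LEN, 0));
    printf("fixed bound accepts corrupt record: %d\n", padding_ok(rec, n, HASH_LEN, 1));
    printf("HMAC compressions for 55 vs 56 bytes: %u vs %u\n",
           hmac_compressions(55), hmac_compressions(56));
    printf("extra compression for total=40, pad=20: %d\n", needs_dummy_compression(40, 20));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The first two lines of output show the off-by-one: the old bound reports the damaged record as valid, the corrected one rejects it. The last two show the step in MAC cost that the attack measures and that the dummy compression is meant to hide.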
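Also added here, not from the page and not GnuTLS code: a small C illustration of the length rule behind 33_stricter_rsa_pkcs_1.5.diff, using a toy 64-bit integer in place of an RSA modulus. It shows why a minimal big-endian encoding of a signature or ciphertext is one octet short whenever the top octet is zero, and why the fix both emits exactly k = (nbits+7)/8 octets and rejects anything else on input. The function names and the sample value are constructed for this example.

```c
/* Constructed example (not GnuTLS code): fixed-width (I2OSP) versus minimal
 * integer encoding for RSA PKCS #1 v1.5 signatures and ciphertexts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* k = ceil(modulus_bits / 8), the mandatory length of every RSA output. */
static size_t modulus_octets(unsigned modulus_bits) { return (modulus_bits + 7) / 8; }

/* Minimal big-endian encoding: drops leading zero octets, so an integer whose
 * top octet is zero (about 1 in 256 signatures) comes out one octet short. */
static size_t encode_minimal(uint64_t v, uint8_t *out)
{
    uint8_t tmp[8];
    size_t n = 0, i;
    for (i = 0; i < 8; i++)
        tmp[i] = (uint8_t)(v >> (56 - 8 * i));
    for (i = 0; i < 8 && tmp[i] == 0; i++)
        ;                                   /* skip leading zero octets */
    for (; i < 8; i++)
        out[n++] = tmp[i];
    return n;
}

/* I2OSP: fixed k-octet big-endian encoding, left-padded with zero octets.
 * Assumes v < 2^(8k), which holds for a value reduced modulo n. */
static size_t encode_fixed(uint64_t v, size_t k, uint8_t *out)
{
    size_t i;
    for (i = 0; i < k; i++)
        out[i] = 0;
    for (i = 0; i < 8 && i < k; i++)
        out[k - 1 - i] = (uint8_t)(v >> (8 * i));
    return k;
}

/* Receiver-side rule the patch adds: accept only exactly k octets. */
static int length_ok(size_t len, unsigned modulus_bits)
{
    return len == modulus_octets(modulus_bits);
}

/* Returns 1 when the minimal encoding of a zero-topped value fails the strict
 * length check while the fixed-width encoding of the same value passes it. */
static int demo_short_signature(void)
{
    uint8_t buf[8];
    uint64_t s = 0x00ABCDEF01234567ULL;     /* constructed: top octet is zero */
    size_t n_min = encode_minimal(s, buf);
    size_t n_fix = encode_fixed(s, modulus_octets(64), buf);
    return !length_ok(n_min, 64) && length_ok(n_fix, 64) && buf[0] == 0x00;
}

int main(void)
{
    uint8_t buf[8];
    uint64_t s = 0x00ABCDEF01234567ULL;
    size_t n_min = encode_minimal(s, buf);
    size_t n_fix = encode_fixed(s, modulus_octets(64), buf);
    printf("minimal encoding: %zu octets, accepted=%d\n", n_min, length_ok(n_min, 64));
    printf("fixed encoding:   %zu octets, accepted=%d\n", n_fix, length_ok(n_fix, 64));
    return 0;
}
```

With a real 2048-bit key the same arithmetic gives k = 256, and a peer that prints the signature integer minimally will send 255 octets for about one handshake in 256, which is the intermittent failure pattern the patch name describes.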
--- Begin Message ---
On 06.02.2013 12:22, Andreas Metzler wrote:
> Please unblock package gnutls26. It contains a bunch of fixes from
> upstream's 2.12.22 and 2.12.23 bugfix releases.
> [...]
> I would really like to have all these fixes in squeeze (35 and 32 qualify as
> serious, the other ones as important). However, if that is not possible
> I can provide a minimal upload (just 32 and 35) for tpu.

I assumed you meant wheezy here. :-)

Unblocked; thanks.

Regards,

Adam

--- End Message ---
