From tim.kosse at filezilla-project.org Mon Jan 4 11:51:09 2016
From: tim.kosse at filezilla-project.org (Tim Kosse)
Date: Mon, 4 Jan 2016 11:51:09 +0100
Subject: [gnutls-devel] Out-of-bounds read in
gnutls_x509_ext_export_key_usage
Message-ID: <568A4E9D.1060908@filezilla-project.org>
Hi,
there's an out-of-bounds read in gnutls_x509_ext_export_key_usage
(lib/x509/x509_ext.c:1128):
> uint8_t str[2];
> [...]
> result = asn1_write_value(c2, "", str, 9);
It reads 7 more bytes from the stack than it should. The attached patch
fixes this.
Regards,
Tim Kosse
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_x509_ext_export_key_usage.diff
Type: text/x-c
Size: 664 bytes
Desc: not available
URL:
From nmav at gnutls.org Thu Jan 7 00:31:08 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 07 Jan 2016 00:31:08 +0100
Subject: [gnutls-devel] sloth and gnutls
Message-ID: <1452123068.4840.2.camel@gnutls.org>
Hi,
Concerning the sloth attack described in [0] (CVE-2015-7575), note
that it is the same as GNUTLS-SA-2015-2 fixed last May.
regards,
Nikos
[0]. http://www.mitls.org/pages/attacks/SLOTH
From nmav at gnutls.org Fri Jan 8 10:03:20 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Jan 2016 10:03:20 +0100
Subject: [gnutls-devel] gnutls 3.3.20
Message-ID: <1452243800.8569.2.camel@gnutls.org>
Hello,
I've just released gnutls 3.3.20. This is a bug-fix release on
the previous stable branch.
* Version 3.3.20 (released 2016-01-08)
** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey()
when used with PKCS #11 keys.
** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import
their public keys from either a public key object or a certificate.
That is, because private keys do not contain all the required
parameters for a direct import. Reported by Jan Vcelak.
** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11
tokens.
** libgnutls: Fixed out-of-bounds read in
gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse.
** libgnutls: Handle DNS name constraints with a leading dot.
Backported from 3.4.x branch.
** libgnutls: The max-record extension is no longer negotiated on DTLS.
This resolves issue with the max-record being negotiated but
ignored.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
.??A list of GnuTLS mirrors can be
found at .
Here are the XZ compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Fri Jan 8 10:43:03 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Jan 2016 10:43:03 +0100
Subject: [gnutls-devel] gnutls 3.4.8
Message-ID: <1452246183.8569.5.camel@gnutls.org>
Hello,
I've just released gnutls 3.4.8. This version fixes bugs and adds
minor features to the current stable branch.
* Version 3.4.8 (released 2016-01-08)
** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey()
when used with PKCS #11 keys.
** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import
their public keys from either a public key object or a certificate.
That is, because private keys do not contain all the required
parameters for a direct import. Reported by Jan Vcelak.
** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11
tokens.
** libgnutls: Fixed out-of-bounds read in
gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse.
** libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to
conform to draft-ietf-tls-chacha20-poly1305-02.
** libgnutls: Several fixes in PKCS #7 signing which improve
compatibility with the MacOSX tools. Reported by sskaje (#59).
** libgnutls: The max-record extension not negotiated on DTLS. This
resolves issue with the max-record being negotiated but ignored.
** certtool: Added the --p7-include-cert and --p7-show-data options.
** API and ABI modifications:
gnutls_pkcs7_get_embedded_data: Added
Getting the Software
====================
GnuTLS may be downloaded directly from
.??A list of GnuTLS mirrors can be
found at .
Here are the XZ compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From thomas2.klute at uni-dortmund.de Sat Jan 30 01:57:12 2016
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Sat, 30 Jan 2016 01:57:12 +0100
Subject: [gnutls-devel] Certificate generation with certtool 3.4.8: Missing
Key Usage flags
Message-ID: <56AC0A68.2050905@uni-dortmund.de>
Hi everyone,
my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable)
failed at the testing stage due to certificate validation errors.
Looking at the certificates, I found that certtool didn't set Key Usage
extensions correctly. Details below, and you're welcome to ask if you
need additional information. You can find my development version of the
mod_gnutls test suite code at [1].
The test suite creates a self-signed CA based on this template:
> serial=1
> cn="Testing Authority"
> ca
> cert_signing_key
> crl_signing_key
This CA is then used to create certificates for a number of test
entities. This works just fine with GnuTLS 3.3, but with 3.4.8 I
encountered verification failures like this one when using the certificates:
> Chain verification output: Not verified. The certificate is NOT
> trusted. The certificate chain violates the signer's constraints.
And sure enough, the Key Usage extension in the CA certificate does not
look right. It's empty!
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Usage (critical):
> Subject Key Identifier (not critical):
> be4ec811e688f076e64dd557398be8fee83902de
For comparison, it looks as expected in a CA certificate created with
GnuTLS 3.3.15:
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Usage (critical):
> Certificate signing.
> CRL signing.
> Subject Key Identifier (not critical):
> bc128c22d91b272063e7994bf6d9adccbd2cc877
In the test suite I can work around the bug by not setting any key usage
flags at all, but I still think it should be fixed. ;-)
Regards,
Thomas
[1] https://github.com/airtower-luna/mod_gnutls/tree/master/test
From nmav at gnutls.org Sat Jan 30 16:03:56 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 30 Jan 2016 16:03:56 +0100
Subject: [gnutls-devel] Certificate generation with certtool 3.4.8:
Missing Key Usage flags
In-Reply-To: <56AC0A68.2050905@uni-dortmund.de>
References: <56AC0A68.2050905@uni-dortmund.de>
Message-ID:
On Sat, Jan 30, 2016 at 1:57 AM, Thomas Klute
wrote:
> Hi everyone,
>
> my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable)
> failed at the testing stage due to certificate validation errors.
> Looking at the certificates, I found that certtool didn't set Key Usage
> extensions correctly. Details below, and you're welcome to ask if you
> need additional information. You can find my development version of the
> mod_gnutls test suite code at [1].
Thank you Thomas. It seems I was confused as well by a fix on a call
to asn1_write_value(). The calling conventions of asn1_write_value()
seemed tricky. I've reverted the change and added some documentation
to avoid a similar issue in the future.
https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5
regards,
Nikos
From thomas2.klute at uni-dortmund.de Sat Jan 30 23:27:15 2016
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Sat, 30 Jan 2016 23:27:15 +0100
Subject: [gnutls-devel] Certificate generation with certtool 3.4.8:
Missing Key Usage flags
In-Reply-To:
References: <56AC0A68.2050905@uni-dortmund.de>
Message-ID: <56AD38C3.10401@uni-dortmund.de>
Am 30.01.2016 um 16:03 schrieb Nikos Mavrogiannopoulos:
> Thank you Thomas. It seems I was confused as well by a fix on a call
> to asn1_write_value(). The calling conventions of asn1_write_value()
> seemed tricky. I've reverted the change and added some documentation
> to avoid a similar issue in the future.
>
> https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5
Thank you for the quick patch! The problem is gone in the current git
version. :-)
Regards,
Thomas
From ametzler at bebt.de Sun Jan 31 18:03:56 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 31 Jan 2016 18:03:56 +0100
Subject: [gnutls-devel] trivial [patch] fix typos
Message-ID: <20160131170356.GA17265@argenau.bebt.de>
Hello,
find attached a trivial patch fixing some typos found by lintian.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-some-more-typos.patch
Type: text/x-diff
Size: 5848 bytes
Desc: not available
URL: