From tim.kosse at filezilla-project.org Mon Jan 4 11:51:09 2016 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Mon, 4 Jan 2016 11:51:09 +0100 Subject: [gnutls-devel] Out-of-bounds read in gnutls_x509_ext_export_key_usage Message-ID: <568A4E9D.1060908@filezilla-project.org> Hi, there's an out-of-bounds read in gnutls_x509_ext_export_key_usage (lib/x509/x509_ext.c:1128): > uint8_t str[2]; > [...] > result = asn1_write_value(c2, "", str, 9); It reads 7 more bytes from the stack than it should. The attached patch fixes this. Regards, Tim Kosse -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls_x509_ext_export_key_usage.diff Type: text/x-c Size: 664 bytes Desc: not available URL: From nmav at gnutls.org Thu Jan 7 00:31:08 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 07 Jan 2016 00:31:08 +0100 Subject: [gnutls-devel] sloth and gnutls Message-ID: <1452123068.4840.2.camel@gnutls.org> Hi, Concerning the sloth attack described in [0] (CVE-2015-7575), note that it is the same as GNUTLS-SA-2015-2 fixed last May. regards, Nikos [0]. http://www.mitls.org/pages/attacks/SLOTH From nmav at gnutls.org Fri Jan 8 10:03:20 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 08 Jan 2016 10:03:20 +0100 Subject: [gnutls-devel] gnutls 3.3.20 Message-ID: <1452243800.8569.2.camel@gnutls.org> Hello, I've just released gnutls 3.3.20. This is a bug-fix release on the previous stable branch. * Version 3.3.20 (released 2016-01-08) ** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when used with PKCS #11 keys. ** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import their public keys from either a public key object or a certificate. That is, because private keys do not contain all the required parameters for a direct import. Reported by Jan Vcelak. ** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 tokens. ** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse. ** libgnutls: Handle DNS name constraints with a leading dot. Backported from 3.4.x branch. ** libgnutls: The max-record extension is no longer negotiated on DTLS. This resolves issue with the max-record being negotiated but ignored. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri Jan 8 10:43:03 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 08 Jan 2016 10:43:03 +0100 Subject: [gnutls-devel] gnutls 3.4.8 Message-ID: <1452246183.8569.5.camel@gnutls.org> Hello, I've just released gnutls 3.4.8. This version fixes bugs and adds minor features to the current stable branch. * Version 3.4.8 (released 2016-01-08) ** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when used with PKCS #11 keys. ** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import their public keys from either a public key object or a certificate. That is, because private keys do not contain all the required parameters for a direct import. Reported by Jan Vcelak. ** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 tokens. ** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse. ** libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to conform to draft-ietf-tls-chacha20-poly1305-02. ** libgnutls: Several fixes in PKCS #7 signing which improve compatibility with the MacOSX tools. Reported by sskaje (#59). ** libgnutls: The max-record extension not negotiated on DTLS. This resolves issue with the max-record being negotiated but ignored. ** certtool: Added the --p7-include-cert and --p7-show-data options. ** API and ABI modifications: gnutls_pkcs7_get_embedded_data: Added Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From thomas2.klute at uni-dortmund.de Sat Jan 30 01:57:12 2016 From: thomas2.klute at uni-dortmund.de (Thomas Klute) Date: Sat, 30 Jan 2016 01:57:12 +0100 Subject: [gnutls-devel] Certificate generation with certtool 3.4.8: Missing Key Usage flags Message-ID: <56AC0A68.2050905@uni-dortmund.de> Hi everyone, my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable) failed at the testing stage due to certificate validation errors. Looking at the certificates, I found that certtool didn't set Key Usage extensions correctly. Details below, and you're welcome to ask if you need additional information. You can find my development version of the mod_gnutls test suite code at [1]. The test suite creates a self-signed CA based on this template: > serial=1 > cn="Testing Authority" > ca > cert_signing_key > crl_signing_key This CA is then used to create certificates for a number of test entities. This works just fine with GnuTLS 3.3, but with 3.4.8 I encountered verification failures like this one when using the certificates: > Chain verification output: Not verified. The certificate is NOT > trusted. The certificate chain violates the signer's constraints. And sure enough, the Key Usage extension in the CA certificate does not look right. It's empty! > Extensions: > Basic Constraints (critical): > Certificate Authority (CA): TRUE > Key Usage (critical): > Subject Key Identifier (not critical): > be4ec811e688f076e64dd557398be8fee83902de For comparison, it looks as expected in a CA certificate created with GnuTLS 3.3.15: > Extensions: > Basic Constraints (critical): > Certificate Authority (CA): TRUE > Key Usage (critical): > Certificate signing. > CRL signing. > Subject Key Identifier (not critical): > bc128c22d91b272063e7994bf6d9adccbd2cc877 In the test suite I can work around the bug by not setting any key usage flags at all, but I still think it should be fixed. ;-) Regards, Thomas [1] https://github.com/airtower-luna/mod_gnutls/tree/master/test From nmav at gnutls.org Sat Jan 30 16:03:56 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 30 Jan 2016 16:03:56 +0100 Subject: [gnutls-devel] Certificate generation with certtool 3.4.8: Missing Key Usage flags In-Reply-To: <56AC0A68.2050905@uni-dortmund.de> References: <56AC0A68.2050905@uni-dortmund.de> Message-ID: On Sat, Jan 30, 2016 at 1:57 AM, Thomas Klute wrote: > Hi everyone, > > my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable) > failed at the testing stage due to certificate validation errors. > Looking at the certificates, I found that certtool didn't set Key Usage > extensions correctly. Details below, and you're welcome to ask if you > need additional information. You can find my development version of the > mod_gnutls test suite code at [1]. Thank you Thomas. It seems I was confused as well by a fix on a call to asn1_write_value(). The calling conventions of asn1_write_value() seemed tricky. I've reverted the change and added some documentation to avoid a similar issue in the future. https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5 regards, Nikos From thomas2.klute at uni-dortmund.de Sat Jan 30 23:27:15 2016 From: thomas2.klute at uni-dortmund.de (Thomas Klute) Date: Sat, 30 Jan 2016 23:27:15 +0100 Subject: [gnutls-devel] Certificate generation with certtool 3.4.8: Missing Key Usage flags In-Reply-To: References: <56AC0A68.2050905@uni-dortmund.de> Message-ID: <56AD38C3.10401@uni-dortmund.de> Am 30.01.2016 um 16:03 schrieb Nikos Mavrogiannopoulos: > Thank you Thomas. It seems I was confused as well by a fix on a call > to asn1_write_value(). The calling conventions of asn1_write_value() > seemed tricky. I've reverted the change and added some documentation > to avoid a similar issue in the future. > > https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5 Thank you for the quick patch! The problem is gone in the current git version. :-) Regards, Thomas From ametzler at bebt.de Sun Jan 31 18:03:56 2016 From: ametzler at bebt.de (Andreas Metzler) Date: Sun, 31 Jan 2016 18:03:56 +0100 Subject: [gnutls-devel] trivial [patch] fix typos Message-ID: <20160131170356.GA17265@argenau.bebt.de> Hello, find attached a trivial patch fixing some typos found by lintian. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-some-more-typos.patch Type: text/x-diff Size: 5848 bytes Desc: not available URL: