[gnutls-devel] Problem with proxied connections on 3.5.3
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Sat Sep 17 11:49:10 CEST 2016
On Fri, 2016-09-16 at 19:28 +0200, Andreas Metzler wrote:
> On 2016-08-28 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> >
> > On Fri, Aug 26, 2016 at 7:18 PM, Andreas Metzler <ametzler at bebt.de>
> > wrote:
> > >
> > > Hello,
> > >
> > > this is https://bugs.debian.org/835342 reported by
> [...]
> >
> > Something is wrong there. I don't see any changes in gnutls code
> > that could result in it. Could the user bisect since 3.5.2 and try
> > to figure out the change that causes that issue? Is there a
> > reproducer?
> [...]
>
> Hello,
> yes, there is a reproducer, and we now have git bisect:
> --------------------------------------------------------------
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835342#49>
> Hey there,
> After struggling a bit with the process of "bisecting", I think I got
> something :).
> You can view git bisect log here http://pastebin.com/sj1ZbbqA
>
> c801a15bca9ea8f3f7abd4be48bebd36c54eeba2 is the first bad commit
> commit c801a15bca9ea8f3f7abd4be48bebd36c54eeba2
> Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
> Date: Mon Aug 1 10:48:46 2016 +0200
>
> nettle: use rsa_*_key_prepare
>
> Previously we calculated the size of the key directly, but
> by using the rsa_*_key_prepare we benefit from any checks that
> may be introduced in the future. Specifically any checks for
> invalid public keys (e.g., keys that may crash the underlying gmp
> functions).
Thank you. Could I have a capture of the session? My speculation is
that the user is under a man-in-the-middle attack and the presented RSA
public key in the certificate is rejected by rsa_public_key_prepare().
If that is run with nettle 3.2, then the only check is whether N is <
96 bits, which is way too small even for an attacker. Later versions (in
git) have an additional check for N being even. A capture and the
nettle version used will shed some light on the issue.
regards,
Nikos
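To make the diagnosis above concrete, here is an added example (not code from this thread, from gnutls or from nettle) that reproduces the two modulus sanity checks Nikos describes, so an RSA public key pulled out of a captured certificate can be tested offline for the reason it would be rejected. It assumes the thresholds as stated in the message (a modulus below 96 bits is rejected by nettle 3.2; newer nettle additionally rejects an even modulus); the DER encoder/decoder is a minimal hand-written one for PKCS#1 RSAPublicKey, and the sample moduli are constructed values, not real keys.

```python
"""
Sanity checks on an RSA public key modulus, modelled on the behaviour of
nettle's rsa_public_key_prepare() as described in the thread: a modulus
below ~96 bits is rejected, and newer nettle also rejects an even modulus.
The DER helpers let the checks run on a PKCS#1 RSAPublicKey blob, e.g. one
extracted from the certificate a server (or a MITM proxy) presented.
"""
from typing import Optional, Tuple

MIN_MODULUS_BITS = 96  # threshold quoted in the thread for nettle 3.2 (assumption)


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; pad with 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """Parse a PKCS#1 RSAPublicKey and return (n, e)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_modulus(n: int, reject_even: bool = True) -> Optional[str]:
    """Return the rejection reason, or None if the modulus passes both checks.

    reject_even=False mimics nettle 3.2 (size check only); True mimics the
    newer git versions mentioned in the thread.
    """
    if n.bit_length() < MIN_MODULUS_BITS:
        return f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}"
    if reject_even and n % 2 == 0:
        return "modulus is even"
    return None


def check_der_public_key(der: bytes, reject_even: bool = True) -> Optional[str]:
    """Decode a DER RSAPublicKey and run the modulus checks on it."""
    n, _e = decode_rsa_public_key(der)
    return check_modulus(n, reject_even)


if __name__ == "__main__":
    # Constructed sample moduli (not real keys): one too small, one even, one fine.
    samples = (
        ("too small", (1 << 64) | 1),
        ("even", (1 << 2047) | 2),
        ("ok", (1 << 2047) | 1),
    )
    for label, n in samples:
        der = encode_rsa_public_key(n, 65537)
        print(f"{label}: {check_der_public_key(der) or 'accepted'}")
```

Running the checks with reject_even=False and then True shows directly whether a given key would only start failing once a newer nettle is in use, which is the distinction the message asks the nettle version for.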