Accepting request 812790 from security:tls

- Fix a memory leak that could lead to a DoS attack against Samba
  servers (bsc#1172663)
  * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
- Temporarily disable broken guile reauth test (bsc#1171565)
  * add gnutls-temporarily_disable_broken_guile_reauth_test (forwarded request 812788 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/812790
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=124

0001-crypto-api-always-allocate-memory-when-serializing-i.patch

@@ -0,0 +1,152 @@
+From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 5 Jun 2020 16:26:33 +0200
+Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t
+
+The AEAD iov interface falls back to serializing the input buffers if
+the low-level cipher doesn't support scatter/gather encryption.
+However, there was a bug in the functions used for the serialization,
+which causes memory leaks under a certain condition (i.e. the number
+of input buffers is 1).
+
+This patch makes the logic of the functions simpler, by removing a
+micro-optimization that tries to minimize the number of calls to
+malloc/free.
+
+The original problem was reported by Marius Steffen in:
+https://bugzilla.samba.org/show_bug.cgi?id=14399
+and the cause was investigated by Alexander Haase in:
+https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/crypto-api.c        | 36 +++++++++++-------------------------
+ tests/aead-cipher-vec.c | 33 ++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 40 deletions(-)
+
+diff --git a/lib/crypto-api.c b/lib/crypto-api.c
+index 45be64ed1f..8524f5ed4f 100644
+--- a/lib/crypto-api.c
++++ b/lib/crypto-api.c
+@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle,
+ struct iov_store_st {
+ 	void *data;
+ 	size_t size;
+-	unsigned allocated;
+ };
+ 
+ static void iov_store_free(struct iov_store_st *s)
+ {
+-	if (s->allocated) {
+-		gnutls_free(s->data);
+-		s->allocated = 0;
+-	}
++	gnutls_free(s->data);
+ }
+ 
+ static int iov_store_grow(struct iov_store_st *s, size_t length)
+ {
+-	if (s->allocated || s->data == NULL) {
+-		s->size += length;
+-		s->data = gnutls_realloc(s->data, s->size);
+-		if (s->data == NULL)
+-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-		s->allocated = 1;
+-	} else {
+-		void *data = s->data;
+-		size_t size = s->size + length;
+-		s->data = gnutls_malloc(size);
+-		memcpy(s->data, data, s->size);
+-		s->size += length;
+-	}
++	void *data;
++
++	s->size += length;
++	data = gnutls_realloc(s->data, s->size);
++	if (data == NULL)
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++	s->data = data;
+ 	return 0;
+ }
+ 
+@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
+ 	memset(dst, 0, sizeof(*dst));
+ 	if (iovcnt == 0) {
+ 		return 0;
+-	} else if (iovcnt == 1) {
+-		dst->data = iov[0].iov_base;
+-		dst->size = iov[0].iov_len;
+-		/* implies: dst->allocated = 0; */
+-		return 0;
+ 	} else {
+ 		int i;
+ 		uint8_t *p;
+@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
+ 
+ 		p = dst->data;
+ 		for (i=0;i<iovcnt;i++) {
+-			memcpy(p, iov[i].iov_base, iov[i].iov_len);
++			if (iov[i].iov_len > 0)
++				memcpy(p, iov[i].iov_base, iov[i].iov_len);
+ 			p += iov[i].iov_len;
+ 		}
+ 
+-		dst->allocated = 1;
+ 		return 0;
+ 	}
+ }
+diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
+index fba9010d9e..6a30a35f7b 100644
+--- a/tests/aead-cipher-vec.c
++++ b/tests/aead-cipher-vec.c
+@@ -49,6 +49,7 @@ static void start(const char *name, int algo)
+ 	giovec_t auth_iov[2];
+ 	uint8_t tag[64];
+ 	size_t tag_size = 0;
++	size_t i;
+ 
+ 	key.data = key16;
+ 	key.size = gnutls_cipher_get_key_size(algo);
+@@ -82,21 +83,23 @@ static void start(const char *name, int algo)
+ 	if (ret < 0)
+ 		fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
+ 
+-	ret = gnutls_aead_cipher_encryptv2(ch,
+-					   iv.data, iv.size,
+-					   auth_iov, 2,
+-					   iov, 3,
+-					   tag, &tag_size);
+-	if (ret < 0)
+-		fail("could not encrypt data: %s\n", gnutls_strerror(ret));
+-
+-	ret = gnutls_aead_cipher_decryptv2(ch,
+-					   iv.data, iv.size,
+-					   auth_iov, 2,
+-					   iov, 3,
+-					   tag, tag_size);
+-	if (ret < 0)
+-		fail("could not decrypt data: %s\n", gnutls_strerror(ret));
++	for (i = 0; i < 2; i++) {
++		ret = gnutls_aead_cipher_encryptv2(ch,
++						   iv.data, iv.size,
++						   auth_iov, 2,
++						   iov, i + 1,
++						   tag, &tag_size);
++		if (ret < 0)
++			fail("could not encrypt data: %s\n", gnutls_strerror(ret));
++
++		ret = gnutls_aead_cipher_decryptv2(ch,
++						   iv.data, iv.size,
++						   auth_iov, 2,
++						   iov, i + 1,
++						   tag, tag_size);
++		if (ret < 0)
++			fail("could not decrypt data: %s\n", gnutls_strerror(ret));
++	}
+ 
+ 	gnutls_aead_cipher_deinit(ch);
+ }
+-- 
+2.25.0
+

gnutls-3.6.13.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38
-size 5958956

gnutls-3.6.14.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63
+size 6069088

gnutls-fips_correct_nettle_soversion.patch

@@ -1,13 +0,0 @@
-Index: gnutls-3.6.12/lib/fips.c
-===================================================================
---- gnutls-3.6.12.orig/lib/fips.c	2019-06-27 06:40:43.000000000 +0200
-+++ gnutls-3.6.12/lib/fips.c	2020-03-16 09:29:39.056332128 +0100
-@@ -136,7 +136,7 @@ void _gnutls_fips_mode_reset_zombie(void
- }
- 
- #define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
--#define NETTLE_LIBRARY_NAME "libnettle.so.6"
-+#define NETTLE_LIBRARY_NAME "libnettle.so.7"
- #define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
- #define GMP_LIBRARY_NAME "libgmp.so.10"
- 

gnutls-temporarily_disable_broken_guile_reauth_test

@@ -0,0 +1,13 @@
+Index: gnutls-3.6.14/guile/Makefile.in
+===================================================================
+--- gnutls-3.6.14.orig/guile/Makefile.in	2020-06-03 15:05:54.000000000 +0200
++++ gnutls-3.6.14/guile/Makefile.in	2020-06-09 09:03:17.267773380 +0200
+@@ -1850,7 +1850,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+ TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
+ 	tests/pkcs-import-export.scm tests/errors.scm \
+ 	tests/x509-certificates.scm tests/x509-auth.scm \
+-	tests/reauth.scm tests/priorities.scm $(am__append_2)
++	tests/priorities.scm $(am__append_2)
+ TESTS_ENVIRONMENT = \
+   GUILE_AUTO_COMPILE=0				\
+   GUILE_WARN_DEPRECATED=detailed

gnutls.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Mon Jun  8 15:41:46 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Fix a memory leak that could lead to a DoS attack against Samba
+  servers (bsc#1172663)
+  * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
+- Temporarily disable broken guile reauth test (bsc#1171565)
+  * add gnutls-temporarily_disable_broken_guile_reauth_test
+
+-------------------------------------------------------------------
+Thu Jun  4 09:39:58 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 3.6.14
+  * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+    The TLS server would not bind the session ticket encryption key with a
+    value supplied by the application until the initial key rotation, allowing
+    attacker to bypass authentication in TLS 1.3 and recover previous
+    conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
+    [GNUTLS-SA-2020-06-03, CVSS: high]
+  * libgnutls: Fixed handling of certificate chain with cross-signed
+    intermediate CA certificates (#1008). (bsc#1172461)
+  * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
+  * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
+    (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
+    Key Identifier (AKI) properly (#989, #991).
+  * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
+  * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
+    Also both accelerated and non-accelerated implementations check key block
+    according to FIPS-140-2 IG A.9 (!1233).
+  * libgnutls: Added support for AES-SIV ciphers (#463).
+  * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
+  * libgnutls: No longer use internal symbols exported from Nettle (!1235)
+  * API and ABI modifications:
+    GNUTLS_CIPHER_AES_128_SIV: Added
+    GNUTLS_CIPHER_AES_256_SIV: Added
+    GNUTLS_CIPHER_AES_192_GCM: Added
+    gnutls_pkcs7_print_signature_info: Added
+- Add key D605848ED7E69871: public key "Daiki Ueno <ueno@unixuser.org>" to
+  the keyring
+- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)
+
 -------------------------------------------------------------------
 Thu Apr  2 09:32:01 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

gnutls.spec

@@ -28,7 +28,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.13
+Version:        3.6.14
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -39,8 +39,9 @@ Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
-Patch2:         gnutls-fips_correct_nettle_soversion.patch
 Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
+Patch5:         0001-crypto-api-always-allocate-memory-when-serializing-i.patch
+Patch6:         gnutls-temporarily_disable_broken_guile_reauth_test
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge