Version in base suite: 3.7.1-5+deb11u2 Base version: gnutls28_3.7.1-5+deb11u2 Target version: gnutls28_3.7.1-5+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gnutls28/gnutls28_3.7.1-5+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gnutls28/gnutls28_3.7.1-5+deb11u3.dsc changelog | 7 patches/61_01-auth-rsa-side-step-potential-side-channel.patc | 53 ++++++ patches/61_02-rsa-remove-dead-code.patch | 84 +++++++++++ patches/series | 2 4 files changed, 146 insertions(+)
diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog
--- gnutls28-3.7.1/debian/changelog 2022-08-07 14:30:17.000000000 +0000
+++ gnutls28-3.7.1/debian/changelog 2023-02-12 12:59:45.000000000 +0000
@@ -1,3 +1,10 @@
+gnutls28 (3.7.1-5+deb11u3) bullseye-security; urgency=high
+
+ * Fix timing sidechannel vulnerability in RSA decryption.
+ GNUTLS-SA-2020-07-14 CVE-2023-0361
+
+ -- Andreas Metzler Sun, 12 Feb 2023 13:59:45 +0100
+
 gnutls28 (3.7.1-5+deb11u2) bullseye-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc
--- gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.7.1/debian/patches/61_01-auth-rsa-side-step-potential-side-channel.patc 2023-02-12 07:05:01.000000000 +0000
@@ -0,0 +1,53 @@
+From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH 1/3] auth/rsa: side-step potential side-channel
+
+Remove branching that depends on secret data.
+
+Signed-off-by: Alexander Sosedkin
+Signed-off-by: Hubert Kario
+Tested-by: Hubert Kario
+---
+ lib/auth/rsa.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee841d..6b158bacb2 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -153,11 +153,10 @@ _gnutls_get_public_rsa_params(gnutls_session_t session,
+
+ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ size_t _data_size)
+ {
+- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ gnutls_datum_t ciphertext;
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
+ volatile uint8_t check_ver_min;
+@@ -233,19 +232,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+ /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+ ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+ CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+
+- if (ok) {
+- /* call logging function unconditionally so all branches are
+- * indistinguishable for timing and cache access when debug
+- * logging is disabled */
+- _gnutls_no_log("%s", attack_error);
+- } else {
+- _gnutls_debug_log("%s", attack_error);
+- }
+-
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+ session->key.key.data[0] = ver_maj;
+ session->key.key.data[1] = ver_min;
+--
+2.39.1
+
diff -Nru gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch
--- gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.7.1/debian/patches/61_02-rsa-remove-dead-code.patch 2023-02-12 07:05:01.000000000 +0000
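Review bot: The new patch file carries a truncated extension, `61_01-auth-rsa-side-step-potential-side-channel.patc`, in its file header, in the diffstat and in the `debian/patches/series` entry of the last hunk, while every other series entry ends in `.patch`; quilt accepts any name, but the odd suffix reads as a typo and is worth renaming to `.patch` before this lands. The upstream header says `[PATCH 1/3]` and the next file `[PATCH 2/3]`, yet only two patches are carried here; a sentence in the changelog or the patch header stating why the third is not needed for 3.7.1 would save the next maintainer a trip to upstream. After this hunk `ok` is still computed but never read; the following patch removes that, so the two must be applied together rather than cherry-picked. proc_rsa_client_kx begins and ends outside the quoted hunks.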
@@ -0,0 +1,84 @@
+From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
+From: Hubert Kario
+Date: Wed, 8 Feb 2023 14:32:09 +0100
+Subject: [PATCH 2/3] rsa: remove dead code
+
+since the `ok` variable isn't used any more, we can remove all code
+used to calculate it
+
+Signed-off-by: Hubert Kario
+---
+ lib/auth/rsa.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6b158bacb2..858701fe6e 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -157,12 +157,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ {
+ gnutls_datum_t ciphertext;
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
+- volatile uint8_t check_ver_min;
+- volatile uint32_t ok;
+
+ #ifdef ENABLE_SSL3
+ if (get_num_version(session) == GNUTLS_SSL3) {
+ /* SSL 3.0
+ */
+@@ -184,11 +182,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ciphertext.size = dsize;
+ }
+
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+- check_ver_min = (session->internals.allow_wrong_pms == 0);
+
+ session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ if (session->key.key.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+@@ -203,14 +200,13 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ session->key.key.size = 0;
+ gnutls_assert();
+ return ret;
+ }
+
+- ret =
+- gnutls_privkey_decrypt_data2(session->internals.selected_key,
+- 0, &ciphertext, session->key.key.data,
+- session->key.key.size);
++ gnutls_privkey_decrypt_data2(session->internals.selected_key,
++ 0, &ciphertext, session->key.key.data,
++ session->key.key.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+ * channel that can be used as an oracle, so treat very carefully */
+
+ /* Error handling logic:
+@@ -222,20 +218,10 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ * proceed normally. This is to defend against the attack described
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ */
+
+- /* ok is 0 in case of error and 1 in case of success. */
+-
+- /* if ret < 0 */
+- ok = CONSTCHECK_EQUAL(ret, 0);
+- /* session->key.key.data[0] must equal ver_maj */
+- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+ session->key.key.data[0] = ver_maj;
+ session->key.key.data[1] = ver_min;
+--
+2.39.1
+
diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series
--- gnutls28-3.7.1/debian/patches/series 2022-08-07 14:30:17.000000000 +0000
+++ gnutls28-3.7.1/debian/patches/series 2023-02-12 07:06:24.000000000 +0000
@@ -21,3 +21,5 @@
 56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
 56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch
 60-Fix-double-free-during-gnutls_pkcs7_verify.patch
+61_01-auth-rsa-side-step-potential-side-channel.patc
+61_02-rsa-remove-dead-code.patch
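Review bot: The status of `gnutls_privkey_decrypt_data2` is now discarded in the third hunk without a comment on what `session->key.key.data` holds when decryption fails, so the later unconditional `data[0] = ver_maj` / `data[1] = ver_min` writes silently depend on the callee leaving a full `session->key.key.size` worth of premaster bytes in the buffer on error. That contract lives outside this hunk and is presumably what makes ignoring the status safe; a comment at the new call, `/* status intentionally ignored: a failed decryption must not alter control flow here, and key.data is expected to already hold a full-size (random) premaster */`, would make it explicit and discourage a future `if (ret < 0)` from being reintroduced at this point. `ret` remains declared and is still used by the earlier error path (`return ret;` in the same hunk), so no unused-variable warning follows from the change. proc_rsa_client_kx starts and ends outside the quoted hunks.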