import gnutls-3.6.8-11.el8_2
This commit is contained in:
CentOS Sources
parent
080af499b0
commit
851c991dda
|
|
@ -0,0 +1,85 @@
|
|||
From c2646aeee94e71cb15c90a3147cf3b5b0ca158ca Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Tue, 2 Jun 2020 20:53:11 +0200
|
||||
Subject: [PATCH] stek: differentiate initial state from valid time window of
|
||||
TOTP
|
||||
|
||||
There was a confusion in the TOTP implementation in stek.c. When the
|
||||
mechanism is initialized at the first time, it records the timestamp
|
||||
but doesn't initialize the key. This removes the timestamp recording
|
||||
at the initialization phase, so the key is properly set later.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/stek.c | 17 +++++------------
|
||||
tests/resume-with-previous-stek.c | 4 ++--
|
||||
tests/tls13/prf-early.c | 8 ++++----
|
||||
3 files changed, 11 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/lib/stek.c b/lib/stek.c
|
||||
index 2f885cee3..5ab9e7d2d 100644
|
||||
--- a/lib/stek.c
|
||||
+++ b/lib/stek.c
|
||||
@@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con
|
||||
if (unlikely(session == NULL || key == NULL))
|
||||
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||
|
||||
- if (session->key.totp.last_result == 0) {
|
||||
- int64_t t;
|
||||
- memcpy(session->key.initial_stek, key->data, key->size);
|
||||
- t = totp_next(session);
|
||||
- if (t < 0)
|
||||
- return gnutls_assert_val(t);
|
||||
+ if (unlikely(session->key.totp.last_result != 0))
|
||||
+ return GNUTLS_E_INVALID_REQUEST;
|
||||
|
||||
- session->key.totp.last_result = t;
|
||||
- session->key.totp.was_rotated = 0;
|
||||
-
|
||||
- return GNUTLS_E_SUCCESS;
|
||||
- }
|
||||
+ memcpy(session->key.initial_stek, key->data, key->size);
|
||||
|
||||
- return GNUTLS_E_INVALID_REQUEST;
|
||||
+ session->key.totp.was_rotated = 0;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
|
||||
index f212b188b..05c1c9086 100644
|
||||
--- a/tests/resume-with-previous-stek.c
|
||||
+++ b/tests/resume-with-previous-stek.c
|
||||
@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio)
|
||||
serverx509cred = NULL;
|
||||
}
|
||||
|
||||
- if (num_stek_rotations != 2)
|
||||
- fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations);
|
||||
+ if (num_stek_rotations != 3)
|
||||
+ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations);
|
||||
|
||||
if (serverx509cred)
|
||||
gnutls_certificate_free_credentials(serverx509cred);
|
||||
diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
|
||||
index 414b1db5e..bc3196248 100644
|
||||
--- a/tests/tls13/prf-early.c
|
||||
+++ b/tests/tls13/prf-early.c
|
||||
@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
|
||||
} \
|
||||
}
|
||||
|
||||
-#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68"
|
||||
-#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b"
|
||||
-#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62"
|
||||
-#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b"
|
||||
+#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
|
||||
+#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
|
||||
+#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
|
||||
+#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
|
||||
|
||||
static int handshake_callback_called;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
Version: 3.6.8
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Patch1: gnutls-3.2.7-rpath.patch
|
||||
Patch2: gnutls-3.6.4-no-now-guile.patch
|
||||
Patch3: gnutls-3.6.5-fix-fips-signature-post.patch
|
||||
|
|
@ -15,6 +15,7 @@ Patch12: gnutls-3.6.8-decr-len.patch
|
|||
Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
|
||||
Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch
|
||||
Patch15: gnutls-3.6.12-dtls-random.patch
|
||||
Patch16: gnutls-3.6.14-totp-init.patch
|
||||
%bcond_without dane
|
||||
%if 0%{?rhel}
|
||||
%bcond_with guile
|
||||
|
|
@ -298,6 +299,9 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 8 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-11
|
||||
- Fix CVE-2020-13777 (#1844147)
|
||||
|
||||
* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
|
||||
- Fix CVE-2020-11501 (#1826176)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue