authorAndreas Metzler <ametzler@bebt.de>2017-08-10 09:49:39 (GMT)
committerAndreas Metzler <ametzler@bebt.de>2017-08-10 09:50:03 (GMT)
commitaebb4e1b78758d6395e17a3137f2c67a2fb7a334 (patch)
treeed780f42f29c9796910a8c4843442f6be74ec697
parent1c34c62465dca20c953aae06b31a4e0b61791932 (diff)
Fix OCSP verification errors3.5.8-5+deb9u3gnutls28_09_stretch
38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa signatures. https://gitlab.com/gnutls/gnutls/issues/223 Thanks to Nikos Mavrogiannopoulos for the suggestion.
-rw-r--r--debian/changelog11
-rw-r--r--debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch56
-rw-r--r--debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch77
-rw-r--r--debian/patches/series2
4 files changed, 146 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 99be09d..d740ccd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium
+
+ * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
+ 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
+ gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
+ signatures.
+ https://gitlab.com/gnutls/gnutls/issues/223
+ Thanks to Nikos Mavrogiannopoulos for the suggestion.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 23 Jul 2017 14:28:37 +0200
+
gnutls28 (3.5.8-5+deb9u2) stretch; urgency=medium
* 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
diff --git a/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch b/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
new file mode 100644
index 0000000..817012d
--- /dev/null
+++ b/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
@@ -0,0 +1,56 @@
+From 4115dda443f38119ad46262f7f4adc78cfa1bf83 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 30 Jun 2017 10:04:01 +0200
+Subject: [PATCH 1/2] OCSP: check the subject public key identifier field to
+ figure issuer
+
+Normally when attempting to match the 'Responder Key ID' in an OCSP response
+against the issuer certificate we check (according to RFC6960) against the
+hash of the SPKI field. However, in few certificates (see commit:
+"added ECDSA OCSP response verification"), that may not be the case. In that
+certificate, that value matches the Subject Public Key identifier field
+but not the hash.
+
+To account for these certificates, we enhance the matching to also consider
+the Subject Public Key identifier field.
+
+Relates: #223
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/x509/ocsp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index dcdf435d2..68e721eaa 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1923,9 +1923,24 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+
+ for (i = 0; i < ncerts; i++) {
+ if (keyid.data != NULL) {
+- uint8_t digest[20];
++ uint8_t digest[128]; /* to support longer key IDs */
+ gnutls_datum_t spki;
++ size_t digest_size = sizeof(digest);
+
++ _gnutls_debug_log("checking key ID against SPK identifier\n");
++
++ /* check subject key identifier as well, some certificates
++ * match that, but not the hash */
++ rc = gnutls_x509_crt_get_subject_key_id(certs[i], digest, &digest_size, NULL);
++ if (rc >= 0 && digest_size == keyid.size &&
++ memcmp(keyid.data, digest, digest_size) == 0) {
++ signercert = certs[i];
++ goto quit;
++ }
++
++ _gnutls_debug_log("checking key ID against SPKI hash\n");
++
++ /* continue with checking the hash */
+ rc = _gnutls_x509_get_raw_field2(certs[i]->cert, &certs[i]->der,
+ "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey",
+ &spki);
+--
+2.13.2
+
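Review bot: In the block added to find_signercert, a Subject Key Identifier match ends the search with `goto quit` before the RFC 6960 SPKI hash is tried. The SKI is an extension value the certificate carries, not something computed from its key here. If the list in `certs` can hold an entry whose SKI equals the responder key ID but whose key differs, that entry is selected and a later entry whose SPKI hash matches is never reached. Presumably the caller still verifies the response signature against the returned certificate, so the likely effect is a spurious verification failure, but that code is outside the hunk. The new comment should state this, for example `/* SKI is not key-derived: candidate selection only, the signature check still decides */`, and it is worth confirming whether the hash comparison should take precedence over the SKI comparison.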
diff --git a/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch b/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
new file mode 100644
index 0000000..bdb5060
--- /dev/null
+++ b/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
@@ -0,0 +1,77 @@
+From 3c36d980d447251b34677c21bd4a141829c045f6 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 1 Jul 2017 10:50:57 +0200
+Subject: [PATCH 2/2] OCSP: find_signercert: improved DER length calculation
+
+Previously we were assuming a fixed amount of length bytes which
+is not correct for all possible lengths. Use libtasn1 to decode
+the length field.
+
+Resolves: #223
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ lib/x509/ocsp.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 68e721eaa..321a676b3 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1923,9 +1923,10 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+
+ for (i = 0; i < ncerts; i++) {
+ if (keyid.data != NULL) {
+- uint8_t digest[128]; /* to support longer key IDs */
++ uint8_t digest[64]; /* to support longer key IDs */
+ gnutls_datum_t spki;
+ size_t digest_size = sizeof(digest);
++ int len;
+
+ _gnutls_debug_log("checking key ID against SPK identifier\n");
+
+@@ -1946,19 +1947,36 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
+ &spki);
+ if (rc < 0 || spki.size < 6) {
+ signercert = NULL;
+- goto quit;
++ continue;
+ }
+
+ /* For some reason the protocol requires we skip the
+ * tag, length and number of unused bits.
+ */
+- spki.data += 5;
+- spki.size -= 5;
+- rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, spki.data, spki.size, digest);
++ if (spki.data[0] != 0x03) { /* bit string */
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++
++ rc = asn1_get_length_der(spki.data+1, spki.size-1, &len);
++ if (rc <= 0) {
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++ len += 1+1; /* skip unused bits as well */
++ if (len >= (int)spki.size) {
++ gnutls_assert();
++ signercert = NULL;
++ continue;
++ }
++
++ rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, spki.data+len, spki.size-len, digest);
+ if (rc < 0) {
+ gnutls_assert();
+ signercert = NULL;
+- goto quit;
++ continue;
+ }
+
+ if ((20 == keyid.size) &&
+--
+2.13.2
+
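Review bot: The content length returned by asn1_get_length_der is only tested with `rc <= 0` and then dropped, so the SHA-1 covers `spki.size-len` bytes. That is everything after the header in the raw field, not the declared BIT STRING content. If `_gnutls_x509_get_raw_field2` always returns exactly one element the two are the same, but that is not visible here. A check placed before `len += 1+1`, such as `if (rc != (int)spki.size - 1 - len) { gnutls_assert(); continue; }`, would make the assumption explicit. The comment beginning "For some reason the protocol requires" could instead cite the RFC 6960 KeyHash definition, which hashes the subjectPublicKey BIT STRING value without tag, length and unused-bits byte. The body of find_signercert continues outside both inner hunks.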
diff --git a/debian/patches/series b/debian/patches/series
index 0240f6d..6573306 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@
36_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-responder-.patch
36_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-documented-.patch
37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch
+38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
+38_02-OCSP-find_signercert-improved-DER-length-calculation.patch