Diffstat (limited to 'debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch')
-rw-r--r--debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch29
1 files changed, 14 insertions, 15 deletions
diff --git a/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch b/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch
index e85c16a..d87bb10 100644
--- a/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch
+++ b/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch
@@ -1,7 +1,7 @@
-From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From c176c35e17d0add934785cb8db1a6c2d14ae9659 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 23 Oct 2023 09:26:57 +0900
-Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+Subject: [PATCH 11/29] auth/rsa_psk: side-step potential side-channel
This removes branching that depends on secret data, porting changes
for regular RSA key exchange from
@@ -13,10 +13,10 @@ depending on the branching.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/auth/rsa.c | 2 +-
- lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
- lib/gnutls_int.h | 4 ---
+ lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
+ lib/gnutls_int.h | 4 --
lib/priority.c | 1 -
- 4 files changed, 35 insertions(+), 62 deletions(-)
+ 4 files changed, 35 insertions(+), 65 deletions(-)
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -55,7 +55,7 @@ Signed-off-by: Daiki Ueno <ueno@gnu.org>
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
if (cred == NULL) {
-@@ -327,75 +326,53 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+@@ -327,75 +326,51 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
gnutls_assert();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
@@ -101,6 +101,10 @@ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ if (premaster_secret.data == NULL) {
++ gnutls_assert();
++ return GNUTLS_E_MEMORY_ERROR;
++ }
++ premaster_secret.size = GNUTLS_MASTER_SIZE;
- if (randomize_key != 0) {
- premaster_secret.size = GNUTLS_MASTER_SIZE;
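Review bot: The allocation-failure path the refreshed patch now places right after `gnutls_malloc` exits with `return GNUTLS_E_MEMORY_ERROR;`, whereas the `gnutls_rnd` failure a few lines further down in the same function (next hunk) exits with `goto cleanup;`. If anything acquired before the malloc needs releasing, the direct return would skip it; I cannot see what precedes the allocation or what `cleanup` frees from this hunk, so this may be harmless, but using one exit convention for both failure paths would remove the doubt. The enclosing function `_gnutls_proc_rsa_psk_client_kx` starts and ends outside the hunk.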
@@ -122,19 +126,14 @@ Signed-off-by: Daiki Ueno <ueno@gnu.org>
- } else {
- premaster_secret.data = plaintext.data;
- premaster_secret.size = plaintext.size;
-+ gnutls_assert();
-+ return GNUTLS_E_MEMORY_ERROR;
- }
-+ premaster_secret.size = GNUTLS_MASTER_SIZE;
-+
+ /* Fallback value when decryption fails. Needs to be unpredictable. */
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+ premaster_secret.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
-+ }
-+
+ }
+
+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+ &ciphertext, premaster_secret.data,
+ premaster_secret.size);
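Review bot: The `gnutls_privkey_decrypt_data2` call at the end of the hunk discards its return value without a comment, so a later reader or a static checker will flag it as an unchecked error and may "fix" it by adding exactly the secret-dependent branch this patch removes. The preceding lines fill `premaster_secret` with random bytes as a fallback for precisely this case, so the omission is deliberate and should be stated at the call site, e.g. `/* Return value intentionally ignored: on decryption failure the random fallback filled in above is used, so control flow does not depend on whether the padding was valid. */`. The enclosing function starts and ends outside the hunk.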
@@ -152,11 +151,11 @@ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ */
-
++
/* This is here to avoid the version check attack
* discussed above.
*/
-
+-
- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
+ premaster_secret.data[0] = ver_maj;