gnutls: Fix for CVE-2024-0553 and CVE-2024-0567

CVE-2024-0553 A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. CVE-2024-0567 A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e & https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405] Reference: https://ubuntu.com/security/CVE-2024-0553 https://ubuntu.com/security/CVE-2024-0567 (From OE-Core rev: de74fd5dea8cc71af1d457b4e688cfbe0f39e4d8) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-19 08:23:15 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-24 04:04:55 -1000
commit: 80b4e5f953511191049f5240fb582a574165853a (patch)
tree: cb15aafa3e2ecda15b20fd89d08cd1222d8907c0
parent: 410d7bf8cb71ec379c88b60a58cc8f2c1b4091a5 (diff)
download: poky-80b4e5f953511191049f5240fb582a574165853a.tar.gz
3 files changed, 311 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        int ret, dsize;
+        ssize_t data_size = _data_size;
+        gnutls_psk_server_credentials_t cred;
+-       gnutls_datum_t premaster_secret = { NULL, 0 };
+        volatile uint8_t ver_maj, ver_min;
+ 
+        cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        ver_maj = _gnutls_get_adv_version_major(session);
+        ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-       premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-       if (premaster_secret.data == NULL) {
+       /* Find the key of this username. A random value will be
+        * filled in if the key is not found.
+        */
+       ret = _gnutls_psk_pwd_find_entry(session, info->username,
+                                        strlen(info->username), &pwd_psk);
+       if (ret < 0)
+               return gnutls_assert_val(ret);
+
+       /* Allocate memory for premaster secret, and fill in the
+        * fields except the decryption result.
+        */
+       session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
+       session->key.key.data = gnutls_malloc(session->key.key.size);
+       if (session->key.key.data == NULL) {
+                gnutls_assert();
+               _gnutls_free_key_datum(&pwd_psk);
+               /* No need to zeroize, as the secret is not copied in yet */
+               _gnutls_free_datum(&session->key.key);
+                return GNUTLS_E_MEMORY_ERROR;
+        }
+-       premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+        /* Fallback value when decryption fails. Needs to be unpredictable. */
+-       ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-                        premaster_secret.size);
+       ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
+                        GNUTLS_MASTER_SIZE);
+        if (ret < 0) {
+                gnutls_assert();
+-               goto cleanup;
+               _gnutls_free_key_datum(&pwd_psk);
+               /* No need to zeroize, as the secret is not copied in yet */
+               _gnutls_free_datum(&session->key.key);
+               return ret;
+        }
+ 
+       _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
+       _gnutls_write_uint16(pwd_psk.size,
+                            &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
+       memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
+              pwd_psk.size);
+       _gnutls_free_key_datum(&pwd_psk);
+
+        gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-                                    &ciphertext, premaster_secret.data,
+-                                    premaster_secret.size);
+                                    &ciphertext, session->key.key.data + 2,
+                                    GNUTLS_MASTER_SIZE);
+        /* After this point, any conditional on failure that cause differences
+         * in execution may create a timing or cache access pattern side
+         * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        /* This is here to avoid the version check attack
+         * discussed above.
+         */
+-       premaster_secret.data[0] = ver_maj;
+-       premaster_secret.data[1] = ver_min;
+       session->key.key.data[2] = ver_maj;
+       session->key.key.data[3] = ver_min;
+ 
+-       /* find the key of this username
+-        */
+-       ret =
+-           _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-       if (ret < 0) {
+-               gnutls_assert();
+-               goto cleanup;
+-       }
+-
+-       ret =
+-           set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-       if (ret < 0) {
+-               gnutls_assert();
+-               goto cleanup;
+-       }
+-
+-       ret = 0;
+-      cleanup:
+-       _gnutls_free_key_datum(&pwd_psk);
+-       _gnutls_free_temp_key_datum(&premaster_secret);
+-
+-       return ret;
+       return 0;
+ }
+ 
+ static int
+-- 
+2.25.1
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
new file mode 100644
index 0000000000..49c4531a9b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
@@ -0,0 +1,184 @@
+From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 11 Jan 2024 15:45:11 +0900
+Subject: [PATCH] x509: detect loop in certificate chain
+There can be a loop in a certificate chain, when multiple CA
+certificates are cross-signed with each other, such as A â†’ B, B â†’ C,
+and C â†’ A.  Previously, the verification logic was not capable of
+handling this scenario while sorting the certificates in the chain in
+_gnutls_sort_clist, resulting in an assertion failure.  This patch
+properly detects such loop and aborts further processing in a graceful
+manner.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]
+CVE: CVE-2024-0567
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/common.c   |   4 ++
+ tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 129 insertions(+)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index fad9da5..6367b03 100644
+--- a/lib/x509/common.c
+++ b/lib/x509/common.c
+@@ -1790,6 +1790,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+                        break;
+                }
+ 
+               if (insorted[prev]) { /* loop detected */
+                       break;
+               }
+
+                sorted[i] = clist[prev];
+                insorted[prev] = 1;
+        }
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index dd7ccf0..09a5461 100644
+--- a/tests/test-chains.h
+++ b/tests/test-chains.h
+@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
+        NULL
+ };
+ 
+static const char *cross_signed[] = {
+       /* server (signed by A1) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
+       "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
+       "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
+       "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
+       "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
+       "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
+       "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
+       "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
+       "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
+       "-----END CERTIFICATE-----\n",
+       /* A1 (signed by A) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
+       "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
+       "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
+       "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
+       "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
+       "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
+       "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
+       "TLVBHvUJ\n"
+       "-----END CERTIFICATE-----\n",
+       /* A (signed by B) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
+       "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
+       "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
+       "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
+       "-----END CERTIFICATE-----\n",
+       /* A (signed by C) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
+       "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
+       "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
+       "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
+       "-----END CERTIFICATE-----\n",
+       /* B1 (signed by B) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
+       "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
+       "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
+       "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
+       "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
+       "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
+       "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
+       "/e+0cgQB\n"
+       "-----END CERTIFICATE-----\n",
+       /* B (signed by A) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
+       "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
+       "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
+       "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
+       "-----END CERTIFICATE-----\n",
+       /* B (signed by C) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
+       "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
+       "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
+       "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
+       "-----END CERTIFICATE-----\n",
+       /* C1 (signed by C) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
+       "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
+       "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
+       "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
+       "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
+       "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
+       "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
+       "725XUUYO\n"
+       "-----END CERTIFICATE-----\n",
+       /* C (signed by A) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
+       "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
+       "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
+       "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
+       "-----END CERTIFICATE-----\n",
+       /* C (signed by B) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
+       "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
+       "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
+       "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
+       "-----END CERTIFICATE-----\n",
+       NULL
+};
+
+static const char *cross_signed_ca[] = {
+       /* A (self-signed) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
+       "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
+       "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
+       "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+       "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
+       "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
+       "bDeZ2XJH+BdVFwg=\n"
+       "-----END CERTIFICATE-----\n",
+       NULL
+};
+
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #  pragma GCC diagnostic push
+ #  pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4442,6 +4565,8 @@ static struct
+     rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
+     GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
+  { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
+    1704955300 },
+   { NULL, NULL, NULL, 0, 0}
+ };
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 25f730b801..b290022781 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://CVE-2022-2509.patch \
           file://CVE-2023-0361.patch \
           file://CVE-2023-5981.patch \
+           file://CVE-2024-0553.patch \
+           file://CVE-2024-0567.patch \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-19 08:23:15 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-24 04:04:55 -1000
commit	80b4e5f953511191049f5240fb582a574165853a (patch)
tree	cb15aafa3e2ecda15b20fd89d08cd1222d8907c0
parent	410d7bf8cb71ec379c88b60a58cc8f2c1b4091a5 (diff)
download	poky-80b4e5f953511191049f5240fb582a574165853a.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch new file mode 100644 index 0000000000..f15c470879 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
		1	From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Wed, 10 Jan 2024 19:13:17 +0900
		4	Subject: [PATCH] rsa-psk: minimize branching after decryption
		5
		6	This moves any non-trivial code between gnutls_privkey_decrypt_data2
		7	and the function return in _gnutls_proc_rsa_psk_client_kx up until the
		8	decryption. This also avoids an extra memcpy to session->key.key.
		9
		10	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		11
		12	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
		13	CVE: CVE-2024-0553
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	lib/auth/rsa_psk.c \| 68 ++++++++++++++++++++++++----------------------
		17	1 file changed, 35 insertions(+), 33 deletions(-)
		18
		19	diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
		20	index 93c2dc9..c6cfb92 100644
		21	--- a/lib/auth/rsa_psk.c
		22	+++ b/lib/auth/rsa_psk.c
		23	@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		24	int ret, dsize;
		25	ssize_t data_size = _data_size;
		26	gnutls_psk_server_credentials_t cred;
		27	- gnutls_datum_t premaster_secret = { NULL, 0 };
		28	volatile uint8_t ver_maj, ver_min;
		29
		30	cred = (gnutls_psk_server_credentials_t)
		31	@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		32	ver_maj = _gnutls_get_adv_version_major(session);
		33	ver_min = _gnutls_get_adv_version_minor(session);
		34
		35	- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
		36	- if (premaster_secret.data == NULL) {
		37	+ /* Find the key of this username. A random value will be
		38	+ * filled in if the key is not found.
		39	+ */
		40	+ ret = _gnutls_psk_pwd_find_entry(session, info->username,
		41	+ strlen(info->username), &pwd_psk);
		42	+ if (ret < 0)
		43	+ return gnutls_assert_val(ret);
		44	+
		45	+ /* Allocate memory for premaster secret, and fill in the
		46	+ * fields except the decryption result.
		47	+ */
		48	+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
		49	+ session->key.key.data = gnutls_malloc(session->key.key.size);
		50	+ if (session->key.key.data == NULL) {
		51	gnutls_assert();
		52	+ _gnutls_free_key_datum(&pwd_psk);
		53	+ /* No need to zeroize, as the secret is not copied in yet */
		54	+ _gnutls_free_datum(&session->key.key);
		55	return GNUTLS_E_MEMORY_ERROR;
		56	}
		57	- premaster_secret.size = GNUTLS_MASTER_SIZE;
		58
		59	/* Fallback value when decryption fails. Needs to be unpredictable. */
		60	- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
		61	- premaster_secret.size);
		62	+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
		63	+ GNUTLS_MASTER_SIZE);
		64	if (ret < 0) {
		65	gnutls_assert();
		66	- goto cleanup;
		67	+ _gnutls_free_key_datum(&pwd_psk);
		68	+ /* No need to zeroize, as the secret is not copied in yet */
		69	+ _gnutls_free_datum(&session->key.key);
		70	+ return ret;
		71	}
		72
		73	+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
		74	+ _gnutls_write_uint16(pwd_psk.size,
		75	+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
		76	+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
		77	+ pwd_psk.size);
		78	+ _gnutls_free_key_datum(&pwd_psk);
		79	+
		80	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
		81	- &ciphertext, premaster_secret.data,
		82	- premaster_secret.size);
		83	+ &ciphertext, session->key.key.data + 2,
		84	+ GNUTLS_MASTER_SIZE);
		85	/* After this point, any conditional on failure that cause differences
		86	* in execution may create a timing or cache access pattern side
		87	* channel that can be used as an oracle, so tread carefully */
		88	@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		89	/* This is here to avoid the version check attack
		90	* discussed above.
		91	*/
		92	- premaster_secret.data[0] = ver_maj;
		93	- premaster_secret.data[1] = ver_min;
		94	+ session->key.key.data[2] = ver_maj;
		95	+ session->key.key.data[3] = ver_min;
		96
		97	- /* find the key of this username
		98	- */
		99	- ret =
		100	- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
		101	- if (ret < 0) {
		102	- gnutls_assert();
		103	- goto cleanup;
		104	- }
		105	-
		106	- ret =
		107	- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
		108	- if (ret < 0) {
		109	- gnutls_assert();
		110	- goto cleanup;
		111	- }
		112	-
		113	- ret = 0;
		114	- cleanup:
		115	- _gnutls_free_key_datum(&pwd_psk);
		116	- _gnutls_free_temp_key_datum(&premaster_secret);
		117	-
		118	- return ret;
		119	+ return 0;
		120	}
		121
		122	static int
		123	--
		124	2.25.1
		125


diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch new file mode 100644 index 0000000000..49c4531a9b --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
@@ -0,0 +1,184 @@
		1	From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Thu, 11 Jan 2024 15:45:11 +0900
		4	Subject: [PATCH] x509: detect loop in certificate chain
		5
		6	There can be a loop in a certificate chain, when multiple CA
		7	certificates are cross-signed with each other, such as A â†’ B, B â†’ C,
		8	and C â†’ A. Previously, the verification logic was not capable of
		9	handling this scenario while sorting the certificates in the chain in
		10	_gnutls_sort_clist, resulting in an assertion failure. This patch
		11	properly detects such loop and aborts further processing in a graceful
		12	manner.
		13
		14	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		15
		16	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]
		17	CVE: CVE-2024-0567
		18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		19	---
		20	lib/x509/common.c \| 4 ++
		21	tests/test-chains.h \| 125 ++++++++++++++++++++++++++++++++++++++++++++
		22	2 files changed, 129 insertions(+)
		23
		24	diff --git a/lib/x509/common.c b/lib/x509/common.c
		25	index fad9da5..6367b03 100644
		26	--- a/lib/x509/common.c
		27	+++ b/lib/x509/common.c
		28	@@ -1790,6 +1790,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
		29	break;
		30	}
		31
		32	+ if (insorted[prev]) { /* loop detected */
		33	+ break;
		34	+ }
		35	+
		36	sorted[i] = clist[prev];
		37	insorted[prev] = 1;
		38	}
		39	diff --git a/tests/test-chains.h b/tests/test-chains.h
		40	index dd7ccf0..09a5461 100644
		41	--- a/tests/test-chains.h
		42	+++ b/tests/test-chains.h
		43	@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
		44	NULL
		45	};
		46
		47	+static const char *cross_signed[] = {
		48	+ /* server (signed by A1) */
		49	+ "-----BEGIN CERTIFICATE-----\n"
		50	+ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
		51	+ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
		52	+ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
		53	+ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
		54	+ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
		55	+ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
		56	+ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
		57	+ "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
		58	+ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
		59	+ "-----END CERTIFICATE-----\n",
		60	+ /* A1 (signed by A) */
		61	+ "-----BEGIN CERTIFICATE-----\n"
		62	+ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
		63	+ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
		64	+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
		65	+ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
		66	+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
		67	+ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
		68	+ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
		69	+ "TLVBHvUJ\n"
		70	+ "-----END CERTIFICATE-----\n",
		71	+ /* A (signed by B) */
		72	+ "-----BEGIN CERTIFICATE-----\n"
		73	+ "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
		74	+ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		75	+ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
		76	+ "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		77	+ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
		78	+ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
		79	+ "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
		80	+ "-----END CERTIFICATE-----\n",
		81	+ /* A (signed by C) */
		82	+ "-----BEGIN CERTIFICATE-----\n"
		83	+ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
		84	+ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		85	+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
		86	+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		87	+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
		88	+ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
		89	+ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
		90	+ "-----END CERTIFICATE-----\n",
		91	+ /* B1 (signed by B) */
		92	+ "-----BEGIN CERTIFICATE-----\n"
		93	+ "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
		94	+ "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
		95	+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
		96	+ "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
		97	+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
		98	+ "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
		99	+ "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
		100	+ "/e+0cgQB\n"
		101	+ "-----END CERTIFICATE-----\n",
		102	+ /* B (signed by A) */
		103	+ "-----BEGIN CERTIFICATE-----\n"
		104	+ "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
		105	+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		106	+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
		107	+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		108	+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
		109	+ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
		110	+ "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
		111	+ "-----END CERTIFICATE-----\n",
		112	+ /* B (signed by C) */
		113	+ "-----BEGIN CERTIFICATE-----\n"
		114	+ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
		115	+ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		116	+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
		117	+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		118	+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
		119	+ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
		120	+ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
		121	+ "-----END CERTIFICATE-----\n",
		122	+ /* C1 (signed by C) */
		123	+ "-----BEGIN CERTIFICATE-----\n"
		124	+ "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
		125	+ "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
		126	+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
		127	+ "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
		128	+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
		129	+ "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
		130	+ "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
		131	+ "725XUUYO\n"
		132	+ "-----END CERTIFICATE-----\n",
		133	+ /* C (signed by A) */
		134	+ "-----BEGIN CERTIFICATE-----\n"
		135	+ "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
		136	+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		137	+ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
		138	+ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		139	+ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
		140	+ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
		141	+ "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
		142	+ "-----END CERTIFICATE-----\n",
		143	+ /* C (signed by B) */
		144	+ "-----BEGIN CERTIFICATE-----\n"
		145	+ "MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
		146	+ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		147	+ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
		148	+ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		149	+ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
		150	+ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
		151	+ "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
		152	+ "-----END CERTIFICATE-----\n",
		153	+ NULL
		154	+};
		155	+
		156	+static const char *cross_signed_ca[] = {
		157	+ /* A (self-signed) */
		158	+ "-----BEGIN CERTIFICATE-----\n"
		159	+ "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
		160	+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
		161	+ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
		162	+ "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
		163	+ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
		164	+ "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
		165	+ "bDeZ2XJH+BdVFwg=\n"
		166	+ "-----END CERTIFICATE-----\n",
		167	+ NULL
		168	+};
		169	+
		170	#if defined __clang__ \|\| __GNUC__ > 4 \|\| (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
		171	# pragma GCC diagnostic push
		172	# pragma GCC diagnostic ignored "-Wunused-variable"
		173	@@ -4442,6 +4565,8 @@ static struct
		174	rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
		175	GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
		176	GNUTLS_CERT_INSECURE_ALGORITHM \| GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
		177	+ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
		178	+ 1704955300 },
		179	{ NULL, NULL, NULL, 0, 0}
		180	};
		181
		182	--
		183	2.25.1
		184


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 25f730b801..b290022781 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
24	file://CVE-2022-2509.patch \	24	file://CVE-2022-2509.patch \
25	file://CVE-2023-0361.patch \	25	file://CVE-2023-0361.patch \
26	file://CVE-2023-5981.patch \	26	file://CVE-2023-5981.patch \
		27	file://CVE-2024-0553.patch \
		28	file://CVE-2024-0567.patch \
27	"	29	"
28		30
29	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	31	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"