author | Vijay Anusuri <vanusuri@mvista.com> | 2024-01-19 08:23:15 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-24 04:04:55 -1000 |
commit | 80b4e5f953511191049f5240fb582a574165853a (patch) | |
tree | cb15aafa3e2ecda15b20fd89d08cd1222d8907c0 | |
parent | 410d7bf8cb71ec379c88b60a58cc8f2c1b4091a5 (diff) | |
download | poky-80b4e5f953511191049f5240fb582a574165853a.tar.gz |
gnutls: Fix for CVE-2024-0553 and CVE-2024-0567
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVE-2024-0567
A vulnerability was found in GnuTLS, where Cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to trigger a denial of service (an assertion failure while sorting the chain).
Upstream-Status: Backport
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
&
https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]
Reference: https://ubuntu.com/security/CVE-2024-0553
https://ubuntu.com/security/CVE-2024-0567
(From OE-Core rev: de74fd5dea8cc71af1d457b4e688cfbe0f39e4d8)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch | 125 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch | 184 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.7.4.bb | 2 |
3 files changed, 311 insertions, 0 deletions
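--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption. This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+int ret, dsize;
+ssize_t data_size = _data_size;
+gnutls_psk_server_credentials_t cred;
+- gnutls_datum_t premaster_secret = { NULL, 0 };
+volatile uint8_t ver_maj, ver_min;
+
+cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ver_maj = _gnutls_get_adv_version_major(session);
+ver_min = _gnutls_get_adv_version_minor(session);
+
+- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+- if (premaster_secret.data == NULL) {
++ /* Find the key of this username. A random value will be
++ * filled in if the key is not found.
++ */
++ ret = _gnutls_psk_pwd_find_entry(session, info->username,
++ strlen(info->username), &pwd_psk);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++
++ /* Allocate memory for premaster secret, and fill in the
++ * fields except the decryption result.
++ */
++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++ session->key.key.data = gnutls_malloc(session->key.key.size);
++ if (session->key.key.data == NULL) {
+gnutls_assert();
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
+return GNUTLS_E_MEMORY_ERROR;
+}
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+/* Fallback value when decryption fails. Needs to be unpredictable. */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+if (ret < 0) {
+gnutls_assert();
+- goto cleanup;
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
++ return ret;
+}
+
++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++ _gnutls_write_uint16(pwd_psk.size,
++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++ pwd_psk.size);
++ _gnutls_free_key_datum(&pwd_psk);
++
+gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+- &ciphertext, premaster_secret.data,
+- premaster_secret.size);
++ &ciphertext, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+/* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+* channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+/* This is here to avoid the version check attack
+* discussed above.
+*/
+- premaster_secret.data[0] = ver_maj;
+- premaster_secret.data[1] = ver_min;
++ session->key.key.data[2] = ver_maj;
++ session->key.key.data[3] = ver_min;
+
+- /* find the key of this username
+- */
+- ret =
+- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret =
+- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = 0;
+- cleanup:
+- _gnutls_free_key_datum(&pwd_psk);
+- _gnutls_free_temp_key_datum(&premaster_secret);
+-
+- return ret;
++ return 0;
+}
+
+static int
+--
+2.25.1
+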
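Review bot: The constant-time property this backport restores depends on the code between the two hunks (rsa_psk.c lines roughly 345-388, not in view) having no data-dependent branches, because the `/* After this point ... tread carefully */` comment now sits directly after `gnutls_privkey_decrypt_data2` while the only post-decryption work shown is the unconditional `session->key.key.data[2] = ver_maj; session->key.key.data[3] = ver_min;` in the second hunk — worth confirming nothing conditional was left in the 3.7.4 tree between them. The context lines (`volatile uint8_t ver_maj, ver_min;` and that side-channel comment) come from the CVE-2023-5981 fix, so this patch only applies after CVE-2023-5981.patch and I would record that in the patch header, e.g. `Depends-on: CVE-2023-5981.patch (same function; the context lines assume the volatile ver_maj/ver_min it introduced)`. The discarded return value of `gnutls_privkey_decrypt_data2` is deliberate (the random fallback written just above must stand in for a bad ciphertext without a branch), but it reads like an oversight; a one-line `/* return value intentionally ignored: a failed decryption must be indistinguishable from success */` before the call would stop a future "fix" from reintroducing the oracle. `_gnutls_proc_rsa_psk_client_kx` starts before the first hunk and its tail is in the second.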
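--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
@@ -0,0 +1,184 @@
+From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 11 Jan 2024 15:45:11 +0900
+Subject: [PATCH] x509: detect loop in certificate chain
+
+There can be a loop in a certificate chain, when multiple CA
+certificates are cross-signed with each other, such as A → B, B → C,
+and C → A. Previously, the verification logic was not capable of
+handling this scenario while sorting the certificates in the chain in
+_gnutls_sort_clist, resulting in an assertion failure. This patch
+properly detects such loop and aborts further processing in a graceful
+manner.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]
+CVE: CVE-2024-0567
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/x509/common.c | 4 ++
+tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++
+2 files changed, 129 insertions(+)
+
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index fad9da5..6367b03 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1790,6 +1790,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+break;
+}
+
++ if (insorted[prev]) { /* loop detected */
++ break;
++ }
++
+sorted[i] = clist[prev];
+insorted[prev] = 1;
+}
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index dd7ccf0..09a5461 100644
+--- a/tests/test-chains.h
++++ b/tests/test-chains.h
+@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
+NULL
+};
+
++static const char *cross_signed[] = {
++ /* server (signed by A1) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
++ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
++ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
++ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
++ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
++ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
++ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
++ "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
++ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
++ "-----END CERTIFICATE-----\n",
++ /* A1 (signed by A) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
++ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
++ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
++ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
++ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
++ "TLVBHvUJ\n"
++ "-----END CERTIFICATE-----\n",
++ /* A (signed by B) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
++ "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
++ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
++ "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
++ "-----END CERTIFICATE-----\n",
++ /* A (signed by C) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
++ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
++ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
++ "-----END CERTIFICATE-----\n",
++ /* B1 (signed by B) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
++ "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
++ "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
++ "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
++ "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
++ "/e+0cgQB\n"
++ "-----END CERTIFICATE-----\n",
++ /* B (signed by A) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
++ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
++ "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
++ "-----END CERTIFICATE-----\n",
++ /* B (signed by C) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
++ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
++ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
++ "-----END CERTIFICATE-----\n",
++ /* C1 (signed by C) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
++ "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
++ "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
++ "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
++ "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
++ "725XUUYO\n"
++ "-----END CERTIFICATE-----\n",
++ /* C (signed by A) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
++ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
++ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
++ "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
++ "-----END CERTIFICATE-----\n",
++ /* C (signed by B) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
++ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
++ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
++ "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
++ "-----END CERTIFICATE-----\n",
++ NULL
++};
++
++static const char *cross_signed_ca[] = {
++ /* A (self-signed) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
++ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
++ "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
++ "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
++ "bDeZ2XJH+BdVFwg=\n"
++ "-----END CERTIFICATE-----\n",
++ NULL
++};
++
+#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4442,6 +4565,8 @@ static struct
+rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
+GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
++ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
++ 1704955300 },
+{ NULL, NULL, NULL, 0, 0}
+};
+
+--
+2.25.1
+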
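Review bot: The `cross_signed` entry commented `/* A (signed by C) */` (fourth certificate) is byte-for-byte the same PEM as the later `/* B (signed by C) */` entry — same serial, same body, and its subject decodes to "Root B" — so the chain carries a duplicate B-signed-by-C cross-certificate and no A-signed-by-C one, which is not what the comment or the commit message ("A → B, B → C, and C → A") says the vector contains. A three-way loop is still present (A signed by B, B signed by C, C signed by A) and the case passes with status 0, but the comment should at least read `/* B (signed by C) */`, or better the intended certificate supplied, so the regression test documents what it actually exercises. The `if (insorted[prev]) { /* loop detected */ break; }` guard stops the sort from revisiting a certificate, but `_gnutls_sort_clist` begins and ends outside the hunk, so what happens to certificates left unsorted after the break is not visible here; a negative case (a looped chain with no trust anchor must fail cleanly rather than assert) would pin that behaviour alongside the "ok" case.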
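--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2022-2509.patch \
 file://CVE-2023-0361.patch \
 file://CVE-2023-5981.patch \
+file://CVE-2024-0553.patch \
+file://CVE-2024-0567.patch \
 "
 
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"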