author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-08-16 16:48:40 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-22 14:29:48 +0100 |
commit | ae4acc9f81e8e28c0e29a5924a6d7ab6ea5aaab9 (patch) | |
tree | f851582ee1b890229e90621b880e8596b91f32d3 /meta | |
parent | cfd2eaa0e196474f5093bbe16086282553df111e (diff) | |
download | poky-ae4acc9f81e8e28c0e29a5924a6d7ab6ea5aaab9.tar.gz |
gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify
Source: https://gitlab.com/gnutls/gnutls
MR: 120421
Type: Security Fix
Disposition: Backport from https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2
ChangeID: f0c84c6aa8178582ac9838c453dacdf2c7cae0e5
Description:
CVE-2022-2509 gnutls: Double free during gnutls_pkcs7_verify.
(From OE-Core rev: 4cac37913d08f433668778e788f01e009dbb94bd)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch | 282 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 |
2 files changed, 283 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch new file mode 100644 index 0000000000..f8954945d0 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch | |||
@@ -0,0 +1,282 @@ | |||
1 | From 9835638d4e1f37781a47e777c76d5bb14218929b Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Tue, 16 Aug 2022 12:23:14 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2509 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2] | ||
7 | CVE: CVE-2022-2509 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | NEWS | 4 + | ||
11 | lib/x509/pkcs7.c | 3 +- | ||
12 | tests/Makefile.am | 2 +- | ||
13 | tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++ | ||
14 | 4 files changed, 222 insertions(+), 2 deletions(-) | ||
15 | create mode 100644 tests/pkcs7-verify-double-free.c | ||
16 | |||
17 | diff --git a/NEWS b/NEWS | ||
18 | index 755a67c..ba70bb3 100644 | ||
19 | --- a/NEWS | ||
20 | +++ b/NEWS | ||
21 | @@ -7,6 +7,10 @@ See the end for copying conditions. | ||
22 | |||
23 | * Version 3.6.14 (released 2020-06-03) | ||
24 | |||
25 | +** libgnutls: Fixed double free during verification of pkcs7 signatures. | ||
26 | + Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium] | ||
27 | + [CVE-2022-2509] | ||
28 | + | ||
29 | ** libgnutls: Fixed insecure session ticket key construction, since 3.6.4. | ||
30 | The TLS server would not bind the session ticket encryption key with a | ||
31 | value supplied by the application until the initial key rotation, allowing | ||
32 | diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c | ||
33 | index 98669e8..ccbc69d 100644 | ||
34 | --- a/lib/x509/pkcs7.c | ||
35 | +++ b/lib/x509/pkcs7.c | ||
36 | @@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl, | ||
37 | issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags); | ||
38 | |||
39 | if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) { | ||
40 | - if (prev) gnutls_x509_crt_deinit(prev); | ||
41 | + if (prev && prev != signer) | ||
42 | + gnutls_x509_crt_deinit(prev); | ||
43 | prev = issuer; | ||
44 | break; | ||
45 | } | ||
46 | diff --git a/tests/Makefile.am b/tests/Makefile.am | ||
47 | index 11a083c..cd43a0f 100644 | ||
48 | --- a/tests/Makefile.am | ||
49 | +++ b/tests/Makefile.am | ||
50 | @@ -219,7 +219,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei | ||
51 | tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \ | ||
52 | sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \ | ||
53 | tls13-without-timeout-func buffer status-request-revoked \ | ||
54 | - set_x509_ocsp_multi_cli kdf-api keylog-func \ | ||
55 | + set_x509_ocsp_multi_cli kdf-api keylog-func pkcs7-verify-double-free \ | ||
56 | dtls_hello_random_value tls_hello_random_value x509cert-dntypes | ||
57 | |||
58 | if HAVE_SECCOMP_TESTS | ||
59 | diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c | ||
60 | new file mode 100644 | ||
61 | index 0000000..fadf307 | ||
62 | --- /dev/null | ||
63 | +++ b/tests/pkcs7-verify-double-free.c | ||
64 | @@ -0,0 +1,215 @@ | ||
65 | +/* | ||
66 | + * Copyright (C) 2022 Red Hat, Inc. | ||
67 | + * | ||
68 | + * Author: Zoltan Fridrich | ||
69 | + * | ||
70 | + * This file is part of GnuTLS. | ||
71 | + * | ||
72 | + * GnuTLS is free software: you can redistribute it and/or modify it | ||
73 | + * under the terms of the GNU General Public License as published by | ||
74 | + * the Free Software Foundation, either version 3 of the License, or | ||
75 | + * (at your option) any later version. | ||
76 | + * | ||
77 | + * GnuTLS is distributed in the hope that it will be useful, but | ||
78 | + * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
79 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
80 | + * General Public License for more details. | ||
81 | + * | ||
82 | + * You should have received a copy of the GNU General Public License | ||
83 | + * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>. | ||
84 | + */ | ||
85 | + | ||
86 | +#ifdef HAVE_CONFIG_H | ||
87 | +#include <config.h> | ||
88 | +#endif | ||
89 | + | ||
90 | +#include <stdio.h> | ||
91 | +#include <gnutls/pkcs7.h> | ||
92 | +#include <gnutls/x509.h> | ||
93 | + | ||
94 | +#include "utils.h" | ||
95 | + | ||
96 | +static char rca_pem[] = | ||
97 | + "-----BEGIN CERTIFICATE-----\n" | ||
98 | + "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" | ||
99 | + "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n" | ||
100 | + "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n" | ||
101 | + "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n" | ||
102 | + "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n" | ||
103 | + "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n" | ||
104 | + "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n" | ||
105 | + "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n" | ||
106 | + "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" | ||
107 | + "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n" | ||
108 | + "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n" | ||
109 | + "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n" | ||
110 | + "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n" | ||
111 | + "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n" | ||
112 | + "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n" | ||
113 | + "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n" | ||
114 | + "LirBWjg89RoAjFQ7bTE=\n" | ||
115 | + "-----END CERTIFICATE-----\n"; | ||
116 | + | ||
117 | +static char ca_pem[] = | ||
118 | + "-----BEGIN CERTIFICATE-----\n" | ||
119 | + "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" | ||
120 | + "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n" | ||
121 | + "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n" | ||
122 | + "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n" | ||
123 | + "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n" | ||
124 | + "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n" | ||
125 | + "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n" | ||
126 | + "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n" | ||
127 | + "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n" | ||
128 | + "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n" | ||
129 | + "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n" | ||
130 | + "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n" | ||
131 | + "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n" | ||
132 | + "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n" | ||
133 | + "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n" | ||
134 | + "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n" | ||
135 | + "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n" | ||
136 | + "-----END CERTIFICATE-----\n"; | ||
137 | + | ||
138 | +static char ee_pem[] = | ||
139 | + "-----BEGIN CERTIFICATE-----\n" | ||
140 | + "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n" | ||
141 | + "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n" | ||
142 | + "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n" | ||
143 | + "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n" | ||
144 | + "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n" | ||
145 | + "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n" | ||
146 | + "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n" | ||
147 | + "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n" | ||
148 | + "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n" | ||
149 | + "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n" | ||
150 | + "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n" | ||
151 | + "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n" | ||
152 | + "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n" | ||
153 | + "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n" | ||
154 | + "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n" | ||
155 | + "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n" | ||
156 | + "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n" | ||
157 | + "-----END CERTIFICATE-----\n"; | ||
158 | + | ||
159 | +static char msg_pem[] = | ||
160 | + "-----BEGIN PKCS7-----\n" | ||
161 | + "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n" | ||
162 | + "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n" | ||
163 | + "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n" | ||
164 | + "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" | ||
165 | + "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n" | ||
166 | + "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n" | ||
167 | + "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n" | ||
168 | + "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n" | ||
169 | + "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n" | ||
170 | + "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n" | ||
171 | + "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n" | ||
172 | + "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n" | ||
173 | + "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n" | ||
174 | + "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n" | ||
175 | + "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n" | ||
176 | + "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n" | ||
177 | + "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n" | ||
178 | + "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n" | ||
179 | + "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n" | ||
180 | + "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n" | ||
181 | + "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n" | ||
182 | + "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n" | ||
183 | + "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n" | ||
184 | + "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n" | ||
185 | + "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n" | ||
186 | + "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n" | ||
187 | + "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" | ||
188 | + "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n" | ||
189 | + "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n" | ||
190 | + "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n" | ||
191 | + "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n" | ||
192 | + "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n" | ||
193 | + "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n" | ||
194 | + "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n" | ||
195 | + "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n" | ||
196 | + "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n" | ||
197 | + "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n" | ||
198 | + "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n" | ||
199 | + "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n" | ||
200 | + "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n" | ||
201 | + "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n" | ||
202 | + "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n" | ||
203 | + "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n" | ||
204 | + "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n" | ||
205 | + "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n" | ||
206 | + "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n" | ||
207 | + "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n" | ||
208 | + "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n" | ||
209 | + "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n" | ||
210 | + "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n" | ||
211 | + "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n" | ||
212 | + "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n" | ||
213 | + "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n" | ||
214 | + "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n" | ||
215 | + "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n" | ||
216 | + "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n" | ||
217 | + "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n" | ||
218 | + "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n" | ||
219 | + "-----END PKCS7-----\n"; | ||
220 | + | ||
221 | +const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 }; | ||
222 | +const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 }; | ||
223 | +const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 }; | ||
224 | +const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 }; | ||
225 | + | ||
226 | +static void tls_log_func(int level, const char *str) | ||
227 | +{ | ||
228 | + fprintf(stderr, "%s |<%d>| %s", "err", level, str); | ||
229 | +} | ||
230 | + | ||
231 | +#define CHECK(X)\ | ||
232 | +{\ | ||
233 | + r = X;\ | ||
234 | + if (r < 0)\ | ||
235 | + fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\ | ||
236 | +}\ | ||
237 | + | ||
238 | +void doit(void) | ||
239 | +{ | ||
240 | + int r; | ||
241 | + gnutls_x509_crt_t rca_cert = NULL; | ||
242 | + gnutls_x509_crt_t ca_cert = NULL; | ||
243 | + gnutls_x509_crt_t ee_cert = NULL; | ||
244 | + gnutls_x509_trust_list_t tlist = NULL; | ||
245 | + gnutls_pkcs7_t pkcs7 = NULL; | ||
246 | + gnutls_datum_t data = { (unsigned char *)"xxx", 3 }; | ||
247 | + | ||
248 | + if (debug) { | ||
249 | + gnutls_global_set_log_function(tls_log_func); | ||
250 | + gnutls_global_set_log_level(4711); | ||
251 | + } | ||
252 | + | ||
253 | + // Import certificates | ||
254 | + CHECK(gnutls_x509_crt_init(&rca_cert)); | ||
255 | + CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM)); | ||
256 | + CHECK(gnutls_x509_crt_init(&ca_cert)); | ||
257 | + CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM)); | ||
258 | + CHECK(gnutls_x509_crt_init(&ee_cert)); | ||
259 | + CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM)); | ||
260 | + | ||
261 | + // Setup trust store | ||
262 | + CHECK(gnutls_x509_trust_list_init(&tlist, 0)); | ||
263 | + CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0)); | ||
264 | + CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0)); | ||
265 | + CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0)); | ||
266 | + | ||
267 | + // Setup pkcs7 structure | ||
268 | + CHECK(gnutls_pkcs7_init(&pkcs7)); | ||
269 | + CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM)); | ||
270 | + | ||
271 | + // Signature verification | ||
272 | + gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0); | ||
273 | + | ||
274 | + gnutls_x509_crt_deinit(rca_cert); | ||
275 | + gnutls_x509_crt_deinit(ca_cert); | ||
276 | + gnutls_x509_crt_deinit(ee_cert); | ||
277 | + gnutls_x509_trust_list_deinit(tlist, 0); | ||
278 | + gnutls_pkcs7_deinit(pkcs7); | ||
279 | +} | ||
280 | -- | ||
281 | 2.25.1 | ||
282 | |||
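Review bot: The `CHECK` macro in the new tests/pkcs7-verify-double-free.c expands to a bare brace block, so every `CHECK(...);` leaves a stray empty statement and the macro would break inside an unbraced `if`/`else`; the trailing backslash after the closing `}` also folds the blank line that follows into the macro. The `do { ... } while (0)` form below fixes both. The `gnutls_pkcs7_verify(...)` call discards its return value with no comment, which is presumably intentional since the test only needs to survive the call, but a one-line comment such as `/* result intentionally ignored: the test only checks that verification does not double free */` would make that explicit. The one-line library fix in lib/x509/pkcs7.c (`if (prev && prev != signer)`) sits inside find_signer, whose body begins and ends outside the hunk, so whether `signer` is released exactly once by the caller cannot be confirmed from this page.
```c
#define CHECK(X) \
	do { \
		r = X; \
		if (r < 0) \
			fail("error in %d: %s\n", __LINE__, gnutls_strerror(r)); \
	} while (0)
```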
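--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2020-24659.patch \
 file://CVE-2021-20231.patch \
 file://CVE-2021-20232.patch \
+file://CVE-2022-2509.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"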