-rw-r--r-- | meta/classes/rootfs-postcommands.bbclass | 4 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc-version.inc | 2 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.35.bb | 2 | ||||
-rw-r--r-- | meta/recipes-core/images/build-appliance-image_15.0.0.bb | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.17.13.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch | 95 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch | 457 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch | 406 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.7.4.bb | 2 |
9 files changed, 967 insertions, 4 deletions
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass index 5c0b3ec37c..f7517c66dc 100644 --- a/meta/classes/rootfs-postcommands.bbclass +++ b/meta/classes/rootfs-postcommands.bbclass | |||
@@ -119,7 +119,9 @@ read_only_rootfs_hook () { | |||
119 | # Also tweak the key location for dropbear in the same way. | 119 | # Also tweak the key location for dropbear in the same way. |
120 | if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then | 120 | if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then |
121 | if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then | 121 | if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then |
122 | echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear | 122 | if ! grep -q "^DROPBEAR_RSAKEY_DIR=" ${IMAGE_ROOTFS}/etc/default/dropbear ; then |
123 | echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear | ||
124 | fi | ||
123 | fi | 125 | fi |
124 | fi | 126 | fi |
125 | fi | 127 | fi |
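Review bot: The new guard on line 122 runs `grep -q` against `${IMAGE_ROOTFS}/etc/default/dropbear` without first checking that the file exists; when it is absent grep writes a "No such file or directory" error into the build log, and because its exit status is non-zero the append still happens, so the outcome is correct but noisy. Using `if ! grep -qs "^DROPBEAR_RSAKEY_DIR=" ${IMAGE_ROOTFS}/etc/default/dropbear ; then` keeps the same logic and suppresses the spurious message. The guard also declines to append when the key is already present with a different directory, which is presumably deliberate (an existing override wins) and is worth a one-line comment such as `# respect an existing DROPBEAR_RSAKEY_DIR setting`. read_only_rootfs_hook begins outside the hunk.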
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index e0d47f283b..cd8c7ecf94 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc | |||
@@ -1,6 +1,6 @@ | |||
1 | SRCBRANCH ?= "release/2.35/master" | 1 | SRCBRANCH ?= "release/2.35/master" |
2 | PV = "2.35" | 2 | PV = "2.35" |
3 | SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef" | 3 | SRCREV_glibc ?= "36280d1ce5e245aabefb877fe4d3c6cff95dabfa" |
4 | SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" | 4 | SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" |
5 | 5 | ||
6 | GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" | 6 | GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" |
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index 751427517f..74d7f753d8 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb | |||
@@ -24,7 +24,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010025" | |||
24 | CVE_CHECK_IGNORE += "CVE-2023-4527" | 24 | CVE_CHECK_IGNORE += "CVE-2023-4527" |
25 | 25 | ||
26 | # To avoid these in cve-check reports since the recipe version did not change | 26 | # To avoid these in cve-check reports since the recipe version did not change |
27 | CVE_CHECK_IGNORE += "CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156" | 27 | CVE_CHECK_IGNORE += "CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 CVE-2024-2961" |
28 | 28 | ||
29 | DEPENDS += "gperf-native bison-native" | 29 | DEPENDS += "gperf-native bison-native" |
30 | 30 | ||
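Review bot: CVE-2024-2961 is appended to CVE_CHECK_IGNORE on line 27 with no record of which upstream glibc commit carries the fix; CVE_CHECK_IGNORE silences cve-check unconditionally, so the only way to audit this later is to correlate it by hand with the SRCREV bump in glibc-version.inc. A comment next to the entry such as `# CVE-2024-2961: fixed on release/2.35/master by <glibc-fix-commit>, pulled in by SRCREV 36280d1ce5e245aabefb877fe4d3c6cff95dabfa` (with the placeholder replaced by the actual fix commit) keeps the ignore traceable and makes it obvious when the entry can be dropped on the next version change.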
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index aef8b3055b..57274262ba 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb | |||
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx" | |||
24 | 24 | ||
25 | inherit core-image setuptools3 | 25 | inherit core-image setuptools3 |
26 | 26 | ||
27 | SRCREV ?= "ff7353b24f11f9ba8760f04b678e805fd2590073" | 27 | SRCREV ?= "700eac59a68baaba3361ed40ab14fe55e66f8211" |
28 | SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \ | 28 | SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \ |
29 | file://Yocto_Build_Appliance.vmx \ | 29 | file://Yocto_Build_Appliance.vmx \ |
30 | file://Yocto_Build_Appliance.vmxf \ | 30 | file://Yocto_Build_Appliance.vmxf \ |
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 768961de2c..95fb572362 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc | |||
@@ -55,6 +55,7 @@ SRC_URI += "\ | |||
55 | file://CVE-2023-45290.patch \ | 55 | file://CVE-2023-45290.patch \ |
56 | file://CVE-2024-24784.patch \ | 56 | file://CVE-2024-24784.patch \ |
57 | file://CVE-2024-24785.patch \ | 57 | file://CVE-2024-24785.patch \ |
58 | file://CVE-2023-45288.patch \ | ||
58 | " | 59 | " |
59 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" | 60 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" |
60 | 61 | ||
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch new file mode 100644 index 0000000000..741e7be89a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch | |||
@@ -0,0 +1,95 @@ | |||
1 | From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Neil <dneil@google.com> | ||
3 | Date: Thu, 28 Mar 2024 16:57:51 -0700 | ||
4 | Subject: [PATCH] [release-branch.go1.22] net/http: update bundled | ||
5 | golang.org/x/net/http2 | ||
6 | |||
7 | Disable cmd/internal/moddeps test, since this update includes PRIVATE | ||
8 | track fixes. | ||
9 | |||
10 | Fixes CVE-2023-45288 | ||
11 | For #65051 | ||
12 | Fixes #66298 | ||
13 | |||
14 | Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8 | ||
15 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227 | ||
16 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
17 | Run-TryBot: Damien Neil <dneil@google.com> | ||
18 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
19 | Reviewed-on: https://go-review.googlesource.com/c/go/+/576076 | ||
20 | Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> | ||
21 | TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> | ||
22 | Reviewed-by: Than McIntosh <thanm@google.com> | ||
23 | |||
24 | Upstream-Status: Backport [https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b] | ||
25 | CVE: CVE-2023-45288 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | src/cmd/internal/moddeps/moddeps_test.go | 1 + | ||
29 | src/net/http/h2_bundle.go | 31 ++++++++++++++++++++++++ | ||
30 | 2 files changed, 32 insertions(+) | ||
31 | |||
32 | diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go | ||
33 | index d48d43f..250bde4 100644 | ||
34 | --- a/src/cmd/internal/moddeps/moddeps_test.go | ||
35 | +++ b/src/cmd/internal/moddeps/moddeps_test.go | ||
36 | @@ -34,6 +34,7 @@ import ( | ||
37 | // See issues 36852, 41409, and 43687. | ||
38 | // (Also see golang.org/issue/27348.) | ||
39 | func TestAllDependencies(t *testing.T) { | ||
40 | + t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored modules") | ||
41 | t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules") | ||
42 | t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules") | ||
43 | |||
44 | diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go | ||
45 | index 9d6abd8..10ff193 100644 | ||
46 | --- a/src/net/http/h2_bundle.go | ||
47 | +++ b/src/net/http/h2_bundle.go | ||
48 | @@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr | ||
49 | if size > remainSize { | ||
50 | hdec.SetEmitEnabled(false) | ||
51 | mh.Truncated = true | ||
52 | + remainSize = 0 | ||
53 | return | ||
54 | } | ||
55 | remainSize -= size | ||
56 | @@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr | ||
57 | var hc http2headersOrContinuation = hf | ||
58 | for { | ||
59 | frag := hc.HeaderBlockFragment() | ||
60 | + | ||
61 | + // Avoid parsing large amounts of headers that we will then discard. | ||
62 | + // If the sender exceeds the max header list size by too much, | ||
63 | + // skip parsing the fragment and close the connection. | ||
64 | + // | ||
65 | + // "Too much" is either any CONTINUATION frame after we've already | ||
66 | + // exceeded the max header list size (in which case remainSize is 0), | ||
67 | + // or a frame whose encoded size is more than twice the remaining | ||
68 | + // header list bytes we're willing to accept. | ||
69 | + if int64(len(frag)) > int64(2*remainSize) { | ||
70 | + if http2VerboseLogs { | ||
71 | + log.Printf("http2: header list too large") | ||
72 | + } | ||
73 | + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
74 | + // but the struture of the server's frame writer makes this difficult. | ||
75 | + return nil, http2ConnectionError(http2ErrCodeProtocol) | ||
76 | + } | ||
77 | + | ||
78 | + // Also close the connection after any CONTINUATION frame following an | ||
79 | + // invalid header, since we stop tracking the size of the headers after | ||
80 | + // an invalid one. | ||
81 | + if invalid != nil { | ||
82 | + if http2VerboseLogs { | ||
83 | + log.Printf("http2: invalid header: %v", invalid) | ||
84 | + } | ||
85 | + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
86 | + // but the struture of the server's frame writer makes this difficult. | ||
87 | + return nil, http2ConnectionError(http2ErrCodeProtocol) | ||
88 | + } | ||
89 | + | ||
90 | if _, err := hdec.Write(frag); err != nil { | ||
91 | return nil, http2ConnectionError(http2ErrCodeCompression) | ||
92 | } | ||
93 | -- | ||
94 | 2.25.1 | ||
95 | |||
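Review bot: The moddeps_test.go hunk (patch lines 32–43) adds a third unconditional `t.Skip` referring to Go 1.22.2 and issue #65051, which is unlikely to be meaningful in a 1.17.13 tree and is not part of the CVE-2023-45288 fix; the functional change is entirely the readMetaFrame hunk in h2_bundle.go. Since the recipe only needs the header-size check, the backport could drop the moddeps hunk (and its line in the in-patch diffstat) so that the patch documents exactly what is being fixed. If the hunk is kept, a sentence in the patch header below `Upstream-Status` explaining why the skip is retained for 1.17 would help the next person rebasing it. readMetaFrame starts and ends outside the quoted hunks.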
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch new file mode 100644 index 0000000000..6c06fc2782 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch | |||
@@ -0,0 +1,457 @@ | |||
1 | From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Fri, 12 Jan 2024 17:56:58 +0900 | ||
4 | Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA | ||
5 | |||
6 | This removes function calls that potentially leak bit-length of a | ||
7 | private key used to calculate a nonce in deterministic ECDSA. Namely: | ||
8 | |||
9 | - _gnutls_dsa_compute_k has been rewritten to work on always | ||
10 | zero-padded mp_limb_t arrays instead of mpz_t | ||
11 | - rnd_mpz_func has been replaced with rnd_datum_func, which is backed | ||
12 | by a byte array instead of an mpz_t value | ||
13 | |||
14 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
15 | |||
16 | CVE: CVE-2024-28834 | ||
17 | |||
18 | Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5] | ||
19 | |||
20 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
21 | --- | ||
22 | lib/nettle/int/dsa-compute-k.c | 86 ++++++++++++++++++++----------- | ||
23 | lib/nettle/int/dsa-compute-k.h | 32 +++++++++--- | ||
24 | lib/nettle/int/ecdsa-compute-k.c | 32 +++--------- | ||
25 | lib/nettle/int/ecdsa-compute-k.h | 8 +-- | ||
26 | lib/nettle/pk.c | 78 +++++++++++++++++++--------- | ||
27 | tests/sign-verify-deterministic.c | 2 +- | ||
28 | 6 files changed, 141 insertions(+), 97 deletions(-) | ||
29 | |||
30 | diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c | ||
31 | index 3f5105a..f937693 100644 | ||
32 | --- a/lib/nettle/int/dsa-compute-k.c | ||
33 | +++ b/lib/nettle/int/dsa-compute-k.c | ||
34 | @@ -31,33 +31,39 @@ | ||
35 | #include "mpn-base256.h" | ||
36 | #include <string.h> | ||
37 | |||
38 | -#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) | ||
39 | - | ||
40 | -/* The maximum size of q, chosen from the fact that we support | ||
41 | - * 521-bit elliptic curve generator and 512-bit DSA subgroup at | ||
42 | - * maximum. */ | ||
43 | -#define MAX_Q_BITS 521 | ||
44 | -#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8) | ||
45 | -#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS) | ||
46 | - | ||
47 | -#define MAX_HASH_BITS (MAX_HASH_SIZE * 8) | ||
48 | -#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS) | ||
49 | - | ||
50 | -int | ||
51 | -_gnutls_dsa_compute_k(mpz_t k, | ||
52 | - const mpz_t q, | ||
53 | - const mpz_t x, | ||
54 | - gnutls_mac_algorithm_t mac, | ||
55 | - const uint8_t *digest, | ||
56 | - size_t length) | ||
57 | +/* For mini-gmp */ | ||
58 | +#ifndef GMP_LIMB_BITS | ||
59 | +#define GMP_LIMB_BITS GMP_NUMB_BITS | ||
60 | +#endif | ||
61 | + | ||
62 | +static inline int is_zero_limb(mp_limb_t x) | ||
63 | +{ | ||
64 | + x |= (x << 1); | ||
65 | + return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1); | ||
66 | +} | ||
67 | + | ||
68 | +static int sec_zero_p(const mp_limb_t *ap, mp_size_t n) | ||
69 | +{ | ||
70 | + volatile mp_limb_t w; | ||
71 | + mp_size_t i; | ||
72 | + | ||
73 | + for (i = 0, w = 0; i < n; i++) | ||
74 | + w |= ap[i]; | ||
75 | + | ||
76 | + | ||
77 | + return is_zero_limb(w); | ||
78 | +} | ||
79 | + | ||
80 | +int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x, | ||
81 | + mp_size_t qn, mp_bitcnt_t q_bits, | ||
82 | + gnutls_mac_algorithm_t mac, | ||
83 | + const uint8_t *digest, | ||
84 | + size_t length) | ||
85 | { | ||
86 | uint8_t V[MAX_HASH_SIZE]; | ||
87 | uint8_t K[MAX_HASH_SIZE]; | ||
88 | uint8_t xp[MAX_Q_SIZE]; | ||
89 | uint8_t tp[MAX_Q_SIZE]; | ||
90 | - mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)]; | ||
91 | - mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2); | ||
92 | - mp_size_t qn = mpz_size(q); | ||
93 | mp_bitcnt_t h_bits = length * 8; | ||
94 | mp_size_t hn = BITS_TO_LIMBS(h_bits); | ||
95 | size_t nbytes = (q_bits + 7) / 8; | ||
96 | @@ -66,6 +72,7 @@ _gnutls_dsa_compute_k(mpz_t k, | ||
97 | mp_limb_t cy; | ||
98 | gnutls_hmac_hd_t hd; | ||
99 | int ret = 0; | ||
100 | + mp_limb_t scratch[MAX_Q_LIMBS]; | ||
101 | |||
102 | if (unlikely(q_bits > MAX_Q_BITS)) | ||
103 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); | ||
104 | @@ -73,7 +80,7 @@ _gnutls_dsa_compute_k(mpz_t k, | ||
105 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); | ||
106 | |||
107 | /* int2octets(x) */ | ||
108 | - mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn); | ||
109 | + mpn_get_base256(xp, nbytes, x, qn); | ||
110 | |||
111 | /* bits2octets(h) */ | ||
112 | mpn_set_base256(h, hn, digest, length); | ||
113 | @@ -97,12 +104,12 @@ _gnutls_dsa_compute_k(mpz_t k, | ||
114 | mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS); | ||
115 | } | ||
116 | |||
117 | - cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn); | ||
118 | + cy = mpn_sub_n(h, h, q, qn); | ||
119 | /* Fall back to addmul_1, if nettle is linked with mini-gmp. */ | ||
120 | #ifdef mpn_cnd_add_n | ||
121 | - mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn); | ||
122 | + mpn_cnd_add_n(cy, h, h, q, qn); | ||
123 | #else | ||
124 | - mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0); | ||
125 | + mpn_addmul_1(h, q, qn, cy != 0); | ||
126 | #endif | ||
127 | mpn_get_base256(tp, nbytes, h, qn); | ||
128 | |||
129 | @@ -178,12 +185,8 @@ _gnutls_dsa_compute_k(mpz_t k, | ||
130 | if (tlen * 8 > q_bits) | ||
131 | mpn_rshift (h, h, qn, tlen * 8 - q_bits); | ||
132 | /* Check if k is in [1,q-1] */ | ||
133 | - if (!mpn_zero_p (h, qn) && | ||
134 | - mpn_cmp (h, mpz_limbs_read(q), qn) < 0) { | ||
135 | - mpn_copyi(mpz_limbs_write(k, qn), h, qn); | ||
136 | - mpz_limbs_finish(k, qn); | ||
137 | + if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn)) | ||
138 | break; | ||
139 | - } | ||
140 | |||
141 | ret = gnutls_hmac_init(&hd, mac, K, length); | ||
142 | if (ret < 0) | ||
143 | @@ -207,3 +210,24 @@ _gnutls_dsa_compute_k(mpz_t k, | ||
144 | |||
145 | return ret; | ||
146 | } | ||
147 | + | ||
148 | +/* cancel-out dsa_sign's addition of 1 to random data */ | ||
149 | +void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h, | ||
150 | + mp_size_t n) | ||
151 | +{ | ||
152 | + /* Fall back to sub_1, if nettle is linked with mini-gmp. */ | ||
153 | +#ifdef mpn_sec_sub_1 | ||
154 | + mp_limb_t t[MAX_Q_LIMBS]; | ||
155 | + | ||
156 | + mpn_sec_sub_1(h, h, n, 1, t); | ||
157 | +#else | ||
158 | + mpn_sub_1(h, h, n, 1); | ||
159 | +#endif | ||
160 | + mpn_get_base256(k, nbytes, h, n); | ||
161 | +} | ||
162 | + | ||
163 | +void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h, | ||
164 | + mp_size_t n) | ||
165 | +{ | ||
166 | + mpn_get_base256(k, nbytes, h, n); | ||
167 | +} | ||
168 | diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h | ||
169 | index 64e90e0..778c484 100644 | ||
170 | --- a/lib/nettle/int/dsa-compute-k.h | ||
171 | +++ b/lib/nettle/int/dsa-compute-k.h | ||
172 | @@ -26,12 +26,30 @@ | ||
173 | #include <gnutls/gnutls.h> | ||
174 | #include <nettle/bignum.h> /* includes gmp.h */ | ||
175 | |||
176 | -int | ||
177 | -_gnutls_dsa_compute_k(mpz_t k, | ||
178 | - const mpz_t q, | ||
179 | - const mpz_t x, | ||
180 | - gnutls_mac_algorithm_t mac, | ||
181 | - const uint8_t *digest, | ||
182 | - size_t length); | ||
183 | +#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) | ||
184 | + | ||
185 | +/* The maximum size of q, chosen from the fact that we support | ||
186 | + * 521-bit elliptic curve generator and 512-bit DSA subgroup at | ||
187 | + * maximum. */ | ||
188 | +#define MAX_Q_BITS 521 | ||
189 | +#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8) | ||
190 | +#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS) | ||
191 | + | ||
192 | +#define MAX_HASH_BITS (MAX_HASH_SIZE * 8) | ||
193 | +#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS) | ||
194 | + | ||
195 | +#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS) | ||
196 | + | ||
197 | +int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x, | ||
198 | + mp_size_t qn, mp_bitcnt_t q_bits, | ||
199 | + gnutls_mac_algorithm_t mac, | ||
200 | + const uint8_t *digest, | ||
201 | + size_t length); | ||
202 | + | ||
203 | +void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h, | ||
204 | + mp_size_t n); | ||
205 | + | ||
206 | +void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h, | ||
207 | + mp_size_t n); | ||
208 | |||
209 | #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */ | ||
210 | diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c | ||
211 | index 94914eb..fc3b2ba 100644 | ||
212 | --- a/lib/nettle/int/ecdsa-compute-k.c | ||
213 | +++ b/lib/nettle/int/ecdsa-compute-k.c | ||
214 | @@ -29,39 +29,38 @@ | ||
215 | #include "dsa-compute-k.h" | ||
216 | #include "gnutls_int.h" | ||
217 | |||
218 | -static inline int | ||
219 | -_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve) | ||
220 | +int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve) | ||
221 | { | ||
222 | switch (curve) { | ||
223 | #ifdef ENABLE_NON_SUITEB_CURVES | ||
224 | case GNUTLS_ECC_CURVE_SECP192R1: | ||
225 | - mpz_init_set_str(*q, | ||
226 | + mpz_init_set_str(q, | ||
227 | "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836" | ||
228 | "146BC9B1B4D22831", | ||
229 | 16); | ||
230 | return 0; | ||
231 | case GNUTLS_ECC_CURVE_SECP224R1: | ||
232 | - mpz_init_set_str(*q, | ||
233 | + mpz_init_set_str(q, | ||
234 | "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2" | ||
235 | "E0B8F03E13DD29455C5C2A3D", | ||
236 | 16); | ||
237 | return 0; | ||
238 | #endif | ||
239 | case GNUTLS_ECC_CURVE_SECP256R1: | ||
240 | - mpz_init_set_str(*q, | ||
241 | + mpz_init_set_str(q, | ||
242 | "FFFFFFFF00000000FFFFFFFFFFFFFFFF" | ||
243 | "BCE6FAADA7179E84F3B9CAC2FC632551", | ||
244 | 16); | ||
245 | return 0; | ||
246 | case GNUTLS_ECC_CURVE_SECP384R1: | ||
247 | - mpz_init_set_str(*q, | ||
248 | + mpz_init_set_str(q, | ||
249 | "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" | ||
250 | "FFFFFFFFFFFFFFFFC7634D81F4372DDF" | ||
251 | "581A0DB248B0A77AECEC196ACCC52973", | ||
252 | 16); | ||
253 | return 0; | ||
254 | case GNUTLS_ECC_CURVE_SECP521R1: | ||
255 | - mpz_init_set_str(*q, | ||
256 | + mpz_init_set_str(q, | ||
257 | "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" | ||
258 | "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" | ||
259 | "FFA51868783BF2F966B7FCC0148F709A" | ||
260 | @@ -74,22 +73,3 @@ _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve) | ||
261 | } | ||
262 | } | ||
263 | |||
264 | -int | ||
265 | -_gnutls_ecdsa_compute_k (mpz_t k, | ||
266 | - gnutls_ecc_curve_t curve, | ||
267 | - const mpz_t x, | ||
268 | - gnutls_mac_algorithm_t mac, | ||
269 | - const uint8_t *digest, | ||
270 | - size_t length) | ||
271 | -{ | ||
272 | - mpz_t q; | ||
273 | - int ret; | ||
274 | - | ||
275 | - ret = _gnutls_ecc_curve_to_dsa_q(&q, curve); | ||
276 | - if (ret < 0) | ||
277 | - return gnutls_assert_val(ret); | ||
278 | - | ||
279 | - ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length); | ||
280 | - mpz_clear(q); | ||
281 | - return ret; | ||
282 | -} | ||
283 | diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h | ||
284 | index 7ca401d..a7e612b 100644 | ||
285 | --- a/lib/nettle/int/ecdsa-compute-k.h | ||
286 | +++ b/lib/nettle/int/ecdsa-compute-k.h | ||
287 | @@ -26,12 +26,6 @@ | ||
288 | #include <gnutls/gnutls.h> | ||
289 | #include <nettle/bignum.h> /* includes gmp.h */ | ||
290 | |||
291 | -int | ||
292 | -_gnutls_ecdsa_compute_k (mpz_t k, | ||
293 | - gnutls_ecc_curve_t curve, | ||
294 | - const mpz_t x, | ||
295 | - gnutls_mac_algorithm_t mac, | ||
296 | - const uint8_t *digest, | ||
297 | - size_t length); | ||
298 | +int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve); | ||
299 | |||
300 | #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */ | ||
301 | diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c | ||
302 | index eba246f..799cc9d 100644 | ||
303 | --- a/lib/nettle/pk.c | ||
304 | +++ b/lib/nettle/pk.c | ||
305 | @@ -97,10 +97,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data) | ||
306 | } | ||
307 | } | ||
308 | |||
309 | -static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) | ||
310 | +static void rnd_datum_func(void *ctx, size_t length, uint8_t *data) | ||
311 | { | ||
312 | - mpz_t *k = _ctx; | ||
313 | - nettle_mpz_get_str_256 (length, data, *k); | ||
314 | + gnutls_datum_t *d = ctx; | ||
315 | + | ||
316 | + if (length > d->size) { | ||
317 | + memset(data, 0, length - d->size); | ||
318 | + memcpy(data + (length - d->size), d->data, d->size); | ||
319 | + } else { | ||
320 | + memcpy(data, d->data, length); | ||
321 | + } | ||
322 | } | ||
323 | |||
324 | static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) | ||
325 | @@ -1076,7 +1082,11 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
326 | struct dsa_signature sig; | ||
327 | int curve_id = pk_params->curve; | ||
328 | const struct ecc_curve *curve; | ||
329 | - mpz_t k; | ||
330 | + mpz_t q; | ||
331 | + /* 521-bit elliptic curve generator at maximum */ | ||
332 | + uint8_t buf[(521 + 7) / 8]; | ||
333 | + gnutls_datum_t k = { NULL, 0 }; | ||
334 | + | ||
335 | void *random_ctx; | ||
336 | nettle_random_func *random_func; | ||
337 | |||
338 | @@ -1123,19 +1133,31 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
339 | hash_len = vdata->size; | ||
340 | } | ||
341 | |||
342 | - mpz_init(k); | ||
343 | + mpz_init(q); | ||
344 | + | ||
345 | if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || | ||
346 | (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { | ||
347 | - ret = _gnutls_ecdsa_compute_k(k, | ||
348 | - curve_id, | ||
349 | - pk_params->params[ECC_K], | ||
350 | - DIG_TO_MAC(sign_params->dsa_dig), | ||
351 | - vdata->data, | ||
352 | - vdata->size); | ||
353 | + mp_limb_t h[DSA_COMPUTE_K_ITCH]; | ||
354 | + | ||
355 | + ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id); | ||
356 | if (ret < 0) | ||
357 | goto ecdsa_cleanup; | ||
358 | + | ||
359 | + ret = _gnutls_dsa_compute_k( | ||
360 | + h, mpz_limbs_read(q), priv.p, | ||
361 | + ecc_size(priv.ecc), ecc_bit_size(priv.ecc), | ||
362 | + DIG_TO_MAC(sign_params->dsa_dig), vdata->data, | ||
363 | + vdata->size); | ||
364 | + if (ret < 0) | ||
365 | + goto ecdsa_cleanup; | ||
366 | + k.data = buf; | ||
367 | + k.size = (ecc_bit_size(priv.ecc) + 7) / 8; | ||
368 | + | ||
369 | + _gnutls_ecdsa_compute_k_finish(k.data, k.size, h, | ||
370 | + ecc_size(priv.ecc)); | ||
371 | + | ||
372 | random_ctx = &k; | ||
373 | - random_func = rnd_mpz_func; | ||
374 | + random_func = rnd_datum_func; | ||
375 | } else { | ||
376 | random_ctx = NULL; | ||
377 | random_func = rnd_nonce_func; | ||
378 | @@ -1156,7 +1178,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
379 | ecdsa_cleanup: | ||
380 | dsa_signature_clear(&sig); | ||
381 | ecc_scalar_zclear(&priv); | ||
382 | - mpz_clear(k); | ||
383 | + mpz_clear(q); | ||
384 | |||
385 | if (ret < 0) { | ||
386 | gnutls_assert(); | ||
387 | @@ -1169,7 +1191,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
388 | struct dsa_params pub; | ||
389 | bigint_t priv; | ||
390 | struct dsa_signature sig; | ||
391 | - mpz_t k; | ||
392 | + /* 512-bit DSA subgroup at maximum */ | ||
393 | + uint8_t buf[(512 + 7) / 8]; | ||
394 | + gnutls_datum_t k = { NULL, 0 }; | ||
395 | + | ||
396 | void *random_ctx; | ||
397 | nettle_random_func *random_func; | ||
398 | |||
399 | @@ -1196,21 +1221,25 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
400 | hash_len = vdata->size; | ||
401 | } | ||
402 | |||
403 | - mpz_init(k); | ||
404 | if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || | ||
405 | (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { | ||
406 | - ret = _gnutls_dsa_compute_k(k, | ||
407 | - pub.q, | ||
408 | - TOMPZ(priv), | ||
409 | - DIG_TO_MAC(sign_params->dsa_dig), | ||
410 | - vdata->data, | ||
411 | - vdata->size); | ||
412 | + mp_limb_t h[DSA_COMPUTE_K_ITCH]; | ||
413 | + ret = _gnutls_dsa_compute_k( | ||
414 | + h, mpz_limbs_read(pub.q), | ||
415 | + mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q), | ||
416 | + mpz_sizeinbase(pub.q, 2), | ||
417 | + DIG_TO_MAC(sign_params->dsa_dig), vdata->data, | ||
418 | + vdata->size); | ||
419 | if (ret < 0) | ||
420 | goto dsa_fail; | ||
421 | - /* cancel-out dsa_sign's addition of 1 to random data */ | ||
422 | - mpz_sub_ui (k, k, 1); | ||
423 | + k.data = buf; | ||
424 | + k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8; | ||
425 | + | ||
426 | + _gnutls_dsa_compute_k_finish(k.data, k.size, h, | ||
427 | + mpz_size(pub.q)); | ||
428 | + | ||
429 | random_ctx = &k; | ||
430 | - random_func = rnd_mpz_func; | ||
431 | + random_func = rnd_datum_func; | ||
432 | } else { | ||
433 | random_ctx = NULL; | ||
434 | random_func = rnd_nonce_func; | ||
435 | @@ -1230,7 +1259,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, | ||
436 | |||
437 | dsa_fail: | ||
438 | dsa_signature_clear(&sig); | ||
439 | - mpz_clear(k); | ||
440 | |||
441 | if (ret < 0) { | ||
442 | gnutls_assert(); | ||
443 | diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c | ||
444 | index 6e90728..25aa553 100644 | ||
445 | --- a/tests/sign-verify-deterministic.c | ||
446 | +++ b/tests/sign-verify-deterministic.c | ||
447 | @@ -197,7 +197,7 @@ void doit(void) | ||
448 | &signature); | ||
449 | if (ret < 0) | ||
450 | testfail("gnutls_pubkey_verify_data2\n"); | ||
451 | - success(" - pass"); | ||
452 | + success(" - pass\n"); | ||
453 | |||
454 | next: | ||
455 | gnutls_free(signature.data); | ||
456 | -- | ||
457 | 2.40.0 | ||
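Review bot: In the DSA branch of _wrap_nettle_pk_sign (patch lines 392–427) `buf` is sized `(512 + 7) / 8` = 64 bytes, but `_gnutls_dsa_compute_k` only rejects `q_bits > MAX_Q_BITS` (521), and `k.size` is set to `(mpz_sizeinbase(pub.q, 2) + 7) / 8`, so a q of 513–521 bits would pass the check and `_gnutls_dsa_compute_k_finish` would write up to 66 bytes into the 64-byte stack buffer. Whether DSA parameter validation elsewhere in the library already bounds q below 512 bits is not visible here, so the safe change is to size the buffer from the shared bound, `uint8_t buf[MAX_Q_SIZE];`, or to guard the finish call with `if (k.size > sizeof(buf)) { ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); goto dsa_fail; }`. Note also that rnd_datum_func (patch lines 310–322) copies only the first `length` bytes when nettle asks for fewer than `d->size`, silently truncating the nonce; the two callers keep the sizes in step, so a comment stating that `length` is expected to equal `d->size` would document the invariant. _wrap_nettle_pk_sign starts and ends outside the quoted hunks.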
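--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
@@ -0,0 +1,406 @@
+From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 29 Jan 2024 13:52:46 +0900
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
+input
+
+Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
+chain verification logic crashed with assertion failure. This patch
+removes the restriction while keeping the maximum number of
+retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+CVE: CVE-2024-28835
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+lib/gnutls_int.h | 5 +-
+lib/x509/common.c | 10 +-
+lib/x509/verify-high.c | 43 ++++++--
+tests/test-chains.h | 211 ++++++++++++++++++++++++++++++++++++++++-
+4 files changed, 252 insertions(+), 17 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index b2a3ae6..5127996 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -221,7 +221,10 @@ typedef enum record_send_state_t {
+
+#define MAX_PK_PARAM_SIZE 2048
+
+-/* defaults for verification functions
++/* Defaults for verification functions.
++ *
++ * update many_icas in tests/test-chains.h when increasing
++ * DEFAULT_MAX_VERIFY_DEPTH.
+ */
+#define DEFAULT_MAX_VERIFY_DEPTH 16
+#define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 6367b03..8f8c1f8 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1749,7 +1749,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
+gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+
+- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
++ /* Limit the number of certificates in the chain, to avoid DoS
++ * because of the O(n^2) sorting below. FIXME: Switch to a
++ * topological sort algorithm which should be linear to the
++ * number of certificates and subject-issuer relationships.
++ */
++ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
++ _gnutls_debug_log("too many certificates; skipping sorting\n");
++ return 1;
++ }
+
+for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
+issuer[i] = -1;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 5698d4f..a957511 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -25,7 +25,7 @@
+#include "errors.h"
+#include <libtasn1.h>
+#include <global.h>
+-#include <num.h> /* MAX */
++#include <num.h> /* MIN */
+#include <tls-sig.h>
+#include <str.h>
+#include <datum.h>
+@@ -1418,7 +1418,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+int ret = 0;
+unsigned int i;
+size_t hash;
+- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
++ gnutls_x509_crt_t *cert_list_copy = NULL;
++ unsigned int cert_list_max_size = 0;
+gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+unsigned int retrieved_size = 0;
+const char *hostname = NULL, *purpose = NULL, *email = NULL;
+@@ -1472,16 +1473,26 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+}
+}
+
+- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+- cert_list = sorted;
++ /* Allocate extra for retrieved certificates. */
++ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
++ &cert_list_max_size))
++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
++ sizeof(gnutls_x509_crt_t));
++ if (!cert_list_copy)
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++ memcpy(cert_list_copy, cert_list,
++ cert_list_size * sizeof(gnutls_x509_crt_t));
++ cert_list = cert_list_copy;
+
+ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+if (ret < 0) {
+return ret;
+}
+
+- for (i = 0; i < cert_list_size &&
+- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
++ for (i = 0; i < cert_list_size;) {
+unsigned int sorted_size = 1;
+unsigned int j;
+gnutls_x509_crt_t issuer;
+@@ -1491,8 +1502,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+cert_list_size - i);
+}
+
+- /* Remove duplicates. Start with index 1, as the first element
+- * may be re-checked after issuer retrieval. */
++ /* Remove duplicates. */
+for (j = 1; j < sorted_size; j++) {
+if (cert_set_contains(&cert_set, cert_list[i + j])) {
+if (i + j < cert_list_size - 1) {
+@@ -1539,14 +1549,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ret = retrieve_issuers(list,
+cert_list[i - 1],
+&retrieved[retrieved_size],
+- DEFAULT_MAX_VERIFY_DEPTH -
+- MAX(retrieved_size,
+- cert_list_size));
++ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
++ cert_list_max_size - cert_list_size));
+if (ret < 0) {
+break;
+} else if (ret > 0) {
+assert((unsigned int)ret <=
+- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
++ assert((unsigned int)ret <=
++ cert_list_max_size - cert_list_size);
++
+memmove(&cert_list[i + ret],
+&cert_list[i],
+(cert_list_size - i) *
+@@ -1563,8 +1575,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+}
+
+cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+- if (cert_list_size <= 0)
+- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++ if (cert_list_size <= 0) {
++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++ goto cleanup;
++ }
+
+hash =
+hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
+@@ -1715,6 +1729,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+}
+
+cleanup:
++ gnutls_free(cert_list_copy);
+for (i = 0; i < retrieved_size; i++) {
+gnutls_x509_crt_deinit(retrieved[i]);
+}
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 09a5461..dd872a9 100644
+--- a/tests/test-chains.h
++++ b/tests/test-chains.h
+@@ -25,7 +25,7 @@
+
+/* *INDENT-OFF* */
+
+-#define MAX_CHAIN 10
++#define MAX_CHAIN 17
+
+static const char *chain_with_no_subject_id_in_ca_ok[] = {
+"-----BEGIN CERTIFICATE-----\n"
+@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
+NULL
+};
+
++/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
++static const char *many_icas[] = {
++ /* Server */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
++ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
++ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
++ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
++ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
++ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
++ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA16 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
++ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
++ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
++ "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA15 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
++ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
++ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
++ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA14 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
++ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
++ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
++ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA13 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
++ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
++ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
++ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA12 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
++ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
++ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
++ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA11 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
++ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
++ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
++ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA10 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
++ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
++ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
++ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA9 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
++ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
++ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
++ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA8 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
++ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
++ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
++ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA7 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
++ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
++ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
++ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA6 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
++ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
++ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
++ "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA5 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
++ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
++ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
++ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA4 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
++ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
++ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
++ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA3 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
++ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
++ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
++ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA2 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
++ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
++ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
++ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
++ "-----END CERTIFICATE-----\n",
++ /* ICA1 */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
++ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
++ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
++ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
++ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
++ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
++ "O2tFnNH2hV6LDPJzU0rtLQc=\n"
++ "-----END CERTIFICATE-----\n",
++ NULL
++};
++
++static const char *many_icas_ca[] = {
++ /* CA (self-signed) */
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
++ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
++ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
++ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
++ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
++ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
++ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
++ "-----END CERTIFICATE-----\n",
++ NULL
++};
++
+#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4567,6 +4774,8 @@ static struct
+GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
+{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
+1704955300 },
++ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
++ 1710284400 },
+{ NULL, NULL, NULL, 0, 0}
+};
+
+--
+2.40.0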
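Review bot: In the verify-high.c hunk at old line 1473, `cert_list_copy` is leaked when `cert_set_init()` fails: the heap copy is now allocated before that call, but the unchanged `if (ret < 0) { return ret; }` still returns without reaching the `gnutls_free(cert_list_copy)` that the patch adds at `cleanup:`. The minimal fix keeps the early return but releases the copy first, `if (ret < 0) { gnutls_free(cert_list_copy); return ret; }`. Only the `shorten_clist()` failure path was converted to `goto cleanup`; any other early `return` between the allocation and `cleanup:` that lies outside these hunks would leak the same way, which is worth checking since an attacker-supplied chain drives this path. The body of gnutls_x509_trust_list_verify_crt2 starts and ends outside the hunks shown.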
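--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -26,6 +26,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2023-5981.patch \
 file://CVE-2024-0553.patch \
 file://CVE-2024-0567.patch \
+file://CVE-2024-28834.patch \
+file://CVE-2024-28835.patch \
 "
 
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"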