Diffstat (limited to 'meta/recipes-core/systemd/systemd/CVE-2018-21029.patch')
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2018-21029.patch120
1 files changed, 120 insertions, 0 deletions
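--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
@@ -0,0 +1,120 @@
+From 3f9d9289ee8730a81a0464539f4e1ba2d23d0ce9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 3 Mar 2020 23:31:25 +0000
+Subject: [PATCH] systemd-resolved: use hostname for certificate validation in
+ DoT
+
+Widely accepted certificates for IP addresses are expensive and only
+affordable for larger organizations. Therefore if the user provides
+the hostname in the DNS= option, we should use it instead of the IP
+address.
+
+(cherry picked from commit eec394f10bbfcc3d2fc8504ad8ff5be44231abd5)
+
+CVE: CVE-2018-21029
+Upstream-Status: Backport [ff26d281aec0877b43269f18c6282cd79a7f5529]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ man/resolved.conf.xml | 16 +++++++++++-----
+ src/resolve/resolved-dnstls-gnutls.c | 20 ++++++++++++--------
+ src/resolve/resolved-dnstls-openssl.c | 15 +++++++++++----
+ 3 files changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
+index 818000145b..37161ebcbc 100644
+--- a/man/resolved.conf.xml
++++ b/man/resolved.conf.xml
+@@ -193,11 +193,17 @@
+ <varlistentry>
+ <term><varname>DNSOverTLS=</varname></term>
+ <listitem>
+- <para>Takes a boolean argument or <literal>opportunistic</literal>.
+- If true all connections to the server will be encrypted. Note that
+- this mode requires a DNS server that supports DNS-over-TLS and has
+- a valid certificate for it's IP. If the DNS server does not support
+- DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal>
++ <para>Takes a boolean argument or <literal>opportunistic</literal>. If
++ true all connections to the server will be encrypted. Note that this
++ mode requires a DNS server that supports DNS-over-TLS and has a valid
++ certificate. If the hostname was specified in <varname>DNS=</varname>
++ by using the format format <literal>address#server_name</literal> it
++ is used to validate its certificate and also to enable Server Name
++ Indication (SNI) when opening a TLS connection. Otherwise
++ the certificate is checked against the server's IP.
++ If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
++
++ <para>When set to <literal>opportunistic</literal>
+ DNS request are attempted to send encrypted with DNS-over-TLS.
+ If the DNS server does not support TLS, DNS-over-TLS is disabled.
+ Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
+index ed0a31e8bf..c7215723a7 100644
+--- a/src/resolve/resolved-dnstls-gnutls.c
++++ b/src/resolve/resolved-dnstls-gnutls.c
+@@ -56,15 +56,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+ }
+
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+- stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+- if (server->family == AF_INET) {
+- stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+- stream->dnstls_data.validation.size = 4;
+- } else {
+- stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+- stream->dnstls_data.validation.size = 16;
++ if (server->server_name)
++ gnutls_session_set_verify_cert(gs, server->server_name, 0);
++ else {
++ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
++ if (server->family == AF_INET) {
++ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
++ stream->dnstls_data.validation.size = 4;
++ } else {
++ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
++ stream->dnstls_data.validation.size = 16;
++ }
++ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
+- gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
+
+ gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
+index 85e202ff74..007aedaa5b 100644
+--- a/src/resolve/resolved-dnstls-openssl.c
++++ b/src/resolve/resolved-dnstls-openssl.c
+@@ -6,6 +6,7 @@
+
+ #include <openssl/bio.h>
+ #include <openssl/err.h>
++#include <openssl/x509v3.h>
+
+ #include "io-util.h"
+ #include "resolved-dns-stream.h"
+@@ -78,13 +79,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ X509_VERIFY_PARAM *v;
+- const unsigned char *ip;
+
+ SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
+ v = SSL_get0_param(s);
+- ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
+- if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
+- return -ECONNREFUSED;
++ if (server->server_name) {
++ X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
++ if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
++ return -ECONNREFUSED;
++ } else {
++ const unsigned char *ip;
++ ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
++ if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
++ return -ECONNREFUSED;
++ }
+ }
+
+ ERR_clear_error();
+--
+2.40.1
+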
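Review bot: The man page hunk states that the `address#server_name` hostname is "also" used "to enable Server Name Indication (SNI)", but neither C hunk in this backport sets a server name on the TLS session — the OpenSSL branch only calls `X509_VERIFY_PARAM_set_hostflags`/`X509_VERIFY_PARAM_set1_host` and the GnuTLS branch only `gnutls_session_set_verify_cert`, with no `SSL_set_tlsext_host_name` or `gnutls_server_name_set` in the lines shown — so as carried here the change alters which identity the certificate is verified against, not what is sent in the ClientHello; if the SNI code lives in a separate upstream commit that is not part of this backport, either bring that hunk along or drop the SNI sentence from the documentation so the manual does not promise behaviour the patched code does not implement. The patch header cites two different upstream commits (`(cherry picked from commit eec394f1…)` versus `Upstream-Status: Backport [ff26d281…]`); presumably one is the stable-branch backport of the other, which is worth stating explicitly so the provenance of the CVE fix is unambiguous. Minor: the new manual text reads `by using the format format <literal>address#server_name</literal>`, a doubled word. Both `dnstls_stream_connect_tls` bodies begin and end outside their respective hunks.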