2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
new file mode 100644
index 0000000000..8d3801a248
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
@@ -0,0 +1,120 @@
+From 3f9d9289ee8730a81a0464539f4e1ba2d23d0ce9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 3 Mar 2020 23:31:25 +0000
+Subject: [PATCH] systemd-resolved: use hostname for certificate validation in
+ DoT
+Widely accepted certificates for IP addresses are expensive and only
+affordable for larger organizations. Therefore if the user provides
+the hostname in the DNS= option, we should use it instead of the IP
+address.
+(cherry picked from commit eec394f10bbfcc3d2fc8504ad8ff5be44231abd5)
+CVE: CVE-2018-21029
+Upstream-Status: Backport [ff26d281aec0877b43269f18c6282cd79a7f5529]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ man/resolved.conf.xml                 | 16 +++++++++++-----
+ src/resolve/resolved-dnstls-gnutls.c  | 20 ++++++++++++--------
+ src/resolve/resolved-dnstls-openssl.c | 15 +++++++++++----
+ 3 files changed, 34 insertions(+), 17 deletions(-)
+diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
+index 818000145b..37161ebcbc 100644
+--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
+@@ -193,11 +193,17 @@
+       <varlistentry>
+         <term><varname>DNSOverTLS=</varname></term>
+         <listitem>
+-        <para>Takes a boolean argument or <literal>opportunistic</literal>.
+-        If true all connections to the server will be encrypted. Note that
+-        this mode requires a DNS server that supports DNS-over-TLS and has
+-        a valid certificate for it's IP. If the DNS server does not support
+-        DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal>
+        <para>Takes a boolean argument or <literal>opportunistic</literal>. If
+        true all connections to the server will be encrypted. Note that this
+        mode requires a DNS server that supports DNS-over-TLS and has a valid
+        certificate. If the hostname was specified in <varname>DNS=</varname>
+        by using the format format <literal>address#server_name</literal> it
+        is used to validate its certificate and also to enable Server Name
+        Indication (SNI) when opening a TLS connection. Otherwise
+        the certificate is checked against the server's IP.
+        If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
+
+        <para>When set to <literal>opportunistic</literal>
+         DNS request are attempted to send encrypted with DNS-over-TLS.
+         If the DNS server does not support TLS, DNS-over-TLS is disabled.
+         Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
+index ed0a31e8bf..c7215723a7 100644
+--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
+@@ -56,15 +56,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+         }
+ 
+         if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+-                stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+-                if (server->family == AF_INET) {
+-                        stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+-                        stream->dnstls_data.validation.size = 4;
+-                } else {
+-                        stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+-                        stream->dnstls_data.validation.size = 16;
+                if (server->server_name)
+                        gnutls_session_set_verify_cert(gs, server->server_name, 0);
+                else {
+                        stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+                        if (server->family == AF_INET) {
+                                stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+                                stream->dnstls_data.validation.size = 4;
+                        } else {
+                                stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+                                stream->dnstls_data.validation.size = 16;
+                        }
+                        gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+                 }
+-                gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+         }
+ 
+         gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
+index 85e202ff74..007aedaa5b 100644
+--- a/src/resolve/resolved-dnstls-openssl.c
+++ b/src/resolve/resolved-dnstls-openssl.c
+@@ -6,6 +6,7 @@
+ 
+ #include <openssl/bio.h>
+ #include <openssl/err.h>
+#include <openssl/x509v3.h>
+ 
+ #include "io-util.h"
+ #include "resolved-dns-stream.h"
+@@ -78,13 +79,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+ 
+         if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+                 X509_VERIFY_PARAM *v;
+-                const unsigned char *ip;
+ 
+                 SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
+                 v = SSL_get0_param(s);
+-                ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
+-                if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
+-                        return -ECONNREFUSED;
+                if (server->server_name) {
+                        X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+                        if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
+                                return -ECONNREFUSED;
+                } else {
+                        const unsigned char *ip;
+                        ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
+                        if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
+                                return -ECONNREFUSED;
+                }
+         }
+ 
+         ERR_clear_error();
+-- 
+2.40.1
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index bd66d82932..8b2f47b92f 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
           file://network-fix-Link-reference-counter-issue.patch \
           file://rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch \
           file://rm-rf-optionally-fsync-after-removing-directory-tree.patch \
+           file://CVE-2018-21029.patch \
           file://CVE-2021-3997-1.patch \
           file://CVE-2021-3997-2.patch \
           file://CVE-2021-3997-3.patch \

diff --git a/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch new file mode 100644 index 0000000000..8d3801a248 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
@@ -0,0 +1,120 @@
		1	From 3f9d9289ee8730a81a0464539f4e1ba2d23d0ce9 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
		3	Date: Tue, 3 Mar 2020 23:31:25 +0000
		4	Subject: [PATCH] systemd-resolved: use hostname for certificate validation in
		5	DoT
		6
		7	Widely accepted certificates for IP addresses are expensive and only
		8	affordable for larger organizations. Therefore if the user provides
		9	the hostname in the DNS= option, we should use it instead of the IP
		10	address.
		11
		12	(cherry picked from commit eec394f10bbfcc3d2fc8504ad8ff5be44231abd5)
		13
		14	CVE: CVE-2018-21029
		15	Upstream-Status: Backport [ff26d281aec0877b43269f18c6282cd79a7f5529]
		16	Signed-off-by: Marek Vasut <marex@denx.de>
		17	---
		18	man/resolved.conf.xml \| 16 +++++++++++-----
		19	src/resolve/resolved-dnstls-gnutls.c \| 20 ++++++++++++--------
		20	src/resolve/resolved-dnstls-openssl.c \| 15 +++++++++++----
		21	3 files changed, 34 insertions(+), 17 deletions(-)
		22
		23	diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
		24	index 818000145b..37161ebcbc 100644
		25	--- a/man/resolved.conf.xml
		26	+++ b/man/resolved.conf.xml
		27	@@ -193,11 +193,17 @@
		28	<varlistentry>
		29	<term><varname>DNSOverTLS=</varname></term>
		30	<listitem>
		31	- <para>Takes a boolean argument or <literal>opportunistic</literal>.
		32	- If true all connections to the server will be encrypted. Note that
		33	- this mode requires a DNS server that supports DNS-over-TLS and has
		34	- a valid certificate for it's IP. If the DNS server does not support
		35	- DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal>
		36	+ <para>Takes a boolean argument or <literal>opportunistic</literal>. If
		37	+ true all connections to the server will be encrypted. Note that this
		38	+ mode requires a DNS server that supports DNS-over-TLS and has a valid
		39	+ certificate. If the hostname was specified in <varname>DNS=</varname>
		40	+ by using the format format <literal>address#server_name</literal> it
		41	+ is used to validate its certificate and also to enable Server Name
		42	+ Indication (SNI) when opening a TLS connection. Otherwise
		43	+ the certificate is checked against the server's IP.
		44	+ If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
		45	+
		46	+ <para>When set to <literal>opportunistic</literal>
		47	DNS request are attempted to send encrypted with DNS-over-TLS.
		48	If the DNS server does not support TLS, DNS-over-TLS is disabled.
		49	Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
		50	diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
		51	index ed0a31e8bf..c7215723a7 100644
		52	--- a/src/resolve/resolved-dnstls-gnutls.c
		53	+++ b/src/resolve/resolved-dnstls-gnutls.c
		54	@@ -56,15 +56,19 @@ int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
		55	}
		56
		57	if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
		58	- stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
		59	- if (server->family == AF_INET) {
		60	- stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
		61	- stream->dnstls_data.validation.size = 4;
		62	- } else {
		63	- stream->dnstls_data.validation.data = server->address.in6.s6_addr;
		64	- stream->dnstls_data.validation.size = 16;
		65	+ if (server->server_name)
		66	+ gnutls_session_set_verify_cert(gs, server->server_name, 0);
		67	+ else {
		68	+ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
		69	+ if (server->family == AF_INET) {
		70	+ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
		71	+ stream->dnstls_data.validation.size = 4;
		72	+ } else {
		73	+ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
		74	+ stream->dnstls_data.validation.size = 16;
		75	+ }
		76	+ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
		77	}
		78	- gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
		79	}
		80
		81	gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
		82	diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
		83	index 85e202ff74..007aedaa5b 100644
		84	--- a/src/resolve/resolved-dnstls-openssl.c
		85	+++ b/src/resolve/resolved-dnstls-openssl.c
		86	@@ -6,6 +6,7 @@
		87
		88	#include <openssl/bio.h>
		89	#include <openssl/err.h>
		90	+#include <openssl/x509v3.h>
		91
		92	#include "io-util.h"
		93	#include "resolved-dns-stream.h"
		94	@@ -78,13 +79,19 @@ int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
		95
		96	if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
		97	X509_VERIFY_PARAM *v;
		98	- const unsigned char *ip;
		99
		100	SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
		101	v = SSL_get0_param(s);
		102	- ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
		103	- if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
		104	- return -ECONNREFUSED;
		105	+ if (server->server_name) {
		106	+ X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
		107	+ if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
		108	+ return -ECONNREFUSED;
		109	+ } else {
		110	+ const unsigned char *ip;
		111	+ ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
		112	+ if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
		113	+ return -ECONNREFUSED;
		114	+ }
		115	}
		116
		117	ERR_clear_error();
		118	--
		119	2.40.1
		120


diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb index bd66d82932..8b2f47b92f 100644 --- a/meta/recipes-core/systemd/systemd_244.5.bb +++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
31	file://network-fix-Link-reference-counter-issue.patch \	31	file://network-fix-Link-reference-counter-issue.patch \
32	file://rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch \	32	file://rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch \
33	file://rm-rf-optionally-fsync-after-removing-directory-tree.patch \	33	file://rm-rf-optionally-fsync-after-removing-directory-tree.patch \
		34	file://CVE-2018-21029.patch \
34	file://CVE-2021-3997-1.patch \	35	file://CVE-2021-3997-1.patch \
35	file://CVE-2021-3997-2.patch \	36	file://CVE-2021-3997-2.patch \
36	file://CVE-2021-3997-3.patch \	37	file://CVE-2021-3997-3.patch \