Diffstat (limited to 'meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch | 184 |
1 files changed, 184 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
new file mode 100644
index 0000000000..49c4531a9b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch | |||
@@ -0,0 +1,184 @@ | |||
1 | From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Thu, 11 Jan 2024 15:45:11 +0900 | ||
4 | Subject: [PATCH] x509: detect loop in certificate chain | ||
5 | |||
6 | There can be a loop in a certificate chain, when multiple CA | ||
7 | certificates are cross-signed with each other, such as A → B, B → C, | ||
8 | and C → A. Previously, the verification logic was not capable of | ||
9 | handling this scenario while sorting the certificates in the chain in | ||
10 | _gnutls_sort_clist, resulting in an assertion failure. This patch | ||
11 | properly detects such loop and aborts further processing in a graceful | ||
12 | manner. | ||
13 | |||
14 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
15 | |||
16 | Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405] | ||
17 | CVE: CVE-2024-0567 | ||
18 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
19 | --- | ||
20 | lib/x509/common.c | 4 ++ | ||
21 | tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++ | ||
22 | 2 files changed, 129 insertions(+) | ||
23 | |||
24 | diff --git a/lib/x509/common.c b/lib/x509/common.c | ||
25 | index fad9da5..6367b03 100644 | ||
26 | --- a/lib/x509/common.c | ||
27 | +++ b/lib/x509/common.c | ||
28 | @@ -1790,6 +1790,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, | ||
29 | break; | ||
30 | } | ||
31 | |||
32 | + if (insorted[prev]) { /* loop detected */ | ||
33 | + break; | ||
34 | + } | ||
35 | + | ||
36 | sorted[i] = clist[prev]; | ||
37 | insorted[prev] = 1; | ||
38 | } | ||
39 | diff --git a/tests/test-chains.h b/tests/test-chains.h | ||
40 | index dd7ccf0..09a5461 100644 | ||
41 | --- a/tests/test-chains.h | ||
42 | +++ b/tests/test-chains.h | ||
43 | @@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = { | ||
44 | NULL | ||
45 | }; | ||
46 | |||
47 | +static const char *cross_signed[] = { | ||
48 | + /* server (signed by A1) */ | ||
49 | + "-----BEGIN CERTIFICATE-----\n" | ||
50 | + "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n" | ||
51 | + "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n" | ||
52 | + "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n" | ||
53 | + "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n" | ||
54 | + "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n" | ||
55 | + "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n" | ||
56 | + "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n" | ||
57 | + "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n" | ||
58 | + "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n" | ||
59 | + "-----END CERTIFICATE-----\n", | ||
60 | + /* A1 (signed by A) */ | ||
61 | + "-----BEGIN CERTIFICATE-----\n" | ||
62 | + "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n" | ||
63 | + "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n" | ||
64 | + "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n" | ||
65 | + "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n" | ||
66 | + "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n" | ||
67 | + "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n" | ||
68 | + "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n" | ||
69 | + "TLVBHvUJ\n" | ||
70 | + "-----END CERTIFICATE-----\n", | ||
71 | + /* A (signed by B) */ | ||
72 | + "-----BEGIN CERTIFICATE-----\n" | ||
73 | + "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n" | ||
74 | + "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
75 | + "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n" | ||
76 | + "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
77 | + "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n" | ||
78 | + "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n" | ||
79 | + "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n" | ||
80 | + "-----END CERTIFICATE-----\n", | ||
81 | + /* A (signed by C) */ | ||
82 | + "-----BEGIN CERTIFICATE-----\n" | ||
83 | + "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n" | ||
84 | + "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
85 | + "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n" | ||
86 | + "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
87 | + "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n" | ||
88 | + "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n" | ||
89 | + "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n" | ||
90 | + "-----END CERTIFICATE-----\n", | ||
91 | + /* B1 (signed by B) */ | ||
92 | + "-----BEGIN CERTIFICATE-----\n" | ||
93 | + "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n" | ||
94 | + "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n" | ||
95 | + "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n" | ||
96 | + "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n" | ||
97 | + "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n" | ||
98 | + "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n" | ||
99 | + "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n" | ||
100 | + "/e+0cgQB\n" | ||
101 | + "-----END CERTIFICATE-----\n", | ||
102 | + /* B (signed by A) */ | ||
103 | + "-----BEGIN CERTIFICATE-----\n" | ||
104 | + "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n" | ||
105 | + "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
106 | + "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n" | ||
107 | + "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
108 | + "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n" | ||
109 | + "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n" | ||
110 | + "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n" | ||
111 | + "-----END CERTIFICATE-----\n", | ||
112 | + /* B (signed by C) */ | ||
113 | + "-----BEGIN CERTIFICATE-----\n" | ||
114 | + "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n" | ||
115 | + "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
116 | + "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n" | ||
117 | + "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
118 | + "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n" | ||
119 | + "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n" | ||
120 | + "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n" | ||
121 | + "-----END CERTIFICATE-----\n", | ||
122 | + /* C1 (signed by C) */ | ||
123 | + "-----BEGIN CERTIFICATE-----\n" | ||
124 | + "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n" | ||
125 | + "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n" | ||
126 | + "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n" | ||
127 | + "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n" | ||
128 | + "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n" | ||
129 | + "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n" | ||
130 | + "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n" | ||
131 | + "725XUUYO\n" | ||
132 | + "-----END CERTIFICATE-----\n", | ||
133 | + /* C (signed by A) */ | ||
134 | + "-----BEGIN CERTIFICATE-----\n" | ||
135 | + "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n" | ||
136 | + "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
137 | + "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n" | ||
138 | + "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
139 | + "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n" | ||
140 | + "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n" | ||
141 | + "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n" | ||
142 | + "-----END CERTIFICATE-----\n", | ||
143 | + /* C (signed by B) */ | ||
144 | + "-----BEGIN CERTIFICATE-----\n" | ||
145 | + "MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n" | ||
146 | + "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
147 | + "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n" | ||
148 | + "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
149 | + "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n" | ||
150 | + "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n" | ||
151 | + "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n" | ||
152 | + "-----END CERTIFICATE-----\n", | ||
153 | + NULL | ||
154 | +}; | ||
155 | + | ||
156 | +static const char *cross_signed_ca[] = { | ||
157 | + /* A (self-signed) */ | ||
158 | + "-----BEGIN CERTIFICATE-----\n" | ||
159 | + "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n" | ||
160 | + "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n" | ||
161 | + "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n" | ||
162 | + "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" | ||
163 | + "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n" | ||
164 | + "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n" | ||
165 | + "bDeZ2XJH+BdVFwg=\n" | ||
166 | + "-----END CERTIFICATE-----\n", | ||
167 | + NULL | ||
168 | +}; | ||
169 | + | ||
170 | #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) | ||
171 | # pragma GCC diagnostic push | ||
172 | # pragma GCC diagnostic ignored "-Wunused-variable" | ||
173 | @@ -4442,6 +4565,8 @@ static struct | ||
174 | rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca, | ||
175 | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), | ||
176 | GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1}, | ||
177 | + { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, | ||
178 | + 1704955300 }, | ||
179 | { NULL, NULL, NULL, 0, 0} | ||
180 | }; | ||
181 | |||
182 | -- | ||
183 | 2.25.1 | ||
184 | |||
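Review bot: The PEM blob under `/* A (signed by C) */` in the new `cross_signed[]` fixture is a byte-for-byte duplicate of the one under `/* B (signed by C) */` (same serial `AhReNpCiVn7e…`, same issuer, and its subject DN decodes to `Root B` via `Um9vdCBC`, not `Root A`), so the A-issued-by-C cross-certificate the comment promises is not actually in the chain and the label is wrong. The A→B→C→A loop the commit message describes is still present through `A (signed by B)`, `B (signed by C)` and `C (signed by A)`, so the test should still reach the previously-asserting path, but the fixture is weaker than labeled; as this is a verbatim upstream backport the right place to fix it is probably upstream, not by diverging this patch. `_gnutls_sort_clist`, whose body gains the `if (insorted[prev]) { /* loop detected */ break; }` guard, starts and ends outside the hunk, so what the caller receives after that early `break` (the returned count versus a partially filled `sorted[]`) cannot be judged from this view and is worth checking against the full function. This diffstat is limited to the `.patch` file itself; confirm the same commit also appends `file://CVE-2024-0567.patch` to the gnutls recipe's `SRC_URI`, otherwise the backport is never applied to the build.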