Diffstat (limited to 'meta/recipes-support/gnutls')
10 files changed, 925 insertions, 1 deletions
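--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,67 @@
+From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:32 +0100
+Subject: [PATCH] key_share: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20231
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+lib/ext/key_share.c | 12 +++++-------
+1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index ab8abf8fe6..a8c4bb5cff 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
+{
+unsigned i;
+int ret;
+- unsigned char *lengthp;
+- unsigned int cur_length;
+unsigned int generated = 0;
+const gnutls_group_entry_st *group;
+const version_entry_st *ver;
+
+/* this extension is only being sent on client side */
+if (session->security_parameters.entity == GNUTLS_CLIENT) {
++ unsigned int length_pos;
++
+ver = _gnutls_version_max(session);
+if (unlikely(ver == NULL || ver->key_shares == 0))
+return 0;
+@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
+if (!have_creds_for_tls13(session))
+return 0;
+
+- /* write the total length later */
+- lengthp = &extdata->data[extdata->length];
++ length_pos = extdata->length;
+
+ret =
+_gnutls_buffer_append_prefix(extdata, 16, 0);
+if (ret < 0)
+return gnutls_assert_val(ret);
+
+- cur_length = extdata->length;
+-
+if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
+group = get_group(session);
+if (unlikely(group == NULL))
+@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
+}
+
+/* copy actual length */
+- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
++ _gnutls_write_uint16(extdata->length - length_pos - 2,
++ &extdata->data[length_pos]);
+
+} else { /* server */
+ver = get_version(session);
+--
+GitLab
+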
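Review bot: The `CVE:` trailer in this patch header is malformed: it reads `CVE: CVE-2021-CVE-2021-20231`, and CVE-2021-20232.patch carries the same doubled prefix. Tooling that reads the trailer to decide whether a CVE is patched may not recognise this form, leaving the file name as the only marker that the issue is fixed. The trailers should read `CVE: CVE-2021-20231` and `CVE: CVE-2021-20232`. In the code itself, `length_pos` is `unsigned int` while it stores `extdata->length`; the type of that field is not visible in the hunk, so confirm the two agree.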
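--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
@@ -0,0 +1,65 @@
+From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:50 +0100
+Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20232
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+lib/ext/pre_shared_key.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index a042c6488e..380bf39ed5 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
+size_t spos;
+gnutls_datum_t username = {NULL, 0};
+gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
+- gnutls_datum_t client_hello;
++ unsigned client_hello_len;
+unsigned next_idx;
+const mac_entry_st *prf_res = NULL;
+const mac_entry_st *prf_psk = NULL;
+@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
+assert(extdata->length >= sizeof(mbuffer_st));
+assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
+ext_offset -= sizeof(mbuffer_st);
+- client_hello.data = extdata->data+sizeof(mbuffer_st);
+- client_hello.size = extdata->length-sizeof(mbuffer_st);
++ client_hello_len = extdata->length-sizeof(mbuffer_st);
+
+next_idx = 0;
+
+@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
+}
+
+if (prf_res && rkey.size > 0) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ret = compute_psk_binder(session, prf_res,
+binders_len, binders_pos,
+ext_offset, &rkey, &client_hello, 1,
+@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
+}
+
+if (prf_psk && user_key.size > 0 && info) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ret = compute_psk_binder(session, prf_psk,
+binders_len, binders_pos,
+ext_offset, &user_key, &client_hello, 0,
+--
+GitLab
+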
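Review bot: Nothing at the two new `client_hello` blocks says why `client_hello.data` is taken from `extdata->data` immediately before each `compute_psk_binder()` call rather than once up front, so a later cleanup could hoist it back and reintroduce the stale pointer. A one-line comment in each block would pin the intent, e.g. `/* take the pointer here: extdata->data may have been reallocated since client_hello_len was computed */`. Separately, `client_hello_len` is `unsigned` but receives `extdata->length-sizeof(mbuffer_st)`; the only guard against underflow visible in the hunk is an `assert`, which presumably compiles out under NDEBUG. client_send_params starts and ends outside the hunks shown.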
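--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
@@ -0,0 +1,37 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
+Upstream-Status: Backport
+CVE: CVE-2021-4209
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+lib/nettle/mac.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+if (ret < 0)
+return gnutls_assert_val(ret);
+
+- ctx.update(&ctx, text_size, text);
++ if (text_size > 0) {
++ ctx.update(&ctx, text_size, text);
++ }
+ctx.digest(&ctx, ctx.length, digest);
+
+return 0;
+--
+GitLab
+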
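Review bot: The new `if (text_size > 0)` guard in wrap_nettle_hash_fast has no comment, and the reason for it lives only in the commit message. A short comment above it would keep the guard from being removed as redundant: `/* nettle's update calls memcpy; skip it for empty input, where text may be NULL */`. The "may be NULL" part is inferred from the commit message's mention of undefined behaviour, so check the wording against the callers. The function starts outside the hunk.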
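--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
@@ -0,0 +1,282 @@
+From 9835638d4e1f37781a47e777c76d5bb14218929b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 12:23:14 +0530
+Subject: [PATCH] CVE-2022-2509
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2]
+CVE: CVE-2022-2509
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+NEWS | 4 +
+lib/x509/pkcs7.c | 3 +-
+tests/Makefile.am | 2 +-
+tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
+4 files changed, 222 insertions(+), 2 deletions(-)
+create mode 100644 tests/pkcs7-verify-double-free.c
+
+diff --git a/NEWS b/NEWS
+index 755a67c..ba70bb3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ See the end for copying conditions.
+
+* Version 3.6.14 (released 2020-06-03)
+
++** libgnutls: Fixed double free during verification of pkcs7 signatures.
++ Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium]
++ [CVE-2022-2509]
++
+** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+The TLS server would not bind the session ticket encryption key with a
+value supplied by the application until the initial key rotation, allowing
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 98669e8..ccbc69d 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
+issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+
+if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+- if (prev) gnutls_x509_crt_deinit(prev);
++ if (prev && prev != signer)
++ gnutls_x509_crt_deinit(prev);
+prev = issuer;
+break;
+}
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 11a083c..cd43a0f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -219,7 +219,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
+sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
+tls13-without-timeout-func buffer status-request-revoked \
+- set_x509_ocsp_multi_cli kdf-api keylog-func \
++ set_x509_ocsp_multi_cli kdf-api keylog-func pkcs7-verify-double-free \
+dtls_hello_random_value tls_hello_random_value x509cert-dntypes
+
+if HAVE_SECCOMP_TESTS
+diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
+new file mode 100644
+index 0000000..fadf307
+--- /dev/null
++++ b/tests/pkcs7-verify-double-free.c
+@@ -0,0 +1,215 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Zoltan Fridrich
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <gnutls/pkcs7.h>
++#include <gnutls/x509.h>
++
++#include "utils.h"
++
++static char rca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
++ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
++ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
++ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
++ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
++ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
++ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
++ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
++ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
++ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
++ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
++ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
++ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
++ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
++ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
++ "LirBWjg89RoAjFQ7bTE=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
++ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
++ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
++ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
++ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
++ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
++ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
++ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
++ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
++ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
++ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
++ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
++ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
++ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ee_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
++ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
++ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
++ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
++ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
++ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
++ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
++ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
++ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
++ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
++ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
++ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
++ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
++ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
++ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
++ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char msg_pem[] =
++ "-----BEGIN PKCS7-----\n"
++ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
++ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
++ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
++ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
++ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
++ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
++ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
++ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
++ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
++ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
++ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
++ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
++ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
++ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
++ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
++ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
++ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
++ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
++ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
++ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
++ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
++ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
++ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
++ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
++ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
++ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
++ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
++ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
++ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
++ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
++ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
++ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
++ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
++ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
++ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
++ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
++ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
++ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
++ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
++ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
++ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
++ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
++ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
++ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
++ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
++ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
++ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
++ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
++ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
++ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
++ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
++ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
++ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
++ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
++ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
++ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
++ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
++ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
++ "-----END PKCS7-----\n";
++
++const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
++const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
++const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
++const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "%s |<%d>| %s", "err", level, str);
++}
++
++#define CHECK(X)\
++{\
++ r = X;\
++ if (r < 0)\
++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
++}\
++
++void doit(void)
++{
++ int r;
++ gnutls_x509_crt_t rca_cert = NULL;
++ gnutls_x509_crt_t ca_cert = NULL;
++ gnutls_x509_crt_t ee_cert = NULL;
++ gnutls_x509_trust_list_t tlist = NULL;
++ gnutls_pkcs7_t pkcs7 = NULL;
++ gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
++
++ if (debug) {
++ gnutls_global_set_log_function(tls_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ // Import certificates
++ CHECK(gnutls_x509_crt_init(&rca_cert));
++ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ca_cert));
++ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ee_cert));
++ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
++
++ // Setup trust store
++ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
++
++ // Setup pkcs7 structure
++ CHECK(gnutls_pkcs7_init(&pkcs7));
++ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
++
++ // Signature verification
++ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
++
++ gnutls_x509_crt_deinit(rca_cert);
++ gnutls_x509_crt_deinit(ca_cert);
++ gnutls_x509_crt_deinit(ee_cert);
++ gnutls_x509_trust_list_deinit(tlist, 0);
++ gnutls_pkcs7_deinit(pkcs7);
++}
+--
+2.25.1
+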
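Review bot: In tests/pkcs7-verify-double-free.c, `doit()` calls `gnutls_pkcs7_verify(...)` outside `CHECK` and drops the result, so the test can only fail if the double free actually aborts the process; on a build whose allocator or sanitizer does not trap it, a regression in `find_signer` might pass unnoticed. If ignoring the result is intended, say so at the call: `/* result ignored on purpose: the test passes if verification returns without a double free */`. The `CHECK` macro is a bare brace block with a trailing backslash after its closing brace; `do { ... } while (0)` is the usual form. The subject `[PATCH] CVE-2022-2509` does not describe the change; the NEWS wording ("Fixed double free during verification of pkcs7 signatures") would serve.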
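--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
+From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH] auth/rsa: side-step potential side-channel
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
+https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
+CVE: CVE-2023-0361
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+lib/auth/rsa.c | 30 +++---------------------------
+1 file changed, 3 insertions(+), 27 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee8..858701f 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -155,13 +155,10 @@ static int
+proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+size_t _data_size)
+{
+- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+gnutls_datum_t ciphertext;
+int ret, dsize;
+ssize_t data_size = _data_size;
+volatile uint8_t ver_maj, ver_min;
+- volatile uint8_t check_ver_min;
+- volatile uint32_t ok;
+
+#ifdef ENABLE_SSL3
+if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+
+ver_maj = _gnutls_get_adv_version_major(session);
+ver_min = _gnutls_get_adv_version_minor(session);
+- check_ver_min = (session->internals.allow_wrong_pms == 0);
+
+session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+if (session->key.key.data == NULL) {
+@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+return ret;
+}
+
+- ret =
+- gnutls_privkey_decrypt_data2(session->internals.selected_key,
+- 0, &ciphertext, session->key.key.data,
+- session->key.key.size);
++ gnutls_privkey_decrypt_data2(session->internals.selected_key,
++ 0, &ciphertext, session->key.key.data,
++ session->key.key.size);
+/* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+* channel that can be used as an oracle, so treat very carefully */
+@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+*/
+
+- /* ok is 0 in case of error and 1 in case of success. */
+-
+- /* if ret < 0 */
+- ok = CONSTCHECK_EQUAL(ret, 0);
+- /* session->key.key.data[0] must equal ver_maj */
+- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+- if (ok) {
+- /* call logging function unconditionally so all branches are
+- * indistinguishable for timing and cache access when debug
+- * logging is disabled */
+- _gnutls_no_log("%s", attack_error);
+- } else {
+- _gnutls_debug_log("%s", attack_error);
+- }
+-
+/* This is here to avoid the version check attack
+* discussed above.
+*/
+--
+2.25.1
+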
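Review bot: The call to `gnutls_privkey_decrypt_data2(...)` in proc_rsa_client_kx now discards its return value with nothing marking that as deliberate, and the comment after it warns about conditionals on failure without saying the result is no longer read. A later reviewer or static analyser is likely to flag the unchecked call and re-add a branch on it, which is exactly what this change removes. I would put `/* return value deliberately ignored: branching on decryption failure would act as an oracle */` above the call and cast the call to `(void)`. Whether `ret` is still used later in the function, and how `session->key.key.data` is filled when decryption fails, lies outside the hunks shown.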
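--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
+Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/auth/rsa.c | 2 +-
+lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
+lib/gnutls_int.h | 4 ---
+lib/priority.c | 1 -
+4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+session->key.key.size);
+/* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+- * channel that can be used as an oracle, so treat very carefully */
++ * channel that can be used as an oracle, so tread carefully */
+
+/* Error handling logic:
+* In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+{
+gnutls_datum_t username;
+psk_auth_info_t info;
+- gnutls_datum_t plaintext;
+gnutls_datum_t ciphertext;
+gnutls_datum_t pwd_psk = { NULL, 0 };
+int ret, dsize;
+- int randomize_key = 0;
+ssize_t data_size = _data_size;
+gnutls_psk_server_credentials_t cred;
+gnutls_datum_t premaster_secret = { NULL, 0 };
++ volatile uint8_t ver_maj, ver_min;
+
+cred = (gnutls_psk_server_credentials_t)
+_gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+}
+ciphertext.size = dsize;
+
+- ret =
+- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+- &ciphertext, &plaintext);
+- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+- /* In case decryption fails then don't inform
+- * the peer. Just use a random key. (in order to avoid
+- * attack against pkcs-1 formatting).
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+- if (ret >= 0) {
+- gnutls_free(plaintext.data);
+- }
+- randomize_key = 1;
+- } else {
+- /* If the secret was properly formatted, then
+- * check the version number.
+- */
+- if (_gnutls_get_adv_version_major(session) !=
+- plaintext.data[0]
+- || (session->internals.allow_wrong_pms == 0
+- && _gnutls_get_adv_version_minor(session) !=
+- plaintext.data[1])) {
+- /* No error is returned here, if the version number check
+- * fails. We proceed normally.
+- * That is to defend against the attack described in the paper
+- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+- * Ondej Pokorny and Tomas Rosa.
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa: Possible PKCS #1 version check format attack\n");
+- }
+- }
++ ver_maj = _gnutls_get_adv_version_major(session);
++ ver_min = _gnutls_get_adv_version_minor(session);
+
++ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
++ if (premaster_secret.data == NULL) {
++ gnutls_assert();
++ return GNUTLS_E_MEMORY_ERROR;
++ }
++ premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+- if (randomize_key != 0) {
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+- premaster_secret.data =
+- gnutls_malloc(premaster_secret.size);
+- if (premaster_secret.data == NULL) {
+- gnutls_assert();
+- return GNUTLS_E_MEMORY_ERROR;
+- }
+-
+- /* we do not need strong random numbers here.
+- */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+- } else {
+- premaster_secret.data = plaintext.data;
+- premaster_secret.size = plaintext.size;
++ /* Fallback value when decryption fails. Needs to be unpredictable. */
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++ premaster_secret.size);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+}
+
++ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
++ &ciphertext, premaster_secret.data,
++ premaster_secret.size);
++ /* After this point, any conditional on failure that cause differences
++ * in execution may create a timing or cache access pattern side
++ * channel that can be used as an oracle, so tread carefully */
++
++ /* Error handling logic:
++ * In case decryption fails then don't inform the peer. Just use the
++ * random key previously generated. (in order to avoid attack against
++ * pkcs-1 formatting).
++ *
++ * If we get version mismatches no error is returned either. We
++ * proceed normally. This is to defend against the attack described
++ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
++ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
++ */
++
+/* This is here to avoid the version check attack
+* discussed above.
+*/
+-
+- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
++ premaster_secret.data[0] = ver_maj;
++ premaster_secret.data[1] = ver_min;
+
+/* find the key of this username
+*/
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -989,7 +989,6 @@ struct gnutls_priority_st {
+bool _no_etm;
+bool _no_ext_master_secret;
+bool _allow_key_usage_violation;
+- bool _allow_wrong_pms;
+bool _dumbfw;
+unsigned int _dh_prime_bits; /* old (deprecated) variable */
+
+@@ -1007,7 +1006,6 @@ struct gnutls_priority_st {
+(x)->no_etm = 1; \
+(x)->no_ext_master_secret = 1; \
+(x)->allow_key_usage_violation = 1; \
+- (x)->allow_wrong_pms = 1; \
+(x)->dumbfw = 1
+
+#define ENABLE_PRIO_COMPAT(x) \
+@@ -1016,7 +1014,6 @@ struct gnutls_priority_st {
+(x)->_no_etm = 1; \
+(x)->_no_ext_master_secret = 1; \
+(x)->_allow_key_usage_violation = 1; \
+- (x)->_allow_wrong_pms = 1; \
+(x)->_dumbfw = 1
+
+/* DH and RSA parameters types.
+@@ -1141,7 +1138,6 @@ typedef struct {
+bool no_etm;
+bool no_ext_master_secret;
+bool allow_key_usage_violation;
+- bool allow_wrong_pms;
+bool dumbfw;
+
+/* old (deprecated) variable. This is used for both srp_prime_bits
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses
+COPY_TO_INTERNALS(no_etm);
+COPY_TO_INTERNALS(no_ext_master_secret);
+COPY_TO_INTERNALS(allow_key_usage_violation);
+- COPY_TO_INTERNALS(allow_wrong_pms);
+COPY_TO_INTERNALS(dumbfw);
+COPY_TO_INTERNALS(dh_prime_bits);
+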
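--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption. This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+int ret, dsize;
+ssize_t data_size = _data_size;
+gnutls_psk_server_credentials_t cred;
+- gnutls_datum_t premaster_secret = { NULL, 0 };
+volatile uint8_t ver_maj, ver_min;
+
+cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ver_maj = _gnutls_get_adv_version_major(session);
+ver_min = _gnutls_get_adv_version_minor(session);
+
+- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+- if (premaster_secret.data == NULL) {
++ /* Find the key of this username. A random value will be
++ * filled in if the key is not found.
++ */
++ ret = _gnutls_psk_pwd_find_entry(session, info->username,
++ strlen(info->username), &pwd_psk);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++
++ /* Allocate memory for premaster secret, and fill in the
++ * fields except the decryption result.
++ */
++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++ session->key.key.data = gnutls_malloc(session->key.key.size);
++ if (session->key.key.data == NULL) {
+gnutls_assert();
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
+return GNUTLS_E_MEMORY_ERROR;
+}
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+/* Fallback value when decryption fails. Needs to be unpredictable. */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+if (ret < 0) {
+gnutls_assert();
+- goto cleanup;
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
++ return ret;
+}
+
++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++ _gnutls_write_uint16(pwd_psk.size,
++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++ pwd_psk.size);
++ _gnutls_free_key_datum(&pwd_psk);
++
+gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+- &ciphertext, premaster_secret.data,
+- premaster_secret.size);
++ &ciphertext, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+/* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+* channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+/* This is here to avoid the version check attack
+* discussed above.
+*/
+- premaster_secret.data[0] = ver_maj;
+- premaster_secret.data[1] = ver_min;
++ session->key.key.data[2] = ver_maj;
++ session->key.key.data[3] = ver_min;
+
+- /* find the key of this username
+- */
+- ret =
+- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret =
+- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = 0;
+- cleanup:
+- _gnutls_free_key_datum(&pwd_psk);
+- _gnutls_free_temp_key_datum(&premaster_secret);
+-
+- return ret;
++ return 0;
+}
+
+static int
+--
+2.25.1
+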
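Review bot: `_gnutls_write_uint16(pwd_psk.size, ...)` records the PSK length in a 16-bit field, while the allocation and the `memcpy` around it use the full `pwd_psk.size`, so a key longer than 65535 bytes would leave the length prefix disagreeing with the bytes actually copied. Whether `_gnutls_psk_pwd_find_entry` already caps the size is not visible here; if it does not, a guard placed before the allocation keeps the layout consistent: `if (pwd_psk.size > 0xFFFF) { _gnutls_free_key_datum(&pwd_psk); return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); }`. The check depends only on the stored key and runs before `gnutls_privkey_decrypt_data2`, so it adds no branch on the decryption result. `_gnutls_proc_rsa_psk_client_kx` starts outside the hunks of this patch.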
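--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -1,5 +1,7 @@
 SUMMARY = "GNU Transport Layer Security Library"
-HOMEPAGE = "http://www.gnu.org/software/gnutls/"
+DESCRIPTION = "a secure communications library implementing the SSL, \
+TLS and DTLS protocols and technologies around them."
+HOMEPAGE = "https://gnutls.org/"
 BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
 
 LICENSE = "GPLv3+ & LGPLv2.1+"
@@ -21,6 +23,13 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://arm_eabi.patch \
 file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
 file://CVE-2020-24659.patch \
+file://CVE-2021-20231.patch \
+file://CVE-2021-20232.patch \
+file://CVE-2022-2509.patch \
+file://CVE-2021-4209.patch \
+file://CVE-2023-0361.patch \
+file://CVE-2023-5981.patch \
+file://CVE-2024-0553.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"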
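Review bot: The order of the new SRC_URI entries is load-bearing and the recipe does not say so. CVE-2024-0553.patch removes the `premaster_secret` allocation that CVE-2023-5981.patch adds, and CVE-2023-5981.patch in turn rewrites a comment in lib/auth/rsa.c that CVE-2023-0361.patch carries as context, so the three appear to apply only in this sequence. A comment above the assignment, which starts outside this hunk, would keep a later cleanup from reordering or dropping one of them: `# CVE-2023-0361, CVE-2023-5981 and CVE-2024-0553 are stacked; keep them in this order`.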
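--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch
@@ -0,0 +1,45 @@
+From 22fd12b290adea788122044cb58dc9e77754644f Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 17 Nov 2022 12:07:50 +0530
+Subject: [PATCH] CVE-2021-46848
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5]
+CVE: CVE-2021-46848
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+Fix ETYPE_OK off by one array size check.
+---
+NEWS | 4 ++++
+lib/int.h | 2 +-
+2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index f042481..d8f684e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+GNU Libtasn1 NEWS -*- outline -*-
+
++* Noteworthy changes in release ?.? (????-??-??) [?]
++- Fix ETYPE_OK out of bounds read. Closes: #32.
++- Update gnulib files and various maintenance fixes.
++
+* Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
+- asn1_decode_simple_ber: added support for constructed definite
+octet strings. This allows this function decode the whole set of
+diff --git a/lib/int.h b/lib/int.h
+index ea16257..c877282 100644
+--- a/lib/int.h
++++ b/lib/int.h
+@@ -97,7 +97,7 @@ typedef struct tag_and_class_st
+#define ETYPE_TAG(etype) (_asn1_tags[etype].tag)
+#define ETYPE_CLASS(etype) (_asn1_tags[etype].class)
+#define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \
+- (etype) <= _asn1_tags_size && \
++ (etype) < _asn1_tags_size && \
+_asn1_tags[(etype)].desc != NULL)?1:0)
+
+#define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \
+--
+2.25.1
+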
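Review bot: `ETYPE_TAG` and `ETYPE_CLASS`, the two context lines directly above the fixed `ETYPE_OK` in lib/int.h, index `_asn1_tags[etype]` with no bounds check of their own, so the corrected `(etype) < _asn1_tags_size` test only protects callers that run `ETYPE_OK` first. The call sites are outside this hunk, so that cannot be confirmed from here; a comment on the pair would record the contract, for example `/* etype must already have passed ETYPE_OK() */`. `ETYPE_OK` also expands `etype` three times, so an argument with side effects would be evaluated more than once.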
diff --git a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb index 8337b70241..d2b3c492ec 100644 --- a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb +++ b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Library for ASN.1 and DER manipulation" | 1 | SUMMARY = "Library for ASN.1 and DER manipulation" |
2 | DESCRIPTION = "A highly portable C library that encodes and decodes \ | ||
3 | DER/BER data following an ASN.1 schema. " | ||
2 | HOMEPAGE = "http://www.gnu.org/software/libtasn1/" | 4 | HOMEPAGE = "http://www.gnu.org/software/libtasn1/" |
3 | 5 | ||
4 | LICENSE = "GPLv3+ & LGPLv2.1+" | 6 | LICENSE = "GPLv3+ & LGPLv2.1+" |
@@ -10,6 +12,7 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \ | |||
10 | 12 | ||
11 | SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ | 13 | SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ |
12 | file://dont-depend-on-help2man.patch \ | 14 | file://dont-depend-on-help2man.patch \ |
15 | file://CVE-2021-46848.patch \ | ||
13 | " | 16 | " |
14 | 17 | ||
15 | DEPENDS = "bison-native" | 18 | DEPENDS = "bison-native" |