summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2025-10-05 14:38:47 +0200
committerGyorgy Sarvari <skandigraun@gmail.com>2025-10-12 13:08:41 +0200
commit6c5e7ee581567e6dc0abf0aab6f191a007bf10ef (patch)
tree663153cb7631869d62afa021c74a06a3b206b578 /meta-oe
parentbf9fc50ccc870f8caaa87c166535a2922175dd0d (diff)
downloadmeta-openembedded-6c5e7ee581567e6dc0abf0aab6f191a007bf10ef.tar.gz
botan: patch CVE-2022-43705
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43705 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-crypto/botan/botan/0001-add-Certificate_Store_In_Memory-c-tor-that-takes-a-v.patch31
-rw-r--r--meta-oe/recipes-crypto/botan/botan/0002-FIX-intermediates-can-sign-their-own-OCSP-responses.patch36
-rw-r--r--meta-oe/recipes-crypto/botan/botan/0003-FIX-missing-validation-of-authority-of-delegation-re.patch106
-rw-r--r--meta-oe/recipes-crypto/botan/botan/0004-review-comments.patch28
-rw-r--r--meta-oe/recipes-crypto/botan/botan_2.19.1.bb7
5 files changed, 207 insertions, 1 deletions
diff --git a/meta-oe/recipes-crypto/botan/botan/0001-add-Certificate_Store_In_Memory-c-tor-that-takes-a-v.patch b/meta-oe/recipes-crypto/botan/botan/0001-add-Certificate_Store_In_Memory-c-tor-that-takes-a-v.patch
new file mode 100644
index 0000000000..6917015a6e
--- /dev/null
+++ b/meta-oe/recipes-crypto/botan/botan/0001-add-Certificate_Store_In_Memory-c-tor-that-takes-a-v.patch
@@ -0,0 +1,31 @@
1From 6eb071078e35a6a29e3a27fb91d9449b25f1bbcc Mon Sep 17 00:00:00 2001
2From: Rene Meusel <rene.meusel@rohde-schwarz.com>
3Date: Wed, 21 Sep 2022 14:00:26 +0200
4Subject: [PATCH] add Certificate_Store_In_Memory c'tor that takes a vector of
5 certs
6
7CVE: CVE-2022-43705
8Upstream-Status: Backport [https://github.com/randombit/botan/commit/5d8d9fbf75c8b814ea609161bee525d520f5cb57]
9
10Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
11---
12 src/lib/x509/certstor.h | 6 ++++++
13 1 file changed, 6 insertions(+)
14
15diff --git a/src/lib/x509/certstor.h b/src/lib/x509/certstor.h
16index 6901589..165c414 100644
17--- a/src/lib/x509/certstor.h
18+++ b/src/lib/x509/certstor.h
19@@ -95,6 +95,12 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Store_In_Memory final : public Certifica
20 */
21 explicit Certificate_Store_In_Memory(const X509_Certificate& cert);
22
23+ /**
24+ * Adds given certificate list to the store.
25+ */
26+ explicit Certificate_Store_In_Memory(std::vector<std::shared_ptr<const X509_Certificate>> certs)
27+ : m_certs(std::move(certs)) {}
28+
29 /**
30 * Create an empty store.
31 */
diff --git a/meta-oe/recipes-crypto/botan/botan/0002-FIX-intermediates-can-sign-their-own-OCSP-responses.patch b/meta-oe/recipes-crypto/botan/botan/0002-FIX-intermediates-can-sign-their-own-OCSP-responses.patch
new file mode 100644
index 0000000000..f41ee6bd98
--- /dev/null
+++ b/meta-oe/recipes-crypto/botan/botan/0002-FIX-intermediates-can-sign-their-own-OCSP-responses.patch
@@ -0,0 +1,36 @@
1From 48947029f72e2091dfbaaa5e3576d98eb7d6c34e Mon Sep 17 00:00:00 2001
2From: Rene Meusel <rene.meusel@rohde-schwarz.com>
3Date: Tue, 20 Sep 2022 17:20:52 +0200
4Subject: [PATCH] FIX: intermediates can sign their own OCSP responses
5
6Before it was possible that intermediates signed their
7own OCSP responses. I.e a compromised intermediate
8certificate allowed the attacker to sign OCSP responses
9for this very certificate.
10
11CVE: CVE-2022-43705
12Upstream-Status: Backport [https://github.com/randombit/botan/commit/1829ef9d89614da1eacdf511356bdf98a970f5f5]
13
14Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
15---
16 src/lib/x509/x509path.cpp | 7 ++++++-
17 1 file changed, 6 insertions(+), 1 deletion(-)
18
19diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
20index b5cdc27..37de6d8 100644
21--- a/src/lib/x509/x509path.cpp
22+++ b/src/lib/x509/x509path.cpp
23@@ -234,7 +234,12 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer
24 {
25 try
26 {
27- Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path);
28+ // When verifying intermediate certificates we need to truncate the
29+ // cert_path so that the intermediate under investigation becomes the
30+ // last certificate in the chain.
31+ auto ocsp_cert_path = cert_path;
32+ ocsp_cert_path.erase(ocsp_cert_path.begin(), ocsp_cert_path.begin()+i);
33+ Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path);
34
35 if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK)
36 {
diff --git a/meta-oe/recipes-crypto/botan/botan/0003-FIX-missing-validation-of-authority-of-delegation-re.patch b/meta-oe/recipes-crypto/botan/botan/0003-FIX-missing-validation-of-authority-of-delegation-re.patch
new file mode 100644
index 0000000000..aab3775a8e
--- /dev/null
+++ b/meta-oe/recipes-crypto/botan/botan/0003-FIX-missing-validation-of-authority-of-delegation-re.patch
@@ -0,0 +1,106 @@
1From 3f8c9705168518c9b436c23e6d13796d683e5391 Mon Sep 17 00:00:00 2001
2From: Rene Meusel <rene.meusel@rohde-schwarz.com>
3Date: Wed, 21 Sep 2022 14:14:02 +0200
4Subject: [PATCH] FIX: missing validation of authority of delegation responder
5 cert
6
7When a responder does not sign their responses with the same CA that
8issued the certificate in question, they typically add their
9'delegation certificate' as a stapled certificate path to the response.
10So far, these delegation certificates were not checked for their
11legitimate authority to sign responses for the CA.
12
13CVE: CVE-2022-43705
14Upstream-Status: Backport [https://github.com/randombit/botan/commit/991b0159282781f2d5c06ff42a9ff00ee563e96b]
15
16Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
17---
18 src/lib/x509/ocsp.cpp | 68 ++++++++++++++++++++++++++++++++++++++++++-
19 1 file changed, 67 insertions(+), 1 deletion(-)
20
21diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
22index 1ca8232..fc952f6 100644
23--- a/src/lib/x509/ocsp.cpp
24+++ b/src/lib/x509/ocsp.cpp
25@@ -241,7 +241,6 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
26 {
27 for(size_t i = 0; i < m_certs.size(); ++i)
28 {
29- // Check all CA certificates in the (assumed validated) EE cert path
30 if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name)
31 {
32 signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
33@@ -254,6 +253,73 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
34 break;
35 }
36 }
37+
38+ // RFC 6960 4.2.2.2
39+ // OCSP signing delegation SHALL be designated by the inclusion of
40+ // id-kp-OCSPSigning in an extended key usage certificate extension
41+ // included in the OCSP response signer's certificate. This certificate
42+ // MUST be issued directly by the CA that is identified in the request.
43+ //
44+ // The CA SHOULD use the same issuing key to issue a delegation
45+ // certificate as that used to sign the certificate being checked for
46+ // revocation. Systems relying on OCSP responses MUST recognize a
47+ // delegation certificate as being issued by the CA that issued the
48+ // certificate in question only if the delegation certificate and the
49+ // certificate being checked for revocation were signed by the same key.
50+ //
51+ // I.e. it is safe to assume that the certificate's issuer also signed the
52+ // responder's certificate.
53+ //
54+ // Note: The 'SHOULD' in the second paragraph above allows for backward
55+ // compatibility to RFC 2560 that is "strongly discouraged". This
56+ // implementation explicitly _does not_ implement this backward
57+ // compatibility.
58+ if(signing_cert)
59+ {
60+ const auto issuer =
61+ Certificate_Store_In_Memory(ee_cert_path)
62+ .find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id());
63+
64+ // User did not provide the certificate path to verify the delegation
65+ if(!issuer)
66+ {
67+ return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
68+ }
69+
70+ if(!issuer->is_CA_cert())
71+ {
72+ return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
73+ }
74+
75+ // Sub-optimal fix for a vulnerability found in Botan 2.19.2 and older.
76+ //
77+ // This certificate validation is incomplete. Missing checks:
78+ // * validity check against the reference time
79+ // * revocation status check of the responder certificate
80+ // * certificate extension validations
81+ // * ... potentially more
82+ //
83+ // A more comprehensive validation will be introduced with Botan 3.0
84+ try
85+ {
86+ const auto issuer_pubkey = issuer->load_subject_public_key();
87+ const auto sig = signing_cert->verify_signature(*issuer_pubkey);
88+
89+ if(sig != Certificate_Status_Code::VERIFIED)
90+ {
91+ return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
92+ }
93+
94+ if(!signing_cert->has_ex_constraint(OID::from_string("PKIX.OCSPSigning")))
95+ {
96+ return Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE;
97+ }
98+ }
99+ catch(const Exception& ex)
100+ {
101+ return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
102+ }
103+ }
104 }
105
106 if(!signing_cert)
diff --git a/meta-oe/recipes-crypto/botan/botan/0004-review-comments.patch b/meta-oe/recipes-crypto/botan/botan/0004-review-comments.patch
new file mode 100644
index 0000000000..5fed88df9e
--- /dev/null
+++ b/meta-oe/recipes-crypto/botan/botan/0004-review-comments.patch
@@ -0,0 +1,28 @@
1From 18e7dc2e81429e1ac4e69cbe0b530bf707d38d94 Mon Sep 17 00:00:00 2001
2From: Rene Meusel <rene.meusel@rohde-schwarz.com>
3Date: Thu, 3 Nov 2022 09:27:20 +0100
4Subject: [PATCH] review comments
5
6CVE: CVE-2022-43705
7Upstream-Status: Backport [https://github.com/randombit/botan/commit/a33689613127f319c0047fb96f092de16e7cb350]
8
9Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
10---
11 src/lib/x509/x509path.cpp | 3 +--
12 src/tests/test_x509_path.cpp | 12 +++++-------
13 2 files changed, 6 insertions(+), 9 deletions(-)
14
15diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
16index 37de6d8..6f3159a 100644
17--- a/src/lib/x509/x509path.cpp
18+++ b/src/lib/x509/x509path.cpp
19@@ -237,8 +237,7 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer
20 // When verifying intermediate certificates we need to truncate the
21 // cert_path so that the intermediate under investigation becomes the
22 // last certificate in the chain.
23- auto ocsp_cert_path = cert_path;
24- ocsp_cert_path.erase(ocsp_cert_path.begin(), ocsp_cert_path.begin()+i);
25+ std::vector<std::shared_ptr<const X509_Certificate>> ocsp_cert_path(cert_path.begin() + i, cert_path.end());
26 Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path);
27
28 if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK)
diff --git a/meta-oe/recipes-crypto/botan/botan_2.19.1.bb b/meta-oe/recipes-crypto/botan/botan_2.19.1.bb
index 4b072fc5dc..6477da4dbf 100644
--- a/meta-oe/recipes-crypto/botan/botan_2.19.1.bb
+++ b/meta-oe/recipes-crypto/botan/botan_2.19.1.bb
@@ -4,7 +4,12 @@ LICENSE = "BSD-2-Clause"
4LIC_FILES_CHKSUM = "file://license.txt;md5=f4ce98476c07c34e1793daa036960fad" 4LIC_FILES_CHKSUM = "file://license.txt;md5=f4ce98476c07c34e1793daa036960fad"
5SECTION = "libs" 5SECTION = "libs"
6 6
7SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz" 7SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \
8 file://0001-add-Certificate_Store_In_Memory-c-tor-that-takes-a-v.patch \
9 file://0002-FIX-intermediates-can-sign-their-own-OCSP-responses.patch \
10 file://0003-FIX-missing-validation-of-authority-of-delegation-re.patch \
11 file://0004-review-comments.patch \
12 "
8SRC_URI[sha256sum] = "e26e00cfefda64082afdd540d3c537924f645d6a674afed2cd171005deff5560" 13SRC_URI[sha256sum] = "e26e00cfefda64082afdd540d3c537924f645d6a674afed2cd171005deff5560"
9 14
10S = "${WORKDIR}/Botan-${PV}" 15S = "${WORKDIR}/Botan-${PV}"