gnutls: fix CVE-2024-28835

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. (From OE-Core rev: e63819fbabbde3d12df06ae302da70ab990df26d) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-04-19 14:11:00 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-05-02 06:21:09 -0700
commit: 43b8c2ab9f4a19ce36a03050dabea44616f7e4fc (patch)
tree: ffd7085c792f9ac011e0a231409290c63fc67ed5 /meta
parent: 65303b3236d7eb31a27a8a4e59c1004077725b5b (diff)
download: poky-43b8c2ab9f4a19ce36a03050dabea44616f7e4fc.tar.gz
2 files changed, 407 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
new file mode 100644
index 0000000000..0341df8bd9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
@@ -0,0 +1,406 @@
+From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 29 Jan 2024 13:52:46 +0900
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
+ input
+Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
+chain verification logic crashed with assertion failure.  This patch
+removes the restriction while keeping the maximum number of
+retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2024-28835
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gnutls_int.h       |   5 +-
+ lib/x509/common.c      |  10 +-
+ lib/x509/verify-high.c |  43 ++++++---
+ tests/test-chains.h    | 211 ++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 252 insertions(+), 17 deletions(-)
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index b2a3ae6..5127996 100644
+--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
+@@ -221,7 +221,10 @@ typedef enum record_send_state_t {
+ #define MAX_PK_PARAM_SIZE 2048
+-/* defaults for verification functions
+/* Defaults for verification functions.
+ *
+ * update many_icas in tests/test-chains.h when increasing
+ * DEFAULT_MAX_VERIFY_DEPTH.
+  */
+ #define DEFAULT_MAX_VERIFY_DEPTH 16
+ #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 6367b03..8f8c1f8 100644
+--- a/lib/x509/common.c
+++ b/lib/x509/common.c
+@@ -1749,7 +1749,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+        bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
+        gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+-       assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
+        /* Limit the number of certificates in the chain, to avoid DoS
+        * because of the O(n^2) sorting below.  FIXME: Switch to a
+        * topological sort algorithm which should be linear to the
+        * number of certificates and subject-issuer relationships.
+        */
+       if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
+               _gnutls_debug_log("too many certificates; skipping sorting\n");
+               return 1;
+       }
+        for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
+                issuer[i] = -1;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 5698d4f..a957511 100644
+--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
+@@ -25,7 +25,7 @@
+ #include "errors.h"
+ #include <libtasn1.h>
+ #include <global.h>
+-#include <num.h>               /* MAX */
+#include <num.h>               /* MIN */
+ #include <tls-sig.h>
+ #include <str.h>
+ #include <datum.h>
+@@ -1418,7 +1418,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+        int ret = 0;
+        unsigned int i;
+        size_t hash;
+-       gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+       gnutls_x509_crt_t *cert_list_copy = NULL;
+       unsigned int cert_list_max_size = 0;
+        gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+        unsigned int retrieved_size = 0;
+        const char *hostname = NULL, *purpose = NULL, *email = NULL;
+@@ -1472,16 +1473,26 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+                }
+        }
+-       memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+-       cert_list = sorted;
+       /* Allocate extra for retrieved certificates. */
+       if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
+                       &cert_list_max_size))
+               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+       cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
+                                             sizeof(gnutls_x509_crt_t));
+       if (!cert_list_copy)
+               return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+       memcpy(cert_list_copy, cert_list,
+              cert_list_size * sizeof(gnutls_x509_crt_t));
+       cert_list = cert_list_copy;
+        ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+        if (ret < 0) {
+                return ret;
+        }
+-       for (i = 0; i < cert_list_size &&
+-                    cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+       for (i = 0; i < cert_list_size;) {
+                unsigned int sorted_size = 1;
+                unsigned int j;
+                gnutls_x509_crt_t issuer;
+@@ -1491,8 +1502,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+                                                         cert_list_size - i);
+                }
+-               /* Remove duplicates. Start with index 1, as the first element
+-                * may be re-checked after issuer retrieval. */
+               /* Remove duplicates. */
+                for (j = 1; j < sorted_size; j++) {
+                        if (cert_set_contains(&cert_set, cert_list[i + j])) {
+                                if (i + j < cert_list_size - 1) {
+@@ -1539,14 +1549,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+                ret = retrieve_issuers(list,
+                                       cert_list[i - 1],
+                                       &retrieved[retrieved_size],
+-                                      DEFAULT_MAX_VERIFY_DEPTH -
+-                                      MAX(retrieved_size,
+-                                          cert_list_size));
+                                      MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
+                                           cert_list_max_size - cert_list_size));
+                if (ret < 0) {
+                        break;
+                } else if (ret > 0) {
+                        assert((unsigned int)ret <=
+-                              DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+                               DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
+                       assert((unsigned int)ret <=
+                              cert_list_max_size - cert_list_size);
+
+                        memmove(&cert_list[i + ret],
+                                &cert_list[i],
+                                (cert_list_size - i) *
+@@ -1563,8 +1575,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+        }
+        cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+-       if (cert_list_size <= 0)
+-               return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+       if (cert_list_size <= 0) {
+               ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+               goto cleanup;
+       }
+        hash =
+            hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
+@@ -1715,6 +1729,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+        }
+  cleanup:
+       gnutls_free(cert_list_copy);
+        for (i = 0; i < retrieved_size; i++) {
+                gnutls_x509_crt_deinit(retrieved[i]);
+        }
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 09a5461..dd872a9 100644
+--- a/tests/test-chains.h
+++ b/tests/test-chains.h
+@@ -25,7 +25,7 @@
+ /* *INDENT-OFF* */
+-#define MAX_CHAIN 10
+#define MAX_CHAIN 17
+ static const char *chain_with_no_subject_id_in_ca_ok[] = {
+        "-----BEGIN CERTIFICATE-----\n"
+@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
+        NULL
+ };
+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
+static const char *many_icas[] = {
+       /* Server */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
+       "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
+       "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
+       "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
+       "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
+       "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
+       "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA16 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
+       "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
+       "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
+       "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA15 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
+       "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
+       "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
+       "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA14 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
+       "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
+       "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
+       "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA13 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
+       "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
+       "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
+       "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA12 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
+       "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
+       "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
+       "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA11 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
+       "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
+       "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
+       "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA10 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
+       "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
+       "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
+       "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA9 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
+       "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
+       "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
+       "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA8 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
+       "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
+       "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
+       "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA7 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
+       "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
+       "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
+       "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA6 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
+       "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
+       "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
+       "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA5 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
+       "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
+       "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
+       "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA4 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
+       "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
+       "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
+       "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA3 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
+       "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
+       "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
+       "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA2 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
+       "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
+       "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
+       "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
+       "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
+       "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
+       "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
+       "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
+       "-----END CERTIFICATE-----\n",
+       /* ICA1 */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
+       "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
+       "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
+       "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
+       "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
+       "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
+       "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
+       "O2tFnNH2hV6LDPJzU0rtLQc=\n"
+       "-----END CERTIFICATE-----\n",
+       NULL
+};
+
+static const char *many_icas_ca[] = {
+       /* CA (self-signed) */
+       "-----BEGIN CERTIFICATE-----\n"
+       "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
+       "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
+       "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
+       "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
+       "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
+       "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
+       "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
+       "-----END CERTIFICATE-----\n",
+       NULL
+};
+
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #  pragma GCC diagnostic push
+ #  pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4567,6 +4774,8 @@ static struct
+     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
+   { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
+     1704955300 },
+  { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
+    1710284400 },
+   { NULL, NULL, NULL, 0, 0}
+ };
+--
+2.40.0
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 3c4ecc4f59..9f502e3f7c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://CVE-2024-0553.patch \
           file://CVE-2024-0567.patch \
           file://CVE-2024-28834.patch \
+           file://CVE-2024-28835.patch \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-04-19 14:11:00 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-05-02 06:21:09 -0700
commit	43b8c2ab9f4a19ce36a03050dabea44616f7e4fc (patch)
tree	ffd7085c792f9ac011e0a231409290c63fc67ed5 /meta
parent	65303b3236d7eb31a27a8a4e59c1004077725b5b (diff)
download	poky-43b8c2ab9f4a19ce36a03050dabea44616f7e4fc.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch new file mode 100644 index 0000000000..0341df8bd9 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
@@ -0,0 +1,406 @@
		1	From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Mon, 29 Jan 2024 13:52:46 +0900
		4	Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
		5	input
		6
		7	Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
		8	chain verification logic crashed with assertion failure. This patch
		9	removes the restriction while keeping the maximum number of
		10	retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
		11
		12	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		13
		14	CVE: CVE-2024-28835
		15
		16	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	lib/gnutls_int.h \| 5 +-
		21	lib/x509/common.c \| 10 +-
		22	lib/x509/verify-high.c \| 43 ++++++---
		23	tests/test-chains.h \| 211 ++++++++++++++++++++++++++++++++++++++++-
		24	4 files changed, 252 insertions(+), 17 deletions(-)
		25
		26	diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
		27	index b2a3ae6..5127996 100644
		28	--- a/lib/gnutls_int.h
		29	+++ b/lib/gnutls_int.h
		30	@@ -221,7 +221,10 @@ typedef enum record_send_state_t {
		31
		32	#define MAX_PK_PARAM_SIZE 2048
		33
		34	-/* defaults for verification functions
		35	+/* Defaults for verification functions.
		36	+ *
		37	+ * update many_icas in tests/test-chains.h when increasing
		38	+ * DEFAULT_MAX_VERIFY_DEPTH.
		39	*/
		40	#define DEFAULT_MAX_VERIFY_DEPTH 16
		41	#define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
		42	diff --git a/lib/x509/common.c b/lib/x509/common.c
		43	index 6367b03..8f8c1f8 100644
		44	--- a/lib/x509/common.c
		45	+++ b/lib/x509/common.c
		46	@@ -1749,7 +1749,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
		47	bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
		48	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
		49
		50	- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
		51	+ /* Limit the number of certificates in the chain, to avoid DoS
		52	+ * because of the O(n^2) sorting below. FIXME: Switch to a
		53	+ * topological sort algorithm which should be linear to the
		54	+ * number of certificates and subject-issuer relationships.
		55	+ */
		56	+ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
		57	+ _gnutls_debug_log("too many certificates; skipping sorting\n");
		58	+ return 1;
		59	+ }
		60
		61	for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
		62	issuer[i] = -1;
		63	diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
		64	index 5698d4f..a957511 100644
		65	--- a/lib/x509/verify-high.c
		66	+++ b/lib/x509/verify-high.c
		67	@@ -25,7 +25,7 @@
		68	#include "errors.h"
		69	#include <libtasn1.h>
		70	#include <global.h>
		71	-#include <num.h> /* MAX */
		72	+#include <num.h> /* MIN */
		73	#include <tls-sig.h>
		74	#include <str.h>
		75	#include <datum.h>
		76	@@ -1418,7 +1418,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		77	int ret = 0;
		78	unsigned int i;
		79	size_t hash;
		80	- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
		81	+ gnutls_x509_crt_t *cert_list_copy = NULL;
		82	+ unsigned int cert_list_max_size = 0;
		83	gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
		84	unsigned int retrieved_size = 0;
		85	const char hostname = NULL, purpose = NULL, *email = NULL;
		86	@@ -1472,16 +1473,26 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		87	}
		88	}
		89
		90	- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
		91	- cert_list = sorted;
		92	+ /* Allocate extra for retrieved certificates. */
		93	+ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
		94	+ &cert_list_max_size))
		95	+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
		96	+
		97	+ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
		98	+ sizeof(gnutls_x509_crt_t));
		99	+ if (!cert_list_copy)
		100	+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
		101	+
		102	+ memcpy(cert_list_copy, cert_list,
		103	+ cert_list_size * sizeof(gnutls_x509_crt_t));
		104	+ cert_list = cert_list_copy;
		105
		106	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
		107	if (ret < 0) {
		108	return ret;
		109	}
		110
		111	- for (i = 0; i < cert_list_size &&
		112	- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
		113	+ for (i = 0; i < cert_list_size;) {
		114	unsigned int sorted_size = 1;
		115	unsigned int j;
		116	gnutls_x509_crt_t issuer;
		117	@@ -1491,8 +1502,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		118	cert_list_size - i);
		119	}
		120
		121	- /* Remove duplicates. Start with index 1, as the first element
		122	- * may be re-checked after issuer retrieval. */
		123	+ /* Remove duplicates. */
		124	for (j = 1; j < sorted_size; j++) {
		125	if (cert_set_contains(&cert_set, cert_list[i + j])) {
		126	if (i + j < cert_list_size - 1) {
		127	@@ -1539,14 +1549,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		128	ret = retrieve_issuers(list,
		129	cert_list[i - 1],
		130	&retrieved[retrieved_size],
		131	- DEFAULT_MAX_VERIFY_DEPTH -
		132	- MAX(retrieved_size,
		133	- cert_list_size));
		134	+ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
		135	+ cert_list_max_size - cert_list_size));
		136	if (ret < 0) {
		137	break;
		138	} else if (ret > 0) {
		139	assert((unsigned int)ret <=
		140	- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
		141	+ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
		142	+ assert((unsigned int)ret <=
		143	+ cert_list_max_size - cert_list_size);
		144	+
		145	memmove(&cert_list[i + ret],
		146	&cert_list[i],
		147	(cert_list_size - i) *
		148	@@ -1563,8 +1575,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		149	}
		150
		151	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
		152	- if (cert_list_size <= 0)
		153	- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
		154	+ if (cert_list_size <= 0) {
		155	+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
		156	+ goto cleanup;
		157	+ }
		158
		159	hash =
		160	hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
		161	@@ -1715,6 +1729,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
		162	}
		163
		164	cleanup:
		165	+ gnutls_free(cert_list_copy);
		166	for (i = 0; i < retrieved_size; i++) {
		167	gnutls_x509_crt_deinit(retrieved[i]);
		168	}
		169	diff --git a/tests/test-chains.h b/tests/test-chains.h
		170	index 09a5461..dd872a9 100644
		171	--- a/tests/test-chains.h
		172	+++ b/tests/test-chains.h
		173	@@ -25,7 +25,7 @@
		174
		175	/* INDENT-OFF */
		176
		177	-#define MAX_CHAIN 10
		178	+#define MAX_CHAIN 17
		179
		180	static const char *chain_with_no_subject_id_in_ca_ok[] = {
		181	"-----BEGIN CERTIFICATE-----\n"
		182	@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
		183	NULL
		184	};
		185
		186	+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
		187	+static const char *many_icas[] = {
		188	+ /* Server */
		189	+ "-----BEGIN CERTIFICATE-----\n"
		190	+ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
		191	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		192	+ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
		193	+ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
		194	+ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
		195	+ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
		196	+ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
		197	+ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
		198	+ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
		199	+ "-----END CERTIFICATE-----\n",
		200	+ /* ICA16 */
		201	+ "-----BEGIN CERTIFICATE-----\n"
		202	+ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
		203	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		204	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		205	+ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
		206	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
		207	+ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
		208	+ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
		209	+ "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
		210	+ "-----END CERTIFICATE-----\n",
		211	+ /* ICA15 */
		212	+ "-----BEGIN CERTIFICATE-----\n"
		213	+ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
		214	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		215	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		216	+ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
		217	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
		218	+ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
		219	+ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
		220	+ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
		221	+ "-----END CERTIFICATE-----\n",
		222	+ /* ICA14 */
		223	+ "-----BEGIN CERTIFICATE-----\n"
		224	+ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
		225	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		226	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		227	+ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
		228	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
		229	+ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
		230	+ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
		231	+ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
		232	+ "-----END CERTIFICATE-----\n",
		233	+ /* ICA13 */
		234	+ "-----BEGIN CERTIFICATE-----\n"
		235	+ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
		236	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		237	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		238	+ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
		239	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
		240	+ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
		241	+ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
		242	+ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
		243	+ "-----END CERTIFICATE-----\n",
		244	+ /* ICA12 */
		245	+ "-----BEGIN CERTIFICATE-----\n"
		246	+ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
		247	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		248	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		249	+ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
		250	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
		251	+ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
		252	+ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
		253	+ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
		254	+ "-----END CERTIFICATE-----\n",
		255	+ /* ICA11 */
		256	+ "-----BEGIN CERTIFICATE-----\n"
		257	+ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
		258	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		259	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		260	+ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
		261	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
		262	+ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
		263	+ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
		264	+ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
		265	+ "-----END CERTIFICATE-----\n",
		266	+ /* ICA10 */
		267	+ "-----BEGIN CERTIFICATE-----\n"
		268	+ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
		269	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		270	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		271	+ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
		272	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
		273	+ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
		274	+ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
		275	+ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
		276	+ "-----END CERTIFICATE-----\n",
		277	+ /* ICA9 */
		278	+ "-----BEGIN CERTIFICATE-----\n"
		279	+ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
		280	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		281	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		282	+ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
		283	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
		284	+ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
		285	+ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
		286	+ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
		287	+ "-----END CERTIFICATE-----\n",
		288	+ /* ICA8 */
		289	+ "-----BEGIN CERTIFICATE-----\n"
		290	+ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
		291	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		292	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		293	+ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
		294	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
		295	+ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
		296	+ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
		297	+ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
		298	+ "-----END CERTIFICATE-----\n",
		299	+ /* ICA7 */
		300	+ "-----BEGIN CERTIFICATE-----\n"
		301	+ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
		302	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		303	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		304	+ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
		305	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
		306	+ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
		307	+ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
		308	+ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
		309	+ "-----END CERTIFICATE-----\n",
		310	+ /* ICA6 */
		311	+ "-----BEGIN CERTIFICATE-----\n"
		312	+ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
		313	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		314	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		315	+ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
		316	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
		317	+ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
		318	+ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
		319	+ "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
		320	+ "-----END CERTIFICATE-----\n",
		321	+ /* ICA5 */
		322	+ "-----BEGIN CERTIFICATE-----\n"
		323	+ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
		324	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		325	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		326	+ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
		327	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
		328	+ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
		329	+ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
		330	+ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
		331	+ "-----END CERTIFICATE-----\n",
		332	+ /* ICA4 */
		333	+ "-----BEGIN CERTIFICATE-----\n"
		334	+ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
		335	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		336	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		337	+ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
		338	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
		339	+ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
		340	+ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
		341	+ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
		342	+ "-----END CERTIFICATE-----\n",
		343	+ /* ICA3 */
		344	+ "-----BEGIN CERTIFICATE-----\n"
		345	+ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
		346	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		347	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		348	+ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
		349	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
		350	+ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
		351	+ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
		352	+ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
		353	+ "-----END CERTIFICATE-----\n",
		354	+ /* ICA2 */
		355	+ "-----BEGIN CERTIFICATE-----\n"
		356	+ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
		357	+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
		358	+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
		359	+ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
		360	+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
		361	+ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
		362	+ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
		363	+ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
		364	+ "-----END CERTIFICATE-----\n",
		365	+ /* ICA1 */
		366	+ "-----BEGIN CERTIFICATE-----\n"
		367	+ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
		368	+ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
		369	+ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
		370	+ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
		371	+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
		372	+ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
		373	+ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
		374	+ "O2tFnNH2hV6LDPJzU0rtLQc=\n"
		375	+ "-----END CERTIFICATE-----\n",
		376	+ NULL
		377	+};
		378	+
		379	+static const char *many_icas_ca[] = {
		380	+ /* CA (self-signed) */
		381	+ "-----BEGIN CERTIFICATE-----\n"
		382	+ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
		383	+ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
		384	+ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
		385	+ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
		386	+ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
		387	+ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
		388	+ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
		389	+ "-----END CERTIFICATE-----\n",
		390	+ NULL
		391	+};
		392	+
		393	#if defined __clang__ \|\| __GNUC__ > 4 \|\| (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
		394	# pragma GCC diagnostic push
		395	# pragma GCC diagnostic ignored "-Wunused-variable"
		396	@@ -4567,6 +4774,8 @@ static struct
		397	GNUTLS_CERT_INSECURE_ALGORITHM \| GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
		398	{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
		399	1704955300 },
		400	+ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
		401	+ 1710284400 },
		402	{ NULL, NULL, NULL, 0, 0}
		403	};
		404
		405	--
		406	2.40.0


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 3c4ecc4f59..9f502e3f7c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
27	file://CVE-2024-0553.patch \	27	file://CVE-2024-0553.patch \
28	file://CVE-2024-0567.patch \	28	file://CVE-2024-0567.patch \
29	file://CVE-2024-28834.patch \	29	file://CVE-2024-28834.patch \
		30	file://CVE-2024-28835.patch \
30	"	31	"
31		32
32	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	33	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"