fix
This commit is contained in:
fangxiuning
parent
7f0c36aac1
commit
eb5245a0a9
@ -0,0 +1,387 @@
|
||||
From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001
|
||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Date: Mon, 17 Oct 2022 15:27:37 +0200
|
||||
Subject: [PATCH] Fix removal of duplicate certs during verification
|
||||
|
||||
Co-authored-by: Daiki Ueno <ueno@gnu.org>
|
||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/e89378d5853d9bd0136b95aade37e23762ad9290
|
||||
Conflict: .gitignore
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 101 ++++---------------
|
||||
tests/Makefile.am | 2 +-
|
||||
tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 202 insertions(+), 82 deletions(-)
|
||||
create mode 100644 tests/x509-verify-duplicate.c
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 5698d4f..2c070b0 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -35,6 +35,8 @@
|
||||
#include <gnutls/x509-ext.h>
|
||||
#include "verify-high.h"
|
||||
#include "intprops.h"
|
||||
+#include "gl_linkedhash_list.h"
|
||||
+#include "gl_list.h"
|
||||
|
||||
struct named_cert_st {
|
||||
gnutls_x509_crt_t cert;
|
||||
@@ -68,82 +70,19 @@ struct gnutls_x509_trust_list_iter {
|
||||
|
||||
#define DEFAULT_SIZE 127
|
||||
|
||||
-struct cert_set_node_st {
|
||||
- gnutls_x509_crt_t *certs;
|
||||
- unsigned int size;
|
||||
-};
|
||||
-
|
||||
-struct cert_set_st {
|
||||
- struct cert_set_node_st *node;
|
||||
- unsigned int size;
|
||||
-};
|
||||
-
|
||||
-static int
|
||||
-cert_set_init(struct cert_set_st *set, unsigned int size)
|
||||
-{
|
||||
- memset(set, 0, sizeof(*set));
|
||||
-
|
||||
- set->size = size;
|
||||
- set->node = gnutls_calloc(size, sizeof(*set->node));
|
||||
- if (!set->node) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-static void
|
||||
-cert_set_deinit(struct cert_set_st *set)
|
||||
-{
|
||||
- size_t i;
|
||||
-
|
||||
- for (i = 0; i < set->size; i++) {
|
||||
- gnutls_free(set->node[i].certs);
|
||||
- }
|
||||
-
|
||||
- gnutls_free(set->node);
|
||||
-}
|
||||
-
|
||||
static bool
|
||||
-cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
||||
+cert_eq(const void *cert1, const void *cert2)
|
||||
{
|
||||
- size_t hash, i;
|
||||
-
|
||||
- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
||||
- hash %= set->size;
|
||||
-
|
||||
- for (i = 0; i < set->node[hash].size; i++) {
|
||||
- if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
|
||||
- return true;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- return false;
|
||||
+ const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1;
|
||||
+ const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2;
|
||||
+ return gnutls_x509_crt_equals(c1, c2);
|
||||
}
|
||||
|
||||
-static int
|
||||
-cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
||||
+static size_t
|
||||
+cert_hashcode(const void *cert)
|
||||
{
|
||||
- size_t hash;
|
||||
-
|
||||
- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
||||
- hash %= set->size;
|
||||
-
|
||||
- if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
-
|
||||
- set->node[hash].certs =
|
||||
- _gnutls_reallocarray_fast(set->node[hash].certs,
|
||||
- set->node[hash].size + 1,
|
||||
- sizeof(*set->node[hash].certs));
|
||||
- if (!set->node[hash].certs) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
- set->node[hash].certs[set->node[hash].size] = cert;
|
||||
- set->node[hash].size++;
|
||||
-
|
||||
- return 0;
|
||||
+ const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert;
|
||||
+ return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1426,7 +1365,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
unsigned have_set_name = 0;
|
||||
unsigned saved_output;
|
||||
gnutls_datum_t ip = {NULL, 0};
|
||||
- struct cert_set_st cert_set = { NULL, 0 };
|
||||
+ gl_list_t records;
|
||||
|
||||
if (cert_list == NULL || cert_list_size < 1)
|
||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
@@ -1475,10 +1414,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
cert_list = sorted;
|
||||
|
||||
- ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
|
||||
- if (ret < 0) {
|
||||
- return ret;
|
||||
- }
|
||||
+ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
+ if (records == NULL)
|
||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
|
||||
for (i = 0; i < cert_list_size &&
|
||||
cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
@@ -1493,8 +1431,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Remove duplicates. Start with index 1, as the first element
|
||||
* may be re-checked after issuer retrieval. */
|
||||
- for (j = 1; j < sorted_size; j++) {
|
||||
- if (cert_set_contains(&cert_set, cert_list[i + j])) {
|
||||
+ for (j = 0; j < sorted_size; j++) {
|
||||
+ if (gl_list_search(records, cert_list[i + j])) {
|
||||
if (i + j < cert_list_size - 1) {
|
||||
memmove(&cert_list[i + j],
|
||||
&cert_list[i + j + 1],
|
||||
@@ -1511,8 +1449,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Record the certificates seen. */
|
||||
for (j = 0; j < sorted_size; j++, i++) {
|
||||
- ret = cert_set_add(&cert_set, cert_list[i]);
|
||||
- if (ret < 0) {
|
||||
+ if (!gl_list_nx_add_last(records, cert_list[i])) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
@@ -1559,6 +1497,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Start again from the end of the previous segment. */
|
||||
i--;
|
||||
+ gl_list_remove(records, cert_list[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1718,7 +1657,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
for (i = 0; i < retrieved_size; i++) {
|
||||
gnutls_x509_crt_deinit(retrieved[i]);
|
||||
}
|
||||
- cert_set_deinit(&cert_set);
|
||||
+ gl_list_free(records);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index b65fb65..f92a130 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -172,7 +172,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
|
||||
crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
|
||||
tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
|
||||
tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
|
||||
- mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
|
||||
+ mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
|
||||
mini-dtls-record-asym key-import-export priority-set priority-set2 \
|
||||
pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \
|
||||
mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \
|
||||
diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c
|
||||
new file mode 100644
|
||||
index 0000000..f47a8b2
|
||||
--- /dev/null
|
||||
+++ b/tests/x509-verify-duplicate.c
|
||||
@@ -0,0 +1,181 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2022 Red Hat, Inc.
|
||||
+ *
|
||||
+ * Author: Zoltan Fridrich
|
||||
+ *
|
||||
+ * This file is part of GnuTLS.
|
||||
+ *
|
||||
+ * GnuTLS is free software: you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GnuTLS is distributed in the hope that it will be useful, but
|
||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ * General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_CONFIG_H
|
||||
+#include <config.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <gnutls/x509.h>
|
||||
+
|
||||
+#include "utils.h"
|
||||
+
|
||||
+#define CHECK(X)\
|
||||
+{\
|
||||
+ r = X;\
|
||||
+ if (r < 0)\
|
||||
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
|
||||
+}\
|
||||
+
|
||||
+static char cert_pem[] =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
|
||||
+ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
|
||||
+ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
|
||||
+ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
|
||||
+ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
|
||||
+ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
|
||||
+ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
|
||||
+ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
|
||||
+ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
|
||||
+ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
|
||||
+ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
|
||||
+ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
|
||||
+ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
|
||||
+ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
|
||||
+ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
|
||||
+ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
|
||||
+ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
|
||||
+ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
|
||||
+ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
|
||||
+ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
|
||||
+ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
|
||||
+ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
|
||||
+ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
|
||||
+ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
|
||||
+ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
|
||||
+ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
|
||||
+ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
|
||||
+ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
|
||||
+ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
|
||||
+ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
|
||||
+ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
|
||||
+ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
|
||||
+ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
|
||||
+ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
|
||||
+ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
|
||||
+ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
|
||||
+ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
|
||||
+ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
|
||||
+ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
|
||||
+ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
|
||||
+ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
|
||||
+ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
|
||||
+ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
|
||||
+ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
|
||||
+ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
|
||||
+ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
|
||||
+ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
|
||||
+ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
|
||||
+ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
|
||||
+ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
|
||||
+ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
|
||||
+ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
|
||||
+ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
|
||||
+ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
|
||||
+ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n"
|
||||
+ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
|
||||
+ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n"
|
||||
+ "WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
|
||||
+ "RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
|
||||
+ "AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n"
|
||||
+ "R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n"
|
||||
+ "sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n"
|
||||
+ "NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n"
|
||||
+ "Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n"
|
||||
+ "/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n"
|
||||
+ "Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n"
|
||||
+ "FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n"
|
||||
+ "AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n"
|
||||
+ "Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n"
|
||||
+ "gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n"
|
||||
+ "PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n"
|
||||
+ "ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n"
|
||||
+ "CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n"
|
||||
+ "lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n"
|
||||
+ "avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n"
|
||||
+ "yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n"
|
||||
+ "yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n"
|
||||
+ "hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n"
|
||||
+ "HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n"
|
||||
+ "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
|
||||
+ "nLRbwHOoq7hHwg==\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
|
||||
+ "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
|
||||
+ "DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
|
||||
+ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
|
||||
+ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
|
||||
+ "AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
|
||||
+ "ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
|
||||
+ "wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
|
||||
+ "LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
|
||||
+ "4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
|
||||
+ "bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
|
||||
+ "sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
|
||||
+ "Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
|
||||
+ "FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
|
||||
+ "SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
|
||||
+ "PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
|
||||
+ "TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
|
||||
+ "SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
|
||||
+ "c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
|
||||
+ "+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
|
||||
+ "ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
|
||||
+ "b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
|
||||
+ "U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
|
||||
+ "MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
|
||||
+ "5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
|
||||
+ "9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
|
||||
+ "WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
|
||||
+ "he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
|
||||
+ "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
|
||||
+ "-----END CERTIFICATE-----\n";
|
||||
+
|
||||
+void doit(void)
|
||||
+{
|
||||
+ int r;
|
||||
+ unsigned i, certs_size, out;
|
||||
+ unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
|
||||
+ gnutls_x509_trust_list_t tl;
|
||||
+ gnutls_x509_crt_t *certs = NULL;
|
||||
+ gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };
|
||||
+
|
||||
+ CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_init(&tl, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL));
|
||||
+
|
||||
+ if (out)
|
||||
+ fail("Not verified\n");
|
||||
+
|
||||
+ gnutls_x509_trust_list_deinit(tl, 0);
|
||||
+ for (i = 0; i < certs_size; ++i)
|
||||
+ gnutls_x509_crt_deinit(certs[i]);
|
||||
+ gnutls_free(certs);
|
||||
+}
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,419 @@
|
||||
From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Mon, 29 Jan 2024 13:52:46 +0900
|
||||
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit
|
||||
of
|
||||
input
|
||||
|
||||
Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
|
||||
chain verification logic crashed with assertion failure. This patch
|
||||
removes the restriction while keeping the maximum number of
|
||||
retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference:
|
||||
https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d
|
||||
Conflict:lib/x509/verify-high.c,tests/test-chains.h
|
||||
|
||||
---
|
||||
lib/gnutls_int.h | 5 +-
|
||||
lib/x509/common.c | 10 +-
|
||||
lib/x509/verify-high.c | 56 +++++++----
|
||||
tests/test-chains.h | 210 ++++++++++++++++++++++++++++++++++++++++-
|
||||
4 files changed, 258 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
||||
index a06d123..9706db3 100644
|
||||
--- a/lib/gnutls_int.h
|
||||
+++ b/lib/gnutls_int.h
|
||||
@@ -218,7 +218,10 @@ typedef enum record_send_state_t {
|
||||
|
||||
#define MAX_PK_PARAM_SIZE 2048
|
||||
|
||||
-/* defaults for verification functions
|
||||
+/* Defaults for verification functions.
|
||||
+ *
|
||||
+ * update many_icas in tests/test-chains.h when increasing
|
||||
+ * DEFAULT_MAX_VERIFY_DEPTH.
|
||||
*/
|
||||
#define DEFAULT_MAX_VERIFY_DEPTH 16
|
||||
#define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
|
||||
diff --git a/lib/x509/common.c b/lib/x509/common.c
|
||||
index 96e7e7c..10ee9c6 100644
|
||||
--- a/lib/x509/common.c
|
||||
+++ b/lib/x509/common.c
|
||||
@@ -1746,7 +1746,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
|
||||
bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
|
||||
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
|
||||
- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
|
||||
+ /* Limit the number of certificates in the chain, to avoid DoS
|
||||
+ * because of the O(n^2) sorting below. FIXME: Switch to a
|
||||
+ * topological sort algorithm which should be linear to the
|
||||
+ * number of certificates and subject-issuer relationships.
|
||||
+ */
|
||||
+ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
|
||||
+ _gnutls_debug_log("too many certificates; skipping sorting\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
|
||||
for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
|
||||
issuer[i] = -1;
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 02d2f0f..bbfb02e 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -25,7 +25,7 @@
|
||||
#include "errors.h"
|
||||
#include <libtasn1.h>
|
||||
#include <global.h>
|
||||
-#include <num.h> /* MAX */
|
||||
+#include "num.h" /* MIN */
|
||||
#include <tls-sig.h>
|
||||
#include <str.h>
|
||||
#include <datum.h>
|
||||
@@ -1357,7 +1357,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
int ret = 0;
|
||||
unsigned int i;
|
||||
size_t hash;
|
||||
- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
+ gnutls_x509_crt_t *cert_list_copy = NULL;
|
||||
+ unsigned int cert_list_max_size = 0;
|
||||
gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
unsigned int retrieved_size = 0;
|
||||
const char *hostname = NULL, *purpose = NULL, *email = NULL;
|
||||
@@ -1411,15 +1412,27 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
}
|
||||
|
||||
- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
- cert_list = sorted;
|
||||
+ /* Allocate extra for retrieved certificates. */
|
||||
+ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
|
||||
+ &cert_list_max_size))
|
||||
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
|
||||
- records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
- if (records == NULL)
|
||||
+ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
|
||||
+ sizeof(gnutls_x509_crt_t));
|
||||
+ if (!cert_list_copy)
|
||||
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
|
||||
- for (i = 0; i < cert_list_size &&
|
||||
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
+ memcpy(cert_list_copy, cert_list,
|
||||
+ cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
+ cert_list = cert_list_copy;
|
||||
+
|
||||
+ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
+ if (records == NULL) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < cert_list_size;) {
|
||||
unsigned int sorted_size = 1;
|
||||
unsigned int j, k;
|
||||
gnutls_x509_crt_t issuer;
|
||||
@@ -1431,8 +1444,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
assert(sorted_size > 0);
|
||||
|
||||
- /* Remove duplicates. Start with index 1, as the first element
|
||||
- * may be re-checked after issuer retrieval. */
|
||||
+ /* Remove duplicates. */
|
||||
for (j = 0; j < sorted_size; j++) {
|
||||
if (gl_list_search(records, cert_list[i + j])) {
|
||||
if (i + j < cert_list_size - 1) {
|
||||
@@ -1483,17 +1495,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
continue;
|
||||
}
|
||||
|
||||
- ret = retrieve_issuers(list,
|
||||
- cert_list[i - 1],
|
||||
- &retrieved[retrieved_size],
|
||||
- DEFAULT_MAX_VERIFY_DEPTH -
|
||||
- MAX(retrieved_size,
|
||||
- cert_list_size));
|
||||
+ ret = retrieve_issuers(list, cert_list[i - 1], &retrieved[retrieved_size],
|
||||
+ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
|
||||
+ cert_list_max_size - cert_list_size));
|
||||
if (ret < 0) {
|
||||
break;
|
||||
} else if (ret > 0) {
|
||||
assert((unsigned int)ret <=
|
||||
- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
|
||||
+ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
|
||||
+ assert((unsigned int)ret <=
|
||||
+ cert_list_max_size - cert_list_size);
|
||||
memmove(&cert_list[i + ret],
|
||||
&cert_list[i],
|
||||
(cert_list_size - i) *
|
||||
@@ -1511,8 +1522,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
|
||||
- if (cert_list_size <= 0)
|
||||
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||
+ if (cert_list_size <= 0) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
|
||||
hash =
|
||||
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
|
||||
@@ -1663,10 +1676,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
cleanup:
|
||||
+ gnutls_free(cert_list_copy);
|
||||
for (i = 0; i < retrieved_size; i++) {
|
||||
gnutls_x509_crt_deinit(retrieved[i]);
|
||||
}
|
||||
- gl_list_free(records);
|
||||
+ if (records) {
|
||||
+ gl_list_free(records);
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/test-chains.h b/tests/test-chains.h
|
||||
index 07e90bb..2dbee07 100644
|
||||
--- a/tests/test-chains.h
|
||||
+++ b/tests/test-chains.h
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
/* *INDENT-OFF* */
|
||||
|
||||
-#define MAX_CHAIN 10
|
||||
+#define MAX_CHAIN 17
|
||||
|
||||
static const char *chain_with_no_subject_id_in_ca_ok[] = {
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
|
||||
+static const char *many_icas[] = {
|
||||
+ /* Server */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
|
||||
+ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
|
||||
+ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
|
||||
+ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
|
||||
+ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
|
||||
+ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
|
||||
+ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA16 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
|
||||
+ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
|
||||
+ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
|
||||
+ "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA15 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
|
||||
+ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
|
||||
+ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
|
||||
+ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA14 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
|
||||
+ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
|
||||
+ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
|
||||
+ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA13 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
|
||||
+ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
|
||||
+ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
|
||||
+ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA12 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
|
||||
+ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
|
||||
+ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
|
||||
+ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA11 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
|
||||
+ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
|
||||
+ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
|
||||
+ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA10 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
|
||||
+ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
|
||||
+ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
|
||||
+ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA9 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
|
||||
+ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
|
||||
+ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
|
||||
+ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA8 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
|
||||
+ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
|
||||
+ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
|
||||
+ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA7 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
|
||||
+ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
|
||||
+ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
|
||||
+ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA6 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
|
||||
+ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
|
||||
+ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
|
||||
+ "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA5 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
|
||||
+ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
|
||||
+ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
|
||||
+ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA4 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
|
||||
+ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
|
||||
+ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
|
||||
+ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA3 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
|
||||
+ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
|
||||
+ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
|
||||
+ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA2 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
|
||||
+ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
|
||||
+ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
|
||||
+ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA1 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
|
||||
+ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
|
||||
+ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
|
||||
+ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
|
||||
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
|
||||
+ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
|
||||
+ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
|
||||
+ "O2tFnNH2hV6LDPJzU0rtLQc=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static const char *many_icas_ca[] = {
|
||||
+ /* CA (self-signed) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
|
||||
+ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
|
||||
+ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
|
||||
+ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
|
||||
+ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
|
||||
+ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
|
||||
+ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
|
||||
# pragma GCC diagnostic push
|
||||
# pragma GCC diagnostic ignored "-Wunused-variable"
|
||||
@@ -4566,6 +4773,7 @@ static struct
|
||||
GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
|
||||
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
|
||||
{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
|
||||
+ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0, 1710284400},
|
||||
{ NULL, NULL, NULL, 0, 0}
|
||||
};
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,70 @@
|
||||
From 7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Wed, 7 Jun 2023 16:44:00 +0200
|
||||
Subject: [PATCH] lib: suppress false-positive -Wanalyzer-out-of-bounds
|
||||
|
||||
GCC analyzer from GCC 13 reports this:
|
||||
|
||||
verify-high.c:1471:21: error: stack-based buffer over-read [CWE-126] [-Werror=analyzer-out-of-bounds]
|
||||
1471 | if (gnutls_x509_trust_list_get_issuer(
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
1472 | list, cert_list[i - 1], &issuer,
|
||||
|
||||
This is false-positive, as i is always in a range 0 < i < cert_list_size.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581
|
||||
Conflict: NA
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 2c070b0..02d2f0f 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -1421,7 +1421,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
for (i = 0; i < cert_list_size &&
|
||||
cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
unsigned int sorted_size = 1;
|
||||
- unsigned int j;
|
||||
+ unsigned int j, k;
|
||||
gnutls_x509_crt_t issuer;
|
||||
|
||||
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
|
||||
@@ -1429,6 +1429,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
cert_list_size - i);
|
||||
}
|
||||
|
||||
+ assert(sorted_size > 0);
|
||||
+
|
||||
/* Remove duplicates. Start with index 1, as the first element
|
||||
* may be re-checked after issuer retrieval. */
|
||||
for (j = 0; j < sorted_size; j++) {
|
||||
@@ -1448,13 +1450,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
/* Record the certificates seen. */
|
||||
- for (j = 0; j < sorted_size; j++, i++) {
|
||||
+ for (k = 0; k < sorted_size; k++, i++) {
|
||||
if (!gl_list_nx_add_last(records, cert_list[i])) {
|
||||
ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Pacify GCC analyzer: the condition always holds
|
||||
+ * true as sorted_size > 0 is checked above, and the
|
||||
+ * following loop should iterate at least once so i++
|
||||
+ * is called.
|
||||
+ */
|
||||
+ assert(i > 0);
|
||||
+
|
||||
/* If the issuer of the certificate is known, no need
|
||||
* for further processing. */
|
||||
if (gnutls_x509_trust_list_get_issuer(list,
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,49 @@
|
||||
From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Sat, 30 Oct 2021 08:56:07 +0200
|
||||
Subject: [PATCH] x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
|
||||
|
||||
This function previously used gnutls_x509_trust_list_get_issuer
|
||||
without GNUTLS_TL_GET_COPY flag, which is required when the function
|
||||
is called from multi-threaded application and PKCS #11 trust store is
|
||||
in use.
|
||||
|
||||
Reported and the change suggested by Remi Gacogne in:
|
||||
https://gitlab.com/gnutls/gnutls/-/issues/1277
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
|
||||
Conflict: NA
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index ab8e006ca..5698d4f37 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
|
||||
* gnutls_x509_trust_list_get_issuer:
|
||||
* @list: The list
|
||||
* @cert: is the certificate to find issuer for
|
||||
- * @issuer: Will hold the issuer if any. Should be treated as constant.
|
||||
+ * @issuer: Will hold the issuer if any. Should be treated as constant
|
||||
+ * unless %GNUTLS_TL_GET_COPY is set in @flags.
|
||||
* @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
|
||||
*
|
||||
* This function will find the issuer of the given certificate.
|
||||
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
if (gnutls_x509_trust_list_get_issuer(list,
|
||||
cert_list[i - 1],
|
||||
&issuer,
|
||||
- 0) == 0) {
|
||||
+ GNUTLS_TL_GET_COPY) == 0) {
|
||||
+ gnutls_x509_crt_deinit(issuer);
|
||||
cert_list_size = i;
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.33.0
|
||||
|
||||
12
gnutls.spec
12
gnutls.spec
@ -1,6 +1,6 @@
|
||||
Name: gnutls
|
||||
Version: 3.7.2
|
||||
Release: 14
|
||||
Release: 15
|
||||
Summary: The GNU Secure Communication Protocol Library
|
||||
|
||||
License: LGPLv2.1+ and GPLv3+
|
||||
@ -19,6 +19,10 @@ Patch8: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
|
||||
Patch9: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
|
||||
Patch10: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
|
||||
Patch11: backport-add-gnulib-files.patch
|
||||
Patch12: backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch
|
||||
Patch13: backport-Fix-removal-of-duplicate-certs-during-verification.patch
|
||||
Patch14: backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch
|
||||
Patch15: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
|
||||
|
||||
%bcond_without dane
|
||||
%bcond_with guile
|
||||
@ -225,8 +229,10 @@ make check %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7
|
||||
.2-14
|
||||
* Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-15
|
||||
- fix CVE-2024-28835
|
||||
|
||||
* Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-14
|
||||
- fix CVE-2024-28835
|
||||
|
||||
* Tue Mar 26 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-13
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user