From eb5245a0a95276caba6337978e9bfad07c90cd35 Mon Sep 17 00:00:00 2001 From: fangxiuning Date: Thu, 18 Apr 2024 19:05:41 +0800 Subject: [PATCH] fix --- ...-duplicate-certs-during-verification.patch | 387 ++++++++++++++++ ...t_list_verify_crt2-remove-length-lim.patch | 419 ++++++++++++++++++ ...lse-positive-Wanalyzer-out-of-bounds.patch | 70 +++ ...safety-in-gnutls_x509_trust_list_ver.patch | 49 ++ gnutls.spec | 12 +- 5 files changed, 934 insertions(+), 3 deletions(-) create mode 100644 backport-Fix-removal-of-duplicate-certs-during-verification.patch create mode 100644 backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch create mode 100644 backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch create mode 100644 backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch diff --git a/backport-Fix-removal-of-duplicate-certs-during-verification.patch b/backport-Fix-removal-of-duplicate-certs-during-verification.patch new file mode 100644 index 0000000..a6b0940 --- /dev/null +++ b/backport-Fix-removal-of-duplicate-certs-during-verification.patch @@ -0,0 +1,387 @@ +From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Mon, 17 Oct 2022 15:27:37 +0200 +Subject: [PATCH] Fix removal of duplicate certs during verification + +Co-authored-by: Daiki Ueno +Signed-off-by: Zoltan Fridrich + +Reference: https://gitlab.com/gnutls/gnutls/-/commit/e89378d5853d9bd0136b95aade37e23762ad9290 +Conflict: .gitignore + +--- + lib/x509/verify-high.c | 101 ++++--------------- + tests/Makefile.am | 2 +- + tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++ + 3 files changed, 202 insertions(+), 82 deletions(-) + create mode 100644 tests/x509-verify-duplicate.c + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 5698d4f..2c070b0 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -35,6 +35,8 @@ + #include + #include "verify-high.h" + #include "intprops.h" ++#include "gl_linkedhash_list.h" ++#include "gl_list.h" + + struct named_cert_st { + gnutls_x509_crt_t cert; +@@ -68,82 +70,19 @@ struct gnutls_x509_trust_list_iter { + + #define DEFAULT_SIZE 127 + +-struct cert_set_node_st { +- gnutls_x509_crt_t *certs; +- unsigned int size; +-}; +- +-struct cert_set_st { +- struct cert_set_node_st *node; +- unsigned int size; +-}; +- +-static int +-cert_set_init(struct cert_set_st *set, unsigned int size) +-{ +- memset(set, 0, sizeof(*set)); +- +- set->size = size; +- set->node = gnutls_calloc(size, sizeof(*set->node)); +- if (!set->node) { +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- } +- +- return 0; +-} +- +-static void +-cert_set_deinit(struct cert_set_st *set) +-{ +- size_t i; +- +- for (i = 0; i < set->size; i++) { +- gnutls_free(set->node[i].certs); +- } +- +- gnutls_free(set->node); +-} +- + static bool +-cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++cert_eq(const void *cert1, const void *cert2) + { +- size_t hash, i; +- +- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); +- hash %= set->size; +- +- for (i = 0; i < set->node[hash].size; i++) { +- if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { +- return true; +- } +- } +- +- return false; ++ const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1; ++ const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2; ++ return gnutls_x509_crt_equals(c1, c2); + } + +-static int +-cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++static size_t ++cert_hashcode(const void *cert) + { +- size_t hash; +- +- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); +- hash %= set->size; +- +- if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) { +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- } +- +- set->node[hash].certs = +- _gnutls_reallocarray_fast(set->node[hash].certs, +- set->node[hash].size + 1, +- sizeof(*set->node[hash].certs)); +- if (!set->node[hash].certs) { +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- } +- set->node[hash].certs[set->node[hash].size] = cert; +- set->node[hash].size++; +- +- return 0; ++ const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert; ++ return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH; + } + + /** +@@ -1426,7 +1365,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + unsigned have_set_name = 0; + unsigned saved_output; + gnutls_datum_t ip = {NULL, 0}; +- struct cert_set_st cert_set = { NULL, 0 }; ++ gl_list_t records; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -1475,10 +1414,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); + cert_list = sorted; + +- ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); +- if (ret < 0) { +- return ret; +- } ++ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false); ++ if (records == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + for (i = 0; i < cert_list_size && + cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { +@@ -1493,8 +1431,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + + /* Remove duplicates. Start with index 1, as the first element + * may be re-checked after issuer retrieval. */ +- for (j = 1; j < sorted_size; j++) { +- if (cert_set_contains(&cert_set, cert_list[i + j])) { ++ for (j = 0; j < sorted_size; j++) { ++ if (gl_list_search(records, cert_list[i + j])) { + if (i + j < cert_list_size - 1) { + memmove(&cert_list[i + j], + &cert_list[i + j + 1], +@@ -1511,8 +1449,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + + /* Record the certificates seen. */ + for (j = 0; j < sorted_size; j++, i++) { +- ret = cert_set_add(&cert_set, cert_list[i]); +- if (ret < 0) { ++ if (!gl_list_nx_add_last(records, cert_list[i])) { ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto cleanup; + } + } +@@ -1559,6 +1497,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + + /* Start again from the end of the previous segment. */ + i--; ++ gl_list_remove(records, cert_list[i]); + } + } + +@@ -1718,7 +1657,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } +- cert_set_deinit(&cert_set); ++ gl_list_free(records); + return ret; + } + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index b65fb65..f92a130 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -172,7 +172,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei + crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \ + tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \ + tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \ +- mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \ ++ mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \ + mini-dtls-record-asym key-import-export priority-set priority-set2 \ + pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \ + mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \ +diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c +new file mode 100644 +index 0000000..f47a8b2 +--- /dev/null ++++ b/tests/x509-verify-duplicate.c +@@ -0,0 +1,181 @@ ++/* ++ * Copyright (C) 2022 Red Hat, Inc. ++ * ++ * Author: Zoltan Fridrich ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software: you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS. If not, see . ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++ ++#include "utils.h" ++ ++#define CHECK(X)\ ++{\ ++ r = X;\ ++ if (r < 0)\ ++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\ ++}\ ++ ++static char cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n" ++ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n" ++ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n" ++ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n" ++ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n" ++ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n" ++ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n" ++ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n" ++ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n" ++ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n" ++ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n" ++ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n" ++ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n" ++ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n" ++ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n" ++ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n" ++ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n" ++ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n" ++ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n" ++ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n" ++ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n" ++ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n" ++ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n" ++ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n" ++ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n" ++ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n" ++ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n" ++ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n" ++ "-----END CERTIFICATE-----\n" ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n" ++ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n" ++ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n" ++ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n" ++ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n" ++ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n" ++ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n" ++ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n" ++ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n" ++ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n" ++ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n" ++ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n" ++ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n" ++ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n" ++ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n" ++ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n" ++ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n" ++ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n" ++ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n" ++ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n" ++ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n" ++ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n" ++ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n" ++ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n" ++ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n" ++ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n" ++ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n" ++ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n" ++ "-----END CERTIFICATE-----\n" ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n" ++ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" ++ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n" ++ "WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n" ++ "RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n" ++ "AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n" ++ "R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n" ++ "sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n" ++ "NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n" ++ "Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n" ++ "/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n" ++ "AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n" ++ "Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n" ++ "FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n" ++ "AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n" ++ "Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n" ++ "gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n" ++ "PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n" ++ "ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n" ++ "CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n" ++ "lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n" ++ "avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n" ++ "yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n" ++ "yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n" ++ "hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n" ++ "HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n" ++ "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n" ++ "nLRbwHOoq7hHwg==\n" ++ "-----END CERTIFICATE-----\n" ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n" ++ "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n" ++ "DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n" ++ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" ++ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n" ++ "AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n" ++ "ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n" ++ "wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n" ++ "LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n" ++ "4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n" ++ "bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n" ++ "sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n" ++ "Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n" ++ "FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n" ++ "SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n" ++ "PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n" ++ "TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" ++ "SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n" ++ "c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n" ++ "+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n" ++ "ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n" ++ "b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n" ++ "U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n" ++ "MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n" ++ "5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n" ++ "9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n" ++ "WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n" ++ "he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n" ++ "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n" ++ "-----END CERTIFICATE-----\n"; ++ ++void doit(void) ++{ ++ int r; ++ unsigned i, certs_size, out; ++ unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS; ++ gnutls_x509_trust_list_t tl; ++ gnutls_x509_crt_t *certs = NULL; ++ gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 }; ++ ++ CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0)); ++ CHECK(gnutls_x509_trust_list_init(&tl, 0)); ++ CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0)); ++ CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL)); ++ ++ if (out) ++ fail("Not verified\n"); ++ ++ gnutls_x509_trust_list_deinit(tl, 0); ++ for (i = 0; i < certs_size; ++i) ++ gnutls_x509_crt_deinit(certs[i]); ++ gnutls_free(certs); ++} +-- +2.33.0 + diff --git a/backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch b/backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch new file mode 100644 index 0000000..55121e0 --- /dev/null +++ b/backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch @@ -0,0 +1,419 @@ +From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 29 Jan 2024 13:52:46 +0900 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit +of + input + +Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the +chain verification logic crashed with assertion failure. This patch +removes the restriction while keeping the maximum number of +retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH. + +Signed-off-by: Daiki Ueno + +Reference: +https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d +Conflict:lib/x509/verify-high.c,tests/test-chains.h + +--- + lib/gnutls_int.h | 5 +- + lib/x509/common.c | 10 +- + lib/x509/verify-high.c | 56 +++++++---- + tests/test-chains.h | 210 ++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 258 insertions(+), 23 deletions(-) + +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index a06d123..9706db3 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -218,7 +218,10 @@ typedef enum record_send_state_t { + + #define MAX_PK_PARAM_SIZE 2048 + +-/* defaults for verification functions ++/* Defaults for verification functions. ++ * ++ * update many_icas in tests/test-chains.h when increasing ++ * DEFAULT_MAX_VERIFY_DEPTH. + */ + #define DEFAULT_MAX_VERIFY_DEPTH 16 + #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8) +diff --git a/lib/x509/common.c b/lib/x509/common.c +index 96e7e7c..10ee9c6 100644 +--- a/lib/x509/common.c ++++ b/lib/x509/common.c +@@ -1746,7 +1746,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, + bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */ + gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; + +- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH); ++ /* Limit the number of certificates in the chain, to avoid DoS ++ * because of the O(n^2) sorting below. FIXME: Switch to a ++ * topological sort algorithm which should be linear to the ++ * number of certificates and subject-issuer relationships. ++ */ ++ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) { ++ _gnutls_debug_log("too many certificates; skipping sorting\n"); ++ return 1; ++ } + + for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) { + issuer[i] = -1; +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 02d2f0f..bbfb02e 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -25,7 +25,7 @@ + #include "errors.h" + #include + #include +-#include /* MAX */ ++#include "num.h" /* MIN */ + #include + #include + #include +@@ -1357,7 +1357,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + int ret = 0; + unsigned int i; + size_t hash; +- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; ++ gnutls_x509_crt_t *cert_list_copy = NULL; ++ unsigned int cert_list_max_size = 0; + gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH]; + unsigned int retrieved_size = 0; + const char *hostname = NULL, *purpose = NULL, *email = NULL; +@@ -1411,15 +1412,27 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + } + } + +- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); +- cert_list = sorted; ++ /* Allocate extra for retrieved certificates. */ ++ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH, ++ &cert_list_max_size)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + +- records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false); +- if (records == NULL) ++ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size, ++ sizeof(gnutls_x509_crt_t)); ++ if (!cert_list_copy) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + +- for (i = 0; i < cert_list_size && +- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { ++ memcpy(cert_list_copy, cert_list, ++ cert_list_size * sizeof(gnutls_x509_crt_t)); ++ cert_list = cert_list_copy; ++ ++ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false); ++ if (records == NULL) { ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ ++ for (i = 0; i < cert_list_size;) { + unsigned int sorted_size = 1; + unsigned int j, k; + gnutls_x509_crt_t issuer; +@@ -1431,8 +1444,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + + assert(sorted_size > 0); + +- /* Remove duplicates. Start with index 1, as the first element +- * may be re-checked after issuer retrieval. */ ++ /* Remove duplicates. */ + for (j = 0; j < sorted_size; j++) { + if (gl_list_search(records, cert_list[i + j])) { + if (i + j < cert_list_size - 1) { +@@ -1483,17 +1495,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + continue; + } + +- ret = retrieve_issuers(list, +- cert_list[i - 1], +- &retrieved[retrieved_size], +- DEFAULT_MAX_VERIFY_DEPTH - +- MAX(retrieved_size, +- cert_list_size)); ++ ret = retrieve_issuers(list, cert_list[i - 1], &retrieved[retrieved_size], ++ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size, ++ cert_list_max_size - cert_list_size)); + if (ret < 0) { + break; + } else if (ret > 0) { + assert((unsigned int)ret <= +- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); ++ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size); ++ assert((unsigned int)ret <= ++ cert_list_max_size - cert_list_size); + memmove(&cert_list[i + ret], + &cert_list[i], + (cert_list_size - i) * +@@ -1511,8 +1522,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + } + + cert_list_size = shorten_clist(list, cert_list, cert_list_size); +- if (cert_list_size <= 0) +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ if (cert_list_size <= 0) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; ++ } + + hash = + hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn. +@@ -1663,10 +1676,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + } + + cleanup: ++ gnutls_free(cert_list_copy); + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } +- gl_list_free(records); ++ if (records) { ++ gl_list_free(records); ++ } + return ret; + } + +diff --git a/tests/test-chains.h b/tests/test-chains.h +index 07e90bb..2dbee07 100644 +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -25,7 +25,7 @@ + + /* *INDENT-OFF* */ + +-#define MAX_CHAIN 10 ++#define MAX_CHAIN 17 + + static const char *chain_with_no_subject_id_in_ca_ok[] = { + "-----BEGIN CERTIFICATE-----\n" +@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = { + NULL + }; + ++/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */ ++static const char *many_icas[] = { ++ /* Server */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n" ++ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n" ++ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n" ++ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n" ++ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n" ++ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n" ++ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA16 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n" ++ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n" ++ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n" ++ "sOhBKAcVfS55uWtYdjoWQ80h238H\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA15 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n" ++ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n" ++ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n" ++ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA14 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n" ++ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n" ++ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n" ++ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA13 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n" ++ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n" ++ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n" ++ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA12 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n" ++ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n" ++ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n" ++ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA11 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n" ++ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n" ++ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n" ++ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA10 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n" ++ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n" ++ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n" ++ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA9 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n" ++ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n" ++ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n" ++ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA8 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n" ++ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n" ++ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n" ++ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA7 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n" ++ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n" ++ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n" ++ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA6 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n" ++ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n" ++ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n" ++ "0lY71oU043mNP1yx/dzAuCTrVSgI\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA5 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n" ++ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n" ++ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n" ++ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA4 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n" ++ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n" ++ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n" ++ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA3 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n" ++ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n" ++ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n" ++ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA2 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n" ++ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n" ++ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n" ++ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n" ++ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n" ++ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n" ++ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n" ++ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n" ++ "-----END CERTIFICATE-----\n", ++ /* ICA1 */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n" ++ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n" ++ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n" ++ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n" ++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n" ++ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n" ++ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n" ++ "O2tFnNH2hV6LDPJzU0rtLQc=\n" ++ "-----END CERTIFICATE-----\n", ++ NULL ++}; ++ ++static const char *many_icas_ca[] = { ++ /* CA (self-signed) */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n" ++ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n" ++ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n" ++ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n" ++ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n" ++ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n" ++ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n" ++ "-----END CERTIFICATE-----\n", ++ NULL ++}; ++ + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) + # pragma GCC diagnostic push + # pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4566,6 +4773,7 @@ static struct + GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1}, + { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300}, ++ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0, 1710284400}, + { NULL, NULL, NULL, 0, 0} + }; + +-- +2.33.0 + diff --git a/backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch b/backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch new file mode 100644 index 0000000..e4c94ff --- /dev/null +++ b/backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch @@ -0,0 +1,70 @@ +From 7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 7 Jun 2023 16:44:00 +0200 +Subject: [PATCH] lib: suppress false-positive -Wanalyzer-out-of-bounds + +GCC analyzer from GCC 13 reports this: + + verify-high.c:1471:21: error: stack-based buffer over-read [CWE-126] [-Werror=analyzer-out-of-bounds] + 1471 | if (gnutls_x509_trust_list_get_issuer( + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1472 | list, cert_list[i - 1], &issuer, + +This is false-positive, as i is always in a range 0 < i < cert_list_size. + +Signed-off-by: Daiki Ueno + +Reference: https://gitlab.com/gnutls/gnutls/-/commit/7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 +Conflict: NA + +--- + lib/x509/verify-high.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 2c070b0..02d2f0f 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1421,7 +1421,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < cert_list_size && + cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { + unsigned int sorted_size = 1; +- unsigned int j; ++ unsigned int j, k; + gnutls_x509_crt_t issuer; + + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { +@@ -1429,6 +1429,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + cert_list_size - i); + } + ++ assert(sorted_size > 0); ++ + /* Remove duplicates. Start with index 1, as the first element + * may be re-checked after issuer retrieval. */ + for (j = 0; j < sorted_size; j++) { +@@ -1448,13 +1450,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + } + + /* Record the certificates seen. */ +- for (j = 0; j < sorted_size; j++, i++) { ++ for (k = 0; k < sorted_size; k++, i++) { + if (!gl_list_nx_add_last(records, cert_list[i])) { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto cleanup; + } + } + ++ /* Pacify GCC analyzer: the condition always holds ++ * true as sorted_size > 0 is checked above, and the ++ * following loop should iterate at least once so i++ ++ * is called. ++ */ ++ assert(i > 0); ++ + /* If the issuer of the certificate is known, no need + * for further processing. */ + if (gnutls_x509_trust_list_get_issuer(list, +-- +2.33.0 + diff --git a/backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch b/backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch new file mode 100644 index 0000000..17581b4 --- /dev/null +++ b/backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch @@ -0,0 +1,49 @@ +From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 30 Oct 2021 08:56:07 +0200 +Subject: [PATCH] x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2 + +This function previously used gnutls_x509_trust_list_get_issuer +without GNUTLS_TL_GET_COPY flag, which is required when the function +is called from multi-threaded application and PKCS #11 trust store is +in use. + +Reported and the change suggested by Remi Gacogne in: +https://gitlab.com/gnutls/gnutls/-/issues/1277 + +Signed-off-by: Daiki Ueno + +Reference: https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1 +Conflict: NA + +--- + lib/x509/verify-high.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index ab8e006ca..5698d4f37 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, + * gnutls_x509_trust_list_get_issuer: + * @list: The list + * @cert: is the certificate to find issuer for +- * @issuer: Will hold the issuer if any. Should be treated as constant. ++ * @issuer: Will hold the issuer if any. Should be treated as constant ++ * unless %GNUTLS_TL_GET_COPY is set in @flags. + * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable) + * + * This function will find the issuer of the given certificate. +@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + if (gnutls_x509_trust_list_get_issuer(list, + cert_list[i - 1], + &issuer, +- 0) == 0) { ++ GNUTLS_TL_GET_COPY) == 0) { ++ gnutls_x509_crt_deinit(issuer); + cert_list_size = i; + break; + } +-- +2.33.0 + diff --git a/gnutls.spec b/gnutls.spec index e2b9274..e899f52 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ Name: gnutls Version: 3.7.2 -Release: 14 +Release: 15 Summary: The GNU Secure Communication Protocol Library License: LGPLv2.1+ and GPLv3+ @@ -19,6 +19,10 @@ Patch8: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch Patch9: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch Patch10: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch Patch11: backport-add-gnulib-files.patch +Patch12: backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch +Patch13: backport-Fix-removal-of-duplicate-certs-during-verification.patch +Patch14: backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch +Patch15: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch %bcond_without dane %bcond_with guile @@ -225,8 +229,10 @@ make check %{?_smp_mflags} %endif %changelog -* Thu Apr 18 2024 fangxiuning - 3.7 -.2-14 +* Thu Apr 18 2024 fangxiuning - 3.7.2-15 +- fix CVE-2024-28835 + +* Thu Apr 18 2024 fangxiuning - 3.7.2-14 - fix CVE-2024-28835 * Tue Mar 26 2024 xuraoqing - 3.7.2-13