Compare commits
11 Commits
070498d91a
...
b67b69edf0
| Author | SHA1 | Date | |
|---|---|---|---|
|
b67b69edf0 | ||
|
|
eb5245a0a9 | ||
|
|
7f0c36aac1 | ||
|
|
1276eea055 | ||
|
|
09bc14916a | ||
|
|
d09afe28be | ||
|
|
a4089ce740 | ||
|
|
2eb4441d6c | ||
|
|
0365224fe2 | ||
|
|
c35dc90605 | ||
|
|
49862a6024 |
@ -0,0 +1,212 @@
|
||||
From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Mon, 23 Oct 2023 09:26:57 +0900
|
||||
Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
|
||||
|
||||
This removes branching that depends on secret data, porting changes
|
||||
for regular RSA key exchange from
|
||||
4804febddc2ed958e5ae774de2a8f85edeeff538 and
|
||||
80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
|
||||
allow_wrong_pms as it was used sorely to control debug output
|
||||
depending on the branching.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Conflict::rsa.c,rsa_psk.c,gnutls_int.h
|
||||
|
||||
---
|
||||
lib/auth/rsa.c | 2 +-
|
||||
lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
|
||||
lib/gnutls_int.h | 4 --
|
||||
lib/priority.c | 1 -
|
||||
4 files changed, 35 insertions(+), 65 deletions(-)
|
||||
|
||||
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
|
||||
index d9635a9..8c87e66 100644
|
||||
--- a/lib/auth/rsa.c
|
||||
+++ b/lib/auth/rsa.c
|
||||
@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
session->key.key.size);
|
||||
/* After this point, any conditional on failure that cause differences
|
||||
* in execution may create a timing or cache access pattern side
|
||||
- * channel that can be used as an oracle, so treat very carefully */
|
||||
+ * channel that can be used as an oracle, so tread carefully */
|
||||
|
||||
/* Error handling logic:
|
||||
* In case decryption fails then don't inform the peer. Just use the
|
||||
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
|
||||
index 1a9dab5..93c2dc9 100644
|
||||
--- a/lib/auth/rsa_psk.c
|
||||
+++ b/lib/auth/rsa_psk.c
|
||||
@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
{
|
||||
gnutls_datum_t username;
|
||||
psk_auth_info_t info;
|
||||
- gnutls_datum_t plaintext;
|
||||
gnutls_datum_t ciphertext;
|
||||
gnutls_datum_t pwd_psk = { NULL, 0 };
|
||||
int ret, dsize;
|
||||
- int randomize_key = 0;
|
||||
ssize_t data_size = _data_size;
|
||||
gnutls_psk_server_credentials_t cred;
|
||||
gnutls_datum_t premaster_secret = { NULL, 0 };
|
||||
+ volatile uint8_t ver_maj, ver_min;
|
||||
|
||||
cred = (gnutls_psk_server_credentials_t)
|
||||
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
|
||||
@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
}
|
||||
ciphertext.size = dsize;
|
||||
|
||||
- ret =
|
||||
- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
|
||||
- &ciphertext, &plaintext);
|
||||
- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
|
||||
- /* In case decryption fails then don't inform
|
||||
- * the peer. Just use a random key. (in order to avoid
|
||||
- * attack against pkcs-1 formatting).
|
||||
- */
|
||||
+ ver_maj = _gnutls_get_adv_version_major(session);
|
||||
+ ver_min = _gnutls_get_adv_version_minor(session);
|
||||
+
|
||||
+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
|
||||
+ if (premaster_secret.data == NULL) {
|
||||
gnutls_assert();
|
||||
- _gnutls_debug_log
|
||||
- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
|
||||
- if (ret >= 0) {
|
||||
- gnutls_free(plaintext.data);
|
||||
- }
|
||||
- randomize_key = 1;
|
||||
- } else {
|
||||
- /* If the secret was properly formatted, then
|
||||
- * check the version number.
|
||||
- */
|
||||
- if (_gnutls_get_adv_version_major(session) !=
|
||||
- plaintext.data[0]
|
||||
- || (session->internals.allow_wrong_pms == 0
|
||||
- && _gnutls_get_adv_version_minor(session) !=
|
||||
- plaintext.data[1])) {
|
||||
- /* No error is returned here, if the version number check
|
||||
- * fails. We proceed normally.
|
||||
- * That is to defend against the attack described in the paper
|
||||
- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
|
||||
- * Ondej Pokorny and Tomas Rosa.
|
||||
- */
|
||||
- gnutls_assert();
|
||||
- _gnutls_debug_log
|
||||
- ("auth_rsa: Possible PKCS #1 version check format attack\n");
|
||||
- }
|
||||
+ return GNUTLS_E_MEMORY_ERROR;
|
||||
}
|
||||
+ premaster_secret.size = GNUTLS_MASTER_SIZE;
|
||||
|
||||
-
|
||||
- if (randomize_key != 0) {
|
||||
- premaster_secret.size = GNUTLS_MASTER_SIZE;
|
||||
- premaster_secret.data =
|
||||
- gnutls_malloc(premaster_secret.size);
|
||||
- if (premaster_secret.data == NULL) {
|
||||
- gnutls_assert();
|
||||
- return GNUTLS_E_MEMORY_ERROR;
|
||||
- }
|
||||
-
|
||||
- /* we do not need strong random numbers here.
|
||||
- */
|
||||
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
||||
- premaster_secret.size);
|
||||
- if (ret < 0) {
|
||||
- gnutls_assert();
|
||||
- goto cleanup;
|
||||
- }
|
||||
- } else {
|
||||
- premaster_secret.data = plaintext.data;
|
||||
- premaster_secret.size = plaintext.size;
|
||||
+ /* Fallback value when decryption fails. Needs to be unpredictable. */
|
||||
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
||||
+ premaster_secret.size);
|
||||
+ if (ret < 0) {
|
||||
+ gnutls_assert();
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
|
||||
+ &ciphertext, premaster_secret.data,
|
||||
+ premaster_secret.size);
|
||||
+ /* After this point, any conditional on failure that cause differences
|
||||
+ * in execution may create a timing or cache access pattern side
|
||||
+ * channel that can be used as an oracle, so tread carefully */
|
||||
+
|
||||
+ /* Error handling logic:
|
||||
+ * In case decryption fails then don't inform the peer. Just use the
|
||||
+ * random key previously generated. (in order to avoid attack against
|
||||
+ * pkcs-1 formatting).
|
||||
+ *
|
||||
+ * If we get version mismatches no error is returned either. We
|
||||
+ * proceed normally. This is to defend against the attack described
|
||||
+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
|
||||
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
|
||||
+ */
|
||||
+
|
||||
/* This is here to avoid the version check attack
|
||||
* discussed above.
|
||||
*/
|
||||
-
|
||||
- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
|
||||
- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
|
||||
+ premaster_secret.data[0] = ver_maj;
|
||||
+ premaster_secret.data[1] = ver_min;
|
||||
|
||||
/* find the key of this username
|
||||
*/
|
||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
||||
index b9eace5..2eafc18 100644
|
||||
--- a/lib/gnutls_int.h
|
||||
+++ b/lib/gnutls_int.h
|
||||
@@ -971,7 +971,6 @@ struct gnutls_priority_st {
|
||||
bool _no_etm;
|
||||
bool _no_ext_master_secret;
|
||||
bool _allow_key_usage_violation;
|
||||
- bool _allow_wrong_pms;
|
||||
bool _dumbfw;
|
||||
unsigned int _dh_prime_bits; /* old (deprecated) variable */
|
||||
|
||||
@@ -989,7 +988,6 @@ struct gnutls_priority_st {
|
||||
(x)->no_etm = 1; \
|
||||
(x)->no_ext_master_secret = 1; \
|
||||
(x)->allow_key_usage_violation = 1; \
|
||||
- (x)->allow_wrong_pms = 1; \
|
||||
(x)->dumbfw = 1
|
||||
|
||||
#define ENABLE_PRIO_COMPAT(x) \
|
||||
@@ -998,7 +996,6 @@ struct gnutls_priority_st {
|
||||
(x)->_no_etm = 1; \
|
||||
(x)->_no_ext_master_secret = 1; \
|
||||
(x)->_allow_key_usage_violation = 1; \
|
||||
- (x)->_allow_wrong_pms = 1; \
|
||||
(x)->_dumbfw = 1
|
||||
|
||||
/* DH and RSA parameters types.
|
||||
@@ -1123,7 +1120,6 @@ typedef struct {
|
||||
bool no_etm;
|
||||
bool no_ext_master_secret;
|
||||
bool allow_key_usage_violation;
|
||||
- bool allow_wrong_pms;
|
||||
bool dumbfw;
|
||||
|
||||
/* old (deprecated) variable. This is used for both srp_prime_bits
|
||||
diff --git a/lib/priority.c b/lib/priority.c
|
||||
index 0a284ae..67ec887 100644
|
||||
--- a/lib/priority.c
|
||||
+++ b/lib/priority.c
|
||||
@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
|
||||
COPY_TO_INTERNALS(no_etm);
|
||||
COPY_TO_INTERNALS(no_ext_master_secret);
|
||||
COPY_TO_INTERNALS(allow_key_usage_violation);
|
||||
- COPY_TO_INTERNALS(allow_wrong_pms);
|
||||
COPY_TO_INTERNALS(dumbfw);
|
||||
COPY_TO_INTERNALS(dh_prime_bits);
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,125 @@
|
||||
From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Wed, 10 Jan 2024 19:13:17 +0900
|
||||
Subject: [PATCH] rsa-psk: minimize branching after decryption
|
||||
|
||||
This moves any non-trivial code between gnutls_privkey_decrypt_data2
|
||||
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
|
||||
decryption. This also avoids an extra memcpy to session->key.key.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
|
||||
Conflicts: lib/auth/rsa_psk.c
|
||||
|
||||
---
|
||||
lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
|
||||
1 file changed, 35 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
|
||||
index 93c2dc9..a77aeb6 100644
|
||||
--- a/lib/auth/rsa_psk.c
|
||||
+++ b/lib/auth/rsa_psk.c
|
||||
@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
int ret, dsize;
|
||||
ssize_t data_size = _data_size;
|
||||
gnutls_psk_server_credentials_t cred;
|
||||
- gnutls_datum_t premaster_secret = { NULL, 0 };
|
||||
volatile uint8_t ver_maj, ver_min;
|
||||
|
||||
cred = (gnutls_psk_server_credentials_t)
|
||||
@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
ver_maj = _gnutls_get_adv_version_major(session);
|
||||
ver_min = _gnutls_get_adv_version_minor(session);
|
||||
|
||||
- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
|
||||
- if (premaster_secret.data == NULL) {
|
||||
+ /* Find the key of this username. A random value will be
|
||||
+ * filled in if the key is not found.
|
||||
+ */
|
||||
+ ret = _gnutls_psk_pwd_find_entry(session, info->username,
|
||||
+ strlen(info->username), &pwd_psk);
|
||||
+ if (ret < 0)
|
||||
+ return gnutls_assert_val(ret);
|
||||
+
|
||||
+ /* Allocate memory for premaster secret, and fill in the
|
||||
+ * fields except the decryption result.
|
||||
+ */
|
||||
+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
|
||||
+ session->key.key.data = gnutls_malloc(session->key.key.size);
|
||||
+ if (session->key.key.data == NULL) {
|
||||
gnutls_assert();
|
||||
+ _gnutls_free_key_datum(&pwd_psk);
|
||||
+ /* No need to zeroize, as the secret is not copied in yet */
|
||||
+ _gnutls_free_datum(&session->key.key);
|
||||
return GNUTLS_E_MEMORY_ERROR;
|
||||
}
|
||||
- premaster_secret.size = GNUTLS_MASTER_SIZE;
|
||||
|
||||
/* Fallback value when decryption fails. Needs to be unpredictable. */
|
||||
- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
|
||||
- premaster_secret.size);
|
||||
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
|
||||
+ GNUTLS_MASTER_SIZE);
|
||||
if (ret < 0) {
|
||||
gnutls_assert();
|
||||
- goto cleanup;
|
||||
+ _gnutls_free_key_datum(&pwd_psk);
|
||||
+ /* No need to zeroize, as the secret is not copied in yet */
|
||||
+ _gnutls_free_datum(&session->key.key);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
|
||||
+ _gnutls_write_uint16(pwd_psk.size,
|
||||
+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
|
||||
+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
|
||||
+ pwd_psk.size);
|
||||
+ _gnutls_free_key_datum(&pwd_psk);
|
||||
+
|
||||
gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
|
||||
- &ciphertext, premaster_secret.data,
|
||||
- premaster_secret.size);
|
||||
+ &ciphertext, session->key.key.data + 2,
|
||||
+ GNUTLS_MASTER_SIZE);
|
||||
/* After this point, any conditional on failure that cause differences
|
||||
* in execution may create a timing or cache access pattern side
|
||||
* channel that can be used as an oracle, so tread carefully */
|
||||
@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
|
||||
/* This is here to avoid the version check attack
|
||||
* discussed above.
|
||||
*/
|
||||
- premaster_secret.data[0] = ver_maj;
|
||||
- premaster_secret.data[1] = ver_min;
|
||||
+ session->key.key.data[2] = ver_maj;
|
||||
+ session->key.key.data[3] = ver_min;
|
||||
|
||||
- /* find the key of this username
|
||||
- */
|
||||
- ret =
|
||||
- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
|
||||
- if (ret < 0) {
|
||||
- gnutls_assert();
|
||||
- goto cleanup;
|
||||
- }
|
||||
-
|
||||
- ret =
|
||||
- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
|
||||
- if (ret < 0) {
|
||||
- gnutls_assert();
|
||||
- goto cleanup;
|
||||
- }
|
||||
-
|
||||
- ret = 0;
|
||||
- cleanup:
|
||||
- _gnutls_free_key_datum(&pwd_psk);
|
||||
- _gnutls_free_temp_key_datum(&premaster_secret);
|
||||
-
|
||||
- return ret;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,186 @@
|
||||
From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Thu, 11 Jan 2024 15:45:11 +0900
|
||||
Subject: [PATCH] x509: detect loop in certificate chain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There can be a loop in a certificate chain, when multiple CA
|
||||
certificates are cross-signed with each other, such as A → B, B → C,
|
||||
and C → A. Previously, the verification logic was not capable of
|
||||
handling this scenario while sorting the certificates in the chain in
|
||||
_gnutls_sort_clist, resulting in an assertion failure. This patch
|
||||
properly detects such loop and aborts further processing in a graceful
|
||||
manner.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
|
||||
Conflicts: tests/test-chains.h
|
||||
|
||||
---
|
||||
lib/x509/common.c | 4 ++
|
||||
tests/test-chains.h | 124 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 128 insertions(+)
|
||||
|
||||
diff --git a/lib/x509/common.c b/lib/x509/common.c
|
||||
index c156bd9..96e7e7c 100644
|
||||
--- a/lib/x509/common.c
|
||||
+++ b/lib/x509/common.c
|
||||
@@ -1787,6 +1787,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
|
||||
break;
|
||||
}
|
||||
|
||||
+ if (insorted[prev]) { /* loop detected */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
sorted[i] = clist[prev];
|
||||
insorted[prev] = 1;
|
||||
}
|
||||
diff --git a/tests/test-chains.h b/tests/test-chains.h
|
||||
index c3c499a..07e90bb 100644
|
||||
--- a/tests/test-chains.h
|
||||
+++ b/tests/test-chains.h
|
||||
@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
+static const char *cross_signed[] = {
|
||||
+ /* server (signed by A1) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
|
||||
+ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
|
||||
+ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
|
||||
+ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
|
||||
+ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
|
||||
+ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
|
||||
+ "v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
|
||||
+ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* A1 (signed by A) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
|
||||
+ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
|
||||
+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
|
||||
+ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
|
||||
+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
|
||||
+ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
|
||||
+ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
|
||||
+ "TLVBHvUJ\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* A (signed by B) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
|
||||
+ "WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
|
||||
+ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
|
||||
+ "u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* A (signed by C) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
|
||||
+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
|
||||
+ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
|
||||
+ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* B1 (signed by B) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
|
||||
+ "BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
|
||||
+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
|
||||
+ "a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
|
||||
+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
|
||||
+ "HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
|
||||
+ "rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
|
||||
+ "/e+0cgQB\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* B (signed by A) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
|
||||
+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
|
||||
+ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
|
||||
+ "3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* B (signed by C) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
|
||||
+ "3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
|
||||
+ "XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
|
||||
+ "BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* C1 (signed by C) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
|
||||
+ "BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
|
||||
+ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
|
||||
+ "qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
|
||||
+ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
|
||||
+ "HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
|
||||
+ "3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
|
||||
+ "725XUUYO\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* C (signed by A) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
|
||||
+ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
|
||||
+ "A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
|
||||
+ "tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* C (signed by B) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
|
||||
+ "8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
|
||||
+ "s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
|
||||
+ "bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static const char *cross_signed_ca[] = {
|
||||
+ /* A (self-signed) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
|
||||
+ "A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
|
||||
+ "MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
|
||||
+ "WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
|
||||
+ "5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
|
||||
+ "bDeZ2XJH+BdVFwg=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
|
||||
# pragma GCC diagnostic push
|
||||
# pragma GCC diagnostic ignored "-Wunused-variable"
|
||||
@@ -4442,6 +4565,7 @@ static struct
|
||||
rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
|
||||
GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
|
||||
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
|
||||
+ { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
|
||||
{ NULL, NULL, NULL, 0, 0}
|
||||
};
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,387 @@
|
||||
From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001
|
||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Date: Mon, 17 Oct 2022 15:27:37 +0200
|
||||
Subject: [PATCH] Fix removal of duplicate certs during verification
|
||||
|
||||
Co-authored-by: Daiki Ueno <ueno@gnu.org>
|
||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/e89378d5853d9bd0136b95aade37e23762ad9290
|
||||
Conflict: .gitignore
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 101 ++++---------------
|
||||
tests/Makefile.am | 2 +-
|
||||
tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 202 insertions(+), 82 deletions(-)
|
||||
create mode 100644 tests/x509-verify-duplicate.c
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 5698d4f..2c070b0 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -35,6 +35,8 @@
|
||||
#include <gnutls/x509-ext.h>
|
||||
#include "verify-high.h"
|
||||
#include "intprops.h"
|
||||
+#include "gl_linkedhash_list.h"
|
||||
+#include "gl_list.h"
|
||||
|
||||
struct named_cert_st {
|
||||
gnutls_x509_crt_t cert;
|
||||
@@ -68,82 +70,19 @@ struct gnutls_x509_trust_list_iter {
|
||||
|
||||
#define DEFAULT_SIZE 127
|
||||
|
||||
-struct cert_set_node_st {
|
||||
- gnutls_x509_crt_t *certs;
|
||||
- unsigned int size;
|
||||
-};
|
||||
-
|
||||
-struct cert_set_st {
|
||||
- struct cert_set_node_st *node;
|
||||
- unsigned int size;
|
||||
-};
|
||||
-
|
||||
-static int
|
||||
-cert_set_init(struct cert_set_st *set, unsigned int size)
|
||||
-{
|
||||
- memset(set, 0, sizeof(*set));
|
||||
-
|
||||
- set->size = size;
|
||||
- set->node = gnutls_calloc(size, sizeof(*set->node));
|
||||
- if (!set->node) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-static void
|
||||
-cert_set_deinit(struct cert_set_st *set)
|
||||
-{
|
||||
- size_t i;
|
||||
-
|
||||
- for (i = 0; i < set->size; i++) {
|
||||
- gnutls_free(set->node[i].certs);
|
||||
- }
|
||||
-
|
||||
- gnutls_free(set->node);
|
||||
-}
|
||||
-
|
||||
static bool
|
||||
-cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
||||
+cert_eq(const void *cert1, const void *cert2)
|
||||
{
|
||||
- size_t hash, i;
|
||||
-
|
||||
- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
||||
- hash %= set->size;
|
||||
-
|
||||
- for (i = 0; i < set->node[hash].size; i++) {
|
||||
- if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
|
||||
- return true;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- return false;
|
||||
+ const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1;
|
||||
+ const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2;
|
||||
+ return gnutls_x509_crt_equals(c1, c2);
|
||||
}
|
||||
|
||||
-static int
|
||||
-cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
||||
+static size_t
|
||||
+cert_hashcode(const void *cert)
|
||||
{
|
||||
- size_t hash;
|
||||
-
|
||||
- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
||||
- hash %= set->size;
|
||||
-
|
||||
- if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
-
|
||||
- set->node[hash].certs =
|
||||
- _gnutls_reallocarray_fast(set->node[hash].certs,
|
||||
- set->node[hash].size + 1,
|
||||
- sizeof(*set->node[hash].certs));
|
||||
- if (!set->node[hash].certs) {
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- }
|
||||
- set->node[hash].certs[set->node[hash].size] = cert;
|
||||
- set->node[hash].size++;
|
||||
-
|
||||
- return 0;
|
||||
+ const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert;
|
||||
+ return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1426,7 +1365,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
unsigned have_set_name = 0;
|
||||
unsigned saved_output;
|
||||
gnutls_datum_t ip = {NULL, 0};
|
||||
- struct cert_set_st cert_set = { NULL, 0 };
|
||||
+ gl_list_t records;
|
||||
|
||||
if (cert_list == NULL || cert_list_size < 1)
|
||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
@@ -1475,10 +1414,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
cert_list = sorted;
|
||||
|
||||
- ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
|
||||
- if (ret < 0) {
|
||||
- return ret;
|
||||
- }
|
||||
+ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
+ if (records == NULL)
|
||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
|
||||
for (i = 0; i < cert_list_size &&
|
||||
cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
@@ -1493,8 +1431,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Remove duplicates. Start with index 1, as the first element
|
||||
* may be re-checked after issuer retrieval. */
|
||||
- for (j = 1; j < sorted_size; j++) {
|
||||
- if (cert_set_contains(&cert_set, cert_list[i + j])) {
|
||||
+ for (j = 0; j < sorted_size; j++) {
|
||||
+ if (gl_list_search(records, cert_list[i + j])) {
|
||||
if (i + j < cert_list_size - 1) {
|
||||
memmove(&cert_list[i + j],
|
||||
&cert_list[i + j + 1],
|
||||
@@ -1511,8 +1449,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Record the certificates seen. */
|
||||
for (j = 0; j < sorted_size; j++, i++) {
|
||||
- ret = cert_set_add(&cert_set, cert_list[i]);
|
||||
- if (ret < 0) {
|
||||
+ if (!gl_list_nx_add_last(records, cert_list[i])) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
@@ -1559,6 +1497,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
/* Start again from the end of the previous segment. */
|
||||
i--;
|
||||
+ gl_list_remove(records, cert_list[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1718,7 +1657,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
for (i = 0; i < retrieved_size; i++) {
|
||||
gnutls_x509_crt_deinit(retrieved[i]);
|
||||
}
|
||||
- cert_set_deinit(&cert_set);
|
||||
+ gl_list_free(records);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index b65fb65..f92a130 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -172,7 +172,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
|
||||
crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
|
||||
tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
|
||||
tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
|
||||
- mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
|
||||
+ mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
|
||||
mini-dtls-record-asym key-import-export priority-set priority-set2 \
|
||||
pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \
|
||||
mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \
|
||||
diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c
|
||||
new file mode 100644
|
||||
index 0000000..f47a8b2
|
||||
--- /dev/null
|
||||
+++ b/tests/x509-verify-duplicate.c
|
||||
@@ -0,0 +1,181 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2022 Red Hat, Inc.
|
||||
+ *
|
||||
+ * Author: Zoltan Fridrich
|
||||
+ *
|
||||
+ * This file is part of GnuTLS.
|
||||
+ *
|
||||
+ * GnuTLS is free software: you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GnuTLS is distributed in the hope that it will be useful, but
|
||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ * General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_CONFIG_H
|
||||
+#include <config.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <gnutls/x509.h>
|
||||
+
|
||||
+#include "utils.h"
|
||||
+
|
||||
+#define CHECK(X)\
|
||||
+{\
|
||||
+ r = X;\
|
||||
+ if (r < 0)\
|
||||
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
|
||||
+}\
|
||||
+
|
||||
+static char cert_pem[] =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
|
||||
+ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
|
||||
+ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
|
||||
+ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
|
||||
+ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
|
||||
+ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
|
||||
+ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
|
||||
+ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
|
||||
+ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
|
||||
+ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
|
||||
+ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
|
||||
+ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
|
||||
+ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
|
||||
+ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
|
||||
+ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
|
||||
+ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
|
||||
+ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
|
||||
+ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
|
||||
+ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
|
||||
+ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
|
||||
+ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
|
||||
+ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
|
||||
+ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
|
||||
+ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
|
||||
+ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
|
||||
+ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
|
||||
+ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
|
||||
+ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
|
||||
+ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
|
||||
+ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
|
||||
+ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
|
||||
+ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
|
||||
+ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
|
||||
+ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
|
||||
+ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
|
||||
+ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
|
||||
+ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
|
||||
+ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
|
||||
+ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
|
||||
+ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
|
||||
+ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
|
||||
+ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
|
||||
+ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
|
||||
+ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
|
||||
+ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
|
||||
+ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
|
||||
+ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
|
||||
+ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
|
||||
+ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
|
||||
+ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
|
||||
+ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
|
||||
+ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
|
||||
+ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
|
||||
+ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
|
||||
+ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n"
|
||||
+ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
|
||||
+ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n"
|
||||
+ "WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
|
||||
+ "RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
|
||||
+ "AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n"
|
||||
+ "R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n"
|
||||
+ "sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n"
|
||||
+ "NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n"
|
||||
+ "Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n"
|
||||
+ "/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n"
|
||||
+ "AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n"
|
||||
+ "Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n"
|
||||
+ "FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n"
|
||||
+ "AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n"
|
||||
+ "Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n"
|
||||
+ "gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n"
|
||||
+ "PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n"
|
||||
+ "ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n"
|
||||
+ "CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n"
|
||||
+ "lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n"
|
||||
+ "avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n"
|
||||
+ "yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n"
|
||||
+ "yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n"
|
||||
+ "hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n"
|
||||
+ "HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n"
|
||||
+ "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
|
||||
+ "nLRbwHOoq7hHwg==\n"
|
||||
+ "-----END CERTIFICATE-----\n"
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
|
||||
+ "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
|
||||
+ "DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
|
||||
+ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
|
||||
+ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
|
||||
+ "AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
|
||||
+ "ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
|
||||
+ "wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
|
||||
+ "LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
|
||||
+ "4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
|
||||
+ "bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
|
||||
+ "sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
|
||||
+ "Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
|
||||
+ "FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
|
||||
+ "SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
|
||||
+ "PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
|
||||
+ "TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
|
||||
+ "SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
|
||||
+ "c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
|
||||
+ "+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
|
||||
+ "ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
|
||||
+ "b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
|
||||
+ "U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
|
||||
+ "MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
|
||||
+ "5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
|
||||
+ "9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
|
||||
+ "WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
|
||||
+ "he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
|
||||
+ "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
|
||||
+ "-----END CERTIFICATE-----\n";
|
||||
+
|
||||
+void doit(void)
|
||||
+{
|
||||
+ int r;
|
||||
+ unsigned i, certs_size, out;
|
||||
+ unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
|
||||
+ gnutls_x509_trust_list_t tl;
|
||||
+ gnutls_x509_crt_t *certs = NULL;
|
||||
+ gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };
|
||||
+
|
||||
+ CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_init(&tl, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0));
|
||||
+ CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL));
|
||||
+
|
||||
+ if (out)
|
||||
+ fail("Not verified\n");
|
||||
+
|
||||
+ gnutls_x509_trust_list_deinit(tl, 0);
|
||||
+ for (i = 0; i < certs_size; ++i)
|
||||
+ gnutls_x509_crt_deinit(certs[i]);
|
||||
+ gnutls_free(certs);
|
||||
+}
|
||||
--
|
||||
2.33.0
|
||||
|
||||
2766
backport-add-gnulib-files.patch
Normal file
2766
backport-add-gnulib-files.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,456 @@
|
||||
From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Fri, 12 Jan 2024 17:56:58 +0900
|
||||
Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
|
||||
|
||||
This removes function calls that potentially leak bit-length of a
|
||||
private key used to calculate a nonce in deterministic ECDSA. Namely:
|
||||
|
||||
- _gnutls_dsa_compute_k has been rewritten to work on always
|
||||
zero-padded mp_limb_t arrays instead of mpz_t
|
||||
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
|
||||
by a byte array instead of an mpz_t value
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5
|
||||
Conflict: lib/nettle/pk.c,
|
||||
lib/nettle/int/ecdsa-compute-k.c,lib/nettle/int/ecdsa-compute-k.h,
|
||||
lib/nettle/int/dsa-compute-k.c,lib/nettle/int/dsa-compute-k.h
|
||||
|
||||
---
|
||||
lib/nettle/int/dsa-compute-k.c | 82 ++++++++++++++++++++-----------
|
||||
lib/nettle/int/dsa-compute-k.h | 31 +++++++++---
|
||||
lib/nettle/int/ecdsa-compute-k.c | 33 +++----------
|
||||
lib/nettle/int/ecdsa-compute-k.h | 8 +--
|
||||
lib/nettle/pk.c | 79 +++++++++++++++++++----------
|
||||
tests/sign-verify-deterministic.c | 2 +-
|
||||
6 files changed, 138 insertions(+), 97 deletions(-)
|
||||
|
||||
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
|
||||
index 17d6331..649a194 100644
|
||||
--- a/lib/nettle/int/dsa-compute-k.c
|
||||
+++ b/lib/nettle/int/dsa-compute-k.c
|
||||
@@ -31,33 +31,37 @@
|
||||
#include "mpn-base256.h"
|
||||
#include <string.h>
|
||||
|
||||
-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
||||
-
|
||||
-/* The maximum size of q, choosen from the fact that we support
|
||||
- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
||||
- * maximum. */
|
||||
-#define MAX_Q_BITS 521
|
||||
-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
||||
-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
||||
-
|
||||
-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
||||
-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
||||
-
|
||||
-int
|
||||
-_gnutls_dsa_compute_k(mpz_t k,
|
||||
- const mpz_t q,
|
||||
- const mpz_t x,
|
||||
- gnutls_mac_algorithm_t mac,
|
||||
- const uint8_t *digest,
|
||||
+/* For mini-gmp */
|
||||
+#ifndef GMP_LIMB_BITS
|
||||
+#define GMP_LIMB_BITS GMP_NUMB_BITS
|
||||
+#endif
|
||||
+
|
||||
+static inline int is_zero_limb(mp_limb_t x)
|
||||
+{
|
||||
+ x |= (x << 1);
|
||||
+ return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
|
||||
+}
|
||||
+
|
||||
+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
|
||||
+{
|
||||
+ volatile mp_limb_t w;
|
||||
+ mp_size_t i;
|
||||
+
|
||||
+ for (i = 0, w = 0; i < n; i++)
|
||||
+ w |= ap[i];
|
||||
+
|
||||
+ return is_zero_limb(w);
|
||||
+}
|
||||
+
|
||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
||||
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
||||
size_t length)
|
||||
{
|
||||
uint8_t V[MAX_HASH_SIZE];
|
||||
uint8_t K[MAX_HASH_SIZE];
|
||||
uint8_t xp[MAX_Q_SIZE];
|
||||
uint8_t tp[MAX_Q_SIZE];
|
||||
- mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
|
||||
- mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
|
||||
- mp_size_t qn = mpz_size(q);
|
||||
mp_bitcnt_t h_bits = length * 8;
|
||||
mp_size_t hn = BITS_TO_LIMBS(h_bits);
|
||||
size_t nbytes = (q_bits + 7) / 8;
|
||||
@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
|
||||
mp_limb_t cy;
|
||||
gnutls_hmac_hd_t hd;
|
||||
int ret = 0;
|
||||
+ mp_limb_t scratch[MAX_Q_LIMBS];
|
||||
|
||||
if (unlikely(q_bits > MAX_Q_BITS))
|
||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
|
||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
|
||||
/* int2octets(x) */
|
||||
- mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
|
||||
+ mpn_get_base256(xp, nbytes, x, qn);
|
||||
|
||||
/* bits2octets(h) */
|
||||
mpn_set_base256(h, hn, digest, length);
|
||||
@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
|
||||
mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
|
||||
}
|
||||
|
||||
- cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
|
||||
+ cy = mpn_sub_n(h, h, q, qn);
|
||||
/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
|
||||
#ifdef mpn_cnd_add_n
|
||||
- mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
|
||||
+ mpn_cnd_add_n(cy, h, h, q, qn);
|
||||
#else
|
||||
- mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
|
||||
+ mpn_addmul_1(h, q, qn, cy != 0);
|
||||
#endif
|
||||
mpn_get_base256(tp, nbytes, h, qn);
|
||||
|
||||
@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
|
||||
if (tlen * 8 > q_bits)
|
||||
mpn_rshift (h, h, qn, tlen * 8 - q_bits);
|
||||
/* Check if k is in [1,q-1] */
|
||||
- if (!mpn_zero_p (h, qn) &&
|
||||
- mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
|
||||
- mpn_copyi(mpz_limbs_write(k, qn), h, qn);
|
||||
- mpz_limbs_finish(k, qn);
|
||||
+ if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
|
||||
break;
|
||||
- }
|
||||
|
||||
ret = gnutls_hmac_init(&hd, mac, K, length);
|
||||
if (ret < 0)
|
||||
@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
|
||||
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+/* cancel-out dsa_sign's addition of 1 to random data */
|
||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
||||
+ mp_size_t n)
|
||||
+{
|
||||
+ /* Fall back to sub_1, if nettle is linked with mini-gmp. */
|
||||
+#ifdef mpn_sec_sub_1
|
||||
+ mp_limb_t t[MAX_Q_LIMBS];
|
||||
+
|
||||
+ mpn_sec_sub_1(h, h, n, 1, t);
|
||||
+#else
|
||||
+ mpn_sub_1(h, h, n, 1);
|
||||
+#endif
|
||||
+ mpn_get_base256(k, nbytes, h, n);
|
||||
+}
|
||||
+
|
||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
||||
+ mp_size_t n)
|
||||
+{
|
||||
+ mpn_get_base256(k, nbytes, h, n);
|
||||
+}
|
||||
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
|
||||
index 64e90e0..12dc7d0 100644
|
||||
--- a/lib/nettle/int/dsa-compute-k.h
|
||||
+++ b/lib/nettle/int/dsa-compute-k.h
|
||||
@@ -26,12 +26,29 @@
|
||||
#include <gnutls/gnutls.h>
|
||||
#include <nettle/bignum.h> /* includes gmp.h */
|
||||
|
||||
-int
|
||||
-_gnutls_dsa_compute_k(mpz_t k,
|
||||
- const mpz_t q,
|
||||
- const mpz_t x,
|
||||
- gnutls_mac_algorithm_t mac,
|
||||
- const uint8_t *digest,
|
||||
- size_t length);
|
||||
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
||||
+
|
||||
+/* The maximum size of q, chosen from the fact that we support
|
||||
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
||||
+ * maximum. */
|
||||
+#define MAX_Q_BITS 521
|
||||
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
||||
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
||||
+
|
||||
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
||||
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
||||
+
|
||||
+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
|
||||
+
|
||||
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
|
||||
+ mp_size_t qn, mp_bitcnt_t q_bits,
|
||||
+ gnutls_mac_algorithm_t mac, const uint8_t *digest,
|
||||
+ size_t length);
|
||||
+
|
||||
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
||||
+ mp_size_t n);
|
||||
+
|
||||
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
|
||||
+ mp_size_t n);
|
||||
|
||||
#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
|
||||
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
|
||||
index 94914eb..d98f246 100644
|
||||
--- a/lib/nettle/int/ecdsa-compute-k.c
|
||||
+++ b/lib/nettle/int/ecdsa-compute-k.c
|
||||
@@ -29,39 +29,38 @@
|
||||
#include "dsa-compute-k.h"
|
||||
#include "gnutls_int.h"
|
||||
|
||||
-static inline int
|
||||
-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
|
||||
{
|
||||
switch (curve) {
|
||||
#ifdef ENABLE_NON_SUITEB_CURVES
|
||||
case GNUTLS_ECC_CURVE_SECP192R1:
|
||||
- mpz_init_set_str(*q,
|
||||
+ mpz_init_set_str(q,
|
||||
"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
|
||||
"146BC9B1B4D22831",
|
||||
16);
|
||||
return 0;
|
||||
case GNUTLS_ECC_CURVE_SECP224R1:
|
||||
- mpz_init_set_str(*q,
|
||||
+ mpz_init_set_str(q,
|
||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
|
||||
"E0B8F03E13DD29455C5C2A3D",
|
||||
16);
|
||||
return 0;
|
||||
#endif
|
||||
case GNUTLS_ECC_CURVE_SECP256R1:
|
||||
- mpz_init_set_str(*q,
|
||||
+ mpz_init_set_str(q,
|
||||
"FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
||||
"BCE6FAADA7179E84F3B9CAC2FC632551",
|
||||
16);
|
||||
return 0;
|
||||
case GNUTLS_ECC_CURVE_SECP384R1:
|
||||
- mpz_init_set_str(*q,
|
||||
+ mpz_init_set_str(q,
|
||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
"FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
||||
"581A0DB248B0A77AECEC196ACCC52973",
|
||||
16);
|
||||
return 0;
|
||||
case GNUTLS_ECC_CURVE_SECP521R1:
|
||||
- mpz_init_set_str(*q,
|
||||
+ mpz_init_set_str(q,
|
||||
"1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
"FFA51868783BF2F966B7FCC0148F709A"
|
||||
@@ -73,23 +72,3 @@ _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
||||
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
}
|
||||
-
|
||||
-int
|
||||
-_gnutls_ecdsa_compute_k (mpz_t k,
|
||||
- gnutls_ecc_curve_t curve,
|
||||
- const mpz_t x,
|
||||
- gnutls_mac_algorithm_t mac,
|
||||
- const uint8_t *digest,
|
||||
- size_t length)
|
||||
-{
|
||||
- mpz_t q;
|
||||
- int ret;
|
||||
-
|
||||
- ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
|
||||
- if (ret < 0)
|
||||
- return gnutls_assert_val(ret);
|
||||
-
|
||||
- ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
|
||||
- mpz_clear(q);
|
||||
- return ret;
|
||||
-}
|
||||
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
|
||||
index 7ca401d..a7e612b 100644
|
||||
--- a/lib/nettle/int/ecdsa-compute-k.h
|
||||
+++ b/lib/nettle/int/ecdsa-compute-k.h
|
||||
@@ -26,12 +26,6 @@
|
||||
#include <gnutls/gnutls.h>
|
||||
#include <nettle/bignum.h> /* includes gmp.h */
|
||||
|
||||
-int
|
||||
-_gnutls_ecdsa_compute_k (mpz_t k,
|
||||
- gnutls_ecc_curve_t curve,
|
||||
- const mpz_t x,
|
||||
- gnutls_mac_algorithm_t mac,
|
||||
- const uint8_t *digest,
|
||||
- size_t length);
|
||||
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
|
||||
|
||||
#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
|
||||
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
||||
index ff8e3d1..bb9f2a0 100644
|
||||
--- a/lib/nettle/pk.c
|
||||
+++ b/lib/nettle/pk.c
|
||||
@@ -97,10 +97,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
|
||||
}
|
||||
}
|
||||
|
||||
-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
|
||||
+static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
|
||||
{
|
||||
- mpz_t *k = _ctx;
|
||||
- nettle_mpz_get_str_256 (length, data, *k);
|
||||
+ gnutls_datum_t *d = ctx;
|
||||
+
|
||||
+ if (length > d->size) {
|
||||
+ memset(data, 0, length - d->size);
|
||||
+ memcpy(data + (length - d->size), d->data, d->size);
|
||||
+ } else {
|
||||
+ memcpy(data, d->data, length);
|
||||
+ }
|
||||
}
|
||||
|
||||
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
|
||||
@@ -979,7 +985,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
struct dsa_signature sig;
|
||||
int curve_id = pk_params->curve;
|
||||
const struct ecc_curve *curve;
|
||||
- mpz_t k;
|
||||
+ mpz_t q;
|
||||
+ /* 521-bit elliptic curve generator at maximum */
|
||||
+ uint8_t buf[(521 + 7) / 8];
|
||||
+ gnutls_datum_t k = { NULL, 0 };
|
||||
void *random_ctx;
|
||||
nettle_random_func *random_func;
|
||||
|
||||
@@ -1008,19 +1017,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
hash_len = vdata->size;
|
||||
}
|
||||
|
||||
- mpz_init(k);
|
||||
+ mpz_init(q);
|
||||
+
|
||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
||||
- ret = _gnutls_ecdsa_compute_k(k,
|
||||
- curve_id,
|
||||
- pk_params->params[ECC_K],
|
||||
- DIG_TO_MAC(sign_params->dsa_dig),
|
||||
- vdata->data,
|
||||
- vdata->size);
|
||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
||||
+
|
||||
+ ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
|
||||
if (ret < 0)
|
||||
goto ecdsa_cleanup;
|
||||
+
|
||||
+ ret = _gnutls_dsa_compute_k(
|
||||
+ h, mpz_limbs_read(q), priv.p,
|
||||
+ ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
|
||||
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
||||
+ vdata->size);
|
||||
+ if (ret < 0)
|
||||
+ goto ecdsa_cleanup;
|
||||
+
|
||||
+ k.data = buf;
|
||||
+ k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
|
||||
+
|
||||
+ _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
|
||||
+ ecc_size(priv.ecc));
|
||||
+
|
||||
random_ctx = &k;
|
||||
- random_func = rnd_mpz_func;
|
||||
+ random_func = rnd_datum_func;
|
||||
} else {
|
||||
random_ctx = NULL;
|
||||
random_func = rnd_nonce_func;
|
||||
@@ -1041,7 +1063,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
ecdsa_cleanup:
|
||||
dsa_signature_clear(&sig);
|
||||
ecc_scalar_zclear(&priv);
|
||||
- mpz_clear(k);
|
||||
+ mpz_clear(q);
|
||||
|
||||
if (ret < 0) {
|
||||
gnutls_assert();
|
||||
@@ -1054,7 +1076,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
struct dsa_params pub;
|
||||
bigint_t priv;
|
||||
struct dsa_signature sig;
|
||||
- mpz_t k;
|
||||
+ /* 512-bit DSA subgroup at maximum */
|
||||
+ uint8_t buf[(512 + 7) / 8];
|
||||
+ gnutls_datum_t k = { NULL, 0 };
|
||||
void *random_ctx;
|
||||
nettle_random_func *random_func;
|
||||
|
||||
@@ -1077,21 +1101,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
hash_len = vdata->size;
|
||||
}
|
||||
|
||||
- mpz_init(k);
|
||||
if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
||||
(sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
||||
- ret = _gnutls_dsa_compute_k(k,
|
||||
- pub.q,
|
||||
- TOMPZ(priv),
|
||||
- DIG_TO_MAC(sign_params->dsa_dig),
|
||||
- vdata->data,
|
||||
- vdata->size);
|
||||
+ mp_limb_t h[DSA_COMPUTE_K_ITCH];
|
||||
+
|
||||
+ ret = _gnutls_dsa_compute_k(
|
||||
+ h, mpz_limbs_read(pub.q),
|
||||
+ mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
|
||||
+ mpz_sizeinbase(pub.q, 2),
|
||||
+ DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
|
||||
+ vdata->size);
|
||||
if (ret < 0)
|
||||
goto dsa_fail;
|
||||
- /* cancel-out dsa_sign's addition of 1 to random data */
|
||||
- mpz_sub_ui (k, k, 1);
|
||||
+
|
||||
+ k.data = buf;
|
||||
+ k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
|
||||
+
|
||||
+ _gnutls_dsa_compute_k_finish(k.data, k.size, h,
|
||||
+ mpz_size(pub.q));
|
||||
+
|
||||
random_ctx = &k;
|
||||
- random_func = rnd_mpz_func;
|
||||
+ random_func = rnd_datum_func;
|
||||
} else {
|
||||
random_ctx = NULL;
|
||||
random_func = rnd_nonce_func;
|
||||
@@ -1111,7 +1141,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
||||
|
||||
dsa_fail:
|
||||
dsa_signature_clear(&sig);
|
||||
- mpz_clear(k);
|
||||
|
||||
if (ret < 0) {
|
||||
gnutls_assert();
|
||||
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
|
||||
index 6e90728..25aa553 100644
|
||||
--- a/tests/sign-verify-deterministic.c
|
||||
+++ b/tests/sign-verify-deterministic.c
|
||||
@@ -197,7 +197,7 @@ void doit(void)
|
||||
&signature);
|
||||
if (ret < 0)
|
||||
testfail("gnutls_pubkey_verify_data2\n");
|
||||
- success(" - pass");
|
||||
+ success(" - pass\n");
|
||||
|
||||
next:
|
||||
gnutls_free(signature.data);
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,419 @@
|
||||
From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Mon, 29 Jan 2024 13:52:46 +0900
|
||||
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit
|
||||
of
|
||||
input
|
||||
|
||||
Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
|
||||
chain verification logic crashed with assertion failure. This patch
|
||||
removes the restriction while keeping the maximum number of
|
||||
retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference:
|
||||
https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d
|
||||
Conflict:lib/x509/verify-high.c,tests/test-chains.h
|
||||
|
||||
---
|
||||
lib/gnutls_int.h | 5 +-
|
||||
lib/x509/common.c | 10 +-
|
||||
lib/x509/verify-high.c | 56 +++++++----
|
||||
tests/test-chains.h | 210 ++++++++++++++++++++++++++++++++++++++++-
|
||||
4 files changed, 258 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
||||
index a06d123..9706db3 100644
|
||||
--- a/lib/gnutls_int.h
|
||||
+++ b/lib/gnutls_int.h
|
||||
@@ -218,7 +218,10 @@ typedef enum record_send_state_t {
|
||||
|
||||
#define MAX_PK_PARAM_SIZE 2048
|
||||
|
||||
-/* defaults for verification functions
|
||||
+/* Defaults for verification functions.
|
||||
+ *
|
||||
+ * update many_icas in tests/test-chains.h when increasing
|
||||
+ * DEFAULT_MAX_VERIFY_DEPTH.
|
||||
*/
|
||||
#define DEFAULT_MAX_VERIFY_DEPTH 16
|
||||
#define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
|
||||
diff --git a/lib/x509/common.c b/lib/x509/common.c
|
||||
index 96e7e7c..10ee9c6 100644
|
||||
--- a/lib/x509/common.c
|
||||
+++ b/lib/x509/common.c
|
||||
@@ -1746,7 +1746,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
|
||||
bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
|
||||
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
|
||||
- assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
|
||||
+ /* Limit the number of certificates in the chain, to avoid DoS
|
||||
+ * because of the O(n^2) sorting below. FIXME: Switch to a
|
||||
+ * topological sort algorithm which should be linear to the
|
||||
+ * number of certificates and subject-issuer relationships.
|
||||
+ */
|
||||
+ if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
|
||||
+ _gnutls_debug_log("too many certificates; skipping sorting\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
|
||||
for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
|
||||
issuer[i] = -1;
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 02d2f0f..bbfb02e 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -25,7 +25,7 @@
|
||||
#include "errors.h"
|
||||
#include <libtasn1.h>
|
||||
#include <global.h>
|
||||
-#include <num.h> /* MAX */
|
||||
+#include "num.h" /* MIN */
|
||||
#include <tls-sig.h>
|
||||
#include <str.h>
|
||||
#include <datum.h>
|
||||
@@ -1357,7 +1357,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
int ret = 0;
|
||||
unsigned int i;
|
||||
size_t hash;
|
||||
- gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
+ gnutls_x509_crt_t *cert_list_copy = NULL;
|
||||
+ unsigned int cert_list_max_size = 0;
|
||||
gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
|
||||
unsigned int retrieved_size = 0;
|
||||
const char *hostname = NULL, *purpose = NULL, *email = NULL;
|
||||
@@ -1411,15 +1412,27 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
}
|
||||
|
||||
- memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
- cert_list = sorted;
|
||||
+ /* Allocate extra for retrieved certificates. */
|
||||
+ if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
|
||||
+ &cert_list_max_size))
|
||||
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
|
||||
- records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
- if (records == NULL)
|
||||
+ cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
|
||||
+ sizeof(gnutls_x509_crt_t));
|
||||
+ if (!cert_list_copy)
|
||||
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
|
||||
- for (i = 0; i < cert_list_size &&
|
||||
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
+ memcpy(cert_list_copy, cert_list,
|
||||
+ cert_list_size * sizeof(gnutls_x509_crt_t));
|
||||
+ cert_list = cert_list_copy;
|
||||
+
|
||||
+ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
|
||||
+ if (records == NULL) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < cert_list_size;) {
|
||||
unsigned int sorted_size = 1;
|
||||
unsigned int j, k;
|
||||
gnutls_x509_crt_t issuer;
|
||||
@@ -1431,8 +1444,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
|
||||
assert(sorted_size > 0);
|
||||
|
||||
- /* Remove duplicates. Start with index 1, as the first element
|
||||
- * may be re-checked after issuer retrieval. */
|
||||
+ /* Remove duplicates. */
|
||||
for (j = 0; j < sorted_size; j++) {
|
||||
if (gl_list_search(records, cert_list[i + j])) {
|
||||
if (i + j < cert_list_size - 1) {
|
||||
@@ -1483,17 +1495,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
continue;
|
||||
}
|
||||
|
||||
- ret = retrieve_issuers(list,
|
||||
- cert_list[i - 1],
|
||||
- &retrieved[retrieved_size],
|
||||
- DEFAULT_MAX_VERIFY_DEPTH -
|
||||
- MAX(retrieved_size,
|
||||
- cert_list_size));
|
||||
+ ret = retrieve_issuers(list, cert_list[i - 1], &retrieved[retrieved_size],
|
||||
+ MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
|
||||
+ cert_list_max_size - cert_list_size));
|
||||
if (ret < 0) {
|
||||
break;
|
||||
} else if (ret > 0) {
|
||||
assert((unsigned int)ret <=
|
||||
- DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
|
||||
+ DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
|
||||
+ assert((unsigned int)ret <=
|
||||
+ cert_list_max_size - cert_list_size);
|
||||
memmove(&cert_list[i + ret],
|
||||
&cert_list[i],
|
||||
(cert_list_size - i) *
|
||||
@@ -1511,8 +1522,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
|
||||
- if (cert_list_size <= 0)
|
||||
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||
+ if (cert_list_size <= 0) {
|
||||
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
|
||||
hash =
|
||||
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
|
||||
@@ -1663,10 +1676,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
cleanup:
|
||||
+ gnutls_free(cert_list_copy);
|
||||
for (i = 0; i < retrieved_size; i++) {
|
||||
gnutls_x509_crt_deinit(retrieved[i]);
|
||||
}
|
||||
- gl_list_free(records);
|
||||
+ if (records) {
|
||||
+ gl_list_free(records);
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/test-chains.h b/tests/test-chains.h
|
||||
index 07e90bb..2dbee07 100644
|
||||
--- a/tests/test-chains.h
|
||||
+++ b/tests/test-chains.h
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
/* *INDENT-OFF* */
|
||||
|
||||
-#define MAX_CHAIN 10
|
||||
+#define MAX_CHAIN 17
|
||||
|
||||
static const char *chain_with_no_subject_id_in_ca_ok[] = {
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
|
||||
+static const char *many_icas[] = {
|
||||
+ /* Server */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
|
||||
+ "VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
|
||||
+ "NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
|
||||
+ "D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
|
||||
+ "BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
|
||||
+ "FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
|
||||
+ "hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA16 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
|
||||
+ "WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
|
||||
+ "ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
|
||||
+ "sOhBKAcVfS55uWtYdjoWQ80h238H\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA15 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
|
||||
+ "dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
|
||||
+ "ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
|
||||
+ "9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA14 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
|
||||
+ "tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
|
||||
+ "ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
|
||||
+ "kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA13 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
|
||||
+ "QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
|
||||
+ "ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
|
||||
+ "WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA12 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
|
||||
+ "LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
|
||||
+ "ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
|
||||
+ "8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA11 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
|
||||
+ "ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
|
||||
+ "ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
|
||||
+ "DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA10 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
|
||||
+ "EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
|
||||
+ "ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
|
||||
+ "Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA9 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
|
||||
+ "7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
|
||||
+ "ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
|
||||
+ "REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA8 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
|
||||
+ "0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
|
||||
+ "ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
|
||||
+ "c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA7 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
|
||||
+ "OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
|
||||
+ "ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
|
||||
+ "jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA6 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
|
||||
+ "UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
|
||||
+ "ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
|
||||
+ "0lY71oU043mNP1yx/dzAuCTrVSgI\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA5 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
|
||||
+ "7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
|
||||
+ "ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
|
||||
+ "ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA4 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
|
||||
+ "NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
|
||||
+ "ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
|
||||
+ "1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA3 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
|
||||
+ "SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
|
||||
+ "ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
|
||||
+ "5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA2 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
|
||||
+ "BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
|
||||
+ "MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
|
||||
+ "K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
|
||||
+ "EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
|
||||
+ "mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
|
||||
+ "ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
|
||||
+ "zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ /* ICA1 */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
|
||||
+ "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
|
||||
+ "MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
|
||||
+ "IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
|
||||
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
|
||||
+ "u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
|
||||
+ "AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
|
||||
+ "O2tFnNH2hV6LDPJzU0rtLQc=\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static const char *many_icas_ca[] = {
|
||||
+ /* CA (self-signed) */
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
|
||||
+ "A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
|
||||
+ "MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
|
||||
+ "TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
|
||||
+ "Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
|
||||
+ "CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
|
||||
+ "xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
|
||||
+ "-----END CERTIFICATE-----\n",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
|
||||
# pragma GCC diagnostic push
|
||||
# pragma GCC diagnostic ignored "-Wunused-variable"
|
||||
@@ -4566,6 +4773,7 @@ static struct
|
||||
GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
|
||||
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
|
||||
{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
|
||||
+ { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0, 1710284400},
|
||||
{ NULL, NULL, NULL, 0, 0}
|
||||
};
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,70 @@
|
||||
From 7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Wed, 7 Jun 2023 16:44:00 +0200
|
||||
Subject: [PATCH] lib: suppress false-positive -Wanalyzer-out-of-bounds
|
||||
|
||||
GCC analyzer from GCC 13 reports this:
|
||||
|
||||
verify-high.c:1471:21: error: stack-based buffer over-read [CWE-126] [-Werror=analyzer-out-of-bounds]
|
||||
1471 | if (gnutls_x509_trust_list_get_issuer(
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
1472 | list, cert_list[i - 1], &issuer,
|
||||
|
||||
This is false-positive, as i is always in a range 0 < i < cert_list_size.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581
|
||||
Conflict: NA
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index 2c070b0..02d2f0f 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -1421,7 +1421,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
for (i = 0; i < cert_list_size &&
|
||||
cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
||||
unsigned int sorted_size = 1;
|
||||
- unsigned int j;
|
||||
+ unsigned int j, k;
|
||||
gnutls_x509_crt_t issuer;
|
||||
|
||||
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
|
||||
@@ -1429,6 +1429,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
cert_list_size - i);
|
||||
}
|
||||
|
||||
+ assert(sorted_size > 0);
|
||||
+
|
||||
/* Remove duplicates. Start with index 1, as the first element
|
||||
* may be re-checked after issuer retrieval. */
|
||||
for (j = 0; j < sorted_size; j++) {
|
||||
@@ -1448,13 +1450,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
}
|
||||
|
||||
/* Record the certificates seen. */
|
||||
- for (j = 0; j < sorted_size; j++, i++) {
|
||||
+ for (k = 0; k < sorted_size; k++, i++) {
|
||||
if (!gl_list_nx_add_last(records, cert_list[i])) {
|
||||
ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Pacify GCC analyzer: the condition always holds
|
||||
+ * true as sorted_size > 0 is checked above, and the
|
||||
+ * following loop should iterate at least once so i++
|
||||
+ * is called.
|
||||
+ */
|
||||
+ assert(i > 0);
|
||||
+
|
||||
/* If the issuer of the certificate is known, no need
|
||||
* for further processing. */
|
||||
if (gnutls_x509_trust_list_get_issuer(list,
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -0,0 +1,49 @@
|
||||
From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Sat, 30 Oct 2021 08:56:07 +0200
|
||||
Subject: [PATCH] x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
|
||||
|
||||
This function previously used gnutls_x509_trust_list_get_issuer
|
||||
without GNUTLS_TL_GET_COPY flag, which is required when the function
|
||||
is called from multi-threaded application and PKCS #11 trust store is
|
||||
in use.
|
||||
|
||||
Reported and the change suggested by Remi Gacogne in:
|
||||
https://gitlab.com/gnutls/gnutls/-/issues/1277
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
|
||||
Reference: https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
|
||||
Conflict: NA
|
||||
|
||||
---
|
||||
lib/x509/verify-high.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
||||
index ab8e006ca..5698d4f37 100644
|
||||
--- a/lib/x509/verify-high.c
|
||||
+++ b/lib/x509/verify-high.c
|
||||
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
|
||||
* gnutls_x509_trust_list_get_issuer:
|
||||
* @list: The list
|
||||
* @cert: is the certificate to find issuer for
|
||||
- * @issuer: Will hold the issuer if any. Should be treated as constant.
|
||||
+ * @issuer: Will hold the issuer if any. Should be treated as constant
|
||||
+ * unless %GNUTLS_TL_GET_COPY is set in @flags.
|
||||
* @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
|
||||
*
|
||||
* This function will find the issuer of the given certificate.
|
||||
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
||||
if (gnutls_x509_trust_list_get_issuer(list,
|
||||
cert_list[i - 1],
|
||||
&issuer,
|
||||
- 0) == 0) {
|
||||
+ GNUTLS_TL_GET_COPY) == 0) {
|
||||
+ gnutls_x509_crt_deinit(issuer);
|
||||
cert_list_size = i;
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.33.0
|
||||
|
||||
29
gnutls.spec
29
gnutls.spec
@ -1,6 +1,6 @@
|
||||
Name: gnutls
|
||||
Version: 3.7.2
|
||||
Release: 9
|
||||
Release: 15
|
||||
Summary: The GNU Secure Communication Protocol Library
|
||||
|
||||
License: LGPLv2.1+ and GPLv3+
|
||||
@ -14,6 +14,15 @@ Patch3: backport-CVE-2021-4209.patch
|
||||
Patch4: gnutls-3.7.2-sw.patch
|
||||
Patch5: backport-01-CVE-2023-0361.patch
|
||||
Patch6: backport-02-CVE-2023-0361.patch
|
||||
Patch7: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
|
||||
Patch8: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
|
||||
Patch9: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
|
||||
Patch10: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
|
||||
Patch11: backport-add-gnulib-files.patch
|
||||
Patch12: backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch
|
||||
Patch13: backport-Fix-removal-of-duplicate-certs-during-verification.patch
|
||||
Patch14: backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch
|
||||
Patch15: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
|
||||
|
||||
%bcond_without dane
|
||||
%bcond_with guile
|
||||
@ -220,6 +229,24 @@ make check %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-15
|
||||
- fix CVE-2024-28835
|
||||
|
||||
* Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-14
|
||||
- fix CVE-2024-28835
|
||||
|
||||
* Tue Mar 26 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-13
|
||||
- update patch to remove function declare in header file
|
||||
|
||||
* Sat Mar 23 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-12
|
||||
- fix CVE-2024-28834
|
||||
|
||||
* Wed Jan 17 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-11
|
||||
- fix CVE-2024-0553 and CVE-2024-0567
|
||||
|
||||
* Mon Nov 20 2023 xuraoqing <xuraoqing@huawei.com> - 3.7.2-10
|
||||
- fix CVE-2023-5981
|
||||
|
||||
* Thu Jun 29 2023 xuraoqing <609179072@qq.com> - 3.7.2-9
|
||||
- add nettle version restriction
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user