commit: c14a846f98e90712f3db8cb838706fc26224e5e2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> AuthorDate: Sat Feb 20 19:03:31 2021 +0000 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> CommitDate: Sat Feb 20 19:04:19 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c14a846f
net-libs/gnutls: ignore duplicate certificates Closes: https://bugs.gentoo.org/759037 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> ...nutls-3.7.0-ignore-duplicate-certificates.patch | 403 +++++++++++++++++++++ ...{gnutls-3.7.0.ebuild => gnutls-3.7.0-r1.ebuild} | 2 + profiles/package.mask | 5 - 3 files changed, 405 insertions(+), 5 deletions(-) diff --git a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch new file mode 100644 index 00000000000..b0143818b46 --- /dev/null +++ b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch @@ -0,0 +1,403 @@ +From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <[email protected]> +Date: Mon, 28 Dec 2020 12:14:13 +0100 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate + certificates + +The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a +regression, where duplicate certificates in a certificate chain are no +longer ignored but treated as a non-contiguous segment and that +results in calling the issuer callback, or a verification failure. + +This adds a mechanism to record certificates already seen in the +chain, and skip them while still allow the caller to inject missing +certificates. + +Signed-off-by: Daiki Ueno <[email protected]> +Co-authored-by: Andreas Metzler <[email protected]> +--- + lib/x509/common.c | 8 ++ + lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ + tests/missingissuer.c | 2 + + tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- + 4 files changed, 245 insertions(+), 23 deletions(-) + +diff --git a/lib/x509/common.c b/lib/x509/common.c +index 3301aaad0c..10c8db53c0 100644 +--- a/lib/x509/common.c ++++ b/lib/x509/common.c +@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, + * increasing DEFAULT_MAX_VERIFY_DEPTH. + */ + for (i = 0; i < clist_size; i++) { ++ /* Self-signed certificate found in the chain; skip it ++ * as it should only appear in the trusted set. ++ */ ++ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { ++ _gnutls_cert_log("self-signed cert found", clist[i]); ++ continue; ++ } ++ + for (j = 1; j < clist_size; j++) { + if (i == j) + continue; +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 588e7ee0dc..9a16e6b42a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { + + #define DEFAULT_SIZE 127 + ++struct cert_set_node_st { ++ gnutls_x509_crt_t *certs; ++ unsigned int size; ++}; ++ ++struct cert_set_st { ++ struct cert_set_node_st *node; ++ unsigned int size; ++}; ++ ++static int ++cert_set_init(struct cert_set_st *set, unsigned int size) ++{ ++ memset(set, 0, sizeof(*set)); ++ ++ set->size = size; ++ set->node = gnutls_calloc(size, sizeof(*set->node)); ++ if (!set->node) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ return 0; ++} ++ ++static void ++cert_set_deinit(struct cert_set_st *set) ++{ ++ size_t i; ++ ++ for (i = 0; i < set->size; i++) { ++ gnutls_free(set->node[i].certs); ++ } ++ ++ gnutls_free(set->node); ++} ++ ++static bool ++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash, i; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ for (i = 0; i < set->node[hash].size; i++) { ++ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++static int ++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ set->node[hash].certs = ++ gnutls_realloc_fast(set->node[hash].certs, ++ (set->node[hash].size + 1) * ++ sizeof(*set->node[hash].certs)); ++ if (!set->node[hash].certs) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ set->node[hash].certs[set->node[hash].size] = cert; ++ set->node[hash].size++; ++ ++ return 0; ++} ++ + /** + * gnutls_x509_trust_list_init: + * @list: A pointer to the type to be initialized +@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + unsigned have_set_name = 0; + unsigned saved_output; + gnutls_datum_t ip = {NULL, 0}; ++ struct cert_set_st cert_set = { NULL, 0 }; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); + cert_list = sorted; + ++ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); ++ if (ret < 0) { ++ return ret; ++ } ++ + for (i = 0; i < cert_list_size && +- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { +- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { +- unsigned int sorted_size; ++ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { ++ unsigned int sorted_size = 1; ++ unsigned int j; ++ gnutls_x509_crt_t issuer; + ++ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { + sorted_size = _gnutls_sort_clist(&cert_list[i], + cert_list_size - i); +- i += sorted_size - 1; + } + +- if (i == cert_list_size - 1) { +- gnutls_x509_crt_t issuer; +- +- /* If it is the last certificate and its issuer is +- * known, don't need to run issuer callback. */ +- if (_gnutls_trust_list_get_issuer(list, +- cert_list[i], +- &issuer, +- 0) == 0) { ++ /* Remove duplicates. Start with index 1, as the first element ++ * may be re-checked after issuer retrieval. */ ++ for (j = 1; j < sorted_size; j++) { ++ if (cert_set_contains(&cert_set, cert_list[i + j])) { ++ if (i + j < cert_list_size - 1) { ++ memmove(&cert_list[i + j], ++ &cert_list[i + j + 1], ++ sizeof(cert_list[i])); ++ } ++ cert_list_size--; + break; + } +- } else if (gnutls_x509_crt_check_issuer(cert_list[i], +- cert_list[i + 1])) { +- /* There is no gap between this and the next +- * certificate. */ ++ } ++ /* Found a duplicate, try again with the same index. */ ++ if (j < sorted_size) { ++ continue; ++ } ++ ++ /* Record the certificates seen. */ ++ for (j = 0; j < sorted_size; j++, i++) { ++ ret = cert_set_add(&cert_set, cert_list[i]); ++ if (ret < 0) { ++ goto cleanup; ++ } ++ } ++ ++ /* If the issuer of the certificate is known, no need ++ * for further processing. */ ++ if (_gnutls_trust_list_get_issuer(list, ++ cert_list[i - 1], ++ &issuer, ++ 0) == 0) { ++ cert_list_size = i; ++ break; ++ } ++ ++ /* If there is no gap between this and the next certificate, ++ * proceed with the next certificate. */ ++ if (i < cert_list_size && ++ gnutls_x509_crt_check_issuer(cert_list[i - 1], ++ cert_list[i])) { + continue; + } + + ret = retrieve_issuers(list, +- cert_list[i], ++ cert_list[i - 1], + &retrieved[retrieved_size], + DEFAULT_MAX_VERIFY_DEPTH - + MAX(retrieved_size, +@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + if (ret < 0) { + break; + } else if (ret > 0) { +- memmove(&cert_list[i + 1 + ret], +- &cert_list[i + 1], +- (cert_list_size - i - 1) * ++ assert((unsigned int)ret <= ++ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); ++ memmove(&cert_list[i + ret], ++ &cert_list[i], ++ (cert_list_size - i) * + sizeof(gnutls_x509_crt_t)); +- memcpy(&cert_list[i + 1], ++ memcpy(&cert_list[i], + &retrieved[retrieved_size], + ret * sizeof(gnutls_x509_crt_t)); + retrieved_size += ret; + cert_list_size += ret; ++ ++ /* Start again from the end of the previous segment. */ ++ i--; + } + } + +@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } ++ cert_set_deinit(&cert_set); + return ret; + } + +diff --git a/tests/missingissuer.c b/tests/missingissuer.c +index f21e2b6b0c..226d095929 100644 +--- a/tests/missingissuer.c ++++ b/tests/missingissuer.c +@@ -145,6 +145,8 @@ void doit(void) + printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); + + for (j = 0; chains[i].chain[j]; j++) { ++ assert(j < MAX_CHAIN); ++ + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + +diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h +index 543e2d71fb..bf1e65c956 100644 +--- a/tests/test-chains-issuer.h ++++ b/tests/test-chains-issuer.h +@@ -24,7 +24,7 @@ + #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + +-#define MAX_CHAIN 6 ++#define MAX_CHAIN 15 + + #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ + "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ +@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { + NULL, + }; + ++static const char *missing_middle_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_2, ++ CA_CERT_2, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_last_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_2, ++ CA_CERT_2, ++ NULL, ++}; ++ ++static const char *missing_last_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ ++static const char *missing_skip_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_skip_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ + static const char *missing_ca[] = { + CA_CERT_0, + NULL, + }; + ++static const char *middle_single_duplicate_ca[] = { ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_0, ++ CA_CERT_4, ++ CA_CERT_0, ++ CA_CERT_2, ++ CA_CERT_0, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { ++ CA_CERT_0, ++ NULL, ++}; ++ + static struct chains { + const char *name; + const char **chain; +@@ -377,6 +468,14 @@ static struct chains { + { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, + { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, ++ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, ++ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, ++ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, ++ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { NULL, NULL, NULL, NULL }, + }; + +-- +GitLab + diff --git a/net-libs/gnutls/gnutls-3.7.0.ebuild b/net-libs/gnutls/gnutls-3.7.0-r1.ebuild similarity index 98% rename from net-libs/gnutls/gnutls-3.7.0.ebuild rename to net-libs/gnutls/gnutls-3.7.0-r1.ebuild index ece149c1855..643a1c4d8ad 100644 --- a/net-libs/gnutls/gnutls-3.7.0.ebuild +++ b/net-libs/gnutls/gnutls-3.7.0-r1.ebuild @@ -54,6 +54,8 @@ DOCS=( HTML_DOCS=() +PATCHES=( "${FILESDIR}"/${P}-ignore-duplicate-certificates.patch ) + pkg_setup() { # bug#520818 export TZ=UTC diff --git a/profiles/package.mask b/profiles/package.mask index 2eb3763d8d0..25377e28e6b 100644 --- a/profiles/package.mask +++ b/profiles/package.mask @@ -271,11 +271,6 @@ sys-power/pm-quirks >=sys-devel/autoconf-2.70 >=sys-devel/autoconf-wrapper-14 -# Thomas Deutschmann <[email protected]> (2020-12-08) -# Fails to validate certificates which have multiple trusted -# paths. -=net-libs/gnutls-3.7.0 - # Michał Górny <[email protected]> (2020-11-10) # This old Kodi version requires vulnerable dev-python/pillow # and prevents users from upgrading. Masked for the time being.
