Hello community, here is the log from the commit of package gnutls for openSUSE:Leap:15.2 checked in at 2020-06-10 16:49:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/gnutls (Old) and /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Wed Jun 10 16:49:53 2020 rev:49 rq:813046 version:3.6.7 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/gnutls/gnutls.changes 2020-05-19 14:08:37.815016057 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.gnutls.new.3606/gnutls.changes 2020-06-10 16:50:00.492377105 +0200 @@ -1,0 +2,18 @@ +Thu Jun 4 12:11:08 UTC 2020 - Vítězslav Čížek <vci...@suse.com> + +- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) + The TLS server would not bind the session ticket encryption key with a + value supplied by the application until the initial key rotation, allowing + attacker to bypass authentication in TLS 1.3 and recover previous + conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) + * add patches: + + gnutls-CVE-2020-13777.patch +- Fixed handling of certificate chain with cross-signed intermediate + CA certificates (#1008). (bsc#1172461) + * add patches: + + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch + + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch + + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch + + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch + +------------------------------------------------------------------- New: ---- 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch 0003-x509-trigger-fallback-verification-path-when-cert-is.patch 0004-tests-add-test-case-for-certificate-chain-supersedin.patch gnutls-CVE-2020-13777.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.dzxF0D/_old 2020-06-10 16:50:01.052378730 +0200 +++ /var/tmp/diff_new_pack.dzxF0D/_new 2020-06-10 16:50:01.056378741 +0200 @@ -49,6 +49,12 @@ Patch9: gnutls-fips_XTS_key_check.patch Patch10: gnutls-fips_mode_enabled.patch Patch11: gnutls-3.6.7-fips-rsa-4096.patch +Patch12: gnutls-CVE-2020-13777.patch +# PATCH-FIX-UPSTREAM bsc#1172461 +Patch13: 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch +Patch14: 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch +Patch15: 0003-x509-trigger-fallback-verification-path-when-cert-is.patch +Patch16: 0004-tests-add-test-case-for-certificate-chain-supersedin.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -194,6 +200,11 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 @@ -262,6 +273,9 @@ %find_lang libgnutls --all-name %check +# created by 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch, +# but without the executable permissions +chmod a+x tests/server-weak-keys.sh %if ! 0%{?qemu_user_space_build} make %{?_smp_mflags} check || { find -name test-suite.log -print -exec cat {} + ++++++ 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch ++++++ >From 1abb4298398ec6a942dc77384a19b3e3a2392341 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos <n...@redhat.com> Date: Thu, 19 Dec 2019 09:37:34 +0100 Subject: [PATCH] _gnutls_verify_crt_status: apply algorithm checks to trusted CAs If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise. Resolves: #877 Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> --- NEWS | 5 +++ lib/x509/verify.c | 68 ++++++++++++++++++++++-------------- tests/Makefile.am | 5 +-- tests/certs/rsa-512.pem | 20 +++++++++++ tests/server-weak-keys.sh | 72 +++++++++++++++++++++++++++++++++++++++ tests/test-chains.h | 18 +++++++++- 6 files changed, 160 insertions(+), 28 deletions(-) create mode 100644 tests/certs/rsa-512.pem create mode 100755 tests/server-weak-keys.sh Index: gnutls-3.6.7/lib/x509/verify.c =================================================================== --- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:45:24.359554720 +0200 +++ gnutls-3.6.7/lib/x509/verify.c 2020-06-05 11:45:38.007648125 +0200 @@ -855,6 +855,36 @@ gnutls_x509_crt_check_issuer(gnutls_x509 return is_issuer(cert, issuer); } +static +unsigned check_ca_sanity(const gnutls_x509_crt_t issuer, + time_t now, unsigned int flags) +{ + unsigned int status = 0; + unsigned sigalg; + int ret; + + /* explicit time check for trusted CA that we remove from + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS + */ + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && + !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { + status |= check_time_status(issuer, now); + } + + ret = + _gnutls_x509_get_signature_algorithm(issuer->cert, "signatureAlgorithm"); + sigalg = ret; + + /* we explicitly allow CAs which we do not support their self-algorithms + * to pass. */ + if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) { + status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID; + } + + return status; + +} + /* Verify X.509 certificate chain. * * Note that the return value is an OR of GNUTLS_CERT_* elements. @@ -913,25 +943,17 @@ _gnutls_verify_crt_status(const gnutls_x * CA to self-signed CA at some point. */ if (_gnutls_check_if_same_key (certificate_list[i], trusted_cas[j], i) != 0) { - /* explicit time check for trusted CA that we remove from - * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS - */ - - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && - !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { - status |= - check_time_status(trusted_cas[j], - now); - if (status != 0) { - if (func) - func(certificate_list[i], trusted_cas[j], NULL, status); - return status; - } - } + + status |= check_ca_sanity(trusted_cas[j], now, flags); if (func) func(certificate_list[i], trusted_cas[j], NULL, status); + + if (status != 0) { + return gnutls_assert_val(status); + } + clist_size = i; break; } @@ -1161,20 +1183,16 @@ _gnutls_pkcs11_verify_crt_status(const c if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && - !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { - status |= - check_time_status(certificate_list[i], now); - if (status != 0) { - if (func) - func(certificate_list[i], certificate_list[i], NULL, status); - return status; - } - } + status |= check_ca_sanity(certificate_list[i], now, flags); + if (func) func(certificate_list[i], certificate_list[i], NULL, status); + if (status != 0) { + return gnutls_assert_val(status); + } + clist_size = i; break; } Index: gnutls-3.6.7/tests/Makefile.am =================================================================== --- gnutls-3.6.7.orig/tests/Makefile.am 2020-06-05 11:45:24.359554720 +0200 +++ gnutls-3.6.7/tests/Makefile.am 2020-06-05 11:46:39.168069978 +0200 @@ -38,7 +38,7 @@ EXTRA_DIST = suppressions.valgrind eagai certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem psk.passwd \ certs/rawpk_priv.pem certs/rawpk_pub.pem \ - certs/ed25519.pem certs/cert-ed25519.pem \ + certs/ed25519.pem certs/cert-ed25519.pem certs/rsa-512.pem \ system.prio pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c gnutls-asan.supp \ rsa-md5-collision/README safe-renegotiation/README starttls-smtp.txt starttls-ftp.txt \ starttls-lmtp.txt starttls-pop3.txt starttls-xmpp.txt starttls-nntp.txt starttls-sieve.txt \ @@ -467,7 +467,7 @@ dist_check_SCRIPTS += fastopen.sh pkgcon ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh server-weak-keys.sh dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh Index: gnutls-3.6.7/tests/certs/rsa-512.pem =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/certs/rsa-512.pem 2020-06-05 11:45:38.007648125 +0200 @@ -0,0 +1,20 @@ +-----BEGIN PRIVATE KEY----- +MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAUEwggE9AgEAAkEAwZFO/Vz94lR3/TKz +76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaASm6PGDvAliviIjGjKTkdDdqZ +X2S94QIDAQABAkEAsV+L+FN8OieZBCWwCNBNsz1pY8Uzp1S7Pl3n9eZBJOKNc/tI +Tr0/zwAR+5C7IE7xjfuYHZDWN+yXg0LhH+GYgQIhAP0rzSdsjuPJ9XA9wpnYLN4O +fqXnA7mzW5QKzYuzy3RJAiEAw7sCwUSi7030NszYd7A63o2WrzqWRoX1V1vt6FMd +zNkCIQDmsytXaY0r9bU6eo0CNANutjaiZ0j1x4MD/HQhgc08QQIhALdYYLZF4xKj +RRZoQIWtURfULciq6sXZCf7xICQ2Z33RAiEA/M/OnKZijdWg13dchmdaXLgNGxJO +N90VucFVWK8nXzo= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy +MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL +ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA +Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud +EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV +M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq +2UI= +-----END CERTIFICATE----- Index: gnutls-3.6.7/tests/server-weak-keys.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ gnutls-3.6.7/tests/server-weak-keys.sh 2020-06-05 11:45:38.007648125 +0200 @@ -0,0 +1,72 @@ +#!/bin/sh + +# Copyright (C) 2017 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +unset RETCODE + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + + +SERV="${SERV} -q" + +. "${srcdir}/scripts/common.sh" + +check_for_datefudge + +echo "Checking whether a client will refuse weak but trusted keys" + +KEY1=${srcdir}/certs/rsa-512.pem +CERT1=${srcdir}/certs/rsa-512.pem + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +timeout 1800 datefudge "2019-12-20" \ +"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \ + fail ${PID} "1. handshake with RSA should have failed!" + +timeout 1800 datefudge "2019-12-20" \ +"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \ + fail ${PID} "2. handshake with RSA should have failed!" + +kill ${PID} +wait + +exit 0 Index: gnutls-3.6.7/tests/test-chains.h =================================================================== --- gnutls-3.6.7.orig/tests/test-chains.h 2020-06-05 11:45:24.383554884 +0200 +++ gnutls-3.6.7/tests/test-chains.h 2020-06-05 11:45:38.007648125 +0200 @@ -3978,6 +3978,20 @@ static const char *gost12_512[] = { }; #endif +static const char *rsa_512[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF\n" + "ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy\n" + "MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL\n" + "ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA\n" + "Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud\n" + "EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV\n" + "M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq\n" + "2UI=\n" + "-----END CERTIFICATE-----\n", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" @@ -4138,10 +4152,12 @@ static struct #ifdef ENABLE_GOST { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1}, { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, { "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1}, { "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1}, #endif + { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, { NULL, NULL, NULL, 0, 0} }; ++++++ 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch ++++++ >From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against system cert To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno <u...@gnu.org> --- lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- 3 files changed, 80 insertions(+), 30 deletions(-) Index: gnutls-3.6.7/lib/pkcs11.c =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11.c 2020-06-05 11:46:56.276188039 +0200 +++ gnutls-3.6.7/lib/pkcs11.c 2020-06-05 11:46:57.408195852 +0200 @@ -4509,34 +4509,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subj return ret; } -/** - * gnutls_pkcs11_crt_is_known: - * @url: A PKCS 11 url identifying a token - * @cert: is the certificate to find issuer for - * @issuer: Will hold the issuer if any in an allocated buffer. - * @fmt: The format of the exported issuer. - * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. - * - * This function will check whether the provided certificate is stored - * in the specified token. This is useful in combination with - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, - * to check whether a CA is present or a certificate is blacklisted in - * a trust PKCS #11 module. - * - * This function can be used with a @url of "pkcs11:", and in that case all modules - * will be searched. To restrict the modules to the marked as trusted in p11-kit - * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. - * - * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is - * specific to p11-kit trust modules. - * - * Returns: If the certificate exists non-zero is returned, otherwise zero. - * - * Since: 3.3.0 - **/ -unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - unsigned int flags) +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert) { int ret; struct find_cert_st priv; @@ -4548,6 +4524,15 @@ unsigned gnutls_pkcs11_crt_is_known(cons memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } + if (url == NULL || url[0] == 0) { url = "pkcs11:"; } @@ -4594,8 +4579,18 @@ unsigned gnutls_pkcs11_crt_is_known(cons _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); /* attempt searching with the subject DN only */ gnutls_assert(); + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } priv.crt = cert; priv.flags = flags; @@ -4612,9 +4607,26 @@ unsigned gnutls_pkcs11_crt_is_known(cons goto cleanup; } + if (trusted_cert) { + ret = gnutls_x509_crt_init(trusted_cert); + if (ret < 0) { + gnutls_assert(); + ret = 0; + goto cleanup; + } + ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(*trusted_cert); + ret = 0; + goto cleanup; + } + } ret = 1; cleanup: + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); @@ -4623,6 +4635,36 @@ unsigned gnutls_pkcs11_crt_is_known(cons } /** + * gnutls_pkcs11_crt_is_known: + * @url: A PKCS 11 url identifying a token + * @cert: is the certificate to find issuer for + * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. + * + * This function will check whether the provided certificate is stored + * in the specified token. This is useful in combination with + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, + * to check whether a CA is present or a certificate is blacklisted in + * a trust PKCS #11 module. + * + * This function can be used with a @url of "pkcs11:", and in that case all modules + * will be searched. To restrict the modules to the marked as trusted in p11-kit + * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. + * + * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is + * specific to p11-kit trust modules. + * + * Returns: If the certificate exists non-zero is returned, otherwise zero. + * + * Since: 3.3.0 + **/ +unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags) +{ + return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); +} + +/** * gnutls_pkcs11_obj_get_flags: * @obj: The pkcs11 object * @oflags: Will hold the output flags Index: gnutls-3.6.7/lib/pkcs11_int.h =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11_int.h 2020-06-05 11:46:57.408195852 +0200 +++ gnutls-3.6.7/lib/pkcs11_int.h 2020-06-05 11:47:51.656570223 +0200 @@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object( return 0; } +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert); + #endif /* ENABLE_PKCS11 */ #endif Index: gnutls-3.6.7/lib/x509/verify.c =================================================================== --- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:46:56.280188067 +0200 +++ gnutls-3.6.7/lib/x509/verify.c 2020-06-05 11:46:57.408195852 +0200 @@ -34,6 +34,7 @@ #include <tls-sig.h> #include <str.h> #include <datum.h> +#include <pkcs11_int.h> #include <x509_int.h> #include <common.h> #include <pk.h> @@ -1173,6 +1174,7 @@ _gnutls_pkcs11_verify_crt_status(const c for (; i < clist_size; i++) { unsigned vflags; + gnutls_x509_crt_t trusted_cert; if (i == 0) /* in the end certificate do full comparison */ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| @@ -1181,9 +1183,10 @@ _gnutls_pkcs11_verify_crt_status(const c vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { + if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - status |= check_ca_sanity(certificate_list[i], now, flags); + status |= check_ca_sanity(trusted_cert, now, flags); + gnutls_x509_crt_deinit(trusted_cert); if (func) func(certificate_list[i], ++++++ 0003-x509-trigger-fallback-verification-path-when-cert-is.patch ++++++ >From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is expired gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN to trigger the fallback verification path if the signer of the last certificate is not in the trust store. Previously, it doesn't take into account of the condition where the certificate is expired. Signed-off-by: Daiki Ueno <u...@gnu.org> --- lib/x509/verify-high.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b1421ef17a..40638ad3aa 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, #define LAST_DN cert_list[cert_list_size-1]->raw_dn #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn -/* This macro is introduced to detect a verification output - * which indicates an unknown signer, or a signer which uses - * an insecure algorithm (e.g., sha1), something that indicates - * a superseded signer */ -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) +/* This macro is introduced to detect a verification output which + * indicates an unknown signer, a signer which uses an insecure + * algorithm (e.g., sha1), a signer has expired, or something that + * indicates a superseded signer */ +#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ + (output & GNUTLS_CERT_EXPIRED) || \ + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) /** -- 2.25.0 ++++++ 0004-tests-add-test-case-for-certificate-chain-supersedin.patch ++++++ >From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Sun, 31 May 2020 14:28:48 +0200 Subject: [PATCH 3/3] tests: add test case for certificate chain superseding Signed-off-by: Daiki Ueno <u...@gnu.org> --- tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) Index: gnutls-3.6.7/tests/test-chains.h =================================================================== --- gnutls-3.6.7.orig/tests/test-chains.h 2020-06-05 12:02:59.378844068 +0200 +++ gnutls-3.6.7/tests/test-chains.h 2020-06-05 12:05:18.007799062 +0200 @@ -3992,6 +3992,102 @@ static const char *rsa_512[] = { NULL }; +/* This contains an expired intermediate CA, which should be superseded. */ +static const char *superseding[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" + "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" + "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" + "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" + "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" + "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" + "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" + "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" + "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" + "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" + "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" + "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" + "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" + "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" + "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" + "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" + "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" + "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" + "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" + "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" + "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" + "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" + "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" + "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" + "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" + "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" + "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" + "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" + "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" + "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" + "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" + "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" + "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" + "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" + "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" + "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" + "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" + "iJwOKIk=" + "-----END CERTIFICATE-----", + NULL +}; + +static const char *superseding_ca[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" + "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" + "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" + "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" + "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" + "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" + "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" + "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" + "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" + "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" + "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" + "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" + "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" + "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" + "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" + "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" + "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" + "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" + "izchzb9eow==" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" + "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" + "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" + "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" + "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" + "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" + "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" + "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" + "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" + "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" + "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" + "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" + "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" + "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" + "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" + "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" + "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" + "eh1COrLsOJo+" + "-----END CERTIFICATE-----", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" @@ -4158,6 +4254,7 @@ static struct #endif { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, { NULL, NULL, NULL, 0, 0} }; ++++++ gnutls-CVE-2020-13777.patch ++++++ >From c2646aeee94e71cb15c90a3147cf3b5b0ca158ca Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Tue, 2 Jun 2020 20:53:11 +0200 Subject: [PATCH 1/2] stek: differentiate initial state from valid time window of TOTP There was a confusion in the TOTP implementation in stek.c. When the mechanism is initialized at the first time, it records the timestamp but doesn't initialize the key. This removes the timestamp recording at the initialization phase, so the key is properly set later. Signed-off-by: Daiki Ueno <u...@gnu.org> --- lib/stek.c | 17 +++++------------ tests/resume-with-previous-stek.c | 4 ++-- 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/lib/stek.c b/lib/stek.c index 2f885cee37..5ab9e7d2d1 100644 --- a/lib/stek.c +++ b/lib/stek.c @@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con if (unlikely(session == NULL || key == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - if (session->key.totp.last_result == 0) { - int64_t t; - memcpy(session->key.initial_stek, key->data, key->size); - t = totp_next(session); - if (t < 0) - return gnutls_assert_val(t); + if (unlikely(session->key.totp.last_result != 0)) + return GNUTLS_E_INVALID_REQUEST; - session->key.totp.last_result = t; - session->key.totp.was_rotated = 0; - - return GNUTLS_E_SUCCESS; - } + memcpy(session->key.initial_stek, key->data, key->size); - return GNUTLS_E_INVALID_REQUEST; + session->key.totp.was_rotated = 0; + return 0; } /* diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c index f212b188b9..05c1c90868 100644 --- a/tests/resume-with-previous-stek.c +++ b/tests/resume-with-previous-stek.c @@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio) serverx509cred = NULL; } - if (num_stek_rotations != 2) - fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations); + if (num_stek_rotations != 3) + fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations); if (serverx509cred) gnutls_certificate_free_credentials(serverx509cred); -- 2.25.0