authorV3n3RiX <venerix@redcorelinux.org>2021-03-03 10:28:17 +0000
committerV3n3RiX <venerix@redcorelinux.org>2021-03-03 10:28:17 +0000
commitd99093fb4bb5652015c06274d64083daa2439e4f (patch)
treecf61513204d97974179580065e85df5c8009087c /net-libs/gnutls
parent463397cf1e064185110fe57c568d73f99a06f5d1 (diff)
gentoo resync : 03.03.2021
Diffstat (limited to 'net-libs/gnutls')
-rw-r--r--net-libs/gnutls/Manifest3
-rw-r--r--net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch403
-rw-r--r--net-libs/gnutls/gnutls-3.7.0-r1.ebuild (renamed from net-libs/gnutls/gnutls-3.7.0.ebuild)2
3 files changed, 407 insertions, 1 deletions
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index b16a42648e75..662412c41f13 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,6 +1,7 @@
AUX gnutls-3.6.15-skip-dtls-seccomp-tests.patch 477 BLAKE2B 4c1add5ab8041b7847c0b579d77483b9fc0f779bb24e3ba50953c2ca2b2bfc7774861085da3d9709fdf250c450cc77aa312095f816bf67748b5d2b5bed4f43ee SHA512 6f2dc20dbdd27875a964aa806380556f4a3da1d2c0c4f7337e0845fb304319b5b9ad94ba519982a4db75486f673a717e20c294487b2d3e339bf7d144a0f33803
+AUX gnutls-3.7.0-ignore-duplicate-certificates.patch 11218 BLAKE2B 2d2b03b17dd482e11c4d51e8947459f0543f6f053be4175bd324b3395af31b77fd689613842abd147ae2cfe6ad4f0abf3f9dd80dec69685b36097828a0008dfc SHA512 65e0a4660caee99ca2d129227061a165fa7a0f5aee085a1ab5e4bf4939549e268d2988d601bc3a719c64e19597fd45bb19b3e6f721ac7ba290249c67e345096b
DIST gnutls-3.6.15.tar.xz 6081656 BLAKE2B 6c52419037e41e817087a2577a6b73969cf065453ecf88e2f87152f544a177e4ad0ef825ae9dab243312e0223a953ab28e532bd2dbf96cb9498618415bc7f654 SHA512 f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c
DIST gnutls-3.7.0.tar.xz 6129176 BLAKE2B 3b03e7017ac1d715c740f8f09b0690dd1c983dcfd5faef0740cf66ac785c1a84e959f85808aa10a6eebd745d96ca0293681049911ea663aeff85fedfa2567aad SHA512 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885
EBUILD gnutls-3.6.15.ebuild 4303 BLAKE2B c4aa9aed6ba8b99aaae8c3541d087afe299e37beaf78167876535b49aa9f7bc5ef624d5b04d4124df074ae08c63dccdb543e4bcdf9347cf6c4ac86938d60c62e SHA512 61a3ff29bd0821b07a7792b0d5d1520eb1abadc87119b8ba1cdc30980c299e47e40637cee61621607d860f7b66a38cc17714938995e7c477d1a85fd4b5b4e001
-EBUILD gnutls-3.7.0.ebuild 4240 BLAKE2B a53df62983590ce9052deb810b474563b7d5c046e3de5fcfb026c78962f7237f798be322e940cf78ba1949863bd0aac48606cb87f8e3f0be1af49bed43050f41 SHA512 e54a53d940060f0fa5e037478aa49a6eed4bf3293806a8045e8850918dd7b4cff54cd7786178fe9f17124ef8de2ef7b20cf2e85f5ea8e946ca153c782e51eaa5
+EBUILD gnutls-3.7.0-r1.ebuild 4308 BLAKE2B c72d05e3119bf539a2f5058ba2d917c28f05700d20a7e5773ad8ef3d3bcffb1ec5603e5238d42aef2e2ecf8d7d8755cdef181ded939cb683a93e2ae416506f16 SHA512 35e6036471eb50cea51e52614dc169972d8cba4da7e36b6f0e9c357e3c9d54e7cab828c84fd86ad6d960ad8807d3d599acb1c1109cbe29cfb3ccc351610633a3
MISC metadata.xml 1258 BLAKE2B 4dbd1ceb49d79ae699d79471e636807b79f68d6e81f403d8c458eb5110dbf172d5839ea1550a32581bac1da039549731d397e91069570a76c8ef0c871feccad5 SHA512 749eb5f798cd04170a5dcf44c2e7fbc26e19210217791d92c0fdb1a53586a219c183686c74385bed1ff0f743b9972fa1d92fc216f53d3870127d39a6b3adb87a
diff --git a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch
new file mode 100644
index 000000000000..b0143818b46b
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch
@@ -0,0 +1,403 @@
+From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 28 Dec 2020 12:14:13 +0100
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
+ certificates
+
+The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
+regression, where duplicate certificates in a certificate chain are no
+longer ignored but treated as a non-contiguous segment and that
+results in calling the issuer callback, or a verification failure.
+
+This adds a mechanism to record certificates already seen in the
+chain, and skip them while still allow the caller to inject missing
+certificates.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Co-authored-by: Andreas Metzler <ametzler@debian.org>
+---
+ lib/x509/common.c | 8 ++
+ lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
+ tests/missingissuer.c | 2 +
+ tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
+ 4 files changed, 245 insertions(+), 23 deletions(-)
+
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 3301aaad0c..10c8db53c0 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+ * increasing DEFAULT_MAX_VERIFY_DEPTH.
+ */
+ for (i = 0; i < clist_size; i++) {
++ /* Self-signed certificate found in the chain; skip it
++ * as it should only appear in the trusted set.
++ */
++ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
++ _gnutls_cert_log("self-signed cert found", clist[i]);
++ continue;
++ }
++
+ for (j = 1; j < clist_size; j++) {
+ if (i == j)
+ continue;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 588e7ee0dc..9a16e6b42a 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
+
+ #define DEFAULT_SIZE 127
+
++struct cert_set_node_st {
++ gnutls_x509_crt_t *certs;
++ unsigned int size;
++};
++
++struct cert_set_st {
++ struct cert_set_node_st *node;
++ unsigned int size;
++};
++
++static int
++cert_set_init(struct cert_set_st *set, unsigned int size)
++{
++ memset(set, 0, sizeof(*set));
++
++ set->size = size;
++ set->node = gnutls_calloc(size, sizeof(*set->node));
++ if (!set->node) {
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ }
++
++ return 0;
++}
++
++static void
++cert_set_deinit(struct cert_set_st *set)
++{
++ size_t i;
++
++ for (i = 0; i < set->size; i++) {
++ gnutls_free(set->node[i].certs);
++ }
++
++ gnutls_free(set->node);
++}
++
++static bool
++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++ size_t hash, i;
++
++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++ hash %= set->size;
++
++ for (i = 0; i < set->node[hash].size; i++) {
++ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
++ return true;
++ }
++ }
++
++ return false;
++}
++
++static int
++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++ size_t hash;
++
++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++ hash %= set->size;
++
++ set->node[hash].certs =
++ gnutls_realloc_fast(set->node[hash].certs,
++ (set->node[hash].size + 1) *
++ sizeof(*set->node[hash].certs));
++ if (!set->node[hash].certs) {
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ }
++ set->node[hash].certs[set->node[hash].size] = cert;
++ set->node[hash].size++;
++
++ return 0;
++}
++
+ /**
+ * gnutls_x509_trust_list_init:
+ * @list: A pointer to the type to be initialized
+@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ unsigned have_set_name = 0;
+ unsigned saved_output;
+ gnutls_datum_t ip = {NULL, 0};
++ struct cert_set_st cert_set = { NULL, 0 };
+
+ if (cert_list == NULL || cert_list_size < 1)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+ cert_list = sorted;
+
++ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
++ if (ret < 0) {
++ return ret;
++ }
++
+ for (i = 0; i < cert_list_size &&
+- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
+- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+- unsigned int sorted_size;
++ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
++ unsigned int sorted_size = 1;
++ unsigned int j;
++ gnutls_x509_crt_t issuer;
+
++ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+ sorted_size = _gnutls_sort_clist(&cert_list[i],
+ cert_list_size - i);
+- i += sorted_size - 1;
+ }
+
+- if (i == cert_list_size - 1) {
+- gnutls_x509_crt_t issuer;
+-
+- /* If it is the last certificate and its issuer is
+- * known, don't need to run issuer callback. */
+- if (_gnutls_trust_list_get_issuer(list,
+- cert_list[i],
+- &issuer,
+- 0) == 0) {
++ /* Remove duplicates. Start with index 1, as the first element
++ * may be re-checked after issuer retrieval. */
++ for (j = 1; j < sorted_size; j++) {
++ if (cert_set_contains(&cert_set, cert_list[i + j])) {
++ if (i + j < cert_list_size - 1) {
++ memmove(&cert_list[i + j],
++ &cert_list[i + j + 1],
++ sizeof(cert_list[i]));
++ }
++ cert_list_size--;
+ break;
+ }
+- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
+- cert_list[i + 1])) {
+- /* There is no gap between this and the next
+- * certificate. */
++ }
++ /* Found a duplicate, try again with the same index. */
++ if (j < sorted_size) {
++ continue;
++ }
++
++ /* Record the certificates seen. */
++ for (j = 0; j < sorted_size; j++, i++) {
++ ret = cert_set_add(&cert_set, cert_list[i]);
++ if (ret < 0) {
++ goto cleanup;
++ }
++ }
++
++ /* If the issuer of the certificate is known, no need
++ * for further processing. */
++ if (_gnutls_trust_list_get_issuer(list,
++ cert_list[i - 1],
++ &issuer,
++ 0) == 0) {
++ cert_list_size = i;
++ break;
++ }
++
++ /* If there is no gap between this and the next certificate,
++ * proceed with the next certificate. */
++ if (i < cert_list_size &&
++ gnutls_x509_crt_check_issuer(cert_list[i - 1],
++ cert_list[i])) {
+ continue;
+ }
+
+ ret = retrieve_issuers(list,
+- cert_list[i],
++ cert_list[i - 1],
+ &retrieved[retrieved_size],
+ DEFAULT_MAX_VERIFY_DEPTH -
+ MAX(retrieved_size,
+@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ if (ret < 0) {
+ break;
+ } else if (ret > 0) {
+- memmove(&cert_list[i + 1 + ret],
+- &cert_list[i + 1],
+- (cert_list_size - i - 1) *
++ assert((unsigned int)ret <=
++ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++ memmove(&cert_list[i + ret],
++ &cert_list[i],
++ (cert_list_size - i) *
+ sizeof(gnutls_x509_crt_t));
+- memcpy(&cert_list[i + 1],
++ memcpy(&cert_list[i],
+ &retrieved[retrieved_size],
+ ret * sizeof(gnutls_x509_crt_t));
+ retrieved_size += ret;
+ cert_list_size += ret;
++
++ /* Start again from the end of the previous segment. */
++ i--;
+ }
+ }
+
+@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ for (i = 0; i < retrieved_size; i++) {
+ gnutls_x509_crt_deinit(retrieved[i]);
+ }
++ cert_set_deinit(&cert_set);
+ return ret;
+ }
+
+diff --git a/tests/missingissuer.c b/tests/missingissuer.c
+index f21e2b6b0c..226d095929 100644
+--- a/tests/missingissuer.c
++++ b/tests/missingissuer.c
+@@ -145,6 +145,8 @@ void doit(void)
+ printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
+
+ for (j = 0; chains[i].chain[j]; j++) {
++ assert(j < MAX_CHAIN);
++
+ if (debug > 2)
+ printf("\tAdding certificate %d...", (int)j);
+
+diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
+index 543e2d71fb..bf1e65c956 100644
+--- a/tests/test-chains-issuer.h
++++ b/tests/test-chains-issuer.h
+@@ -24,7 +24,7 @@
+ #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+ #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+
+-#define MAX_CHAIN 6
++#define MAX_CHAIN 15
+
+ #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
+ "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
+@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
+ NULL,
+ };
+
++static const char *missing_middle_single_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_4,
++ CA_CERT_4,
++ CA_CERT_2,
++ CA_CERT_2,
++ CA_CERT_1,
++ CA_CERT_1,
++ NULL,
++};
++
++static const char *missing_middle_multiple_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_4,
++ CA_CERT_4,
++ CA_CERT_1,
++ CA_CERT_1,
++ NULL,
++};
++
++static const char *missing_last_single_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_4,
++ CA_CERT_4,
++ CA_CERT_3,
++ CA_CERT_3,
++ CA_CERT_2,
++ CA_CERT_2,
++ NULL,
++};
++
++static const char *missing_last_multiple_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_4,
++ CA_CERT_4,
++ CA_CERT_3,
++ CA_CERT_3,
++ NULL,
++};
++
++static const char *missing_skip_single_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_3,
++ CA_CERT_3,
++ CA_CERT_1,
++ CA_CERT_1,
++ NULL,
++};
++
++static const char *missing_skip_multiple_duplicate[] = {
++ SERVER_CERT,
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_5,
++ CA_CERT_3,
++ CA_CERT_3,
++ NULL,
++};
++
+ static const char *missing_ca[] = {
+ CA_CERT_0,
+ NULL,
+ };
+
++static const char *middle_single_duplicate_ca[] = {
++ SERVER_CERT,
++ CA_CERT_5,
++ CA_CERT_0,
++ CA_CERT_4,
++ CA_CERT_0,
++ CA_CERT_2,
++ CA_CERT_0,
++ CA_CERT_1,
++ NULL,
++};
++
++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
++ CA_CERT_0,
++ NULL,
++};
++
+ static struct chains {
+ const char *name;
+ const char **chain;
+@@ -377,6 +468,14 @@ static struct chains {
+ { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
++ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
++ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
++ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
++ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
++ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
++ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
++ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
++ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ { NULL, NULL, NULL, NULL },
+ };
+
+--
+GitLab
+
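Review bot: The duplicate-removal `memmove` in the verify-high.c hunk (`memmove(&cert_list[i + j], &cert_list[i + j + 1], sizeof(cert_list[i]))`) moves exactly one pointer, so when the duplicate sits more than one slot before the end of the list the entries after `i + j + 1` are not shifted and the following `cert_list_size--` drops the last certificate while leaving `cert_list[i + j + 1]` present twice. The length should cover the whole tail, `(cert_list_size - i - j - 1) * sizeof(cert_list[i])`; the `i + j < cert_list_size - 1` guard already keeps that expression non-negative. The added test chains either duplicate each certificate adjacently or repeat only the self-signed root, so it is not obvious that any of them reaches this path with a non-trailing duplicate, and a chain where an already recorded certificate reappears ahead of several others would be needed to exercise it. Separately, `cert_set_init` stores `set->size` before `gnutls_calloc` can fail, so `cert_set_deinit` would index a NULL `node` on a partially initialised set; the early `return ret` after `cert_set_init` avoids that today, but assigning `set->size` only after the allocation check makes the helper safe on every path. The body of `gnutls_x509_trust_list_verify_crt2` starts and ends outside the quoted hunks.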
diff --git a/net-libs/gnutls/gnutls-3.7.0.ebuild b/net-libs/gnutls/gnutls-3.7.0-r1.ebuild
index ece149c18554..643a1c4d8ad5 100644
--- a/net-libs/gnutls/gnutls-3.7.0.ebuild
+++ b/net-libs/gnutls/gnutls-3.7.0-r1.ebuild
@@ -54,6 +54,8 @@ DOCS=(
HTML_DOCS=()
+PATCHES=( "${FILESDIR}"/${P}-ignore-duplicate-certificates.patch )
+
pkg_setup() {
# bug#520818
export TZ=UTC