rpms/gnutls
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update gnutls-3.6.13-superseding-chain.patch

Browse Source
This commit is contained in:
Daiki Ueno 2020-05-31 15:39:54 +02:00
parent ff6457e1d1
commit 230640c591
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
gnutls-3.6.13-superseding-chain.patch
View File

@ -1,4 +1,4 @@
From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org> From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 31 May 2020 12:39:14 +0200 Date: Sun, 31 May 2020 12:39:14 +0200
Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
@ -7,24 +7,24 @@ Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
To verify a certificate chain, this function replaces known To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible. certificates with the ones in the system trust store if possible.
However, if it is found, the function checked the validity of the However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust original certificate rather than the certificate found in the trust
store. That reveals a problem in a scenario that (1) a certificate is store. That reveals a problem in a scenario that (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificate has signed by multiple issuers and (2) one of the issuers' certificate has
expired and included in the input chain. expired and included in the input chain.
This patch makes it a little robuster by actually retrieving the This patch makes it a little robuster by actually retrieving the
certificate from the trust store and check against it. certificate from the trust store and perform check against it.
Signed-off-by: Daiki Ueno <ueno@gnu.org> Signed-off-by: Daiki Ueno <ueno@gnu.org>
--- ---
lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++--------------
lib/pkcs11_int.h | 5 +++ lib/pkcs11_int.h | 5 +++
lib/x509/verify.c | 7 +++- lib/x509/verify.c | 7 +++-
3 files changed, 78 insertions(+), 30 deletions(-) 3 files changed, 80 insertions(+), 30 deletions(-)
diff --git a/lib/pkcs11.c b/lib/pkcs11.c diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index fad16aaf4..662dda441 100644 index fad16aaf4..d8d4a6511 100644
--- a/lib/pkcs11.c --- a/lib/pkcs11.c
+++ b/lib/pkcs11.c +++ b/lib/pkcs11.c
@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
@ -82,8 +82,12 @@ index fad16aaf4..662dda441 100644
if (url == NULL || url[0] == 0) { if (url == NULL || url[0] == 0) {
url = "pkcs11:"; url = "pkcs11:";
} }
@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, @@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
/* attempt searching with the subject DN only */
gnutls_assert(); gnutls_assert();
+ if (priv.obj)
+ gnutls_pkcs11_obj_deinit(priv.obj);
gnutls_free(priv.serial.data); gnutls_free(priv.serial.data);
memset(&priv, 0, sizeof(priv)); memset(&priv, 0, sizeof(priv));
+ if (trusted_cert) { + if (trusted_cert) {
@ -97,7 +101,7 @@ index fad16aaf4..662dda441 100644
priv.crt = cert; priv.crt = cert;
priv.flags = flags; priv.flags = flags;
@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, @@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
goto cleanup; goto cleanup;
} }
@ -124,7 +128,7 @@ index fad16aaf4..662dda441 100644
if (info) if (info)
p11_kit_uri_free(info); p11_kit_uri_free(info);
gnutls_free(priv.serial.data); gnutls_free(priv.serial.data);
@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, @@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
return ret; return ret;
} }
@ -214,7 +218,7 @@ index d20267019..fd7c6a164 100644
2.26.2 2.26.2
From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org> From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 31 May 2020 13:59:53 +0200 Date: Sun, 31 May 2020 13:59:53 +0200
Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is
@ -257,7 +261,7 @@ index b1421ef17..40638ad3a 100644
2.26.2 2.26.2
From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org> From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 31 May 2020 14:28:48 +0200 Date: Sun, 31 May 2020 14:28:48 +0200
Subject: [PATCH 3/3] tests: add test case for certificate chain superseding Subject: [PATCH 3/3] tests: add test case for certificate chain superseding

5
gnutls.spec
View File

@ -1,6 +1,6 @@
# This spec file has been automatically updated # This spec file has been automatically updated
Version: 3.6.13 Version: 3.6.13
Release: 5%{?dist} Release: 6%{?dist}
Patch1: gnutls-3.6.7-no-now-guile.patch Patch1: gnutls-3.6.7-no-now-guile.patch
Patch2: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.2.7-rpath.patch
Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch
@ -283,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
%endif %endif
%changelog %changelog
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-6
- Update gnutls-3.6.13-superseding-chain.patch
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-5 * Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-5
- Fix cert chain validation behavior if the last cert has expired (#1842178) - Fix cert chain validation behavior if the last cert has expired (#1842178)