commit: 42cb2c95be07553ccb6c28c1634e8b64602c3fe1 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> AuthorDate: Sun Mar 28 06:07:24 2021 +0000 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> CommitDate: Sun Mar 28 06:08:22 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42cb2c95
net-libs/gnutls: drop vulnerable version Bug: https://bugs.gentoo.org/775338 Package-Manager: Portage-3.0.17, Repoman-3.0.2 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> net-libs/gnutls/Manifest | 1 - ...nutls-3.7.0-ignore-duplicate-certificates.patch | 403 --------------------- net-libs/gnutls/gnutls-3.7.0-r1.ebuild | 139 ------- 3 files changed, 543 deletions(-) diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest index 5c0d91491fa..1ab16ed845f 100644 --- a/net-libs/gnutls/Manifest +++ b/net-libs/gnutls/Manifest @@ -1,3 +1,2 @@ DIST gnutls-3.6.15.tar.xz 6081656 BLAKE2B 6c52419037e41e817087a2577a6b73969cf065453ecf88e2f87152f544a177e4ad0ef825ae9dab243312e0223a953ab28e532bd2dbf96cb9498618415bc7f654 SHA512 f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c -DIST gnutls-3.7.0.tar.xz 6129176 BLAKE2B 3b03e7017ac1d715c740f8f09b0690dd1c983dcfd5faef0740cf66ac785c1a84e959f85808aa10a6eebd745d96ca0293681049911ea663aeff85fedfa2567aad SHA512 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 DIST gnutls-3.7.1.tar.xz 6038388 BLAKE2B 1d55eb441827c7148d63bcad37bf7bc62d539ee9bc7e14c2fe5ec1d0bdcadd75e2cbc98ba104523b24c8dfd9526b4595475a818d206971cc012fac509cd33a6f SHA512 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 diff --git a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch deleted file mode 100644 index b0143818b46..00000000000 --- a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch +++ /dev/null @@ -1,403 +0,0 @@ -From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno <u...@gnu.org> -Date: Mon, 28 Dec 2020 12:14:13 +0100 -Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate - certificates - -The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a -regression, where duplicate certificates in a certificate chain are no -longer ignored but treated as a non-contiguous segment and that -results in calling the issuer callback, or a verification failure. - -This adds a mechanism to record certificates already seen in the -chain, and skip them while still allow the caller to inject missing -certificates. - -Signed-off-by: Daiki Ueno <u...@gnu.org> -Co-authored-by: Andreas Metzler <ametz...@debian.org> ---- - lib/x509/common.c | 8 ++ - lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ - tests/missingissuer.c | 2 + - tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- - 4 files changed, 245 insertions(+), 23 deletions(-) - -diff --git a/lib/x509/common.c b/lib/x509/common.c -index 3301aaad0c..10c8db53c0 100644 ---- a/lib/x509/common.c -+++ b/lib/x509/common.c -@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, - * increasing DEFAULT_MAX_VERIFY_DEPTH. - */ - for (i = 0; i < clist_size; i++) { -+ /* Self-signed certificate found in the chain; skip it -+ * as it should only appear in the trusted set. -+ */ -+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { -+ _gnutls_cert_log("self-signed cert found", clist[i]); -+ continue; -+ } -+ - for (j = 1; j < clist_size; j++) { - if (i == j) - continue; -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index 588e7ee0dc..9a16e6b42a 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { - - #define DEFAULT_SIZE 127 - -+struct cert_set_node_st { -+ gnutls_x509_crt_t *certs; -+ unsigned int size; -+}; -+ -+struct cert_set_st { -+ struct cert_set_node_st *node; -+ unsigned int size; -+}; -+ -+static int -+cert_set_init(struct cert_set_st *set, unsigned int size) -+{ -+ memset(set, 0, sizeof(*set)); -+ -+ set->size = size; -+ set->node = gnutls_calloc(size, sizeof(*set->node)); -+ if (!set->node) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ -+ return 0; -+} -+ -+static void -+cert_set_deinit(struct cert_set_st *set) -+{ -+ size_t i; -+ -+ for (i = 0; i < set->size; i++) { -+ gnutls_free(set->node[i].certs); -+ } -+ -+ gnutls_free(set->node); -+} -+ -+static bool -+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash, i; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ for (i = 0; i < set->node[hash].size; i++) { -+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { -+ return true; -+ } -+ } -+ -+ return false; -+} -+ -+static int -+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ set->node[hash].certs = -+ gnutls_realloc_fast(set->node[hash].certs, -+ (set->node[hash].size + 1) * -+ sizeof(*set->node[hash].certs)); -+ if (!set->node[hash].certs) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ set->node[hash].certs[set->node[hash].size] = cert; -+ set->node[hash].size++; -+ -+ return 0; -+} -+ - /** - * gnutls_x509_trust_list_init: - * @list: A pointer to the type to be initialized -@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - unsigned have_set_name = 0; - unsigned saved_output; - gnutls_datum_t ip = {NULL, 0}; -+ struct cert_set_st cert_set = { NULL, 0 }; - - if (cert_list == NULL || cert_list_size < 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); - cert_list = sorted; - -+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); -+ if (ret < 0) { -+ return ret; -+ } -+ - for (i = 0; i < cert_list_size && -- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { -- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { -- unsigned int sorted_size; -+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { -+ unsigned int sorted_size = 1; -+ unsigned int j; -+ gnutls_x509_crt_t issuer; - -+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { - sorted_size = _gnutls_sort_clist(&cert_list[i], - cert_list_size - i); -- i += sorted_size - 1; - } - -- if (i == cert_list_size - 1) { -- gnutls_x509_crt_t issuer; -- -- /* If it is the last certificate and its issuer is -- * known, don't need to run issuer callback. */ -- if (_gnutls_trust_list_get_issuer(list, -- cert_list[i], -- &issuer, -- 0) == 0) { -+ /* Remove duplicates. Start with index 1, as the first element -+ * may be re-checked after issuer retrieval. */ -+ for (j = 1; j < sorted_size; j++) { -+ if (cert_set_contains(&cert_set, cert_list[i + j])) { -+ if (i + j < cert_list_size - 1) { -+ memmove(&cert_list[i + j], -+ &cert_list[i + j + 1], -+ sizeof(cert_list[i])); -+ } -+ cert_list_size--; - break; - } -- } else if (gnutls_x509_crt_check_issuer(cert_list[i], -- cert_list[i + 1])) { -- /* There is no gap between this and the next -- * certificate. */ -+ } -+ /* Found a duplicate, try again with the same index. */ -+ if (j < sorted_size) { -+ continue; -+ } -+ -+ /* Record the certificates seen. */ -+ for (j = 0; j < sorted_size; j++, i++) { -+ ret = cert_set_add(&cert_set, cert_list[i]); -+ if (ret < 0) { -+ goto cleanup; -+ } -+ } -+ -+ /* If the issuer of the certificate is known, no need -+ * for further processing. */ -+ if (_gnutls_trust_list_get_issuer(list, -+ cert_list[i - 1], -+ &issuer, -+ 0) == 0) { -+ cert_list_size = i; -+ break; -+ } -+ -+ /* If there is no gap between this and the next certificate, -+ * proceed with the next certificate. */ -+ if (i < cert_list_size && -+ gnutls_x509_crt_check_issuer(cert_list[i - 1], -+ cert_list[i])) { - continue; - } - - ret = retrieve_issuers(list, -- cert_list[i], -+ cert_list[i - 1], - &retrieved[retrieved_size], - DEFAULT_MAX_VERIFY_DEPTH - - MAX(retrieved_size, -@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - if (ret < 0) { - break; - } else if (ret > 0) { -- memmove(&cert_list[i + 1 + ret], -- &cert_list[i + 1], -- (cert_list_size - i - 1) * -+ assert((unsigned int)ret <= -+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); -+ memmove(&cert_list[i + ret], -+ &cert_list[i], -+ (cert_list_size - i) * - sizeof(gnutls_x509_crt_t)); -- memcpy(&cert_list[i + 1], -+ memcpy(&cert_list[i], - &retrieved[retrieved_size], - ret * sizeof(gnutls_x509_crt_t)); - retrieved_size += ret; - cert_list_size += ret; -+ -+ /* Start again from the end of the previous segment. */ -+ i--; - } - } - -@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - for (i = 0; i < retrieved_size; i++) { - gnutls_x509_crt_deinit(retrieved[i]); - } -+ cert_set_deinit(&cert_set); - return ret; - } - -diff --git a/tests/missingissuer.c b/tests/missingissuer.c -index f21e2b6b0c..226d095929 100644 ---- a/tests/missingissuer.c -+++ b/tests/missingissuer.c -@@ -145,6 +145,8 @@ void doit(void) - printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); - - for (j = 0; chains[i].chain[j]; j++) { -+ assert(j < MAX_CHAIN); -+ - if (debug > 2) - printf("\tAdding certificate %d...", (int)j); - -diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h -index 543e2d71fb..bf1e65c956 100644 ---- a/tests/test-chains-issuer.h -+++ b/tests/test-chains-issuer.h -@@ -24,7 +24,7 @@ - #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - --#define MAX_CHAIN 6 -+#define MAX_CHAIN 15 - - #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ - "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ -@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { - NULL, - }; - -+static const char *missing_middle_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_2, -+ CA_CERT_2, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_last_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_2, -+ CA_CERT_2, -+ NULL, -+}; -+ -+static const char *missing_last_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ -+static const char *missing_skip_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_skip_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ - static const char *missing_ca[] = { - CA_CERT_0, - NULL, - }; - -+static const char *middle_single_duplicate_ca[] = { -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_0, -+ CA_CERT_4, -+ CA_CERT_0, -+ CA_CERT_2, -+ CA_CERT_0, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { -+ CA_CERT_0, -+ NULL, -+}; -+ - static struct chains { - const char *name; - const char **chain; -@@ -377,6 +468,14 @@ static struct chains { - { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, - { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, -+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, -+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, -+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, -+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { NULL, NULL, NULL, NULL }, - }; - --- -GitLab - diff --git a/net-libs/gnutls/gnutls-3.7.0-r1.ebuild b/net-libs/gnutls/gnutls-3.7.0-r1.ebuild deleted file mode 100644 index 643a1c4d8ad..00000000000 --- a/net-libs/gnutls/gnutls-3.7.0-r1.ebuild +++ /dev/null @@ -1,139 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit libtool multilib-minimal - -DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols" -HOMEPAGE="https://www.gnutls.org/"; -SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz" - -LICENSE="GPL-3 LGPL-2.1+" -SLOT="0/30" # libgnutls.so number -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind" - -REQUIRED_USE=" - test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )" -RESTRICT="!test? ( test )" - -# NOTICE: sys-devel/autogen is required at runtime as we -# use system libopts -RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}] - dev-libs/libunistring:=[${MULTILIB_USEDEP}] - >=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}] - >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}] - tools? ( sys-devel/autogen:= ) - dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] ) - guile? ( >=dev-scheme/guile-2:=[networking] ) - nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] ) - pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] ) - idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )" -DEPEND="${RDEPEND} - test? ( - seccomp? ( sys-libs/libseccomp ) - )" -BDEPEND=">=virtual/pkgconfig-0-r1 - doc? ( dev-util/gtk-doc ) - nls? ( sys-devel/gettext ) - tools? ( sys-devel/autogen ) - valgrind? ( dev-util/valgrind ) - test-full? ( - app-crypt/dieharder - >=app-misc/datefudge-1.22 - dev-libs/softhsm:2[-bindist] - net-dialup/ppp - net-misc/socat - )" - -DOCS=( - README.md - doc/certtool.cfg -) - -HTML_DOCS=() - -PATCHES=( "${FILESDIR}"/${P}-ignore-duplicate-certificates.patch ) - -pkg_setup() { - # bug#520818 - export TZ=UTC - - use doc && HTML_DOCS+=( - doc/gnutls.html - ) -} - -src_prepare() { - default - - # force regeneration of autogen-ed files - local file - for file in $(grep -l AutoGen-ed src/*.c) ; do - rm src/$(basename ${file} .c).{c,h} || die - done - - # don't try to use system certificate store on macOS, it is - # confusingly ignoring our ca-certificates and more importantly - # fails to compile in certain configurations - sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die - - # Use sane .so versioning on FreeBSD. - elibtoolize -} - -multilib_src_configure() { - LINGUAS="${LINGUAS//en/en@boldquot en@quot}" - - local libconf=() - - # TPM needs to be tested before being enabled - libconf+=( --without-tpm ) - - # hardware-accell is disabled on OSX because the asm files force - # GNU-stack (as doesn't support that) and when that's removed ld - # complains about duplicate symbols - [[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration ) - - # Cygwin as does not understand these asm files at all - [[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration ) - - local myeconfargs=( - $(multilib_native_enable manpages) - $(multilib_native_use_enable doc gtk-doc) - $(multilib_native_use_enable doc) - $(multilib_native_use_enable guile) - $(multilib_native_use_enable seccomp seccomp-tests) - $(multilib_native_use_enable test tests) - $(multilib_native_use_enable test-full full-test-suite) - $(multilib_native_use_enable tools) - $(multilib_native_use_enable valgrind valgrind-tests) - $(use_enable cxx) - $(use_enable dane libdane) - $(use_enable nls) - $(use_enable openssl openssl-compatibility) - $(use_enable sslv2 ssl2-support) - $(use_enable sslv3 ssl3-support) - $(use_enable static-libs static) - $(use_enable tls-heartbeat heartbeat-support) - $(use_with idn) - $(use_with pkcs11 p11-kit) - --disable-rpath - --with-default-trust-store-file="${EPREFIX}/etc/ssl/certs/ca-certificates.crt" - --with-unbound-root-key-file="${EPREFIX}/etc/dnssec/root-anchors.txt" - --without-included-libtasn1 - $("${S}/configure" --help | grep -o -- '--without-.*-prefix') - ) - ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}" -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - - if use examples; then - docinto examples - dodoc doc/examples/*.c - fi -}
