1 files changed, 0 insertions, 219 deletions
diff --git a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch b/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
deleted file mode 100644
index 13d002a106..0000000000
--- a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 12:39:14 +0200
-Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against
- system cert
-To verify a certificate chain, this function replaces known
-certificates with the ones in the system trust store if possible.
-However, if it is found, the function checks the validity of the
-original certificate rather than the certificate found in the trust
-store.  That reveals a problem in a scenario that (1) a certificate is
-signed by multiple issuers and (2) one of the issuers' certificate has
-expired and included in the input chain.
-This patch makes it a little robuster by actually retrieving the
-certificate from the trust store and perform check against it.
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- lib/pkcs11.c      | 98 +++++++++++++++++++++++++++++++++--------------
- lib/pkcs11_int.h  |  5 +++
- lib/x509/verify.c |  7 +++-
- 3 files changed, 80 insertions(+), 30 deletions(-)
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index fad16aaf4f..d8d4a65114 100644
--- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
-        return ret;
- }
- 
-/**
- * gnutls_pkcs11_crt_is_known:
- * @url: A PKCS 11 url identifying a token
- * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any in an allocated buffer.
- * @fmt: The format of the exported issuer.
- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
- *
- * This function will check whether the provided certificate is stored
- * in the specified token. This is useful in combination with 
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
- * to check whether a CA is present or a certificate is blacklisted in
- * a trust PKCS #11 module.
- *
- * This function can be used with a @url of "pkcs11:", and in that case all modules
- * will be searched. To restrict the modules to the marked as trusted in p11-kit
- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
- *
- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
- * specific to p11-kit trust modules.
- *
- * Returns: If the certificate exists non-zero is returned, otherwise zero.
- *
- * Since: 3.3.0
- **/
-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-                                unsigned int flags)
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+                           unsigned int flags,
-+                           gnutls_x509_crt_t *trusted_cert)
- {
-        int ret;
-        struct find_cert_st priv;
-@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- 
-        memset(&priv, 0, sizeof(priv));
- 
-+       if (trusted_cert) {
-+               ret = gnutls_pkcs11_obj_init(&priv.obj);
-+               if (ret < 0) {
-+                       gnutls_assert();
-+                       goto cleanup;
-+               }
-+               priv.need_import = 1;
-+       }
-+
-        if (url == NULL || url[0] == 0) {
-                url = "pkcs11:";
-        }
-@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-                _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
-                /* attempt searching with the subject DN only */
-                gnutls_assert();
-+               if (priv.obj)
-+                       gnutls_pkcs11_obj_deinit(priv.obj);
-                gnutls_free(priv.serial.data);
-                memset(&priv, 0, sizeof(priv));
-+               if (trusted_cert) {
-+                       ret = gnutls_pkcs11_obj_init(&priv.obj);
-+                       if (ret < 0) {
-+                               gnutls_assert();
-+                               goto cleanup;
-+                       }
-+                       priv.need_import = 1;
-+               }
-                priv.crt = cert;
-                priv.flags = flags;
- 
-@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-                goto cleanup;
-        }
- 
-+       if (trusted_cert) {
-+               ret = gnutls_x509_crt_init(trusted_cert);
-+               if (ret < 0) {
-+                       gnutls_assert();
-+                       ret = 0;
-+                       goto cleanup;
-+               }
-+               ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
-+               if (ret < 0) {
-+                       gnutls_assert();
-+                       gnutls_x509_crt_deinit(*trusted_cert);
-+                       ret = 0;
-+                       goto cleanup;
-+               }
-+       }
-        ret = 1;
- 
-       cleanup:
-+       if (priv.obj)
-+               gnutls_pkcs11_obj_deinit(priv.obj);
-        if (info)
-                p11_kit_uri_free(info);
-        gnutls_free(priv.serial.data);
-@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-        return ret;
- }
- 
-+/**
-+ * gnutls_pkcs11_crt_is_known:
-+ * @url: A PKCS 11 url identifying a token
-+ * @cert: is the certificate to find issuer for
-+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-+ *
-+ * This function will check whether the provided certificate is stored
-+ * in the specified token. This is useful in combination with 
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-+ * to check whether a CA is present or a certificate is blacklisted in
-+ * a trust PKCS #11 module.
-+ *
-+ * This function can be used with a @url of "pkcs11:", and in that case all modules
-+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
-+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-+ *
-+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-+ * specific to p11-kit trust modules.
-+ *
-+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
-+ *
-+ * Since: 3.3.0
-+ **/
-+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+                                unsigned int flags)
-+{
-+       return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
-+}
-+
- /**
-  * gnutls_pkcs11_obj_get_flags:
-  * @obj: The pkcs11 object
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index 9d88807098..86cce0dee5 100644
--- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
-        return 0;
- }
- 
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+                           unsigned int flags,
-+                           gnutls_x509_crt_t *trusted_cert);
-+
- #endif                         /* ENABLE_PKCS11 */
- 
- #endif /* GNUTLS_LIB_PKCS11_INT_H */
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d202670198..fd7c6a1642 100644
--- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -34,6 +34,7 @@
- #include <tls-sig.h>
- #include <str.h>
- #include <datum.h>
-+#include <pkcs11_int.h>
- #include <x509_int.h>
- #include <common.h>
- #include <pk.h>
-@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
- 
-        for (; i < clist_size; i++) {
-                unsigned vflags;
-+               gnutls_x509_crt_t trusted_cert;
- 
-                if (i == 0) /* in the end certificate do full comparison */
-                        vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
-                        vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-                                GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
- 
-               if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
-+               if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
- 
-                       status |= check_ca_sanity(certificate_list[i], now, flags);
-+                       status |= check_ca_sanity(trusted_cert, now, flags);
-+                       gnutls_x509_crt_deinit(trusted_cert);
- 
-                        if (func)
-                                func(certificate_list[i],
-- 
-2.26.2

diff --git a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch b/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch deleted file mode 100644 index 13d002a106..0000000000 --- a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch +++ /dev/null
@@ -1,219 +0,0 @@
1	From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
2	From: Daiki Ueno <ueno@gnu.org>
3	Date: Sun, 31 May 2020 12:39:14 +0200
4	Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against
5	system cert
6
7	To verify a certificate chain, this function replaces known
8	certificates with the ones in the system trust store if possible.
9
10	However, if it is found, the function checks the validity of the
11	original certificate rather than the certificate found in the trust
12	store. That reveals a problem in a scenario that (1) a certificate is
13	signed by multiple issuers and (2) one of the issuers' certificate has
14	expired and included in the input chain.
15
16	This patch makes it a little robuster by actually retrieving the
17	certificate from the trust store and perform check against it.
18
19	Signed-off-by: Daiki Ueno <ueno@gnu.org>
20	---
21	lib/pkcs11.c \| 98 +++++++++++++++++++++++++++++++++--------------
22	lib/pkcs11_int.h \| 5 +++
23	lib/x509/verify.c \| 7 +++-
24	3 files changed, 80 insertions(+), 30 deletions(-)
25
26	diff --git a/lib/pkcs11.c b/lib/pkcs11.c
27	index fad16aaf4f..d8d4a65114 100644
28	--- a/lib/pkcs11.c
29	+++ b/lib/pkcs11.c
30	@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
31	return ret;
32	}
33
34	-/**
35	- * gnutls_pkcs11_crt_is_known:
36	- * @url: A PKCS 11 url identifying a token
37	- * @cert: is the certificate to find issuer for
38	- * @issuer: Will hold the issuer if any in an allocated buffer.
39	- * @fmt: The format of the exported issuer.
40	- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
41	- *
42	- * This function will check whether the provided certificate is stored
43	- * in the specified token. This is useful in combination with
44	- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
45	- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
46	- * to check whether a CA is present or a certificate is blacklisted in
47	- * a trust PKCS #11 module.
48	- *
49	- * This function can be used with a @url of "pkcs11:", and in that case all modules
50	- * will be searched. To restrict the modules to the marked as trusted in p11-kit
51	- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
52	- *
53	- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
54	- * specific to p11-kit trust modules.
55	- *
56	- * Returns: If the certificate exists non-zero is returned, otherwise zero.
57	- *
58	- * Since: 3.3.0
59	- **/
60	-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
61	- unsigned int flags)
62	+unsigned
63	+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
64	+ unsigned int flags,
65	+ gnutls_x509_crt_t *trusted_cert)
66	{
67	int ret;
68	struct find_cert_st priv;
69	@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
70
71	memset(&priv, 0, sizeof(priv));
72
73	+ if (trusted_cert) {
74	+ ret = gnutls_pkcs11_obj_init(&priv.obj);
75	+ if (ret < 0) {
76	+ gnutls_assert();
77	+ goto cleanup;
78	+ }
79	+ priv.need_import = 1;
80	+ }
81	+
82	if (url == NULL \|\| url[0] == 0) {
83	url = "pkcs11:";
84	}
85	@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
86	_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
87	/* attempt searching with the subject DN only */
88	gnutls_assert();
89	+ if (priv.obj)
90	+ gnutls_pkcs11_obj_deinit(priv.obj);
91	gnutls_free(priv.serial.data);
92	memset(&priv, 0, sizeof(priv));
93	+ if (trusted_cert) {
94	+ ret = gnutls_pkcs11_obj_init(&priv.obj);
95	+ if (ret < 0) {
96	+ gnutls_assert();
97	+ goto cleanup;
98	+ }
99	+ priv.need_import = 1;
100	+ }
101	priv.crt = cert;
102	priv.flags = flags;
103
104	@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
105	goto cleanup;
106	}
107
108	+ if (trusted_cert) {
109	+ ret = gnutls_x509_crt_init(trusted_cert);
110	+ if (ret < 0) {
111	+ gnutls_assert();
112	+ ret = 0;
113	+ goto cleanup;
114	+ }
115	+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
116	+ if (ret < 0) {
117	+ gnutls_assert();
118	+ gnutls_x509_crt_deinit(*trusted_cert);
119	+ ret = 0;
120	+ goto cleanup;
121	+ }
122	+ }
123	ret = 1;
124
125	cleanup:
126	+ if (priv.obj)
127	+ gnutls_pkcs11_obj_deinit(priv.obj);
128	if (info)
129	p11_kit_uri_free(info);
130	gnutls_free(priv.serial.data);
131	@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
132	return ret;
133	}
134
135	+/**
136	+ * gnutls_pkcs11_crt_is_known:
137	+ * @url: A PKCS 11 url identifying a token
138	+ * @cert: is the certificate to find issuer for
139	+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
140	+ *
141	+ * This function will check whether the provided certificate is stored
142	+ * in the specified token. This is useful in combination with
143	+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
144	+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
145	+ * to check whether a CA is present or a certificate is blacklisted in
146	+ * a trust PKCS #11 module.
147	+ *
148	+ * This function can be used with a @url of "pkcs11:", and in that case all modules
149	+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
150	+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
151	+ *
152	+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
153	+ * specific to p11-kit trust modules.
154	+ *
155	+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
156	+ *
157	+ * Since: 3.3.0
158	+ **/
159	+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
160	+ unsigned int flags)
161	+{
162	+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
163	+}
164	+
165	/**
166	* gnutls_pkcs11_obj_get_flags:
167	* @obj: The pkcs11 object
168	diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
169	index 9d88807098..86cce0dee5 100644
170	--- a/lib/pkcs11_int.h
171	+++ b/lib/pkcs11_int.h
172	@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
173	return 0;
174	}
175
176	+unsigned
177	+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
178	+ unsigned int flags,
179	+ gnutls_x509_crt_t *trusted_cert);
180	+
181	#endif /* ENABLE_PKCS11 */
182
183	#endif /* GNUTLS_LIB_PKCS11_INT_H */
184	diff --git a/lib/x509/verify.c b/lib/x509/verify.c
185	index d202670198..fd7c6a1642 100644
186	--- a/lib/x509/verify.c
187	+++ b/lib/x509/verify.c
188	@@ -34,6 +34,7 @@
189	#include <tls-sig.h>
190	#include <str.h>
191	#include <datum.h>
192	+#include <pkcs11_int.h>
193	#include <x509_int.h>
194	#include <common.h>
195	#include <pk.h>
196	@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
197
198	for (; i < clist_size; i++) {
199	unsigned vflags;
200	+ gnutls_x509_crt_t trusted_cert;
201
202	if (i == 0) /* in the end certificate do full comparison */
203	vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE\|
204	@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
205	vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE\|
206	GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY\|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
207
208	- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
209	+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
210
211	- status \|= check_ca_sanity(certificate_list[i], now, flags);
212	+ status \|= check_ca_sanity(trusted_cert, now, flags);
213	+ gnutls_x509_crt_deinit(trusted_cert);
214
215	if (func)
216	func(certificate_list[i],
217	--
218	2.26.2
219