Adding upstream version 3.7.9.upstream/3.7.9 upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 07:33:12 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 07:33:12 +0000
commit: 36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree: 6c68e0c0097987aff85a01dabddd34b862309a7c /tests/cve-2008-4989.c
parent: Initial commit. (diff)
download: gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz
gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip
1 files changed, 263 insertions, 0 deletions
diff --git a/tests/cve-2008-4989.c b/tests/cve-2008-4989.c
new file mode 100644
index 0000000..c745b99
--- /dev/null
+++ b/tests/cve-2008-4989.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <utils.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+/* Don't add more chains to this file, this is for cve-2008-4989
+   related chains only.  See chainverify.c instead for a generic chain
+   verification tester.  */
+
+static const char *pem_certs[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	    "MIIB6zCCAVQCCQCgwnB/k0WZrDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJE\n"
+	    "RTEXMBUGA1UEChMOR05VIFRMUyBBdHRhY2sxFTATBgNVBAMTDGludGVybWVkaWF0\n"
+	    "ZTAeFw0wODExMDMxMjA1MDRaFw0wODEyMDMxMjA1MDRaMDcxCzAJBgNVBAYTAkRF\n"
+	    "MRcwFQYDVQQKEw5HTlUgVExTIEF0dGFjazEPMA0GA1UEAxMGc2VydmVyMIGfMA0G\n"
+	    "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKdL9g5ErMLOLRCjiomZlNLhy0moWGaKIW\n"
+	    "aX6vyUIfh8d6FcArHoKoqhmX7ckvod50sOYPojQesDpl7gVaQNA6Ntr1VCcuNPef\n"
+	    "UKWtEwL0Qu9JbPnUoIYd7mAaqVQgFp6W6yzV/dp63LH4XSdzBMhpZ/EU6vZoE8Sv\n"
+	    "VLdqj5r6jwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAH4QRR7sZEbjW00tXYk/3O/Z\n"
+	    "96AxJNg0F78W5B68gaJrLJ7DTE2RTglscuEq1+2Jyb4AIziwXpYqxgwcP91QpH97\n"
+	    "XfwdXIcyjYvVLHiKmkQj2zJTY7MeyiEQQ2it8VstZG2fYmi2EiMZIEnyJ2JJ7bA7\n"
+	    "bF7pG7Cg3oEHUM0H5KUU\n" "-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	    "MIICADCCAWmgAwIBAgIJAIZ4nkHQAqTFMA0GCSqGSIb3DQEBBQUAMDUxCzAJBgNV\n"
+	    "BAYTAkRFMRcwFQYDVQQKEw5HTlUgVExTIEF0dGFjazENMAsGA1UEAxMEcm9vdDAe\n"
+	    "Fw0wODExMDMxMjA0NDVaFw0wODEyMDMxMjA0NDVaMD0xCzAJBgNVBAYTAkRFMRcw\n"
+	    "FQYDVQQKEw5HTlUgVExTIEF0dGFjazEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMIGf\n"
+	    "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvBpW8sAhIuUmNvcBE6wv/q7MtM1Z9\n"
+	    "2I1SDL8eJ8I2nPg6BlCX+OIqNruynj8J7uPEQ04ZLwLxNXoyZa8057YFyrKLOvoj\n"
+	    "5IfBtidsLWYv6PO3qqHJXVvwGdS7PKMuUlsjucCRyXVgQ07ODF7piqoVFi9KD99w\n"
+	    "AU5+9plGrZNP/wIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA\n"
+	    "A4GBAGPg+M+8MsB6zHN2o+jAtyqovrTTwmzVWEgfEH/aHC9+imGZRQ5lFNc2vdny\n"
+	    "AgaJ9/izO5S6Ibb5zUowN2WhoUJOVipuQa2m9AviOgheoU7tmANC9ylm/pRkKy/0\n"
+	    "n5UVzlKxDhRp/xBb7MWOw3KEQjiAf2Z3wCLcCPUqcJUdJC4v\n"
+	    "-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	    "MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUF\n"
+	    "ADCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYG\n"
+	    "A1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UE\n"
+	    "CxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl\n"
+	    "IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYx\n"
+	    "MTE3MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTAT\n"
+	    "BgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT\n"
+	    "ZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJ\n"
+	    "bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0\n"
+	    "ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+	    "AoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQ\n"
+	    "LZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29\n"
+	    "dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk6KHYcWUNo1F7\n"
+	    "7rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/KaAcd\n"
+	    "HJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR3\n"
+	    "2HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA\n"
+	    "MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7\n"
+	    "W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7OR\n"
+	    "tvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE\n"
+	    "uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQ\n"
+	    "aEfZYGDm/Ac9IiAXxPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqd\n"
+	    "E8hhuvU5HIe6uL17In/2/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+\n"
+	    "MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+\n"
+	    "fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==\n"
+	    "-----END CERTIFICATE-----\n"
+};
+
+static const char *pem_ca = {
+	"-----BEGIN CERTIFICATE-----\n"
+	    "MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUF\n"
+	    "ADCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYG\n"
+	    "A1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UE\n"
+	    "CxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl\n"
+	    "IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYx\n"
+	    "MTE3MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTAT\n"
+	    "BgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT\n"
+	    "ZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJ\n"
+	    "bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0\n"
+	    "ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+	    "AoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQ\n"
+	    "LZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29\n"
+	    "dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk6KHYcWUNo1F7\n"
+	    "7rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/KaAcd\n"
+	    "HJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR3\n"
+	    "2HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA\n"
+	    "MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7\n"
+	    "W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7OR\n"
+	    "tvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE\n"
+	    "uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQ\n"
+	    "aEfZYGDm/Ac9IiAXxPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqd\n"
+	    "E8hhuvU5HIe6uL17In/2/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+\n"
+	    "MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+\n"
+	    "fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==\n"
+	    "-----END CERTIFICATE-----\n"
+};
+
+#define CHAIN_LENGTH (sizeof (pem_certs) / sizeof (pem_certs[0]))
+
+static const char *pem_self_cert = {
+	"-----BEGIN CERTIFICATE-----\n"
+	    "MIIDgjCCAmygAwIBAgIBADALBgkqhkiG9w0BAQUwSzELMAkGA1UEBhMCQlIxFDAS\n"
+	    "BgNVBAoTC01pbmFzIExpdnJlMSYwJAYDVQQDEx1UaGFkZXUgTGltYSBkZSBTb3V6\n"
+	    "YSBDYXNjYXJkbzAeFw0wODA1MzAxOTUzNDNaFw0wODExMjYxOTUzNDNaMEsxCzAJ\n"
+	    "BgNVBAYTAkJSMRQwEgYDVQQKEwtNaW5hcyBMaXZyZTEmMCQGA1UEAxMdVGhhZGV1\n"
+	    "IExpbWEgZGUgU291emEgQ2FzY2FyZG8wggEfMAsGCSqGSIb3DQEBAQOCAQ4AMIIB\n"
+	    "CQKCAQC4D934O6wrXJbMyu1w8gu6nN0aNUDGqrX9UgaB/4xVuYhPlhjH0z9Dqic9\n"
+	    "0pEZmyNCjQmzDSg/hnlY3fBG0i9Iel2oYn1UB4SdcJ2qGkLS87y2ZbMTS1oyMR7/\n"
+	    "y9l3WGEWqwgjIvOjGstcZo0rCIF8Qr21QGX22KWg2HXlMaZyA9bGtJ+L+x6f2hoo\n"
+	    "yIPCA30VMvIgHjOSPQJF3iJFE4Uxq1PQ65W91NyI6/bRKFOmFdCUJW8tqqvntYP8\n"
+	    "hEE08wGlKimFNv7CqZuRI8QuOnhZ7pBXkyvQpW8yHrORlOHxSjkNQKjddt92TCJb\n"
+	    "1q6eKv2CtCuDLgCuIy0Onr4U9n+hAgMBAAGjeDB2MA8GA1UdEwEB/wQFMAMBAf8w\n"
+	    "HgYDVR0RBBcwFYITbWFpbC5taW5hc2xpdnJlLm9yZzATBgNVHSUEDDAKBggrBgEF\n"
+	    "BQcDATAPBgNVHQ8BAf8EBQMDB6QAMB0GA1UdDgQWBBQ/5v42y0jBHUKEfqpPmr5a\n"
+	    "WsjCGjALBgkqhkiG9w0BAQUDggEBAC/WfO2yK3vM9bG0qFEj8sd0cWiapMhf5PtH\n"
+	    "jigcPb/OKqSFQVXpAdNiUclPRP79Ih3CuWiXfZ/CW0+k2Z8tyy6AnEQItWvoVh/b\n"
+	    "8lS7Ph/f9JUYHp2DtgsQWcNQbrUZOPFBu8J4MD6cDWG5Uxwl3YASg30ZdmMDNT8B\n"
+	    "HshYz0HUOAhYwVSI3J/f7LFhD5OpjSroHgE7wA9UJrerAp9f7e3e9D7kNQ8DlvLP\n"
+	    "kz6Jh+5M/xD3JO1yl+evaCp3LA+z4M2xiNvtzkAEgj3t6RaJ81Sh5XGiooDYZ14R\n"
+	    "DgEBYLTUfBYBPzoaahPEdG/f0kUjUBJ34fkBUSjJKURPTHJfDfA=\n"
+	    "-----END CERTIFICATE-----\n"
+};
+
+int main(int argc, char *argv[])
+{
+	int ret;
+	gnutls_x509_crt_t certs[3];
+	gnutls_x509_crt_t ca;
+	gnutls_x509_crt_t self_cert;
+	gnutls_datum_t tmp;
+	size_t i;
+	unsigned int verify_status;
+
+	ret = global_init();
+	if (ret != 0) {
+		printf("%d: %s\n", ret, gnutls_strerror(ret));
+		return EXIT_FAILURE;
+	}
+
+	for (i = 0; i < CHAIN_LENGTH; i++) {
+		ret = gnutls_x509_crt_init(&certs[i]);
+		if (ret < 0) {
+			fprintf(stderr, "gnutls_x509_crt_init[%d]: %s",
+				(int) i, gnutls_strerror(ret));
+			exit(1);
+		}
+
+		tmp.data = (unsigned char *) pem_certs[i];
+		tmp.size = strlen(pem_certs[i]);
+
+		ret =
+		    gnutls_x509_crt_import(certs[i], &tmp,
+					   GNUTLS_X509_FMT_PEM);
+		if (ret < 0) {
+			fprintf(stderr, "gnutls_x509_crt_import[%d]: %s",
+				(int) i, gnutls_strerror(ret));
+			exit(1);
+		}
+	}
+
+	ret = gnutls_x509_crt_init(&ca);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_init: %s",
+			gnutls_strerror(ret));
+		exit(1);
+	}
+
+	tmp.data = (unsigned char *) pem_ca;
+	tmp.size = strlen(pem_ca);
+
+	ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_import: %s",
+			gnutls_strerror(ret));
+		exit(1);
+	}
+
+	ret = gnutls_x509_crt_list_verify(certs, CHAIN_LENGTH,
+					  &ca, 1,
+					  NULL, 0,
+					  GNUTLS_VERIFY_DISABLE_TIME_CHECKS|GNUTLS_VERIFY_ALLOW_BROKEN,
+					  &verify_status);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s",
+			(int) i, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (verify_status !=
+	    (GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID)) {
+		fprintf(stderr, "verify_status: %d", verify_status);
+		exit(1);
+	}
+
+	gnutls_x509_crt_deinit(ca);
+	for (i = 0; i < CHAIN_LENGTH; i++)
+		gnutls_x509_crt_deinit(certs[i]);
+
+	/* Also test chain length of 1, since the initial patch to solve the
+	   problem caused a crash in this situation. */
+
+	ret = gnutls_x509_crt_init(&self_cert);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_init: %s",
+			gnutls_strerror(ret));
+		exit(1);
+	}
+
+	tmp.data = (unsigned char *) pem_self_cert;
+	tmp.size = strlen(pem_self_cert);
+
+	ret = gnutls_x509_crt_import(self_cert, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_import: %s",
+			gnutls_strerror(ret));
+		exit(1);
+	}
+	ret = gnutls_x509_crt_list_verify(&self_cert, 1,
+					  &self_cert, 1,
+					  NULL, 0,
+					  GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+					  &verify_status);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s",
+			(int) i, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (verify_status != 0) {
+		fprintf(stderr, "verify_status: %d", verify_status);
+		exit(1);
+	}
+
+	gnutls_x509_crt_deinit(self_cert);
+
+	gnutls_global_deinit();
+
+	return 0;
+}
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-28 07:33:12 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-28 07:33:12 +0000
commit	36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree	6c68e0c0097987aff85a01dabddd34b862309a7c /tests/cve-2008-4989.c
parent	Initial commit. (diff)
download	gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip