From patchwork Fri Nov 4 15:39:12 2022
X-Patchwork-Submitter: Ranjitsinh Rathod
X-Patchwork-Id: 14825
From: Ranjitsinh Rathod
To: "Openembedded-devel@lists.openembedded.org", akuster808
Subject: [meta-networking][dunfell][PATCH] strongswan: Fix CVE-2022-40617
Date: Fri, 4 Nov 2022 15:39:12 +0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/99429

Hi Armin,

I still have not figured out why the patch gets corrupted when sent from my company's domain, so I am attaching the patch here in the email.

Thanks,
Best Regards,
Ranjitsinh Rathod
Technical Leader | KPIT Technologies Ltd.
Cellphone: +91-84606 92403

From f360549886c767338e14467545d9e5ae00db326a Mon Sep 17 00:00:00 2001
From: Ranjitsinh Rathod
Date: Thu, 3 Nov 2022 10:43:47 +0530
Subject: [PATCH] strongswan: Fix CVE-2022-40617

Add a patch to fix CVE-2022-40617 issue which allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617

Signed-off-by: Ranjitsinh Rathod
---
 .../strongswan/files/CVE-2022-40617.patch | 210 ++++++++++++++++++
 .../strongswan/strongswan_5.8.4.bb        |   1 +
 2 files changed, 211 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch

diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch
new file mode 100644
index 000000000..66e504712
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch
@@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... 
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. 
+ +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if (!validator->validate(validator, subject, issuer, +- 
online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic validation of the chain */ ++ pathlen = 0; ++ current 
= subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a5855fb8..c11748645 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb @@ -14,6 +14,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2021-41990.patch \ file://CVE-2021-41991.patch \ file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" -- 2.25.1
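Review bot: the `trusted` parameter of check_lifetime() is renamed to `anchor` in the @@ -556 hunk, but the hunk begins at the closing ` */` of the function's doc comment and touches no comment lines; please confirm the parameter description directly above check_lifetime() does not still document a `trusted` flag, since the commit message explains that the old name's dual meaning (chain trusted vs. issuer is the root anchor) was the source of the confusion this rename is meant to remove.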
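Review bot: `trusted = is_anchor = TRUE;` in the @@ -743 hunk is the only place is_anchor changes after its `FALSE` initialisation in the @@ -726 hunk, so it is never cleared once set; this is only correct because the `if (is_anchor)` branch in the @@ -794 hunk ("reached self-signed root ca ...") ends the chain walk in the same iteration. A short comment beside the assignment noting that the loop terminates once the anchor is reached would make that dependency explicit for anyone later restructuring the loop.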
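Review bot: in the new `else if (trusted && online)` block of the @@ -807 hunk, `current` and `issuer` are reassigned to certificates enumerated from `auth` without taking references, whereas the main loop above owns the objects in those same variables and destroys them (`issuer->destroy(issuer)` and `current->destroy(current)` in the @@ -778 hunk). Please confirm that nothing after this block destroys `current` or `issuer`; otherwise a revocation failure here (`trusted = FALSE; break;`) would leave variables pointing at certificates still held by `auth`, and a later destroy would release them twice. A one-line comment stating that the variables are reused as borrowed pointers here would help the next reader.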