File strongswan-CVE-2022-40617.patch of Package strongswan.28069
@@ -, +, @@
basic trust chain validation
using certificate "CN=www.strongswan.org"
using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
reached self-signed root ca with a path length of 1
requesting ocsp status from 'http://r3.o.lencr.org' ...
ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
ocsp response is valid: until Jul 27 12:59:58 2022
fetching crl from 'http://x1.c.lencr.org/' ...
using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
crl is valid: until Apr 18 01:59:59 2023
using certificate "CN=www.strongswan.org"
using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
requesting ocsp status from 'http://r3.o.lencr.org' ...
ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
ocsp response is valid: until Jul 27 12:59:58 2022
using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
fetching crl from 'http://x1.c.lencr.org/' ...
using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
crl is valid: until Apr 18 01:59:59 2023
reached self-signed root ca with a path length of 1
---
.../credentials/credential_manager.c | 54 +++++++++++++++----
1 file changed, 45 insertions(+), 9 deletions(-)
--- a/src/libstrongswan/credentials/credential_manager.c
+++ a/src/libstrongswan/credentials/credential_manager.c
@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this)
*/
static bool check_lifetime(private_credential_manager_t *this,
certificate_t *cert, char *label,
- int pathlen, bool trusted, auth_cfg_t *auth)
+ int pathlen, bool anchor, auth_cfg_t *auth)
{
time_t not_before, not_after;
cert_validator_t *validator;
@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this,
continue;
}
status = validator->check_lifetime(validator, cert,
- pathlen, trusted, auth);
+ pathlen, anchor, auth);
if (status != NEED_MORE)
{
break;
@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this,
*/
static bool check_certificate(private_credential_manager_t *this,
certificate_t *subject, certificate_t *issuer, bool online,
- int pathlen, bool trusted, auth_cfg_t *auth)
+ int pathlen, bool anchor, auth_cfg_t *auth)
{
cert_validator_t *validator;
enumerator_t *enumerator;
if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
+ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth))
{
return FALSE;
}
@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this,
continue;
}
if (!validator->validate(validator, subject, issuer,
- online, pathlen, trusted, auth))
+ online, pathlen, anchor, auth))
{
enumerator->destroy(enumerator);
return FALSE;
@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
auth_cfg_t *auth;
signature_params_t *scheme;
int pathlen;
+ bool is_anchor = FALSE;
auth = auth_cfg_create();
get_key_strength(subject, auth);
@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
issuer->get_subject(issuer));
- trusted = TRUE;
+ trusted = is_anchor = TRUE;
}
else
{
@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
DBG1(DBG_CFG, " issuer is \"%Y\"",
current->get_issuer(current));
call_hook(this, CRED_HOOK_NO_ISSUER, current);
+ if (trusted)
+ {
+ DBG1(DBG_CFG, " reached end of incomplete trust chain for "
+ "trusted certificate \"%Y\"",
+ subject->get_subject(subject));
+ }
break;
}
}
- if (!check_certificate(this, current, issuer, online,
- pathlen, trusted, auth))
+ /* don't do online verification here */
+ if (!check_certificate(this, current, issuer, FALSE,
+ pathlen, is_anchor, auth))
{
trusted = FALSE;
issuer->destroy(issuer);
@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
}
current->destroy(current);
current = issuer;
- if (trusted)
+ if (is_anchor)
{
DBG1(DBG_CFG, " reached self-signed root ca with a "
"path length of %d", pathlen);
@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this,
DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
}
+ else if (trusted && online)
+ {
+ enumerator_t *enumerator;
+ auth_rule_t rule;
+
+ /* do online revocation checks after basic validation of the chain */
+ pathlen = 0;
+ current = subject;
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &issuer))
+ {
+ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
+ {
+ if (!check_certificate(this, current, issuer, TRUE, pathlen++,
+ rule == AUTH_RULE_CA_CERT, auth))
+ {
+ trusted = FALSE;
+ break;
+ }
+ else if (rule == AUTH_RULE_CA_CERT)
+ {
+ break;
+ }
+ current = issuer;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
if (trusted)
{
result->merge(result, auth, FALSE);
--