
From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 19 Jan 2015 09:29:31 +0100
Subject: [PATCH] on certificate import check whether the two signature algorithms match

---
 lib/x509/x509.c |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

Index: gnutls-3.2.15/lib/x509/x509.c
===================================================================
--- gnutls-3.2.15.orig/lib/x509/x509.c	2015-03-20 15:26:48.578832565 +0100
+++ gnutls-3.2.15/lib/x509/x509.c	2015-03-20 15:34:07.053436401 +0100
@@ -162,6 +162,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
 {
 	int result = 0, need_free = 0;
 	gnutls_datum_t _data;
+	int s2;
 
 	if (cert == NULL) {
 		gnutls_assert();
@@ -221,6 +222,23 @@ gnutls_x509_crt_import(gnutls_x509_crt_t
 		goto cleanup;
 	}
 
+	result = _gnutls_x509_get_signature_algorithm(cert->cert,
+						      "signatureAlgorithm.algorithm");
+	if (result < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
+
+	s2 = _gnutls_x509_get_signature_algorithm(cert->cert,
+						  "tbsCertificate.signature.algorithm");
+	if (result != s2) {
+		_gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n",
+			gnutls_sign_get_name(result), gnutls_sign_get_name(s2));
+		gnutls_assert();
+		result = GNUTLS_E_CERTIFICATE_ERROR;
+		goto cleanup;
+	}
+
 	result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
 					  "tbsCertificate.issuer.rdnSequence",
 					  &cert->raw_issuer_dn);
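Review bot: The second lookup is not checked for failure before it is compared: `s2` may hold a negative error code, and the code then falls into the mismatch branch, where `gnutls_sign_get_name(s2)` is passed to a `%s` conversion — for a value that names no algorithm the lookup can return NULL, which is undefined behaviour in a printf-style formatter. The same concern applies to `gnutls_sign_get_name(result)` in that log line if `result` is an algorithm the name table does not know. The straightforward fix is to mirror the check already done for the first call, `if (s2 < 0) { gnutls_assert(); result = s2; goto cleanup; }`, placed before the `result != s2` comparison, so a parse failure is reported as its own error rather than logged as a mismatch and mapped to GNUTLS_E_CERTIFICATE_ERROR. It may also be worth a comment stating why the two fields are compared, e.g. `/* RFC 5280 4.1.1.2: signatureAlgorithm MUST equal tbsCertificate.signature */`. gnutls_x509_crt_import begins and ends outside this hunk.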