
Index: gnutls-3.2.4/lib/x509/verify.c
===================================================================
--- gnutls-3.2.4.orig/lib/x509/verify.c
+++ gnutls-3.2.4/lib/x509/verify.c
@@ -106,7 +106,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+	goto fail;
     }
 
   result =
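Review bot: The relabelled `goto fail` on this error path makes check_if_ca() answer 0 (not a CA) instead of propagating the negative code from the failed getter, which is the correct fail-closed behaviour but silently discards the underlying error, and nothing on the line says that this is deliberate. A one-line comment would stop a later maintainer from restoring the old propagation: `goto fail; /* any lookup error => not a CA; callers accept only 1 */`. The added line is tab-indented while the surrounding GNU-style code uses spaces. check_if_ca() begins and ends outside this hunk.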
@@ -115,7 +115,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+	goto fail;
     }
 
   result =
@@ -123,7 +123,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+	goto fail;
     }
 
   result =
@@ -131,7 +131,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+	goto fail;
     }
 
   /* If the subject certificate is the same as the issuer
@@ -183,6 +183,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   else
     gnutls_assert ();
 
+fail:
   result = 0;
 
 cleanup:
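Review bot: The new `fail:` label on the `result = 0;` line is where every error path now lands, but it is uncommented and sits directly under the no-CA `else gnutls_assert();` branch, so it reads as part of that branch rather than as the shared fail-closed exit. Suggest `fail: /* not a CA, or an error while checking: both must yield 0 so a negative return can never be mistaken for success (CVE-2014-0092) */`. Any `goto cleanup` error path elsewhere in the function that this patch did not relabel (none are visible here) would bypass this assignment and return the raw negative code, so the whole function is worth grepping. check_if_ca() starts and ends outside this hunk.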
@@ -368,8 +369,9 @@ _gnutls_verify_certificate2 (gnutls_x509
   gnutls_datum_t cert_signed_data = { NULL, 0 };
   gnutls_datum_t cert_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer = NULL;
-  int issuer_version, result, hash_algo;
+	int issuer_version, result = 0, hash_algo;
   unsigned int out = 0, usage;
+	const mac_entry_st * me;
 
   if (output)
     *output = 0;
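Review bot: `result` is now initialised to 0 so that any `goto cleanup` without an explicit assignment returns "not verified", but the resulting contract — 1 on success, 0 on any failure, never a negative code — is stated nowhere, even though the callers in _gnutls_x509_verify_certificate() now rely on it via `!= 1`. Record it at the declaration, `int issuer_version, result = 0, hash_algo; /* 0 == not verified; set to 1 only on full success */`, and in the function's header comment (outside this hunk) as "Returns 1 if the certificate was verified against one of the given issuers, 0 otherwise; negative error codes are never returned". Both added lines are tab-indented in a two-space file, and `const mac_entry_st * me;` would conventionally be written `const mac_entry_st *me;`. _gnutls_verify_certificate2() continues past this hunk.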
@@ -408,14 +410,15 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (issuer_version < 0)
     {
       gnutls_assert ();
-      return issuer_version;
+		result = 0;
+		goto cleanup;
     }
   
   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
       ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
        || issuer_version != 1))
     {
-      if (check_if_ca (cert, issuer, max_path, flags) == 0)
+      if (check_if_ca (cert, issuer, max_path, flags) != 1)
         {
           gnutls_assert ();
           out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
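Review bot: The new failure branch for `issuer_version < 0` sets `result = 0` but leaves `out` untouched, whereas the check_if_ca() branch just below sets `out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID`; if the cleanup label publishes `out` through `*output` (not visible in this hunk), the caller sees a rejection with no status flag explaining it. Suggest `out = GNUTLS_CERT_INVALID; result = 0; goto cleanup;` so the reason is reported consistently with the other paths. The two added lines are indented with tabs against the file's two-space indentation. The same `result = 0; goto cleanup;` without setting `out` recurs in the later hunks of this function.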
@@ -446,6 +449,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (result < 0)
     {
       gnutls_assert ();
+	result = 0;
       goto cleanup;
     }
 
@@ -454,6 +458,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (result < 0)
     {
       gnutls_assert ();
+	result = 0;
       goto cleanup;
     }
 
@@ -461,13 +466,20 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (result < 0)
     {
       gnutls_assert ();
+	result = 0;
       goto cleanup;
     }
 
   hash_algo = gnutls_sign_get_hash_algorithm(result);
+        me = mac_to_entry(hash_algo);
+        if (me == NULL) {
+                gnutls_assert();
+                result = 0;
+                goto cleanup;
+        }
 
   result =
-    _gnutls_x509_verify_data (mac_to_entry(hash_algo), &cert_signed_data, &cert_signature,
+    _gnutls_x509_verify_data (me, &cert_signed_data, &cert_signature,
                                    issuer);
   if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
     {
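Review bot: The added `me == NULL` guard is the substantive part of this hunk — `gnutls_sign_get_hash_algorithm()` can yield a hash that `mac_to_entry()` does not know, and the old code passed the resulting NULL straight into _gnutls_x509_verify_data() — yet it carries no comment saying so and is indented with eight spaces in a two-space file. Suggest `if (me == NULL) { /* unknown/unsupported hash for this signature: reject instead of passing NULL to the verifier */`. As in the other new failure branches, `out` is not set here, so if cleanup copies `out` into `*output` the caller gets no status bit for the rejection; `out = GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;` would be the closest existing flag, if that flag is defined in this version. _gnutls_verify_certificate2() continues past this hunk.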
@@ -481,6 +493,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   else if (result < 0)
     {
       gnutls_assert();
+	result = 0;
       goto cleanup;
     }
 
@@ -650,7 +663,7 @@ _gnutls_x509_verify_certificate (const g
   ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
                                      trusted_cas, tcas_size, flags, &output,
                                      &issuer, now, &max_path, func);
-  if (ret == 0)
+  if (ret != 1)
     {
       /* if the last certificate in the certificate
        * list is invalid, then the certificate is not
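Review bot: Changing `ret == 0` to `ret != 1` is what closes the hole — a negative error from _gnutls_verify_certificate2() previously fell through this check as success — but nothing at the call site records that 1 is the only acceptable value, so a later "simplification" back to `== 0` or `< 0` would reopen CVE-2014-0092. Suggest a comment on the condition: `if (ret != 1) /* only 1 means verified; 0 and any negative code are failures */`. The existing comment below ("if the last certificate in the certificate list is invalid") could also say that an error while verifying is treated as invalid. _gnutls_x509_verify_certificate() begins and ends outside this hunk.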
@@ -678,7 +691,7 @@ _gnutls_x509_verify_certificate (const g
       if ((ret =
            _gnutls_verify_certificate2 (certificate_list[i - 1],
                                         &certificate_list[i], 1, flags,
-                                        &output, NULL, now, &max_path, func)) == 0)
+                                        &output, NULL, now, &max_path, func)) != 1)
         {
           status |= output;
           status |= GNUTLS_CERT_INVALID;