File gnutls-CVE-2015-0294.patch of Package gnutls.3982

From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 19 Jan 2015 09:29:31 +0100
Subject: [PATCH] on certificate import check whether the two signature algorithms match

---
 lib/x509/x509.c |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

Index: gnutls-3.2.4/lib/x509/x509.c
===================================================================
--- gnutls-3.2.4.orig/lib/x509/x509.c	2015-03-20 19:26:28.623144079 +0100
+++ gnutls-3.2.4/lib/x509/x509.c	2015-03-20 19:27:25.328957294 +0100
@@ -165,6 +165,7 @@ gnutls_x509_crt_import (gnutls_x509_crt_
 {
   int result = 0, need_free = 0;
   gnutls_datum_t _data;
+  int s2;
 
   if (cert == NULL)
     {
@@ -227,6 +228,23 @@ gnutls_x509_crt_import (gnutls_x509_crt_
       goto cleanup;
     }
   
+	result = _gnutls_x509_get_signature_algorithm(cert->cert,
+						      "signatureAlgorithm.algorithm");
+	if (result < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
+
+	s2 = _gnutls_x509_get_signature_algorithm(cert->cert,
+						  "tbsCertificate.signature.algorithm");
+	if (result != s2) {
+		_gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n",
+			gnutls_sign_get_name(result), gnutls_sign_get_name(s2));
+		gnutls_assert();
+		result = GNUTLS_E_CERTIFICATE_ERROR;
+		goto cleanup;
+	}
+
   result = _gnutls_x509_get_raw_dn2 (cert->cert, &_data,
                               "tbsCertificate.issuer.rdnSequence", 
                               &cert->raw_issuer_dn);
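Review bot: The second lookup's return value `s2` is never checked for failure on its own; a negative error code from `_gnutls_x509_get_signature_algorithm(cert->cert, "tbsCertificate.signature.algorithm")` only fails indirectly through `result != s2`, so a parse error is reported as a mismatch and `gnutls_sign_get_name(s2)` is called with an error code, which presumably yields NULL for the `%s` argument of the debug log. A dedicated guard before the comparison keeps the error distinct from the cross-check, e.g. `if (s2 < 0) { gnutls_assert(); result = s2; goto cleanup; }`. As a point of style, the added lines are tab-indented with K&R braces while the surrounding function body (lines such as `int result = 0, need_free = 0;` and the `_gnutls_x509_get_raw_dn2` call) uses the two-space GNU layout; matching the existing indentation would keep the function readable. The enclosing `gnutls_x509_crt_import` starts and ends outside this hunk.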