Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.3:Update
mbedtls
CVE-2017-14032.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-14032.patch of Package mbedtls
Index: include/polarssl/error.h =================================================================== --- include/polarssl/error.h.orig +++ include/polarssl/error.h @@ -80,7 +80,7 @@ * Name ID Nr of Errors * PEM 1 9 * PKCS#12 1 4 (Started from top) - * X509 2 18 + * X509 2 19 * PK 2 14 (Started from top, plus 0x2000) * DHM 3 9 * PKCS5 3 4 (Started from top) Index: include/polarssl/ssl.h =================================================================== --- include/polarssl/ssl.h.orig +++ include/polarssl/ssl.h @@ -1048,7 +1048,7 @@ void ssl_set_authmode( ssl_context *ssl, * * If set, the verify callback is called for each * certificate in the chain. For implementation - * information, please see \c x509parse_verify() + * information, please see \c x509_crt_verify() * * \param ssl SSL context * \param f_vrfy verification function Index: include/polarssl/x509.h =================================================================== --- include/polarssl/x509.h.orig +++ include/polarssl/x509.h @@ -76,6 +76,7 @@ #define POLARSSL_ERR_X509_BAD_INPUT_DATA -0x2800 /**< Input invalid. */ #define POLARSSL_ERR_X509_MALLOC_FAILED -0x2880 /**< Allocation of memory failed. */ #define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2900 /**< Read/write of file failed. */ +#define POLARSSL_ERR_X509_FATAL_ERROR -0x2980 /**< A fatal error occured, eg the chain is too long or the vrfy callback failed. */ /* \} name */ /** Index: include/polarssl/x509_crt.h =================================================================== --- include/polarssl/x509_crt.h.orig +++ include/polarssl/x509_crt.h @@ -232,7 +232,13 @@ int x509_crt_verify_info( char *buf, siz * * All flags left after returning from the callback * are also returned to the application. The function should - * return 0 for anything but a fatal error. + * return 0 for anything (including invalid certificates) + * other than fatal error, as a non-zero return code + * immediately aborts the verification process. For fatal + * errors, a specific error code should be used (different + * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not + * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR + * can be used if no better code is available. * * \note In case verification failed, the results can be displayed * using \c x509_crt_verify_info() Index: library/error.c =================================================================== --- library/error.c.orig +++ library/error.c @@ -496,6 +496,8 @@ void polarssl_strerror( int ret, char *b polarssl_snprintf( buf, buflen, "X509 - Allocation of memory failed" ); if( use_ret == -(POLARSSL_ERR_X509_FILE_IO_ERROR) ) polarssl_snprintf( buf, buflen, "X509 - Read/write of file failed" ); + if( use_ret == - (POLARSSL_ERR_X509_FATAL_ERROR) ) + polarssl_snprintf( buf, buflen, "X509 - A fatal error occured, eg the chain is too long or the vrfy callback failed" ); #endif /* POLARSSL_X509_USE,X509_CREATE_C */ // END generated code Index: library/x509_crt.c =================================================================== --- library/x509_crt.c.orig +++ library/x509_crt.c @@ -1915,8 +1915,8 @@ static int x509_crt_verify_child( /* path_cnt is 0 for the first intermediate CA */ if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA ) { - *flags |= BADCERT_NOT_TRUSTED; - return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); + /* return immediately as the goal is to avoid unbounded recursion */ + return( POLARSSL_ERR_X509_FATAL_ERROR ); } if( x509_time_expired( &child->valid_to ) ) @@ -2099,7 +2099,7 @@ int x509_crt_verify( x509_crt *crt, ret = x509_crt_verify_top( crt, parent, ca_crl, pathlen, selfsigned, flags, f_vrfy, p_vrfy ); if( ret != 0 ) - return( ret ); + goto exit; } else { @@ -2114,17 +2114,28 @@ int x509_crt_verify( x509_crt *crt, ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, pathlen, selfsigned, flags, f_vrfy, p_vrfy ); if( ret != 0 ) - return( ret ); + goto exit; } else { ret = x509_crt_verify_top( crt, trust_ca, ca_crl, pathlen, selfsigned, flags, f_vrfy, p_vrfy ); if( ret != 0 ) - return( ret ); + goto exit; } } +exit: + /* prevent misuse of the vrfy callback */ + if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) + ret = POLARSSL_ERR_X509_FATAL_ERROR; + + if( ret != 0 ) + { + *flags = (uint32_t) -1; + return( ret ); + } + if( *flags != 0 ) return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor