File CVE-2017-14032.patch of Package mbedtls

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-14032.patch of Package mbedtls

Index: include/polarssl/error.h
===================================================================
--- include/polarssl/error.h.orig
+++ include/polarssl/error.h
@@ -80,7 +80,7 @@
  * Name      ID  Nr of Errors
  * PEM       1   9
  * PKCS#12   1   4 (Started from top)
- * X509      2   18
+ * X509      2   19
  * PK        2   14 (Started from top, plus 0x2000)
  * DHM       3   9
  * PKCS5     3   4 (Started from top)
Index: include/polarssl/ssl.h
===================================================================
--- include/polarssl/ssl.h.orig
+++ include/polarssl/ssl.h
@@ -1048,7 +1048,7 @@ void ssl_set_authmode( ssl_context *ssl,
  *
  *                 If set, the verify callback is called for each
  *                 certificate in the chain. For implementation
- *                 information, please see \c x509parse_verify()
+ *                 information, please see \c x509_crt_verify()
  *
  * \param ssl      SSL context
  * \param f_vrfy   verification function
Index: include/polarssl/x509.h
===================================================================
--- include/polarssl/x509.h.orig
+++ include/polarssl/x509.h
@@ -76,6 +76,7 @@
 #define POLARSSL_ERR_X509_BAD_INPUT_DATA                   -0x2800  /**< Input invalid. */
 #define POLARSSL_ERR_X509_MALLOC_FAILED                    -0x2880  /**< Allocation of memory failed. */
 #define POLARSSL_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< Read/write of file failed. */
+#define POLARSSL_ERR_X509_FATAL_ERROR                      -0x2980  /**< A fatal error occured, eg the chain is too long or the vrfy callback failed. */
 /* \} name */
 
 /**
Index: include/polarssl/x509_crt.h
===================================================================
--- include/polarssl/x509_crt.h.orig
+++ include/polarssl/x509_crt.h
@@ -232,7 +232,13 @@ int x509_crt_verify_info( char *buf, siz
  *
  *                 All flags left after returning from the callback
  *                 are also returned to the application. The function should
- *                 return 0 for anything but a fatal error.
+ *                 return 0 for anything (including invalid certificates)
+ *                 other than fatal error, as a non-zero return code
+ *                 immediately aborts the verification process. For fatal
+ *                 errors, a specific error code should be used (different
+ *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
+ *                 can be used if no better code is available.
  *
  * \note           In case verification failed, the results can be displayed
  *                 using \c x509_crt_verify_info()
Index: library/error.c
===================================================================
--- library/error.c.orig
+++ library/error.c
@@ -496,6 +496,8 @@ void polarssl_strerror( int ret, char *b
             polarssl_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
         if( use_ret == -(POLARSSL_ERR_X509_FILE_IO_ERROR) )
             polarssl_snprintf( buf, buflen, "X509 - Read/write of file failed" );
+        if( use_ret == - (POLARSSL_ERR_X509_FATAL_ERROR) )
+            polarssl_snprintf( buf, buflen, "X509 - A fatal error occured, eg the chain is too long or the vrfy callback failed" );
 #endif /* POLARSSL_X509_USE,X509_CREATE_C */
         // END generated code
 
Index: library/x509_crt.c
===================================================================
--- library/x509_crt.c.orig
+++ library/x509_crt.c
@@ -1915,8 +1915,8 @@ static int x509_crt_verify_child(
     /* path_cnt is 0 for the first intermediate CA */
     if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
     {
-        *flags |= BADCERT_NOT_TRUSTED;
-        return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
+        /* return immediately as the goal is to avoid unbounded recursion */
+        return( POLARSSL_ERR_X509_FATAL_ERROR );
     }
 
     if( x509_time_expired( &child->valid_to ) )
@@ -2099,7 +2099,7 @@ int x509_crt_verify( x509_crt *crt,
         ret = x509_crt_verify_top( crt, parent, ca_crl,
                                    pathlen, selfsigned, flags, f_vrfy, p_vrfy );
         if( ret != 0 )
-            return( ret );
+            goto exit;
     }
     else
     {
@@ -2114,17 +2114,28 @@ int x509_crt_verify( x509_crt *crt,
             ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl,
                                          pathlen, selfsigned, flags, f_vrfy, p_vrfy );
             if( ret != 0 )
-                return( ret );
+                goto exit;
         }
         else
         {
             ret = x509_crt_verify_top( crt, trust_ca, ca_crl,
                                        pathlen, selfsigned, flags, f_vrfy, p_vrfy );
             if( ret != 0 )
-                return( ret );
+                goto exit;
         }
     }
 
+exit:
+    /* prevent misuse of the vrfy callback */
+    if( ret  == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+        ret = POLARSSL_ERR_X509_FATAL_ERROR;
+
+    if( ret != 0 )
+    {
+        *flags = (uint32_t) -1;
+        return( ret );
+    }
+
     if( *flags != 0 )
         return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );

Places

File CVE-2017-14032.patch of Package mbedtls

Places