components/gnutls/patches/06-cve-2014-0092.patch
author Ann Lai <ann.lai@oracle.com>
Wed, 08 Apr 2015 10:31:09 -0700
changeset 4068 29a9d33b67fa
permissions -rw-r--r--
20231912 Move GnuTLS from Desktop to Userland consolidation

Source:
http://www.gnutls.org/security.html
Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not 
properly handle unspecified errors when verifying X.509 certificates from SSL 
servers, which allows man-in-the-middle attackers to spoof servers via a 
crafted certificate.
Status:
Need to determine if this patch has been sent upstream.

--- gnutls-2.8.6/lib/x509/verify.c.orig	Thu Mar  6 14:01:51 2014
+++ gnutls-2.8.6/lib/x509/verify.c	Thu Mar  6 14:50:52 2014
@@ -112,7 +112,7 @@
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -121,7 +121,7 @@
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -129,7 +129,7 @@
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -137,7 +137,7 @@
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   /* If the subject certificate is the same as the issuer
@@ -177,6 +177,7 @@
   else
     gnutls_assert ();
 
+fail:
   result = 0;
 
 cleanup:
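Review bot: The new `fail:` label at line 177 maps every internal error in check_if_ca to a return of 0, discarding the negative code that `gnutls_assert ()` just logged, and nothing at the label says this is deliberate. A one-line comment would stop a later cleanup from "restoring" error propagation here, which is presumably the very pattern this CVE fix is removing: `fail: /* any error means "not a CA"; never let a negative code reach the caller */`. The four `goto fail` sites are the hunks at lines 112, 121, 129 and 137; check_if_ca's signature and the remainder of the `cleanup:` block lie outside these hunks.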
@@ -269,7 +270,7 @@
   gnutls_datum_t cert_signed_data = { NULL, 0 };
   gnutls_datum_t cert_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer;
-  int ret, issuer_version, result;
+  int ret, issuer_version, result = 0;
 
   if (output)
     *output = 0;
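Review bot: `int ret, issuer_version, result = 0;` still declares `ret`, yet the later hunks (lines 328 to 374) rewrite every visible use of `ret` to `result` and drop `result = ret;`. If no other use of `ret` survives in `_gnutls_verify_certificate2`, the declaration is now dead and `-Wunused-variable` will flag it; the line would become `int issuer_version, result = 0;`. The function's signature and most of its body lie outside this hunk, so this needs confirming against the full file.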
@@ -299,7 +300,7 @@
   if (issuer_version < 0)
     {
       gnutls_assert ();
-      return issuer_version;
+      return 0;
     }
 
   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
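Review bot: `return 0;` at line 302 reports the issuer as unverified without setting `GNUTLS_CERT_INVALID` in `*output`, whereas the signature-mismatch path at line 336 does flag it. Returning 0 instead of the negative `issuer_version` is the right fail-closed direction, but a caller that inspects `*output` rather than the return value would see a clean status; the new `result = 0; goto cleanup;` paths at lines 320, 328 and 333 have the same gap. If callers are known to treat a 0 return as a broken chain regardless of `*output`, a short comment here would settle it: `/* error: report "not verified"; a 0 return is a broken chain */`.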
@@ -320,6 +321,7 @@
   if (result < 0)
     {
       gnutls_assert ();
+      result = 0;
       goto cleanup;
     }
 
@@ -328,23 +330,25 @@
   if (result < 0)
     {
       gnutls_assert ();
+      result = 0;
       goto cleanup;
     }
 
-  ret =
+  result =
     _gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature,
 				   issuer);
-  if (ret < 0)
+  if (result < 0)
     {
+      result = 0;
       gnutls_assert ();
+      goto cleanup;
     }
-  else if (ret == 0)
+  else if (result == 0)
     {
       gnutls_assert ();
       /* error. ignore it */
       if (output)
 	*output |= GNUTLS_CERT_INVALID;
-      ret = 0;
     }
 
   /* If the certificate is not self signed check if the algorithms
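Review bot: The new error branch at line 333 writes `result = 0;` before `gnutls_assert ();`, while the two branches this patch adds at lines 320 and 328 put the assignment after the assert; the three should read the same way, `gnutls_assert (); result = 0; goto cleanup;`. With `result` now carrying the outcome of `_gnutls_x509_verify_signature` straight to `cleanup:`, a comment above that call saying that a negative code is deliberately never returned would help the next reader: `/* errors are reported as 0 (unverified), never as a negative code */`. The function continues past this hunk.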
@@ -364,11 +368,10 @@
 	{
 	  if (output)
 	    *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
-	  ret = 0;
+	  result = 0;
 	}
     }
 
-  result = ret;
 
 cleanup:
   _gnutls_free_datum (&cert_signed_data);
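Review bot: Removing `result = ret;` at line 374 leaves two consecutive blank lines before `cleanup:`; drop one of them. The insecure-algorithm branch now sets `result = 0;` directly, so the value reaching `cleanup:` is whatever `_gnutls_x509_verify_signature` returned unless that branch cleared it, which appears to be the intent. The `return` after `cleanup:` lies outside this hunk.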