From 27892001331da24704fca8fa39041289ff7d3cd9 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Mon, 03 Mar 2014
Subject: CVE-2014-0092 (GNUTLS-SA-2014-2)

Fix vulnerabilities in the certificate verification code path.
The vulnerabilities can be exploited such that specially-crafted
certificates can bypass certificate validation checks.

This is a backport adaptation for use with GnuTLS 2.8.6.

Relevant upstream commit:
-------------------------
https://gitorious.org/gnutls/gnutls/commit/6aa26f78150ccb

---
 lib/x509/verify.c |   17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -112,7 +112,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -121,7 +121,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -129,7 +129,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   result =
@@ -137,7 +137,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   if (result < 0)
     {
       gnutls_assert ();
-      goto cleanup;
+      goto fail;
     }
 
   /* If the subject certificate is the same as the issuer
@@ -177,6 +177,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
   else
     gnutls_assert ();
 
+fail:
   result = 0;
 
 cleanup:
@@ -269,7 +270,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   gnutls_datum_t cert_signed_data = { NULL, 0 };
   gnutls_datum_t cert_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer;
-  int ret, issuer_version, result;
+  int ret, issuer_version, result = 0;
 
   if (output)
     *output = 0;
@@ -299,7 +300,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (issuer_version < 0)
     {
       gnutls_assert ();
-      return issuer_version;
+      return 0;
     }
 
   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
@@ -320,6 +321,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (result < 0)
     {
       gnutls_assert ();
+      result = 0;
       goto cleanup;
     }
 
@@ -328,6 +330,7 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (result < 0)
     {
       gnutls_assert ();
+      result = 0;
       goto cleanup;
     }
 
@@ -337,6 +340,8 @@ _gnutls_verify_certificate2 (gnutls_x509
   if (ret < 0)
     {
       gnutls_assert ();
+      result = 0;
+      goto cleanup;
     }
   else if (ret == 0)
     {