- From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001
- From: Matt Caswell <[email protected]>
- Date: Tue, 7 Mar 2023 16:52:55 +0000
- Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
- Even though we check the leaf cert to confirm it is valid, we
- later ignored the invalid flag and did not notice that the leaf
- cert was bad.
- Fixes: CVE-2023-0465
- Reviewed-by: Hugo Landau <[email protected]>
- Reviewed-by: Tomas Mraz <[email protected]>
- (Merged from https://github.com/openssl/openssl/pull/20587)
- --- a/crypto/x509/x509_vfy.c
- +++ b/crypto/x509/x509_vfy.c
- @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *
- goto memerr;
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
- - int i;
- + int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
- - for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- + for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
- + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
- + cbcalled = 1;
- CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
- ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
- }
- + if (!cbcalled) {
- + /* Should not be able to get here */
- + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
- + return 0;
- + }
- + /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
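Review bot: The `EXFLAG_INVALID_POLICY` test is now evaluated twice per chain element, once to set `cbcalled` and again inside `CB_FAIL_IF`; hoisting it keeps the bookkeeping and the callback decision visibly tied to the same condition: `int invalid = (x->ex_flags & EXFLAG_INVALID_POLICY) != 0;` then `if (invalid) cbcalled = 1;` and `CB_FAIL_IF(invalid, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);`. The `!cbcalled` guard also deserves a why-comment rather than just "Should not be able to get here", since it is the line that prevents a disagreement between the policy-tree result and the per-cert flags from being reported as success: `/* X509_PCY_TREE_INVALID must be backed by at least one cert flagged EXFLAG_INVALID_POLICY; if none was found the flags and the tree disagree, so fail closed instead of returning 1. */`. The name `cbcalled` records only that a flagged cert was seen; whether `CB_FAIL_IF` actually invoked the verify callback is decided inside that macro, which is outside this hunk, so a name like `found_invalid` would be more literal. `check_policy` begins before the hunk and continues after it.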