| From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001 |
| From: Matt Caswell <matt@openssl.org> |
| Date: Tue, 7 Mar 2023 16:52:55 +0000 |
| Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf |
| certs |
| |
| Even though the leaf cert is checked and flagged when its policy |
| extension is invalid, the loop that reports invalid policy extensions |
| skipped chain index 0, so the flag on the leaf cert was ignored and the |
| bad leaf cert went unnoticed. |
| |
| Fixes: CVE-2023-0465 |
| |
| Reviewed-by: Hugo Landau <hlandau@openssl.org> |
| Reviewed-by: Tomas Mraz <tomas@openssl.org> |
| (Merged from https://github.com/openssl/openssl/pull/20587) |
| --- |
| crypto/x509/x509_vfy.c | 12 ++++++++++-- |
| 1 file changed, 10 insertions(+), 2 deletions(-) |
| |
| diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c |
| index 9384f1da9b..a0282c3ef1 100644 |
| --- a/crypto/x509/x509_vfy.c |
| +++ b/crypto/x509/x509_vfy.c |
| @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) |
| goto memerr; |
| /* Invalid or inconsistent extensions */ |
| if (ret == X509_PCY_TREE_INVALID) { |
| - int i; |
| + int i, cbcalled = 0; |
| |
| /* Locate certificates with bad extensions and notify callback. */ |
| - for (i = 1; i < sk_X509_num(ctx->chain); i++) { |
| + for (i = 0; i < sk_X509_num(ctx->chain); i++) { |
| X509 *x = sk_X509_value(ctx->chain, i); |
| |
| + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) |
| + cbcalled = 1; |
| CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, |
| ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); |
| } |
| + if (!cbcalled) { |
| + /* Should not be able to get here */ |
| + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); |
| + return 0; |
| + } |
| + /* The callback ignored the error so we return success */ |
| return 1; |
| } |
| if (ret == X509_PCY_TREE_FAILURE) { |
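Review bot: The flag test `(x->ex_flags & EXFLAG_INVALID_POLICY) != 0` is evaluated twice per iteration (once to set `cbcalled`, once inside `CB_FAIL_IF`), which invites the two conditions drifting apart in a later edit; hoist it once per certificate: `int invalid = (x->ex_flags & EXFLAG_INVALID_POLICY) != 0;` then `if (invalid) cbcalled = 1;` and `CB_FAIL_IF(invalid, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);`. The name `cbcalled` is also slightly misleading, since what the loop records is that an invalid flag was seen on some chain element, and whether the verify callback actually ran depends on `CB_FAIL_IF`, whose definition is outside this hunk. The `/* Should not be able to get here */` comment would be more useful if it stated the fail-closed intent, e.g. `/* The policy tree was INVALID but no chain element carries EXFLAG_INVALID_POLICY; the two disagree, so fail rather than silently accept the chain. */`, because that branch is what keeps an inconsistent state from turning into `return 1`. Note that check_policy begins before this hunk, so the setup of `ret` and the `memerr` path are not visible here.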
| -- |
| 2.34.1 |