57 lines
1.9 KiB
Diff
57 lines
1.9 KiB
Diff
From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
|
|
From: Matt Caswell <matt@openssl.org>
|
|
Date: Tue, 7 Mar 2023 16:52:55 +0000
|
|
Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in
|
|
leaf
|
|
certs
|
|
|
|
Even though we check the leaf cert to confirm it is valid, we
|
|
later ignored the invalid flag and did not notice that the leaf
|
|
cert was bad.
|
|
|
|
Fixes: CVE-2023-0465
|
|
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/20588)
|
|
|
|
Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95
|
|
Conflict: Context conflict
|
|
---
|
|
Cryptlib/OpenSSL/crypto/x509/x509_vfy.c | 11 +++++++++--
|
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
|
|
index 96f306b..a6878fe 100644
|
|
--- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
|
|
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
|
|
@@ -1768,16 +1768,23 @@ static int check_policy(X509_STORE_CTX *ctx)
|
|
* Locate certificates with bad extensions and notify callback.
|
|
*/
|
|
X509 *x;
|
|
- int i;
|
|
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
|
+ int i, cbcalled = 0;
|
|
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
|
x = sk_X509_value(ctx->chain, i);
|
|
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
|
|
continue;
|
|
+ cbcalled = 1;
|
|
ctx->current_cert = x;
|
|
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
|
|
if (!ctx->verify_cb(0, ctx))
|
|
return 0;
|
|
}
|
|
+ if (!cbcalled) {
|
|
+ /* Should not be able to get here */
|
|
+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
|
|
+ return 0;
|
|
+ }
|
|
+ /* The callback ignored the error so we return success */
|
|
return 1;
|
|
}
|
|
if (ret == -2) {
|
|
--
|
|
2.33.0
|
|
|