1*4882a593SmuzhiyunFrom 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Matt Caswell <matt@openssl.org> 3*4882a593SmuzhiyunDate: Tue, 7 Mar 2023 16:52:55 +0000 4*4882a593SmuzhiyunSubject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf 5*4882a593Smuzhiyun certs 6*4882a593Smuzhiyun 7*4882a593SmuzhiyunEven though we check the leaf cert to confirm it is valid, we 8*4882a593Smuzhiyunlater ignored the invalid flag and did not notice that the leaf 9*4882a593Smuzhiyuncert was bad. 10*4882a593Smuzhiyun 11*4882a593SmuzhiyunFixes: CVE-2023-0465 12*4882a593Smuzhiyun 13*4882a593SmuzhiyunReviewed-by: Hugo Landau <hlandau@openssl.org> 14*4882a593SmuzhiyunReviewed-by: Tomas Mraz <tomas@openssl.org> 15*4882a593Smuzhiyun(Merged from https://github.com/openssl/openssl/pull/20587) 16*4882a593Smuzhiyun 17*4882a593SmuzhiyunUpstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb] 18*4882a593SmuzhiyunCVE: CVE-2023-0465 19*4882a593SmuzhiyunSigned-off-by: Siddharth Doshi <sdoshi@mvista.com> 20*4882a593Smuzhiyun--- 21*4882a593Smuzhiyun crypto/x509/x509_vfy.c | 12 ++++++++++-- 22*4882a593Smuzhiyun 1 file changed, 10 insertions(+), 2 deletions(-) 23*4882a593Smuzhiyun 24*4882a593Smuzhiyundiff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c 25*4882a593Smuzhiyunindex 9384f1d..a0282c3 100644 26*4882a593Smuzhiyun--- a/crypto/x509/x509_vfy.c 27*4882a593Smuzhiyun+++ b/crypto/x509/x509_vfy.c 28*4882a593Smuzhiyun@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) 29*4882a593Smuzhiyun goto memerr; 30*4882a593Smuzhiyun /* Invalid or inconsistent extensions */ 31*4882a593Smuzhiyun if (ret == X509_PCY_TREE_INVALID) { 32*4882a593Smuzhiyun- int i; 33*4882a593Smuzhiyun+ int i, cbcalled = 0; 34*4882a593Smuzhiyun 35*4882a593Smuzhiyun /* Locate certificates with bad extensions and notify callback. */ 36*4882a593Smuzhiyun- for (i = 1; i < sk_X509_num(ctx->chain); i++) { 37*4882a593Smuzhiyun+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { 38*4882a593Smuzhiyun X509 *x = sk_X509_value(ctx->chain, i); 39*4882a593Smuzhiyun 40*4882a593Smuzhiyun+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) 41*4882a593Smuzhiyun+ cbcalled = 1; 42*4882a593Smuzhiyun CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, 43*4882a593Smuzhiyun ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); 44*4882a593Smuzhiyun } 45*4882a593Smuzhiyun+ if (!cbcalled) { 46*4882a593Smuzhiyun+ /* Should not be able to get here */ 47*4882a593Smuzhiyun+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); 48*4882a593Smuzhiyun+ return 0; 49*4882a593Smuzhiyun+ } 50*4882a593Smuzhiyun+ /* The callback ignored the error so we return success */ 51*4882a593Smuzhiyun return 1; 52*4882a593Smuzhiyun } 53*4882a593Smuzhiyun if (ret == X509_PCY_TREE_FAILURE) { 54*4882a593Smuzhiyun-- 55*4882a593Smuzhiyun2.35.7 56*4882a593Smuzhiyun 57