root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs 

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)
This commit is contained in:
Matt Caswell 2023-03-07 16:52:55 +00:00 committed by Tomas Mraz
parent d2f0d05807
commit 1dd43e0709
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
crypto/x509/x509_vfy.c
View File

@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
goto memerr;
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
if (!cbcalled) {
/* Should not be able to get here */
ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
return 0;
}
/* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {