Skip to content

Commit 1032517

Browse files
mattcaswellt8m
authored andcommitted
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
1 parent de61835 commit 1032517

File tree

1 file changed

+10
-1
lines changed

1 file changed

+10
-1
lines changed

Diff for: crypto/x509/x509_vfy.c

+10-1
Original file line numberDiff line numberDiff line change
@@ -1780,15 +1780,24 @@ static int check_policy(X509_STORE_CTX *ctx)
17801780
*/
17811781
X509 *x;
17821782
int i;
1783-
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1783+
int cbcalled = 0;
1784+
1785+
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
17841786
x = sk_X509_value(ctx->chain, i);
17851787
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
17861788
continue;
1789+
cbcalled = 1;
17871790
ctx->current_cert = x;
17881791
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
17891792
if (!ctx->verify_cb(0, ctx))
17901793
return 0;
17911794
}
1795+
if (!cbcalled) {
1796+
/* Should not be able to get here */
1797+
X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
1798+
return 0;
1799+
}
1800+
/* The callback ignored the error so we return success */
17921801
return 1;
17931802
}
17941803
if (ret == -2) {

0 commit comments

Comments
 (0)