Skip to content

Commit b013765

Browse files
mattcaswellt8m
authored andcommitted
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20588)
1 parent f675d16 commit b013765

File tree

1 file changed

+9
-2
lines changed

1 file changed

+9
-2
lines changed

Diff for: crypto/x509/x509_vfy.c

+9-2
Original file line numberDiff line numberDiff line change
@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
16491649
}
16501650
/* Invalid or inconsistent extensions */
16511651
if (ret == X509_PCY_TREE_INVALID) {
1652-
int i;
1652+
int i, cbcalled = 0;
16531653

16541654
/* Locate certificates with bad extensions and notify callback. */
1655-
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1655+
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
16561656
X509 *x = sk_X509_value(ctx->chain, i);
16571657

16581658
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
16591659
continue;
1660+
cbcalled = 1;
16601661
if (!verify_cb_cert(ctx, x, i,
16611662
X509_V_ERR_INVALID_POLICY_EXTENSION))
16621663
return 0;
16631664
}
1665+
if (!cbcalled) {
1666+
/* Should not be able to get here */
1667+
X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
1668+
return 0;
1669+
}
1670+
/* The callback ignored the error so we return success */
16641671
return 1;
16651672
}
16661673
if (ret == X509_PCY_TREE_FAILURE) {

0 commit comments

Comments
 (0)