Skip to content

Commit

Permalink
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
Browse files Browse the repository at this point in the history
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #20588)
  • Loading branch information
mattcaswell authored and t8m committed Mar 28, 2023
1 parent f675d16 commit b013765
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions crypto/x509/x509_vfy.c
Original file line number Diff line number Diff line change
Expand Up @@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
int i, cbcalled = 0;

/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);

if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
cbcalled = 1;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
if (!cbcalled) {
/* Should not be able to get here */
X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
return 0;
}
/* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
Expand Down

1 comment on commit b013765

@zhoujiren
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) is true, set 1 to the variable cbcalled.

Please sign in to comment.