package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch

   1 From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001
   2 From: Matt Caswell <matt@openssl.org>
   3 Date: Tue, 7 Mar 2023 16:52:55 +0000
   4 Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
   5  certs
   6
   7 Even though we check the leaf cert to confirm it is valid, we
   8 later ignored the invalid flag and did not notice that the leaf
   9 cert was bad.
  10
  11 Fixes: CVE-2023-0465
  12
  13 Reviewed-by: Hugo Landau <hlandau@openssl.org>
  14 Reviewed-by: Tomas Mraz <tomas@openssl.org>
  15 (Merged from https://github.com/openssl/openssl/pull/20587)
  16
  17 --- a/crypto/x509/x509_vfy.c
  18 +++ b/crypto/x509/x509_vfy.c
  19 @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *
  20          goto memerr;
  21      /* Invalid or inconsistent extensions */
  22      if (ret == X509_PCY_TREE_INVALID) {
  23 -        int i;
  24 +        int i, cbcalled = 0;
  25
  26          /* Locate certificates with bad extensions and notify callback. */
  27 -        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
  28 +        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
  29              X509 *x = sk_X509_value(ctx->chain, i);
  30
  31 +            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
  32 +                cbcalled = 1;
  33              CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
  34                         ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
  35          }
  36 +        if (!cbcalled) {
  37 +            /* Should not be able to get here */
  38 +            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
  39 +            return 0;
  40 +        }
  41 +        /* The callback ignored the error so we return success */
  42          return 1;
  43      }
  44      if (ret == X509_PCY_TREE_FAILURE) {