summaryrefslogtreecommitdiff
path: root/package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch')
-rw-r--r--package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch b/package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
new file mode 100644
index 0000000000..01819c15a8
--- /dev/null
+++ b/package/libs/openssl/patches/210-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
@@ -0,0 +1,44 @@
+From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20587)
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *
+ goto memerr;
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+- int i;
++ int i, cbcalled = 0;
+
+ /* Locate certificates with bad extensions and notify callback. */
+- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+
++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++ cbcalled = 1;
+ CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+ ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+ }
++ if (!cbcalled) {
++ /* Should not be able to get here */
++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ /* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {
View Lorry Controller Status