commit facfb1ab745646e97a1920977ae4a9965ea61d5c Author: Matt Caswell Date: Tue Mar 7 16:52:55 2023 +0000 Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20586) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9384f1da9b..a0282c3ef1 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) goto memerr; /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) + cbcalled = 1; CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); } + if (!cbcalled) { + /* Should not be able to get here */ + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) {