From 03afa0dfe07fc58931780105d2f1010cd9df26e2 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 7 Mar 2023 16:52:55 +0000 Subject: [PATCH 03/11] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz reference: https://github.com/openssl/openssl/pull/20588 Signed-off-by: yexiao --- .../Library/OpensslLib/openssl/crypto/x509/x509_vfy.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c index f28f2d26..0c6ebb45 100644 --- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c +++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c @@ -1615,18 +1615,25 @@ static int check_policy(X509_STORE_CTX *ctx) } /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; + cbcalled = 1; if (!verify_cb_cert(ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION)) return 0; } + if (!cbcalled) { + /* Should not be able to get here */ + X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { -- 2.33.0