Fix the type of x400Address in GENERAL_NAME This fixes CVE-2023-0286. The main impact is that GENERAL_NAME_cmp, when given x400Addresses, can interpret a pointer with the wrong type. Applications that set X509_V_FLAG_CRL_CHECK and take CRLs from untrusted sources should take this patch. Change-Id: Ib76265fa098df3cb0db075646773c14d59d0ca75 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56985 Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> (cherry picked from commit f219ae96bef5be04e78ddb5b5226ccb6439bd3ed) Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57165
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc index 77c383a..9808073 100644 --- a/src/crypto/x509/x509_test.cc +++ b/src/crypto/x509/x509_test.cc
@@ -3105,6 +3105,8 @@ {0x82, 0x01, 0x61}, // [2 PRIMITIVE] { "b" } {0x82, 0x01, 0x62}, + // [3] {} + {0xa3, 0x00}, // [4] { // SEQUENCE { // SET {
diff --git a/src/crypto/x509v3/v3_genn.c b/src/crypto/x509v3/v3_genn.c index ae79374..16704be 100644 --- a/src/crypto/x509v3/v3_genn.c +++ b/src/crypto/x509v3/v3_genn.c
@@ -129,7 +129,7 @@ switch (a->type) { case GEN_X400: - return ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); case GEN_EDIPARTY: return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h index acff637..59558cd 100644 --- a/src/include/openssl/x509v3.h +++ b/src/include/openssl/x509v3.h
@@ -187,7 +187,7 @@ OTHERNAME *otherName; // otherName ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; @@ -199,7 +199,6 @@ X509_NAME *dirn; // dirn ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier ASN1_OBJECT *rid; // registeredID - ASN1_TYPE *other; // x400Address } d; } GENERAL_NAME;