Google Git
Sign in
boringssl / boringssl / refs/heads/grpc-202302^! / .
commit6195bf8242156c9a2fa75702eee058f91b86a88b[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Jan 31 13:36:55 2023 -0500
committerDavid Benjamin <davidben@google.com>Fri Feb 10 19:05:04 2023 +0000
tree788ade99f95fb9f827a2970aff79956f8e06ffbb
parentb9232f9e27e5668bc0414879dcdedb2a59ea75f2 [diff]
Fix the type of x400Address in GENERAL_NAME

This fixes CVE-2023-0286.

The main impact is that GENERAL_NAME_cmp, when given x400Addresses, can
interpret a pointer with the wrong type. Applications that set
X509_V_FLAG_CRL_CHECK and take CRLs from untrusted sources should take
this patch.

Change-Id: Ib76265fa098df3cb0db075646773c14d59d0ca75
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56985
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit f219ae96bef5be04e78ddb5b5226ccb6439bd3ed)
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57165

diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 77c383a..9808073 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc

@@ -3105,6 +3105,8 @@
       {0x82, 0x01, 0x61},
       // [2 PRIMITIVE] { "b" }
       {0x82, 0x01, 0x62},
+      // [3] {}
+      {0xa3, 0x00},
       // [4] {
       //   SEQUENCE {
       //     SET {

diff --git a/src/crypto/x509v3/v3_genn.c b/src/crypto/x509v3/v3_genn.c
index ae79374..16704be 100644
--- a/src/crypto/x509v3/v3_genn.c
+++ b/src/crypto/x509v3/v3_genn.c

@@ -129,7 +129,7 @@
 
     switch (a->type) {
     case GEN_X400:
-        return ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
 
     case GEN_EDIPARTY:
         return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);

diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index acff637..59558cd 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h

@@ -187,7 +187,7 @@
     OTHERNAME *otherName;  // otherName
     ASN1_IA5STRING *rfc822Name;
     ASN1_IA5STRING *dNSName;
-    ASN1_TYPE *x400Address;
+    ASN1_STRING *x400Address;
     X509_NAME *directoryName;
     EDIPARTYNAME *ediPartyName;
     ASN1_IA5STRING *uniformResourceIdentifier;
@@ -199,7 +199,6 @@
     X509_NAME *dirn;        // dirn
     ASN1_IA5STRING *ia5;    // rfc822Name, dNSName, uniformResourceIdentifier
     ASN1_OBJECT *rid;       // registeredID
-    ASN1_TYPE *other;       // x400Address
   } d;
 } GENERAL_NAME;