Fix the type of x400Address in GENERAL_NAME
This fixes CVE-2023-0286.
The main impact is that GENERAL_NAME_cmp, when given x400Addresses, can
interpret a pointer with the wrong type. Applications that set
X509_V_FLAG_CRL_CHECK and take CRLs from untrusted sources should take
this patch.
Change-Id: Ib76265fa098df3cb0db075646773c14d59d0ca75
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56985
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit f219ae96bef5be04e78ddb5b5226ccb6439bd3ed)
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57165
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 77c383a..9808073 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -3105,6 +3105,8 @@
{0x82, 0x01, 0x61},
// [2 PRIMITIVE] { "b" }
{0x82, 0x01, 0x62},
+ // [3] {}
+ {0xa3, 0x00},
// [4] {
// SEQUENCE {
// SET {
diff --git a/src/crypto/x509v3/v3_genn.c b/src/crypto/x509v3/v3_genn.c
index ae79374..16704be 100644
--- a/src/crypto/x509v3/v3_genn.c
+++ b/src/crypto/x509v3/v3_genn.c
@@ -129,7 +129,7 @@
switch (a->type) {
case GEN_X400:
- return ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
case GEN_EDIPARTY:
return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index acff637..59558cd 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -187,7 +187,7 @@
OTHERNAME *otherName; // otherName
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
@@ -199,7 +199,6 @@
X509_NAME *dirn; // dirn
ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier
ASN1_OBJECT *rid; // registeredID
- ASN1_TYPE *other; // x400Address
} d;
} GENERAL_NAME;