packages/edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
edk2/0047-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
yexiao 42c6afb519 Fix some CVE 
Fix CVE-2023-0464、CVE-2023-0465、CVE-2023-0466
CVE-2023-2650、CVE-2023-3446、CVE-2023-3817、
CVE-2024-0727

Signed-off-by: yexiao <yexiao7@huawei.com>
(cherry picked from commit 18b1d8bb62840c170fd6311b04ba9a571794e566)
2024-02-22 23:01:41 +08:00

57 lines
2.0 KiB
Diff
Raw Blame History

From e7adfb998e27325a2c51cec688582b6621062eb5 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 7 Mar 2023 16:52:55 +0000
Subject: [PATCH 03/11] Ensure that EXFLAG_INVALID_POLICY is checked even in
leaf certs
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
reference: https://github.com/openssl/openssl/pull/20588
Signed-off-by: yexiao <yexiao7@huawei.com>
---
.../Library/OpensslLib/openssl/crypto/x509/x509_vfy.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
index f28f2d26..0c6ebb45 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c
@@ -1615,18 +1615,25 @@ static int check_policy(X509_STORE_CTX *ctx)
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
+ cbcalled = 1;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink