Fix the type of x400Address in GENERAL_NAME
This fixes CVE-2023-0286.
The main impact is that GENERAL_NAME_cmp, when given x400Addresses, can
interpret a pointer with the wrong type. Applications that set
X509_V_FLAG_CRL_CHECK and take CRLs from untrusted sources should take
this patch.
Bug: 266637308
Test: atest boringssl_crypto_test boringssl_ssl_test
Change-Id: Ib76265fa098df3cb0db075646773c14d59d0ca75
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56985
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 5e089d4..9f7bce8 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -3497,6 +3497,8 @@
{0x82, 0x01, 0x61},
// [2 PRIMITIVE] { "b" }
{0x82, 0x01, 0x62},
+ // [3] {}
+ {0xa3, 0x00},
// [4] {
// SEQUENCE {
// SET {
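Review bot: The only x400Address vector added is the empty one, `{0xa3, 0x00}`, so the length and content comparison that ASN1_STRING_cmp performs in the GEN_X400 arm is never exercised with two non-empty, differing values. If this table feeds a pairwise GENERAL_NAME_cmp check, as its neighbouring entries suggest, a second entry with contents, e.g. (constructed example) `// [3] { SEQUENCE {} }` / `{0xa3, 0x02, 0x30, 0x00}`, would cover both the equal and the unequal outcome for real ORAddress bytes rather than only the type fix. The assertions that consume this table are outside the hunk.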
diff --git a/src/crypto/x509v3/v3_genn.c b/src/crypto/x509v3/v3_genn.c
index fef0204..2153a1d 100644
--- a/src/crypto/x509v3/v3_genn.c
+++ b/src/crypto/x509v3/v3_genn.c
@@ -130,7 +130,7 @@
switch (a->type) {
case GEN_X400:
- return ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
case GEN_EDIPARTY:
return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
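Review bot: The GEN_X400 arm now compares x400Address as opaque bytes, which is right only because the member holds the undecoded ORAddress as an ASN1_STRING; that assumption should be stated at the case so a structured compare against the wrong type is not reintroduced, e.g. `// x400Address is the ORAddress kept as its raw encoding; compare bytewise.`. Please also confirm that the GEN_X400 entry of the GENERAL_NAME ASN.1 template (not in this diff) produces an ASN1_STRING, since the header change in this commit now promises that pointee type to every reader of the union. GENERAL_NAME_cmp's prologue, presumably including the check that both names share a type before the switch, is outside the hunk.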
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index 9db57e6..56e44c8 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -186,7 +186,7 @@
OTHERNAME *otherName; // otherName
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
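Review bot: The new `ASN1_STRING *x400Address;` would benefit from a comment, because unlike its neighbours the pointee is, if the cmp change in this commit is any guide, a raw ORAddress encoding rather than a decoded structure, and readers who remember the previous ASN1_TYPE declaration may be tempted to cast. Suggest `ASN1_STRING *x400Address;  // ORAddress, kept as its raw encoding (not an ASN1_TYPE)`. The `other` alias dropped in the following hunk was the last way to read this member as an ASN1_TYPE, so its removal is consistent with this change.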
@@ -198,7 +198,6 @@
X509_NAME *dirn; // dirn
ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier
ASN1_OBJECT *rid; // registeredID
- ASN1_TYPE *other; // x400Address
} d;
} GENERAL_NAME;