openssl3/contribs10/0107-CVE-2023-0286-X400.patch

From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 17 Jan 2023 17:45:42 +0000
Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
 (3.0)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
 CHANGES.md                  | 19 +++++++++++++++++++
 crypto/x509/v3_genn.c       |  2 +-
 include/openssl/x509v3.h.in |  2 +-
 test/v3nametest.c           |  8 ++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
index c0a7166cd0..1741c2d2f6 100644
--- a/crypto/x509/v3_genn.c
+++ b/crypto/x509/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index d00a66a343..c087e3cf92 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
index 6d2e2f8e27..0341995dde 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -644,6 +644,14 @@ static struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x00
+        },
+        2
     }
 };
 
-- 
2.39.1

1	jpp	1.1	From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
2			From: Hugo Landau <hlandau@openssl.org>
3			Date: Tue, 17 Jan 2023 17:45:42 +0000
4			Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
5			(3.0)
6
7			Reviewed-by: Paul Dale <pauli@openssl.org>
8			Reviewed-by: Tomas Mraz <tomas@openssl.org>
9			---
10			CHANGES.md \| 19 +++++++++++++++++++
11			crypto/x509/v3_genn.c \| 2 +-
12			include/openssl/x509v3.h.in \| 2 +-
13			test/v3nametest.c \| 8 ++++++++
14			4 files changed, 29 insertions(+), 2 deletions(-)
15
16			diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
17			index c0a7166cd0..1741c2d2f6 100644
18			--- a/crypto/x509/v3_genn.c
19			+++ b/crypto/x509/v3_genn.c
20			@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME a, GENERAL_NAME b)
21			return -1;
22			switch (a->type) {
23			case GEN_X400:
24			- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
25			+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
26			break;
27
28			case GEN_EDIPARTY:
29			diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
30			index d00a66a343..c087e3cf92 100644
31			--- a/include/openssl/x509v3.h.in
32			+++ b/include/openssl/x509v3.h.in
33			@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
34			OTHERNAME otherName; / otherName */
35			ASN1_IA5STRING *rfc822Name;
36			ASN1_IA5STRING *dNSName;
37			- ASN1_TYPE *x400Address;
38			+ ASN1_STRING *x400Address;
39			X509_NAME *directoryName;
40			EDIPARTYNAME *ediPartyName;
41			ASN1_IA5STRING *uniformResourceIdentifier;
42			diff --git a/test/v3nametest.c b/test/v3nametest.c
43			index 6d2e2f8e27..0341995dde 100644
44			--- a/test/v3nametest.c
45			+++ b/test/v3nametest.c
46			@@ -644,6 +644,14 @@ static struct gennamedata {
47			0xb7, 0x09, 0x02, 0x02
48			},
49			15
50			+ }, {
51			+ /*
52			+ * Regression test for CVE-2023-0286.
53			+ */
54			+ {
55			+ 0xa3, 0x00
56			+ },
57			+ 2
58			}
59			};
60
61			--
62			2.39.1
63