From 092f35598ea935c0808a97637f8f8f30256359af Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Fri, 17 Apr 2026 14:09:52 -0600
Subject: [PATCH] Use the correct issuer when validating rootCAKeyUpdate
This adds the existing trusted root to the chain being validated, instead
of adding the certificate under validation itself as its own root.
While we are here, we also turn on self signed certificate signature
checking as this case is actually bringing in trust anchors as
self signed certs, and fix a possible NULL deref.
Fixes CVE-2026-42769
---
crypto/cmp/cmp_genm.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 86bad3a7445..44e5eef291b 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -222,7 +222,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx)
for (i = 0; i < sk_X509_num(trust); i++) {
issuer = sk_X509_value(trust, i);
if ((*check_issued)(store_ctx, cert, issuer)) {
- if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF))
+ if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF))
ok = 1;
break;
}
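Review bot: The loop takes the first trusted certificate that check_issued() accepts at `if ((*check_issued)(store_ctx, cert, issuer))` and breaks, but check_issued() only establishes name/key-identifier linkage, not that `issuer` actually signed `cert`. In the rootCAKeyUpdate case this patch targets, the store can hold the old and the new root under the same subject name; a certificate without an AKID can then be paired with the wrong anchor, and the later signature check fails instead of the loop trying the next candidate. If the chain's signatures are not re-verified after this callback returns ok = 1 (not visible here), the link is trusted on linkage alone, so checking the signature before accepting a candidate is safer either way: `if ((*check_issued)(store_ctx, cert, issuer) && X509_verify(cert, X509_get0_pubkey(issuer)) == 1)`. selfsigned_verify_cb starts before this hunk, so the verify error that leads into this loop cannot be confirmed from the diff.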
@@ -255,6 +255,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq,
if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL
|| !X509_STORE_CTX_init(csc, ts, target, untrusted))
goto err;
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE);
X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb);
ok = X509_verify_cert(csc) > 0;
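Review bot: The added `X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE);` carries no explanation of why this verification departs from the default, in which a self-signed anchor's own signature is not checked, and a future cleanup could drop it as redundant. A one-line comment above it would record the reason given in the commit message: `/* rootCAKeyUpdate delivers new trust anchors as self-signed certs, so verify their self-signature too */`. This flag concerns only the anchor's own signature; it does not change which issuer selfsigned_verify_cb pairs with the certificate. verify_ss_cert begins before this hunk and continues after it.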
@@ -273,7 +274,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */,
int res = 0;
if (trusted != NULL) {
- X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+ X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL
+ : X509_STORE_get0_param(ts);
if ((ts = X509_STORE_new()) == NULL)
return 0;
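Review bot: The guard at `X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL : X509_STORE_get0_param(ts);` removes the crash but makes `vpm` NULL when the caller supplies no store, so every later use of `vpm` in this function (outside the hunk) must now tolerate NULL as well; in current OpenSSL X509_VERIFY_PARAM_inherit() and X509_STORE_set1_param() treat a NULL source as a no-op, whereas X509_VERIFY_PARAM_get_flags() or a direct field read would dereference it. A comment at the declaration would pin that contract: `/* NULL when ctx has no trusted store; later parameter copies must accept NULL */`. Note also that `ts` is the caller's parameter and is immediately replaced by a fresh store at `if ((ts = X509_STORE_new()) == NULL)`, so the new store must be freed on every exit path of verify_ss_cert_trans, which starts before and ends after this hunk.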