63 lines
2.3 KiB
Diff
63 lines
2.3 KiB
Diff
From 2b18a8b0c5b315083c49664101a103572d5592b6 Mon Sep 17 00:00:00 2001
|
|
From: Tomas Mraz <tomas@openssl.org>
|
|
Date: Tue, 20 May 2025 16:34:10 +0200
|
|
Subject: [PATCH 58/59] apps/x509.c: Fix the -addreject option adding trust
|
|
instead of rejection
|
|
|
|
Fixes CVE-2025-4575
|
|
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
|
(Merged from https://github.com/openssl/openssl/pull/27672)
|
|
---
|
|
apps/x509.c | 2 +-
|
|
test/recipes/25-test_x509.t | 12 +++++++++++-
|
|
2 files changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/apps/x509.c b/apps/x509.c
|
|
index fdae8f383a..0c340c15b3 100644
|
|
--- a/apps/x509.c
|
|
+++ b/apps/x509.c
|
|
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
|
|
prog, opt_arg());
|
|
goto opthelp;
|
|
}
|
|
- if (!sk_ASN1_OBJECT_push(trust, objtmp))
|
|
+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
|
|
goto end;
|
|
trustout = 1;
|
|
break;
|
|
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
|
|
index 09b61708ff..dfa0a428f5 100644
|
|
--- a/test/recipes/25-test_x509.t
|
|
+++ b/test/recipes/25-test_x509.t
|
|
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
|
|
|
setup("test_x509");
|
|
|
|
-plan tests => 134;
|
|
+plan tests => 138;
|
|
|
|
# Prevent MSys2 filename munging for arguments that look like file paths but
|
|
# aren't
|
|
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
|
|
&& run(app(["openssl", "verify", "-no_check_time",
|
|
"-trusted", $ca, "-partial_chain", $caout])));
|
|
|
|
+# test trust decoration
|
|
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
|
|
+ "-out", "ca-trusted.pem"])));
|
|
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
|
|
+ 1, 'trusted use - E-mail Protection');
|
|
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
|
|
+ "-out", "ca-rejected.pem"])));
|
|
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
|
|
+ 1, 'rejected use - E-mail Protection');
|
|
+
|
|
subtest 'x509 -- x.509 v1 certificate' => sub {
|
|
tconversion( -type => 'x509', -prefix => 'x509v1',
|
|
-in => srctop_file("test", "testx509.pem") );
|
|
--
|
|
2.49.0
|
|
|