From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001

From: Hugo Landau <hlandau@openssl.org>

Date: Tue, 17 Jan 2023 17:45:42 +0000

Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address

 (3.0)

Reviewed-by: Paul Dale <pauli@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>

---

 CHANGES.md                  | 19 +++++++++++++++++++

 crypto/x509/v3_genn.c       |  2 +-

 include/openssl/x509v3.h.in |  2 +-

 test/v3nametest.c           |  8 ++++++++

 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c

index c0a7166cd0..1741c2d2f6 100644

--- a/crypto/x509/v3_genn.c

+++ b/crypto/x509/v3_genn.c

@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)

         return -1;

     switch (a->type) {

     case GEN_X400:

-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);

+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);

         break;

     case GEN_EDIPARTY:

diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in

index d00a66a343..c087e3cf92 100644

--- a/include/openssl/x509v3.h.in

+++ b/include/openssl/x509v3.h.in

@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {

         OTHERNAME *otherName;   /* otherName */

         ASN1_IA5STRING *rfc822Name;

         ASN1_IA5STRING *dNSName;

-        ASN1_TYPE *x400Address;

+        ASN1_STRING *x400Address;

         X509_NAME *directoryName;

         EDIPARTYNAME *ediPartyName;

         ASN1_IA5STRING *uniformResourceIdentifier;

diff --git a/test/v3nametest.c b/test/v3nametest.c

index 6d2e2f8e27..0341995dde 100644

--- a/test/v3nametest.c

+++ b/test/v3nametest.c

@@ -644,6 +644,14 @@ static struct gennamedata {

             0xb7, 0x09, 0x02, 0x02

         },

         15

+    }, {

+        /*

+         * Regression test for CVE-2023-0286.

+         */

+        {

+            0xa3, 0x00

+        },

+        2

     }

 };

-- 

2.39.1