apps/x509.c: Fix the -addreject option adding trust instead of rejection
authorTomas Mraz <tomas@openssl.org>
Tue, 20 May 2025 14:34:10 +0000 (16:34 +0200)
committerDmitry Belyavskiy <beldmit@gmail.com>
Thu, 22 May 2025 07:49:18 +0000 (09:49 +0200)
Fixes CVE-2025-4575

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)

apps/x509.c
test/recipes/25-test_x509.t

index 9bae7fa72215992df308855be212e5435b20f573..d0802287304a4fe6319713c6d7994da60a6b39d0 100644 (file)
@@ -467,7 +467,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
+            if (!sk_ASN1_OBJECT_push(reject, objtmp))
                 goto end;
             trustout = 1;
             break;
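Review bot: On failure of `sk_ASN1_OBJECT_push(reject, objtmp)` the new line jumps to `end` without releasing objtmp; if objtmp is produced by OBJ_txt2obj just above the hunk (the `prog, opt_arg()` report on the first hunk line suggests a parse of the option argument) and `end` only frees what is already on the stacks, a dynamically allocated object for an unrecognised OID would leak on that out-of-memory path. A small guard keeps the error path tidy: `if (!sk_ASN1_OBJECT_push(reject, objtmp)) { ASN1_OBJECT_free(objtmp); goto end; }`, and the -addtrust branch outside this hunk presumably has the same shape and would take the same change. The shared `trustout = 1;` is not obviously right for a rejection to a reader — presumably it forces the TRUSTED CERTIFICATE output form, the only one that can carry the aux reject list — and a one-line comment such as `/* rejected uses live in the aux data, so emit the trusted-certificate form */` would say so. x509_main starts and ends outside this hunk.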
index efda91d15e92e12c6ab39f6f68e1ed48ee95652e..1b343392aa8f986cde44a275c0eef1c6f7367c98 100644 (file)
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;
 
 setup("test_x509");
 
-plan tests => 136;
+plan tests => 140;
 
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -111,6 +111,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
 && run(app(["openssl", "verify", "-no_check_time",
             "-trusted", $ca, "-partial_chain", $caout])));
 
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+            "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+              1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+            "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+              1, 'rejected use - E-mail Protection');
+
 subtest 'x509 -- x.509 v1 certificate' => sub {
     tconversion( -type => 'x509', -prefix => 'x509v1',
                  -in => srctop_file("test", "testx509.pem") );