From: Tomas Mraz
Date: Tue, 20 May 2025 14:34:10 +0000 (+0200)
Subject: apps/x509.c: Fix the -addreject option adding trust instead of rejection
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0eb9acc24febb1f3f01f0320cfba9654cf66b0ac;p=thirdparty%2Fopenssl.git

apps/x509.c: Fix the -addreject option adding trust instead of rejection

Fixes CVE-2025-4575

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/27672)
---
diff --git a/apps/x509.c b/apps/x509.c
index 9bae7fa7221..d0802287304 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -467,7 +467,7 @@ int x509_main(int argc, char **argv)
 prog, opt_arg());
 goto opthelp;
 }
- if (!sk_ASN1_OBJECT_push(trust, objtmp))
+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
 goto end;
 trustout = 1;
 break;
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index efda91d15e9..1b343392aa8 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;
 setup("test_x509");
-plan tests => 136;
+plan tests => 140;
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -111,6 +111,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
 && run(app(["openssl", "verify", "-no_check_time", "-trusted", $ca, "-partial_chain", $caout])));
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+ "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+ 1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+ "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+ 1, 'rejected use - E-mail Protection');
+
 subtest 'x509 -- x.509 v1 certificate' => sub {
 tconversion( -type => 'x509', -prefix => 'x509v1', -in => srctop_file("test", "testx509.pem") );
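Review bot: The `-addreject` case now differs from the `-addtrust` case only in the stack named on the changed `sk_ASN1_OBJECT_push` line, and a one-word divergence inside duplicated code is exactly how an explicitly rejected use came to be recorded as a trusted one; folding the shared parse-and-push sequence into a small `static` helper that takes the target `STACK_OF(ASN1_OBJECT) *` would keep the two options from drifting apart again. The head of this `case` and `x509_main` itself lie outside the hunk, so that duplication is inferred from the visible tail. On the retained `goto end;` after a failed push, `objtmp` is owned by neither stack yet; unless the `end:` label releases it, an `ASN1_OBJECT_free(objtmp);` before the jump would close that leak on the failure path. A short comment on the unchanged `trustout = 1;`, such as `/* rejected uses are written through the same trusted-certificate output as -addtrust */`, would also explain why the flag is set on the reject path.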
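Review bot: The two new `cert_contains` assertions only check that the expected line is present, so they would not distinguish a regression that emits both a trusted and a rejected use from the intended behaviour; if `cert_contains` accepts an expected value of 0 as "pattern absent" (its definition is not in this hunk), adding `cert_contains("ca-trusted.pem", "Rejected Uses", 0, 'no rejected use on trusted cert');` and `cert_contains("ca-rejected.pem", "Trusted Uses", 0, 'no trusted use on rejected cert');` after the existing checks pins the trust/reject distinction the apps/x509.c fix is about, with `plan tests => 142;` in the earlier hunk. The surrounding `ok(run(...))` and `subtest` lines are context and are not affected by this change.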