Fix GENERAL_NAME_cmp for x400Address (master)

CVE-2023-0286

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
index c0a7166cd0e64b23ca0559bce68df2c75171af4e..1741c2d2f62932a959a1e48cc00e9a758e3b6e6d 100644 (file)
--- a/crypto/x509/v3_genn.c
+++ b/crypto/x509/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:

diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 80c69960b0c0e447495706eb99b4c8f30d658a23..2d7164e3a24cdfc3c698e5f1fa686f28e36bd771 100644 (file)
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -157,7 +157,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;

diff --git a/test/v3nametest.c b/test/v3nametest.c
index 6d2e2f8e270a0a2acc52b1a18b74c14918c697e2..0341995dde823f0b6fa7cc4f438dc560a4fcfa54 100644 (file)
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -644,6 +644,14 @@ static struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x00
+        },
+        2
     }
 };