From: erbsland-dev Date: Wed, 19 Jun 2024 12:02:06 +0000 (+0200) Subject: Add Version Check for CSR Verification X-Git-Tag: openssl-3.4.0-alpha1~462 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fab3c7d61b0064dcf50db39fb490970c60d9a34;p=thirdparty%2Fopenssl.git Add Version Check for CSR Verification Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error. To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in a `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues. Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24677) --- diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 3279f49199f..93dfbeeea5e 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1841,5 +1841,6 @@ X509_R_UNKNOWN_PURPOSE_ID:121:unknown purpose id X509_R_UNKNOWN_SIGID_ALGS:144:unknown sigid algs X509_R_UNKNOWN_TRUST_ID:120:unknown trust id X509_R_UNSUPPORTED_ALGORITHM:111:unsupported algorithm +X509_R_UNSUPPORTED_VERSION:145:unsupported version X509_R_WRONG_LOOKUP_TYPE:112:wrong lookup type X509_R_WRONG_TYPE:122:wrong type diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 226e45a737b..607d38f3be3 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -79,6 +79,8 @@ static const ERR_STRING_DATA X509_str_reasons[] = { {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_TRUST_ID), "unknown trust id"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_ALGORITHM), "unsupported algorithm"}, + {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_VERSION), + "unsupported version"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_LOOKUP_TYPE), "wrong lookup type"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_TYPE), "wrong type"}, {0, NULL} diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 3083eb1dca9..55d3dca1f2d 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -43,6 +43,11 @@ int X509_verify(X509 *a, EVP_PKEY *r) int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx, const char *propq) { + if (X509_REQ_get_version(a) != X509_REQ_VERSION_1) { + ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_VERSION); + return -1; + } + return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg, a->signature, &a->req_info, a->distinguishing_id, r, libctx, propq); diff --git a/include/openssl/x509err.h b/include/openssl/x509err.h index 71b557a3e6b..77b91c8b2cf 100644 --- a/include/openssl/x509err.h +++ b/include/openssl/x509err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
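Review bot: The new early exit in `X509_REQ_verify_ex` (crypto/x509/x_all.c) returns -1, which is non-zero, so a caller that tests the result as a boolean (`if (X509_REQ_verify(req, pkey))`) would treat a CSR with an unsupported version as verified. The guard deserves a comment stating that contract, e.g. `/* Only version 1 (encoded as 0) is accepted; returns -1 like other errors, so callers must treat anything other than 1 as failure */`. The check also sits in the library function rather than in the `-verify` code path the description mentions, so every caller of `X509_REQ_verify_ex` now rejects such requests. That behaviour change should be recorded in the function's documentation and covered by a test with a non-zero version; neither is visible in this diff. The function's closing brace lies outside the hunk.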
@@ -63,6 +63,7 @@ # define X509_R_UNKNOWN_SIGID_ALGS 144 # define X509_R_UNKNOWN_TRUST_ID 120 # define X509_R_UNSUPPORTED_ALGORITHM 111 +# define X509_R_UNSUPPORTED_VERSION 145 # define X509_R_WRONG_LOOKUP_TYPE 112 # define X509_R_WRONG_TYPE 122