From: Bob Beck Date: Fri, 17 Apr 2026 20:09:52 +0000 (-0600) Subject: Use the correct issuer when validating rootCAKeyUpdate X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2765d53c2649b56bc1ca1bb799e42002953056a;p=thirdparty%2Fopenssl.git Use the correct issuer when validating rootCAKeyUpdate This correctly uses the existing root, and not the same certificate as the root of the chain to validate. While we are here, we also turn on self signed certificate signature checking as this case is actually bringing in trust anchors as self signed certs, and fix a possible NULL deref. Fixes CVE-2026-42769 Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz MergeDate: Mon Jun 8 19:54:01 2026 --- diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c index 905927554fa..8e974297fde 100644 --- a/crypto/cmp/cmp_genm.c +++ b/crypto/cmp/cmp_genm.c @@ -223,7 +223,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) for (i = 0; i < sk_X509_num(trust); i++) { issuer = sk_X509_value(trust, i); if ((*check_issued)(store_ctx, cert, issuer)) { - if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF)) + if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF)) ok = 1; break; } @@ -256,6 +256,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq, if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL || !X509_STORE_CTX_init(csc, ts, target, untrusted)) goto err; + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE); X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb); ok = X509_verify_cert(csc) > 0; @@ -274,7 +275,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */, int res = 0; if (trusted != NULL) { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL + : X509_STORE_get0_param(ts); if ((ts = X509_STORE_new()) == NULL) return 0;