]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1b20579)
apps/x509.c: Fix the -addreject option adding trust instead of rejection
authorTomas Mraz <tomas@openssl.org>
Tue, 20 May 2025 14:34:10 +0000 (16:34 +0200)
committerDmitry Belyavskiy <beldmit@gmail.com>
Thu, 22 May 2025 08:03:14 +0000 (10:03 +0200)
Fixes CVE-2025-4575

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)

(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)

apps/x509.c patch | blob | blame | history
test/recipes/25-test_x509.t patch | blob | blame | history

diff --git a/apps/x509.c b/apps/x509.c
index fdae8f383a667eb53ff271ab16ed6b00a588277a..0c340c15b321a8093741e072456e8072ca004e2d 100644 (file)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
+            if (!sk_ASN1_OBJECT_push(reject, objtmp))
                 goto end;
             trustout = 1;
             break;
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 09b61708ff8a5aa8fe8d1cd048743971cfcbcf1b..dfa0a428f5f0ce86a4b840f1905c15e0231bf745 100644 (file)
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_x509");
 
-plan tests => 134;
+plan tests => 138;
 
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
 && run(app(["openssl", "verify", "-no_check_time",
             "-trusted", $ca, "-partial_chain", $caout])));
 
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+            "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+              1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+            "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+              1, 'rejected use - E-mail Protection');
+
 subtest 'x509 -- x.509 v1 certificate' => sub {
     tconversion( -type => 'x509', -prefix => 'x509v1',
                  -in => srctop_file("test", "testx509.pem") );
Mirror of https://github.com/openssl/openssl.git