[openssl.org #1402] x509v3 policy initialization bug
Found this bug in OpenSSL 0.9.8d source. A logical AND is being used where a bitwise AND is clearly intended. If I understand correctly, the bug would allow any matching even if the certificate was not self issued, at least in circumstances where x->ex_flags != 0. I don't know this system well enough to comment accurately on any further security implications, I'll leave that to you guys.

--- crypto/x509v3/pcy_tree.c.orig Thu Oct 5 12:20:10 2006 +++ crypto/x509v3/pcy_tree.cThu Oct 5 12:20:22 2006 @@ -197,7 +197,7 @@ /* Any matching allowed if certificate is self * issued and not the last in the chain. */ - if (!(x-ex_flags EXFLAG_SS) || (i == 0)) + if (!(x-ex_flags EXFLAG_SS) || (i == 0)) level-flags |= X509_V_FLAG_INHIBIT_ANY; } else

--- Aaron Campbell [EMAIL PROTECTED] Software Engineer, Arbor Networks, Inc.

__ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
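
Review bot: the changed if in the @@ -197,7 +197,7 @@ hunk of pcy_tree.c decides whether X509_V_FLAG_INHIBIT_ANY is set, and the fix arrives without a regression test. With a logical AND, as the report describes, the EXFLAG_SS test is true for every non-zero ex_flags, so for any certificate other than i == 0 the flag is left unset whether or not the certificate is self issued. Suggest adding a test chain whose intermediate is not self issued and asserting that the flag is set at that level. The - and + lines also read identically as posted (the operator did not survive the mail path), so the patch should be resent as an attachment so it applies cleanly.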
[openssl.org #692] off-by-one bugs
(Excuse the filenames, patch generated from OpenBSD -current sources.)

Index: lib/libssl/src/apps/openssl.c === RCS file: /cvs/src/lib/libssl/src/apps/openssl.c,v retrieving revision 1.8 diff -u -r1.8 openssl.c --- lib/libssl/src/apps/openssl.c 12 May 2003 02:18:35 - 1.8 +++ lib/libssl/src/apps/openssl.c 19 Sep 2003 14:38:36 - @@ -163,7 +163,7 @@ goto err; } - if (type 0 || type CRYPTO_NUM_LOCKS) + if (type 0 || type = CRYPTO_NUM_LOCKS) { errstr = type out of bounds; goto err; Index: lib/libssl/src/ssl/ssltest.c === RCS file: /cvs/src/lib/libssl/src/ssl/ssltest.c,v retrieving revision 1.9 diff -u -r1.9 ssltest.c --- lib/libssl/src/ssl/ssltest.c12 May 2003 02:18:40 - 1.9 +++ lib/libssl/src/ssl/ssltest.c19 Sep 2003 14:38:37 - @@ -291,7 +291,7 @@ goto err; } - if (type 0 || type CRYPTO_NUM_LOCKS) + if (type 0 || type = CRYPTO_NUM_LOCKS) { errstr = type out of bounds; goto err;

--- Aaron Campbell ([EMAIL PROTECTED]) http://www.monkey.org/~aaron
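
Review bot: in the apps/openssl.c hunk at @@ -163,7 +163,7 @@, the new upper bound rejects type equal to CRYPTO_NUM_LOCKS, which is correct only if whatever type indexes has exactly CRYPTO_NUM_LOCKS entries; that array and its declared size are outside the hunk. Please name the array this check protects in the commit message and confirm its size, so it is clear that the valid range is 0 through CRYPTO_NUM_LOCKS - 1.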
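
Review bot: the ssl/ssltest.c hunk at @@ -291,7 +291,7 @@ repeats the apps/openssl.c bounds check and its error string verbatim, so the same off-by-one was carried along by copy and paste. Worth searching the tree for any other copy of this check that still has the old comparison and fixing those in the same commit.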