[EMAIL PROTECTED] - Thu Oct 5 18:51:21 2006]:
> Found this bug in OpenSSL 0.9.8d source. A logical AND is being used
> where a bitwise AND is clearly intended. If I understand correctly, the
> bug would allow "any" matching even if the certificate was not self
> issued, at least in circumstances where x->ex_flags != 0. I don't know
> this system well enough to comment accurately on any further security
> implications, I'll leave that to you guys.
>
> --- crypto/x509v3/pcy_tree.c.orig Thu Oct 5 12:20:10 2006
> +++ crypto/x509v3/pcy_tree.c Thu Oct 5 12:20:22 2006
> @@ -197,7 +197,7 @@
> /* Any matching allowed if certificate is self
> * issued and not the last in the chain.
> */
> - if (!(x->ex_flags && EXFLAG_SS) || (i == 0))
> + if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
> level->flags |= X509_V_FLAG_INHIBIT_ANY;
> }
> else
>
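Review bot: The `&&` to `&` change on the `if` line is the right fix. `EXFLAG_SS` is a non-zero flag constant, so `x->ex_flags && EXFLAG_SS` evaluates to 1 for every certificate that has any extension flag set at all; with the old test, `X509_V_FLAG_INHIBIT_ANY` was only set for certificates with `ex_flags == 0` or at `i == 0`, independent of whether the certificate was self-issued, which contradicts the comment directly above the condition. With the bitwise test, only certificates actually carrying the self-issued bit (and not at `i == 0`) escape the inhibit. Worth adding a regression test with a non-self-issued intermediate that asserts `X509_V_FLAG_INHIBIT_ANY` is set at its level, since that is exactly the case the old code got wrong.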
Thanks for the report. This will effectively still allow anyPolicy matching if the inhibitAnyPolicy extension skip value has been reached. The policy code is rarely used at present and not enabled by default so there shouldn't be any security issues. I'll commit a fix.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
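To make the reported defect concrete, here is an added example (not OpenSSL's code) that models the condition from the pcy_tree.c hunk over a constructed three-certificate chain; the `EXFLAG_SS` and `EXFLAG_CA` bit values and the chain layout are assumptions for illustration, not OpenSSL's real definitions.

```c
/* Added example: model of the pcy_tree.c inhibit-any condition with '&&' vs '&'.
 * Flag values below are assumed for illustration, not OpenSSL's actual values. */
#include <stdio.h>

#define EXFLAG_CA 0x10UL   /* assumed bit: certificate is a CA */
#define EXFLAG_SS 0x20UL   /* assumed bit: certificate is self-issued */

/* Returns 1 if X509_V_FLAG_INHIBIT_ANY would be set for the certificate at
 * chain position i (i == 0 is "the last in the chain", as in the report). */
int inhibit_any_buggy(unsigned long ex_flags, int i)
{
    /* Logical AND: non-zero for ANY non-zero ex_flags, not only self-issued. */
    return (!(ex_flags && EXFLAG_SS) || (i == 0)) ? 1 : 0;
}

int inhibit_any_fixed(unsigned long ex_flags, int i)
{
    /* Bitwise AND: non-zero only when the self-issued bit is really set. */
    return (!(ex_flags & EXFLAG_SS) || (i == 0)) ? 1 : 0;
}

/* Counts chain positions where the buggy and fixed conditions disagree. */
int count_divergent(const unsigned long *flags, int n)
{
    int diverge = 0;
    for (int i = n - 1; i >= 0; i--)
        if (inhibit_any_buggy(flags[i], i) != inhibit_any_fixed(flags[i], i))
            diverge++;
    return diverge;
}

/* Constructed chain: index 0 = last certificate (no flags), index 1 = a CA
 * that is NOT self-issued, index 2 = a self-issued CA. Returns the number of
 * positions where the old code would wrongly skip the inhibit. */
int demo_chain_divergence(void)
{
    unsigned long chain[] = { 0UL, EXFLAG_CA, EXFLAG_CA | EXFLAG_SS };
    return count_divergent(chain, 3);
}

int main(void)
{
    /* Only the non-self-issued CA (index 1) differs: buggy 0, fixed 1. */
    printf("positions where '&&' wrongly allowed anyPolicy: %d\n",
           demo_chain_divergence());
    return 0;
}
```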
