From ab351f4a837dc98b862d6efdc8a7732b67c57c13 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 31 Jan 2023 13:36:55 -0500 Subject: Fix the type of x400Address in GENERAL_NAME This fixes CVE-2023-0286. The main impact is that GENERAL_NAME_cmp, when given x400Addresses, can interpret a pointer with the wrong type. Applications that set X509_V_FLAG_CRL_CHECK and take CRLs from untrusted sources should take this patch. Bug: 266637308 Test: atest boringssl_crypto_test boringssl_ssl_test Change-Id: Ib76265fa098df3cb0db075646773c14d59d0ca75 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56985 Commit-Queue: Bob Beck Auto-Submit: David Benjamin Reviewed-by: Bob Beck
---
 src/crypto/x509/x509_test.cc | 2 ++ src/crypto/x509v3/v3_genn.c | 2 +- src/include/openssl/x509v3.h | 3 +-- 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 5e089d4b..9f7bce8b 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -3497,6 +3497,8 @@ TEST(X509Test, GeneralName) {
 {0x82, 0x01, 0x61},
 // [2 PRIMITIVE] { "b" }
 {0x82, 0x01, 0x62},
+ // [3] {}
+ {0xa3, 0x00},
 // [4] {
 // SEQUENCE {
 // SET {
diff --git a/src/crypto/x509v3/v3_genn.c b/src/crypto/x509v3/v3_genn.c
index fef02044..2153a1d0 100644
--- a/src/crypto/x509v3/v3_genn.c
+++ b/src/crypto/x509v3/v3_genn.c
@@ -130,7 +130,7 @@ int GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b) {
 switch (a->type) {
 case GEN_X400:
- return ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
 case GEN_EDIPARTY:
 return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index 9db57e6f..56e44c81 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
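Review bot: The new `{0xa3, 0x00}` entry is the only x400Address encoding in the table, so the `GEN_X400` comparison is probably exercised only with two identical inputs. The loop that consumes this table is outside the hunk, but if it compares every pair of entries (as the `0x61`/`0x62` pair for tag [2] suggests), a second, non-empty [3] value would also cover the unequal case of the fixed comparator. A constructed example would be `{0xa3, 0x02, 0x30, 0x00},` under a `// [3] { SEQUENCE {} }` comment, provided the parser accepts it.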
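Review bot: Nothing at `case GEN_X400:` records why `ASN1_STRING_cmp` is the right comparator, and the compiler cannot check it: the old call matched the old declaration and still, per the commit message, interpreted the pointer with the wrong type. The object's real type is decided by whatever parses the GENERAL_NAME (presumably an ASN.1 template that is not visible in this diff), so I would add a comment such as `// x400Address is stored as an ASN1_STRING by the parser; keep this in sync with the GENERAL_NAME template.` The body of `GENERAL_NAME_cmp` starts and ends outside the hunk.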
@@ -186,7 +186,7 @@ typedef struct GENERAL_NAME_st {
 OTHERNAME *otherName; // otherName
 ASN1_IA5STRING *rfc822Name;
 ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
 X509_NAME *directoryName;
 EDIPARTYNAME *ediPartyName;
 ASN1_IA5STRING *uniformResourceIdentifier;
@@ -198,7 +198,6 @@ typedef struct GENERAL_NAME_st {
 X509_NAME *dirn; // dirn
 ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier
 ASN1_OBJECT *rid; // registeredID
- ASN1_TYPE *other; // x400Address
 } d;
 } GENERAL_NAME;
--
cgit v1.2.3
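Review bot: `ASN1_STRING *x400Address;` changes the type of a public struct member without a comment, although `otherName` just above carries one, so out-of-tree code gets no hint of what the field now holds. C callers that still pass `d.x400Address` to `ASN1_TYPE_*` functions may get only an incompatible-pointer warning, which would bring back the type confusion this commit fixes. Users of the `other` alias removed in the next hunk fail to compile instead, which is the safer outcome. I would add something like `// x400Address, held as an ASN1_STRING, not an ASN1_TYPE` on the member and call out the type change in the release notes.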