Bug 1301683

Summary: openssl: X509_verify_cert() ignores EKU extension of trust anchors
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bbaranow, bmaxwell, cdewolf, cheimes, csutherl, dandread, darran.lofthouse, dknox, jason.greene, jawilson, jclere, jdoyle, lgao, mbabacek, myarboro, osoukup, pgier, psakar, pslavice, rsvoboda, security-response-team, tmraz, twalsh, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-24 06:45:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1301692
Attachments (description, flags):
Proposed patch from upstream (flags: none)
Proposed patch from upstream (flags: none)
Master/mitaka patch (flags: none)
Proposed patch from upstream (flags: none)

Description Adam Mariš 2016-01-25 16:52:53 UTC
It was reported that X509_verify_cert() ignores the extended key usage extension of trust anchors. Only EKU extensions of intermediate and leaf certs are checked.

Comment 3 Adam Mariš 2016-01-27 09:50:07 UTC
Quoting maintainer:

"This is a known behaviour, that is already planned to be addressed
in OpenSSL 1.1.0. In fact the EKU is only checked for certificates
from the peer, and not those from the trust store, so if your CAfile
or CApath contains intermediate certificates that get used to build
the chain, those won't be checked either."
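
The behaviour described above means that, with OpenSSL releases before 1.1.0, an EKU extension on a certificate loaded from CAfile or CApath is never consulted, so a CA certificate restricted to, say, clientAuth would still be accepted as an anchor for a TLS server chain. One defender-side mitigation is to apply the EKU policy to the trust store yourself before handing it to OpenSSL. The following audit script is an added example written for this page, not code from the bug report or from the OpenSSL project; it uses the Python `cryptography` library, builds three constructed self-signed CA certificates in memory to serve as a sample bundle, and reports any certificate whose EKU does not permit the requested purpose (a missing EKU, or anyExtendedKeyUsage, counts as unconstrained).

```python
"""Audit a PEM trust store for EKU constraints that OpenSSL < 1.1.0 did not enforce.

Added example for this bug page (not the report's or OpenSSL's code).
Assumes the `cryptography` package is installed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def load_pem_bundle(pem_bytes):
    """Split a concatenated PEM bundle (CAfile style) into certificate objects."""
    certs = []
    for chunk in pem_bytes.split(PEM_MARKER)[1:]:
        certs.append(x509.load_pem_x509_certificate(PEM_MARKER + chunk))
    return certs


def eku_permits(cert, purpose):
    """True if the certificate's EKU allows `purpose`.

    No EKU extension means the certificate is unconstrained; the special
    anyExtendedKeyUsage OID likewise permits every purpose.
    """
    try:
        eku = cert.extensions.get_extension_for_oid(
            ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return True
    return purpose in eku or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku


def audit_trust_store(pem_bytes, purpose=ExtendedKeyUsageOID.SERVER_AUTH):
    """Return the subjects of store certificates whose EKU excludes `purpose`.

    Any entry returned here would be accepted silently by an OpenSSL 1.0.x
    X509_verify_cert() because EKU is only checked on peer certificates.
    """
    return [cert.subject.rfc4514_string()
            for cert in load_pem_bundle(pem_bytes)
            if not eku_permits(cert, purpose)]


def _make_self_signed(common_name, eku=None):
    """Construct a throwaway self-signed CA certificate (sample data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2016, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                              critical=True))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(
        serialization.Encoding.PEM)


# Constructed sample bundle: one unconstrained root, one CA limited to
# clientAuth, and one carrying anyExtendedKeyUsage.
SAMPLE_TRUST_STORE = (
    _make_self_signed("Constructed Root CA")
    + _make_self_signed("Constructed Client-Only CA",
                        [ExtendedKeyUsageOID.CLIENT_AUTH])
    + _make_self_signed("Constructed Any-EKU CA",
                        [ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE])
)

if __name__ == "__main__":
    for subject in audit_trust_store(SAMPLE_TRUST_STORE):
        print("EKU does not permit serverAuth:", subject)
```

Run against a real CAfile by replacing `SAMPLE_TRUST_STORE` with the file's bytes; anything the audit reports should be removed from the bundle used for server verification, or the application should move to an OpenSSL that enforces EKU on trust-store certificates.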

Comment 4 Adam Mariš 2016-02-15 16:20:40 UTC
Created attachment 1127327 [details]
Proposed patch from upstream

Comment 5 Adam Mariš 2016-02-15 16:21:27 UTC
Created attachment 1127328 [details]
Proposed patch from upstream

Comment 6 Adam Mariš 2016-02-15 16:21:47 UTC
Created attachment 1127329 [details]
Master/mitaka patch

Proposed patch from upstream
//ignore "master/mitaka" name

Comment 7 Adam Mariš 2016-02-15 16:25:24 UTC
Created attachment 1127330 [details]
Proposed patch from upstream

Comment 9 Huzaifa S. Sidhpurwala 2017-03-24 06:34:28 UTC
This patch was applied to upstream master branch to fix this issue:

https://github.com/openssl/openssl/commit/33cc5dde478ba5ad79f8fd4acd8737f0e60e236e