Bug 1301691 - openssl: verify function ignores X509_V_ERR_INVALID_PURPOSE in verify callback
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170324,repor...
: Security
Blocks: 1301692
Reported: 2016-01-25 12:19 EST by Adam Mariš
Modified: 2017-03-24 02:45 EDT
Doc Type: Bug Fix
Last Closed: 2017-03-24 02:45:51 EDT

Attachments
Proposed upstream patch 1 (1.82 KB, patch)
2016-02-15 11:29 EST, Adam Mariš
Proposed upstream patch 2 (1.84 KB, patch)
2016-02-15 11:29 EST, Adam Mariš
Proposed upstream patch 3 (11.24 KB, patch)
2016-02-15 11:30 EST, Adam Mariš
Proposed upstream patch 4 (6.88 KB, patch)
2016-02-15 11:30 EST, Adam Mariš

Description Adam Mariš 2016-01-25 12:19:15 EST
It was reported that openssl verify function ignores X509_V_ERR_INVALID_PURPOSE in its verify callback when verifying root and intermediate certificates with extended key usage extension.
Comment 2 Adam Mariš 2016-01-25 12:24:28 EST
Acknowledgments:

This issue was discovered by Christian Heimes of Red Hat.
Comment 3 Adam Mariš 2016-02-15 11:29 EST
Created attachment 1127332
Proposed upstream patch 1
Comment 4 Adam Mariš 2016-02-15 11:29 EST
Created attachment 1127333
Proposed upstream patch 2
Comment 5 Adam Mariš 2016-02-15 11:30 EST
Created attachment 1127335
Proposed upstream patch 3
Comment 6 Adam Mariš 2016-02-15 11:30 EST
Created attachment 1127336
Proposed upstream patch 4
Comment 8 Huzaifa S. Sidhpurwala 2017-03-24 02:38:31 EDT
This patch was applied to upstream master branch to fix this issue:

https://github.com/openssl/openssl/commit/33cc5dde478ba5ad79f8fd4acd8737f0e60e236e
