From 842a6bbe1493b169f9c546a2d53488444675f82a Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 7 Apr 2026 12:48:37 +0000
Subject: [PATCH] Stop Delta CRL processing if a CRL number is misssing

A malformed Delta CRL could cause a crash. Funnily enough the deserializer recognizes this and marks such a CRL as invalid, but nothing ever checks the EXFLAG_INVALID for CRLs. For certificates this would usually result in verification failure due to x509v3_cache_extensions() failing. This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only a handful of ports do, plus openssl(1) does if you use the undocumented -use_deltas flag. Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8 and assigned CVE-2026-28388.
ok jsing
---
 lib/libcrypto/x509/x509_vfy.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 3d0abda6155..776478508ea 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.149 2026/04/07 12:48:37 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1148,11 +1148,15 @@ crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 static int
 check_delta_base(X509_CRL *delta, X509_CRL *base)
 {
- /* Delta CRL must be a delta */
- if (!delta->base_crl_number)
+ /*
+ * Delta CRL must be a delta and have a CRL number.
+ * XXX - This means EXFLAG_INVALID was set by crl_cb(),
+ * which we should check somewhere and bail out.
+ */
+ if (delta->base_crl_number == NULL || delta->crl_number == NULL)
 return 0;
 /* Base must have a CRL number */
- if (!base->crl_number)
+ if (base->crl_number == NULL)
 return 0;
 /* Issuer names must match */
 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
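Review bot: The new XXX comment above `if (delta->base_crl_number == NULL || delta->crl_number == NULL)` says the condition "means EXFLAG_INVALID was set by crl_cb()", but that is true only of the second operand: a missing base_crl_number merely means the CRL is not a delta at all, which is a perfectly valid CRL that this function is expected to decline, not a malformed one. I would reword the comment to distinguish the two cases, stating that a CRL without base_crl_number is simply not a delta, while a delta without crl_number is malformed (the case crl_cb() marks EXFLAG_INVALID, which nothing checks yet) and must be rejected here because crl_number is dereferenced later in this function, so the reader does not conclude that every rejection here corresponds to an invalid CRL. Given the commit message's own observation that EXFLAG_INVALID is never consulted for CRLs, an explicit test of that flag on both delta and base at the top of check_delta_base (via whatever flags field crl_cb() sets, which is not visible in this hunk) would also reject any other malformation the deserializer detects instead of only this one NULL field, and the XXX could then be dropped. check_delta_base continues past the end of the hunk.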