X509_check_issued doesn't grab locks

I noticed that `X509_check_issued` calls x509v3_cache_extensions without acquiring locks on the individual X509 objects.

https://github.com/openssl/openssl/blob/272c0df8e1aa549da9060bf70b34c9aabb3bcb0d/crypto/x509v3/v3_purp.c#L758-L764

It seems that `x509v3_cache_extensions` mutates fields like `ex_flags`. Other usages of `x509v3_cache_extensions` (in `X509_check_purpose`, `X509_check_ca`) acquire the lock before calling.

https://github.com/openssl/openssl/blob/272c0df8e1aa549da9060bf70b34c9aabb3bcb0d/crypto/x509v3/v3_purp.c#L77-L84

https://github.com/openssl/openssl/blob/272c0df8e1aa549da9060bf70b34c9aabb3bcb0d/crypto/x509v3/v3_purp.c#L543-L548


Given that `X509_check_issued` is an exported function, is there a possibility of a race here?

	int X509_check_issued(X509 issuer, X509 subject)
	{
	if (X509_NAME_cmp(X509_get_subject_name(issuer),
	X509_get_issuer_name(subject)))
	return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
	x509v3_cache_extensions(issuer);
	x509v3_cache_extensions(subject);

	int X509_check_purpose(X509 *x, int id, int ca)
	{
	int idx;
	const X509_PURPOSE *pt;
	if (!(x->ex_flags & EXFLAG_SET)) {
	CRYPTO_THREAD_write_lock(x->lock);
	x509v3_cache_extensions(x);
	CRYPTO_THREAD_unlock(x->lock);

	int X509_check_ca(X509 *x)
	{
	if (!(x->ex_flags & EXFLAG_SET)) {
	CRYPTO_THREAD_write_lock(x->lock);
	x509v3_cache_extensions(x);
	CRYPTO_THREAD_unlock(x->lock);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

X509_check_issued doesn't grab locks #6121

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

X509_check_issued doesn't grab locks #6121

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions