diff options
Diffstat (limited to 'security/openssl31/files/patch-CVE-2023-0465')
| -rw-r--r-- | security/openssl31/files/patch-CVE-2023-0465 | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/security/openssl31/files/patch-CVE-2023-0465 b/security/openssl31/files/patch-CVE-2023-0465 new file mode 100644 index 000000000000..3873133819b7 --- /dev/null +++ b/security/openssl31/files/patch-CVE-2023-0465 @@ -0,0 +1,126 @@ +From 07d8baf3367cbbf81877510e5102e6193da4bfe7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Thu, 23 Mar 2023 15:31:25 +0000 +Subject: [PATCH] Updated CHANGES.md and NEWS.md for CVE-2023-0465 + +Also updated the entries for CVE-2023-0464 + +Related-to: CVE-2023-0465 + +Reviewed-by: Hugo Landau <hlandau@openssl.org> +Reviewed-by: Tomas Mraz <tomas@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/20586) +--- + CHANGES.md | 12 ++++++++++++ + NEWS.md | 6 +++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 99cabb3057fb..511886d213f9 100644 +--- CHANGES.md.orig ++++ CHANGES.md +@@ -24,12 +24,22 @@ OpenSSL 3.1 + + ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx] + ++ * Fixed an issue where invalid certificate policies in leaf certificates are ++ silently ignored by OpenSSL and other certificate policy checks are skipped ++ for that certificate. A malicious CA could use this to deliberately assert ++ invalid certificate policies in order to circumvent policy checking on the ++ certificate altogether. ++ ([CVE-2023-0465]) ++ ++ *Matt Caswell* ++ + * Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. ++ ([CVE-2023-0464]) + + *Paul Dale* + +@@ -19689,6 +19699,8 @@ ndif + + <!-- Links --> + ++[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 ++[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 + [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 + [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 + [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 +diff --git a/NEWS.md b/NEWS.md +index c243c5e6818a..23f918f604ea 100644 +--- NEWS.md.orig ++++ NEWS.md +@@ -21,7 +21,9 @@ OpenSSL 3.1 + + ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [under development] + +- * none ++ * Fixed handling of invalid certificate policies in leaf certificates ++ ([CVE-2023-0465]) ++ * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + + ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023] + +@@ -1446,6 +1448,8 @@ OpenSSL 0.9.x + * Support for various new platforms + + <!-- Links --> ++[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 ++[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 + [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 + [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 + [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 +From facfb1ab745646e97a1920977ae4a9965ea61d5c Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Tue, 7 Mar 2023 16:52:55 +0000 +Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf + certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau <hlandau@openssl.org> +Reviewed-by: Tomas Mraz <tomas@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/20586) +--- + crypto/x509/x509_vfy.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9bad..a0282c3ef121 100644 +--- crypto/x509/x509_vfy.c.orig ++++ crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++ cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { |