mykola/freebsd-ports
1
0
Fork 0
forked from Lainports/freebsd-ports
Code Pull requests Activity

security/openssl: Security update for CVE-2023-0465 & 0466

Browse source 
Security:	425b9538-ce5f-11ed-ade3-d4c9ef517024
This commit is contained in:
Bernard Spil 2023-03-29 18:53:07 +00:00
parent f410329bc6
commit 543bd99158
4 changed files with 268 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
security/openssl/Makefile
View file

@ -1,6 +1,6 @@
PORTNAME= openssl
PORTVERSION= 1.1.1t
PORTREVISION= 1
PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \

86
security/openssl/files/patch-CVE-2023-0464
View file

@ -217,3 +217,89 @@ index 6e8322cbc5e3..6c7fd3540500 100644
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
From fd42c9126844f5eefa76872a1ffe5f529f8f75df Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Tue, 7 Feb 2023 14:37:22 +0100
Subject: [PATCH] Prepare for 1.1.1u-dev
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
---
CHANGES | 4 ++++
NEWS | 4 ++++
README | 2 +-
include/openssl/opensslv.h | 4 ++--
4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 1e2d651b7514..f18b08cb0ee2 100644
--- CHANGES.orig
+++ CHANGES
@@ -7,6 +7,10 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
+
+ *)
+
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
diff --git a/NEWS b/NEWS
index 2724fc4d85ba..8a18516d8609 100644
--- NEWS.orig
+++ NEWS
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
+
+ o
+
Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
diff --git a/README b/README
index b2f806be3a44..1957cf1f5515 100644
--- README.orig
+++ README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1t 7 Feb 2023
+ OpenSSL 1.1.1u-dev
Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
From fa425f20955c7948faed27f69ae4544f89c108ea Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 15 Mar 2023 14:29:22 +1100
Subject: [PATCH] changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)
---
CHANGES | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index f18b08cb0ee2..17caf6775bfe 100644
--- CHANGES.orig
+++ CHANGES
@@ -9,7 +9,13 @@
Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
- *)
+ *) Limited the number of nodes created in a policy tree to mitigate
+ against CVE-2023-0464. The default limit is set to 1000 nodes, which
+ should be sufficient for most installations. If required, the limit
+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+ time define to a desired maximum number of nodes or zero to allow
+ unlimited growth.
+ [Paul Dale]
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

108
security/openssl/files/patch-CVE-2023-0465 Normal file
View file

@ -0,0 +1,108 @@
From 8bc232b14624b7af01801d7940b7dec59b3ae47d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 23 Mar 2023 15:31:25 +0000
Subject: [PATCH] Updated CHANGES and NEWS for CVE-2023-0465
Also updated the entries for CVE-2023-0464
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)
---
CHANGES | 9 ++++++++-
NEWS | 4 +++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 17caf6775bfe..efccf7838e65 100644
--- CHANGES.orig
+++ CHANGES
@@ -9,12 +9,19 @@
Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
+ *) Fixed an issue where invalid certificate policies in leaf certificates are
+ silently ignored by OpenSSL and other certificate policy checks are skipped
+ for that certificate. A malicious CA could use this to deliberately assert
+ invalid certificate policies in order to circumvent policy checking on the
+ certificate altogether. (CVE-2023-0465)
+ [Matt Caswell]
+
*) Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
- unlimited growth.
+ unlimited growth. (CVE-2023-0464)
[Paul Dale]
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
diff --git a/NEWS b/NEWS
index 8a18516d8609..36a9bb6890bf 100644
--- NEWS.orig
+++ NEWS
@@ -7,7 +7,9 @@
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
- o
+ o Fixed handling of invalid certificate policies in leaf certificates
+ (CVE-2023-0465)
+ o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 7 Mar 2023 16:52:55 +0000
Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
certs
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)
---
crypto/x509/x509_vfy.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 925fbb541258..1dfe4f9f31a5 100644
--- crypto/x509/x509_vfy.c.orig
+++ crypto/x509/x509_vfy.c
@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
+ cbcalled = 1;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {

73
security/openssl/files/patch-CVE-2023-0466 Normal file
View file

@ -0,0 +1,73 @@
From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 21 Mar 2023 16:15:47 +0100
Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.
Fixes: CVE-2023-0466
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20564)
---
CHANGES | 5 +++++
NEWS | 1 +
doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index efccf7838e65..b19f1429bbb0 100644
--- CHANGES.orig
+++ CHANGES
@@ -9,6 +9,11 @@
Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+ that it does not enable policy checking. Thanks to
+ David Benjamin for discovering this issue. (CVE-2023-0466)
+ [Tomas Mraz]
+
*) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
diff --git a/NEWS b/NEWS
index 36a9bb6890bf..62615693fab8 100644
--- NEWS.orig
+++ NEWS
@@ -7,6 +7,7 @@
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index f6f304bf7bd0..aa292f9336fc 100644
--- doc/man3/X509_VERIFY_PARAM_set_flags.pod.orig
+++ doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -377,6 +378,10 @@ and has no effect.
The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
=head1 COPYRIGHT
Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.