Acasă Explorează Ajutor
Înregistrare Autentificare
OpenWrt
/
openwrt
oglindă de https://github.com/openwrt/openwrt.git
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: c3cb2d48da
Ramuri Etichete
openwrt
/
package
/
libs
/
openssl
/
patches
/
200-x509-excessive-resource-use-verifying-policy-constra.patch

200-x509-excessive-resource-use-verifying-policy-constra.patch 8.0 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Pauli <[email protected]>
    3. 

  3. Date: Wed, 8 Mar 2023 15:28:20 +1100
    4. 

  4. Subject: [PATCH] x509: excessive resource use verifying policy constraints
    5. 

  5. 

  6. A security vulnerability has been identified in all supported versions
    7. 

  7. of OpenSSL related to the verification of X.509 certificate chains
    8. 

  8. that include policy constraints.  Attackers may be able to exploit this
    9. 

  9. vulnerability by creating a malicious certificate chain that triggers
    10. 

  10. exponential use of computational resources, leading to a denial-of-service
    11. 

  11. (DoS) attack on affected systems.
    12. 

  12. 

  13. Fixes CVE-2023-0464
    14. 

  14. 

  15. Reviewed-by: Tomas Mraz <[email protected]>
    16. 

  16. Reviewed-by: Shane Lontis <[email protected]>
    17. 

  17. (Merged from https://github.com/openssl/openssl/pull/20568)
    18. 

  18. 

  19. --- a/crypto/x509/pcy_local.h
    20. 

  20. +++ b/crypto/x509/pcy_local.h
    21. 

  21. @@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
    22. 

  22.  };
    23. 

  23.  
    24. 

  24.  struct X509_POLICY_TREE_st {
    25. 

  25. +    /* The number of nodes in the tree */
    26. 

  26. +    size_t node_count;
    27. 

  27. +    /* The maximum number of nodes in the tree */
    28. 

  28. +    size_t node_maximum;
    29. 

  29. +
    30. 

  30.      /* This is the tree 'level' data */
    31. 

  31.      X509_POLICY_LEVEL *levels;
    32. 

  32.      int nlevel;
    33. 

  33. @@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_
    34. 

  34.  X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
    35. 

  35.                                               X509_POLICY_DATA *data,
    36. 

  36.                                               X509_POLICY_NODE *parent,
    37. 

  37. -                                             X509_POLICY_TREE *tree);
    38. 

  38. +                                             X509_POLICY_TREE *tree,
    39. 

  39. +                                             int extra_data);
    40. 

  40.  void ossl_policy_node_free(X509_POLICY_NODE *node);
    41. 

  41.  int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
    42. 

  42.                             const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
    43. 

  43. --- a/crypto/x509/pcy_node.c
    44. 

  44. +++ b/crypto/x509/pcy_node.c
    45. 

  45. @@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find
    46. 

  46.  X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
    47. 

  47.                                               X509_POLICY_DATA *data,
    48. 

  48.                                               X509_POLICY_NODE *parent,
    49. 

  49. -                                             X509_POLICY_TREE *tree)
    50. 

  50. +                                             X509_POLICY_TREE *tree,
    51. 

  51. +                                             int extra_data)
    52. 

  52.  {
    53. 

  53.      X509_POLICY_NODE *node;
    54. 

  54.  
    55. 

  55. +    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
    56. 

  56. +    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
    57. 

  57. +        return NULL;
    58. 

  58. +
    59. 

  59.      node = OPENSSL_zalloc(sizeof(*node));
    60. 

  60.      if (node == NULL) {
    61. 

  61.          ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
    62. 

  62. @@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
    63. 

  63.      }
    64. 

  64.      node->data = data;
    65. 

  65.      node->parent = parent;
    66. 

  66. -    if (level) {
    67. 

  67. +    if (level != NULL) {
    68. 

  68.          if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
    69. 

  69.              if (level->anyPolicy)
    70. 

  70.                  goto node_error;
    71. 

  71. @@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
    72. 

  72.          }
    73. 

  73.      }
    74. 

  74.  
    75. 

  75. -    if (tree) {
    76. 

  76. +    if (extra_data) {
    77. 

  77.          if (tree->extra_data == NULL)
    78. 

  78.              tree->extra_data = sk_X509_POLICY_DATA_new_null();
    79. 

  79.          if (tree->extra_data == NULL){
    80. 

  80. @@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
    81. 

  81.          }
    82. 

  82.      }
    83. 

  83.  
    84. 

  84. +    tree->node_count++;
    85. 

  85.      if (parent)
    86. 

  86.          parent->nchild++;
    87. 

  87.  
    88. 

  88. --- a/crypto/x509/pcy_tree.c
    89. 

  89. +++ b/crypto/x509/pcy_tree.c
    90. 

  90. @@ -14,6 +14,17 @@
    91. 

  91.  
    92. 

  92.  #include "pcy_local.h"
    93. 

  93.  
    94. 

  94. +/*
    95. 

  95. + * If the maximum number of nodes in the policy tree isn't defined, set it to
    96. 

  96. + * a generous default of 1000 nodes.
    97. 

  97. + *
    98. 

  98. + * Defining this to be zero means unlimited policy tree growth which opens the
    99. 

  99. + * door on CVE-2023-0464.
    100. 

  100. + */
    101. 

  101. +#ifndef OPENSSL_POLICY_TREE_NODES_MAX
    102. 

  102. +# define OPENSSL_POLICY_TREE_NODES_MAX 1000
    103. 

  103. +#endif
    104. 

  104. +
    105. 

  105.  static void expected_print(BIO *channel,
    106. 

  106.                             X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
    107. 

  107.                             int indent)
    108. 

  108. @@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **
    109. 

  109.          return X509_PCY_TREE_INTERNAL;
    110. 

  110.      }
    111. 

  111.  
    112. 

  112. +    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
    113. 

  113. +    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
    114. 

  114. +
    115. 

  115.      /*
    116. 

  116.       * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
    117. 

  117.       *
    118. 

  118. @@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **
    119. 

  119.      if ((data = ossl_policy_data_new(NULL,
    120. 

  120.                                       OBJ_nid2obj(NID_any_policy), 0)) == NULL)
    121. 

  121.          goto bad_tree;
    122. 

  122. -    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
    123. 

  123. +    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
    124. 

  124.          ossl_policy_data_free(data);
    125. 

  125.          goto bad_tree;
    126. 

  126.      }
    127. 

  127. @@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **
    128. 

  128.   * Return value: 1 on success, 0 otherwise
    129. 

  129.   */
    130. 

  130.  static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
    131. 

  131. -                                    X509_POLICY_DATA *data)
    132. 

  132. +                                    X509_POLICY_DATA *data,
    133. 

  133. +                                    X509_POLICY_TREE *tree)
    134. 

  134.  {
    135. 

  135.      X509_POLICY_LEVEL *last = curr - 1;
    136. 

  136.      int i, matched = 0;
    137. 

  137. @@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509
    138. 

  138.          X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
    139. 

  139.  
    140. 

  140.          if (ossl_policy_node_match(last, node, data->valid_policy)) {
    141. 

  141. -            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
    142. 

  142. +            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
    143. 

  143.                  return 0;
    144. 

  144.              matched = 1;
    145. 

  145.          }
    146. 

  146.      }
    147. 

  147.      if (!matched && last->anyPolicy) {
    148. 

  148. -        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
    149. 

  149. +        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
    150. 

  150.              return 0;
    151. 

  151.      }
    152. 

  152.      return 1;
    153. 

  153. @@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509
    154. 

  154.   * Return value: 1 on success, 0 otherwise.
    155. 

  155.   */
    156. 

  156.  static int tree_link_nodes(X509_POLICY_LEVEL *curr,
    157. 

  157. -                           const X509_POLICY_CACHE *cache)
    158. 

  158. +                           const X509_POLICY_CACHE *cache,
    159. 

  159. +                           X509_POLICY_TREE *tree)
    160. 

  160.  {
    161. 

  161.      int i;
    162. 

  162.  
    163. 

  163. @@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_L
    164. 

  164.          X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
    165. 

  165.  
    166. 

  166.          /* Look for matching nodes in previous level */
    167. 

  167. -        if (!tree_link_matching_nodes(curr, data))
    168. 

  168. +        if (!tree_link_matching_nodes(curr, data, tree))
    169. 

  169.              return 0;
    170. 

  170.      }
    171. 

  171.      return 1;
    172. 

  172. @@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLIC
    173. 

  173.      /* Curr may not have anyPolicy */
    174. 

  174.      data->qualifier_set = cache->anyPolicy->qualifier_set;
    175. 

  175.      data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
    176. 

  176. -    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
    177. 

  177. +    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
    178. 

  178.          ossl_policy_data_free(data);
    179. 

  179.          return 0;
    180. 

  180.      }
    181. 

  181. @@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEV
    182. 

  182.      /* Finally add link to anyPolicy */
    183. 

  183.      if (last->anyPolicy &&
    184. 

  184.              ossl_policy_level_add_node(curr, cache->anyPolicy,
    185. 

  185. -                                       last->anyPolicy, NULL) == NULL)
    186. 

  186. +                                       last->anyPolicy, tree, 0) == NULL)
    187. 

  187.          return 0;
    188. 

  188.      return 1;
    189. 

  189.  }
    190. 

  190. @@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_
    191. 

  191.              extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
    192. 

  192.                  | POLICY_DATA_FLAG_EXTRA_NODE;
    193. 

  193.              node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
    194. 

  194. -                                              tree);
    195. 

  195. +                                              tree, 1);
    196. 

  196.          }
    197. 

  197.          if (!tree->user_policies) {
    198. 

  198.              tree->user_policies = sk_X509_POLICY_NODE_new_null();
    199. 

  199. @@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TRE
    200. 

  200.  
    201. 

  201.      for (i = 1; i < tree->nlevel; i++, curr++) {
    202. 

  202.          cache = ossl_policy_cache_set(curr->cert);
    203. 

  203. -        if (!tree_link_nodes(curr, cache))
    204. 

  204. +        if (!tree_link_nodes(curr, cache, tree))
    205. 

  205.              return X509_PCY_TREE_INTERNAL;
    206. 

  206.  
    207. 

  207.          if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
    208.