openssl: Vendor import of OpenSSL-3.0.9
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html . Obtained from: https://www.openssl.org/source/openssl-3.0.9.tar.gz Test Plan: ``` $ git status On branch vendor/openssl-3.0 Your branch is up to date with 'origin/vendor/openssl-3.0'. nothing to commit, working tree clean $ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc) openssl-3.0.9.tar.gz 14 MB 74 MBps 01s openssl-3.0.9.tar.gz.asc 833 B 10 MBps 00s $ set | egrep '(XLIST|OSSLVER)=' OSSLVER=3.0.9 XLIST=FREEBSD-Xlist $ gpg --list-keys /home/khorben/.gnupg/pubring.kbx -------------------------------- pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14] A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C uid [ unknown] Tomáš Mráz <tm@t8m.info> uid [ unknown] Tomáš Mráz <tomas@arleto.cz> uid [ unknown] Tomáš Mráz <tomas@openssl.org> sub rsa4096 2021-07-16 [S] [expires: 2027-07-15] sub rsa4096 2021-07-16 [E] [expires: 2031-07-14] $ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz gpg: Signature made Tue May 30 14:32:24 2023 CEST gpg: using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown] gpg: aka "Tomáš Mráz <tomas@arleto.cz>" [unknown] gpg: aka "Tomáš Mráz <tomas@openssl.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C Subkey fingerprint: DC70 3266 2AF8 85E2 F47F 243F 5274 66A2 1CA7 9E6D $ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C .. $ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* . [...] $ diff -arq ../openssl-${OSSLVER} . Only in .: .git Only in .: FREEBSD-Xlist Only in .: FREEBSD-upgrade $ git status FREEBSD* On branch vendor/openssl-3.0 Your branch is up to date with 'origin/vendor/openssl-3.0'. nothing to commit, working tree clean ```
This commit is contained in:
committed by
Ed Maste
parent
e4520c8bd1
commit
b84c4564ef
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
|
||||
};
|
||||
|
||||
struct X509_POLICY_TREE_st {
|
||||
/* The number of nodes in the tree */
|
||||
size_t node_count;
|
||||
/* The maximum number of nodes in the tree */
|
||||
size_t node_maximum;
|
||||
|
||||
/* This is the tree 'level' data */
|
||||
X509_POLICY_LEVEL *levels;
|
||||
int nlevel;
|
||||
@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
X509_POLICY_TREE *tree);
|
||||
X509_POLICY_TREE *tree,
|
||||
int extra_data);
|
||||
void ossl_policy_node_free(X509_POLICY_NODE *node);
|
||||
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
|
||||
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
|
||||
|
||||
+20
-6
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
X509_POLICY_TREE *tree)
|
||||
X509_POLICY_TREE *tree,
|
||||
int extra_data)
|
||||
{
|
||||
X509_POLICY_NODE *node;
|
||||
|
||||
/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
|
||||
if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
|
||||
return NULL;
|
||||
|
||||
node = OPENSSL_zalloc(sizeof(*node));
|
||||
if (node == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
node->data = data;
|
||||
node->parent = parent;
|
||||
if (level) {
|
||||
if (level != NULL) {
|
||||
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
||||
if (level->anyPolicy)
|
||||
goto node_error;
|
||||
@@ -90,24 +95,33 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
}
|
||||
|
||||
if (tree) {
|
||||
if (extra_data) {
|
||||
if (tree->extra_data == NULL)
|
||||
tree->extra_data = sk_X509_POLICY_DATA_new_null();
|
||||
if (tree->extra_data == NULL){
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto node_error;
|
||||
goto extra_data_error;
|
||||
}
|
||||
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto node_error;
|
||||
goto extra_data_error;
|
||||
}
|
||||
}
|
||||
|
||||
tree->node_count++;
|
||||
if (parent)
|
||||
parent->nchild++;
|
||||
|
||||
return node;
|
||||
|
||||
extra_data_error:
|
||||
if (level != NULL) {
|
||||
if (level->anyPolicy == node)
|
||||
level->anyPolicy = NULL;
|
||||
else
|
||||
(void) sk_X509_POLICY_NODE_pop(level->nodes);
|
||||
}
|
||||
|
||||
node_error:
|
||||
ossl_policy_node_free(node);
|
||||
return NULL;
|
||||
|
||||
+40
-14
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -14,6 +14,19 @@
|
||||
|
||||
#include "pcy_local.h"
|
||||
|
||||
/*
|
||||
* If the maximum number of nodes in the policy tree isn't defined, set it to
|
||||
* a generous default of 1000 nodes.
|
||||
*
|
||||
* Defining this to be zero means unlimited policy tree growth which opens the
|
||||
* door on CVE-2023-0464.
|
||||
*/
|
||||
#ifndef OPENSSL_POLICY_TREE_NODES_MAX
|
||||
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
|
||||
#endif
|
||||
|
||||
static void exnode_free(X509_POLICY_NODE *node);
|
||||
|
||||
static void expected_print(BIO *channel,
|
||||
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
|
||||
int indent)
|
||||
@@ -163,6 +176,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
}
|
||||
|
||||
/* Limit the growth of the tree to mitigate CVE-2023-0464 */
|
||||
tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
|
||||
|
||||
/*
|
||||
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
|
||||
*
|
||||
@@ -180,7 +196,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
if ((data = ossl_policy_data_new(NULL,
|
||||
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
|
||||
goto bad_tree;
|
||||
if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
|
||||
if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
goto bad_tree;
|
||||
}
|
||||
@@ -239,7 +255,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
* Return value: 1 on success, 0 otherwise
|
||||
*/
|
||||
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_DATA *data)
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_TREE *tree)
|
||||
{
|
||||
X509_POLICY_LEVEL *last = curr - 1;
|
||||
int i, matched = 0;
|
||||
@@ -249,13 +266,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
|
||||
|
||||
if (ossl_policy_node_match(last, node, data->valid_policy)) {
|
||||
if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
|
||||
if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
|
||||
return 0;
|
||||
matched = 1;
|
||||
}
|
||||
}
|
||||
if (!matched && last->anyPolicy) {
|
||||
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
|
||||
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -268,7 +285,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
* Return value: 1 on success, 0 otherwise.
|
||||
*/
|
||||
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
const X509_POLICY_CACHE *cache)
|
||||
const X509_POLICY_CACHE *cache,
|
||||
X509_POLICY_TREE *tree)
|
||||
{
|
||||
int i;
|
||||
|
||||
@@ -276,7 +294,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
|
||||
|
||||
/* Look for matching nodes in previous level */
|
||||
if (!tree_link_matching_nodes(curr, data))
|
||||
if (!tree_link_matching_nodes(curr, data, tree))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -307,7 +325,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
|
||||
/* Curr may not have anyPolicy */
|
||||
data->qualifier_set = cache->anyPolicy->qualifier_set;
|
||||
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
|
||||
if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
|
||||
if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
return 0;
|
||||
}
|
||||
@@ -370,7 +388,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
|
||||
/* Finally add link to anyPolicy */
|
||||
if (last->anyPolicy &&
|
||||
ossl_policy_level_add_node(curr, cache->anyPolicy,
|
||||
last->anyPolicy, NULL) == NULL)
|
||||
last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
@@ -553,15 +571,23 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
|
||||
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
|
||||
| POLICY_DATA_FLAG_EXTRA_NODE;
|
||||
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
|
||||
tree);
|
||||
tree, 1);
|
||||
if (node == NULL) {
|
||||
ossl_policy_data_free(extra);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (!tree->user_policies) {
|
||||
tree->user_policies = sk_X509_POLICY_NODE_new_null();
|
||||
if (!tree->user_policies)
|
||||
return 1;
|
||||
if (!tree->user_policies) {
|
||||
exnode_free(node);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
|
||||
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
|
||||
exnode_free(node);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@@ -580,7 +606,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
|
||||
|
||||
for (i = 1; i < tree->nlevel; i++, curr++) {
|
||||
cache = ossl_policy_cache_set(curr->cert);
|
||||
if (!tree_link_nodes(curr, cache))
|
||||
if (!tree_link_nodes(curr, cache, tree))
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
|
||||
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
|
||||
|
||||
@@ -179,7 +179,7 @@ const char *X509_verify_cert_error_string(long n)
|
||||
case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
|
||||
return "subject signature algorithm and issuer public key algorithm mismatch";
|
||||
case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
|
||||
return "cert info siganature and signature algorithm mismatch";
|
||||
return "cert info signature and signature algorithm mismatch";
|
||||
case X509_V_ERR_INVALID_CA:
|
||||
return "invalid CA certificate";
|
||||
case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
|
||||
@@ -213,6 +213,11 @@ const char *X509_verify_cert_error_string(long n)
|
||||
case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
|
||||
return "Certificate public key has explicit ECC parameters";
|
||||
|
||||
/*
|
||||
* Entries must be kept consistent with include/openssl/x509_vfy.h.in
|
||||
* and with doc/man3/X509_STORE_CTX_get_error.pod
|
||||
*/
|
||||
|
||||
default:
|
||||
/* Printing an error number into a static buffer is not thread-safe */
|
||||
return "unknown certificate verification error";
|
||||
|
||||
+12
-4
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
|
||||
goto memerr;
|
||||
/* Invalid or inconsistent extensions */
|
||||
if (ret == X509_PCY_TREE_INVALID) {
|
||||
int i;
|
||||
int i, cbcalled = 0;
|
||||
|
||||
/* Locate certificates with bad extensions and notify callback. */
|
||||
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
||||
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
||||
X509 *x = sk_X509_value(ctx->chain, i);
|
||||
|
||||
if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
|
||||
cbcalled = 1;
|
||||
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
|
||||
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
|
||||
}
|
||||
if (!cbcalled) {
|
||||
/* Should not be able to get here */
|
||||
ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
/* The callback ignored the error so we return success */
|
||||
return 1;
|
||||
}
|
||||
if (ret == X509_PCY_TREE_FAILURE) {
|
||||
@@ -3413,7 +3421,7 @@ static int check_curve(X509 *cert)
|
||||
ret = EVP_PKEY_get_int_param(pkey,
|
||||
OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
|
||||
&val);
|
||||
return ret < 0 ? ret : !val;
|
||||
return ret == 1 ? !val : -1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
Reference in New Issue
Block a user