!99 release3.1分支修复CVE漏洞CVE-2023-0465 CVE-2023-0466

Merge pull request !99 from wanghao-free/OpenHarmony-3.1-Release

!99 release3.1分支修复CVE漏洞CVE-2023-0465 CVE-2023-0466
Merge pull request !99 from wanghao-free/OpenHarmony-3.1-Release
5c81cb12 · openharmony_ci · Gitee · 64a3d5e7 · e47fa4a3 · 5c81cb12
隐藏空白更改
内联并排

Showing with 22 addition and 4 deletion

CHANGES CHANGES +5 -0

NEWS NEWS +1 -0

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +9 -2

doc/man3/X509_VERIFY_PARAM_set_flags.pod doc/man3/X509_VERIFY_PARAM_set_flags.pod +7 -2

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
 Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
+  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+     that it does not enable policy checking. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0466)
+     [Tomas Mraz]
  *) Fixed a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This

--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
+      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
  Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
    }
    /* Invalid or inconsistent extensions */
    if (ret == X509_PCY_TREE_INVALID) {
-        int i;
+        int i, cbcalled = 0;
        /* Locate certificates with bad extensions and notify callback. */
-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
            X509 *x = sk_X509_value(ctx->chain, i);
            if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
                continue;
+            cbcalled = 1;
            if (!verify_cb_cert(ctx, x, i,
                                X509_V_ERR_INVALID_POLICY_EXTENSION))
                return 0;
        }
+        if (!cbcalled) {
+            /* Should not be able to get here */
+            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+        /* The callback ignored the error so we return success */
        return 1;
    }
    if (ret == X509_PCY_TREE_FAILURE) {

--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
 B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-by default) and adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
 by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -377,6 +378,10 @@ and has no effect.
 The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
 =head1 COPYRIGHT
 Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.