[openssl/openssl] 959c59: x509: excessive resource use verifying policy cons...
Pauli
noreply at github.com
Wed Mar 22 00:42:36 UTC 2023
Branch: refs/heads/openssl-3.0
Home: https://github.com/openssl/openssl
Commit: 959c59c7a0164117e7f8366466a32bb1f8d77ff1
https://github.com/openssl/openssl/commit/959c59c7a0164117e7f8366466a32bb1f8d77ff1
Author: Pauli <pauli at openssl.org>
Date: 2023-03-22 (Wed, 22 Mar 2023)
Changed paths:
M crypto/x509/pcy_local.h
M crypto/x509/pcy_node.c
M crypto/x509/pcy_tree.c
Log Message:
-----------
x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20568)
Commit: 2a35fdcd965d8afcf4c139447aef8d5985eb9048
https://github.com/openssl/openssl/commit/2a35fdcd965d8afcf4c139447aef8d5985eb9048
Author: Pauli <pauli at openssl.org>
Date: 2023-03-22 (Wed, 22 Mar 2023)
Changed paths:
A test/recipes/80-test_policy_tree.t
A test/recipes/80-test_policy_tree_data/large_leaf.pem
A test/recipes/80-test_policy_tree_data/large_policy_tree.pem
A test/recipes/80-test_policy_tree_data/small_leaf.pem
A test/recipes/80-test_policy_tree_data/small_policy_tree.pem
Log Message:
-----------
test: add test cases for the policy resource overuse
These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doesn't.
The large tree would consume over 150Gb of RAM to process.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20568)
Commit: f8fe66e3f13350b527da871183b727e0fb9632ca
https://github.com/openssl/openssl/commit/f8fe66e3f13350b527da871183b727e0fb9632ca
Author: Pauli <pauli at openssl.org>
Date: 2023-03-22 (Wed, 22 Mar 2023)
Changed paths:
M CHANGES.md
Log Message:
-----------
changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20568)
Compare: https://github.com/openssl/openssl/compare/c309c4dce742...f8fe66e3f133