[openssl/openssl] 879f70: x509: excessive resource use verifying policy cons...

Pauli noreply at github.com
Wed Mar 22 00:44:27 UTC 2023 

  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.com/openssl/openssl
  Commit: 879f7080d7e141f415c79eaa3a8ac4a3dad0348b
      https://github.com/openssl/openssl/commit/879f7080d7e141f415c79eaa3a8ac4a3dad0348b
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-22 (Wed, 22 Mar 2023)

  Changed paths:
    M crypto/x509v3/pcy_local.h
    M crypto/x509v3/pcy_node.c
    M crypto/x509v3/pcy_tree.c

  Log Message:
  -----------
  x509: excessive resource use verifying policy constraints

A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Fixes CVE-2023-0464

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)


  Commit: b44a67c6132754adc256290d0267c1e82994ac94
      https://github.com/openssl/openssl/commit/b44a67c6132754adc256290d0267c1e82994ac94
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-22 (Wed, 22 Mar 2023)

  Changed paths:
    A test/recipes/80-test_policy_tree.t
    A test/recipes/80-test_policy_tree_data/large_leaf.pem
    A test/recipes/80-test_policy_tree_data/large_policy_tree.pem
    A test/recipes/80-test_policy_tree_data/small_leaf.pem
    A test/recipes/80-test_policy_tree_data/small_policy_tree.pem

  Log Message:
  -----------
  test: add test cases for the policy resource overuse

These trees have pathological properties with respect to building.  The small
tree stays within the imposed limit, the large tree doesn't.

The large tree would consume over 150Gb of RAM to process.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)


  Commit: fa425f20955c7948faed27f69ae4544f89c108ea
      https://github.com/openssl/openssl/commit/fa425f20955c7948faed27f69ae4544f89c108ea
  Author: Pauli <pauli at openssl.org>
  Date:   2023-03-22 (Wed, 22 Mar 2023)

  Changed paths:
    M CHANGES

  Log Message:
  -----------
  changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)


Compare: https://github.com/openssl/openssl/compare/969327390220...fa425f20955c

More information about the openssl-commits mailing list