/[smecontribs]/rpms/openssl3/contribs10/0101-CVE-2022-4203-nc-match.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0101-CVE-2022-4203-nc-match.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:50 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001
2     From: Viktor Dukhovni <openssl-users@dukhovni.org>
3     Date: Tue, 13 Dec 2022 08:49:13 +0100
4     Subject: [PATCH 01/18] Fix type confusion in nc_match_single()
5    
6     This function assumes that if the "gen" is an OtherName, then the "base"
7     is a rfc822Name constraint. This assumption is not true in all cases.
8     If the end-entity certificate contains an OtherName SAN of any type besides
9     SmtpUtf8Mailbox and the CA certificate contains a name constraint of
10     OtherName (of any type), then "nc_email_eai" will be invoked, with the
11     OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
12    
13     Reported by Corey Bonnell from Digicert.
14    
15     CVE-2022-4203
16    
17     Reviewed-by: Paul Dale <pauli@openssl.org>
18     Reviewed-by: Hugo Landau <hlandau@openssl.org>
19     Reviewed-by: Tomas Mraz <tomas@openssl.org>
20     ---
21     crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++-------------
22     1 file changed, 31 insertions(+), 14 deletions(-)
23    
24     diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
25     index 70a7e8304e..5101598512 100644
26     --- a/crypto/x509/v3_ncons.c
27     +++ b/crypto/x509/v3_ncons.c
28     @@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
29     static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
30    
31     static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
32     -static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
33     +static int nc_match_single(int effective_type, GENERAL_NAME *sub,
34     + GENERAL_NAME *gen);
35     static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
36     static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
37     static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
38     @@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
39     {
40     GENERAL_SUBTREE *sub;
41     int i, r, match = 0;
42     + int effective_type = gen->type;
43     +
44     /*
45     * We need to compare not gen->type field but an "effective" type because
46     * the otherName field may contain EAI email address treated specially
47     * according to RFC 8398, section 6
48     */
49     - int effective_type = ((gen->type == GEN_OTHERNAME) &&
50     - (OBJ_obj2nid(gen->d.otherName->type_id) ==
51     - NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type;
52     + if (effective_type == GEN_OTHERNAME &&
53     + (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) {
54     + effective_type = GEN_EMAIL;
55     + }
56    
57     /*
58     * Permitted subtrees: if any subtrees exist of matching the type at
59     @@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
60    
61     for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
62     sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
63     - if (effective_type != sub->base->type)
64     + if (effective_type != sub->base->type
65     + || (effective_type == GEN_OTHERNAME &&
66     + OBJ_cmp(gen->d.otherName->type_id,
67     + sub->base->d.otherName->type_id) != 0))
68     continue;
69     if (!nc_minmax_valid(sub))
70     return X509_V_ERR_SUBTREE_MINMAX;
71     @@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
72     continue;
73     if (match == 0)
74     match = 1;
75     - r = nc_match_single(gen, sub->base);
76     + r = nc_match_single(effective_type, gen, sub->base);
77     if (r == X509_V_OK)
78     match = 2;
79     else if (r != X509_V_ERR_PERMITTED_VIOLATION)
80     @@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
81    
82     for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
83     sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
84     - if (effective_type != sub->base->type)
85     + if (effective_type != sub->base->type
86     + || (effective_type == GEN_OTHERNAME &&
87     + OBJ_cmp(gen->d.otherName->type_id,
88     + sub->base->d.otherName->type_id) != 0))
89     continue;
90     if (!nc_minmax_valid(sub))
91     return X509_V_ERR_SUBTREE_MINMAX;
92    
93     - r = nc_match_single(gen, sub->base);
94     + r = nc_match_single(effective_type, gen, sub->base);
95     if (r == X509_V_OK)
96     return X509_V_ERR_EXCLUDED_VIOLATION;
97     else if (r != X509_V_ERR_PERMITTED_VIOLATION)
98     @@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
99    
100     }
101    
102     -static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
103     +static int nc_match_single(int effective_type, GENERAL_NAME *gen,
104     + GENERAL_NAME *base)
105     {
106     switch (gen->type) {
107     case GEN_OTHERNAME:
108     - /*
109     - * We are here only when we have SmtpUTF8 name,
110     - * so we match the value of othername with base->d.rfc822Name
111     - */
112     - return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
113     + switch (effective_type) {
114     + case GEN_EMAIL:
115     + /*
116     + * We are here only when we have SmtpUTF8 name,
117     + * so we match the value of othername with base->d.rfc822Name
118     + */
119     + return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
120     +
121     + default:
122     + return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
123     + }
124    
125     case GEN_DIRNAME:
126     return nc_dn(gen->d.directoryName, base->d.directoryName);
127     --
128     2.39.1
129    
130     From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001
131     From: Tomas Mraz <tomas@openssl.org>
132     Date: Tue, 13 Dec 2022 19:45:09 +0100
133     Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion
134    
135     Reviewed-by: Paul Dale <pauli@openssl.org>
136     Reviewed-by: Hugo Landau <hlandau@openssl.org>
137     ---
138     test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++
139     test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++
140     test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++
141     test/certs/setup.sh | 11 +++++++++++
142     test/recipes/25-test_verify.t | 5 ++++-
143     5 files changed, 83 insertions(+), 1 deletion(-)
144     create mode 100644 test/certs/bad-othername-cert.pem
145     create mode 100644 test/certs/nccaothername-cert.pem
146     create mode 100644 test/certs/nccaothername-key.pem
147    
148     diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem
149     new file mode 100644
150     index 0000000000..cf279de5ea
151     --- /dev/null
152     +++ b/test/certs/bad-othername-cert.pem
153     @@ -0,0 +1,20 @@
154     +-----BEGIN CERTIFICATE-----
155     +MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
156     +IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx
157     +NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm
158     +aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt
159     +JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2
160     +kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5
161     +Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S
162     +Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b
163     +75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7
164     +6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf
165     +BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud
166     +EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB
167     +CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru
168     +t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr
169     +NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq
170     +enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O
171     +vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka
172     +1AR5KN8h5SYKltSXknjs0pp1w4k49aHl
173     +-----END CERTIFICATE-----
174     diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem
175     new file mode 100644
176     index 0000000000..f9b9b07b80
177     --- /dev/null
178     +++ b/test/certs/nccaothername-cert.pem
179     @@ -0,0 +1,20 @@
180     +-----BEGIN CERTIFICATE-----
181     +MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
182     +IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD
183     +DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
184     +AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN
185     +vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H
186     +d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh
187     +IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA
188     +mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB
189     +gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD
190     +AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw
191     +HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g
192     +HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB
193     +AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4
194     +hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu
195     +dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR
196     +2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y
197     +OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx
198     +LKQu2Aw2+bOEZ2vUtz0dBhX8
199     +-----END CERTIFICATE-----
200     diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem
201     new file mode 100644
202     index 0000000000..d3e300ac2f
203     --- /dev/null
204     +++ b/test/certs/nccaothername-key.pem
205     @@ -0,0 +1,28 @@
206     +-----BEGIN PRIVATE KEY-----
207     +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp
208     +w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV
209     +3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo
210     +bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls
211     +k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p
212     +2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF//
213     +RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR
214     +B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF
215     +dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy
216     +2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw
217     +gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq
218     +uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV
219     +zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7
220     +eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+
221     +JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP
222     +3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX
223     +8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t
224     +62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2
225     +EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo
226     +1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc
227     +RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi
228     +ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf
229     ++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2
230     +ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J
231     +QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW
232     +5FtOCFEmwQHTR8lu4c63qfxkEQ==
233     +-----END PRIVATE KEY-----
234     diff --git a/test/certs/setup.sh b/test/certs/setup.sh
235     index b9766aab20..2240cd9df0 100755
236     --- a/test/certs/setup.sh
237     +++ b/test/certs/setup.sh
238     @@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
239     "email.1 = good@good.org" "email.2 = any@good.com" \
240     "IP = 127.0.0.1" "IP = 192.168.0.1"
241    
242     +# Certs for CVE-2022-4203 testcase
243     +
244     +NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
245     + "Test NC CA othername" nccaothername-key nccaothername-cert \
246     + root-key root-cert
247     +
248     +./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
249     + ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
250     + nccaothername-key nccaothername-cert \
251     + "otherName.1 = SRVName;UTF8STRING:foo@example.org"
252     +
253     # RSA-PSS signatures
254     # SHA1
255     ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
256     diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
257     index 4613489f57..e6a2bca731 100644
258     --- a/test/recipes/25-test_verify.t
259     +++ b/test/recipes/25-test_verify.t
260     @@ -29,7 +29,7 @@ sub verify {
261     run(app([@args]));
262     }
263    
264     -plan tests => 162;
265     +plan tests => 163;
266    
267     # Canonical success
268     ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
269     @@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
270     ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
271     "Name constraints nested DNS name excluded");
272    
273     +ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
274     + "CVE-2022-4203 type confusion test");
275     +
276     #Check that we get the expected failure return code
277     with({ exit_checker => sub { return shift == 2; } },
278     sub {
279     --
280     2.39.1
281    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed