!217 漏洞修复

From: @hzero1996 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite

backport-Add-a-Certificate-Policies-Test.patch

@@ -0,0 +1,49 @@
+From dda529ecc2d085488eef60235ef553dc5fd6e6dc Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 17:07:57 +0000
+Subject: [PATCH] Add a Certificate Policies Test
+
+Test that a valid certificate policy is accepted and that an invalid
+certificate policy is rejected. Specifically we are checking that a
+leaf certificate with an invalid policy is detected.
+
+Related-to: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20587)
+---
+ test/recipes/25-test_verify.t | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 2a4c36e86d..818c9ac50d 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -29,7 +29,7 @@ sub verify {
+     run(app([@args]));
+ }
+ 
+-plan tests => 164;
++plan tests => 166;
+ 
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -516,3 +516,14 @@ SKIP: {
+     ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])),
+        'Mixed key + cert file test');
+ }
++
++# Certificate Policies
++ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
++          "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
++          "-explicit_policy"),
++   "Certificate policy");
++
++ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
++           "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
++           "-explicit_policy"),
++   "Bad certificate policy");
+-- 
+2.36.1
+

backport-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch

@@ -0,0 +1,52 @@
+From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20587)
+---
+ crypto/x509/x509_vfy.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 9384f1da9b..a0282c3ef1 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
+         goto memerr;
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
++            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++                cbcalled = 1;
+             CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+                        ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
+-- 
+2.36.1
+

backport-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch

@@ -0,0 +1,46 @@
+From 51e8a84ce742db0f6c70510d0159dad8f7825908 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 21 Mar 2023 16:15:47 +0100
+Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
+
+The function was incorrectly documented as enabling policy checking.
+
+Fixes: CVE-2023-0466
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20563)
+---
+ doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index 75a1677022..43c1900bca 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -98,8 +98,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
+-- 
+2.36.1
+

backport-Generate-some-certificates-with-the-certificatePolic.patch

@@ -0,0 +1,146 @@
+From a4e726428608e352283d745cb0716248d29ecf26 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 15:22:40 +0000
+Subject: [PATCH] Generate some certificates with the certificatePolicies
+ extension
+
+Related-to: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20585)
+---
+ test/certs/ca-pol-cert.pem          | 19 +++++++++++++++++++
+ test/certs/ee-cert-policies-bad.pem | 20 ++++++++++++++++++++
+ test/certs/ee-cert-policies.pem     | 20 ++++++++++++++++++++
+ test/certs/mkcert.sh                |  9 +++++++--
+ test/certs/setup.sh                 |  6 ++++++
+ 5 files changed, 72 insertions(+), 2 deletions(-)
+ create mode 100644 test/certs/ca-pol-cert.pem
+ create mode 100644 test/certs/ee-cert-policies-bad.pem
+ create mode 100644 test/certs/ee-cert-policies.pem
+
+diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem
+new file mode 100644
+index 0000000000..244af3292b
+--- /dev/null
++++ b/test/certs/ca-pol-cert.pem
+@@ -0,0 +1,19 @@
++-----BEGIN CERTIFICATE-----
++MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
++IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD
++DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
++j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
++n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
++l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
++YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
++ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
++CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD
++VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE
++PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3
++DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7
++Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H
++unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ
++7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g
++DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C
++9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx
++-----END CERTIFICATE-----
+diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem
+new file mode 100644
+index 0000000000..0fcd6372b3
+--- /dev/null
++++ b/test/certs/ee-cert-policies-bad.pem
+@@ -0,0 +1,20 @@
++-----BEGIN CERTIFICATE-----
++MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
++Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy
++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
++iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
++bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G
++CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ
++P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs
++YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N
++XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa
++QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx
++wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF
++-----END CERTIFICATE-----
+diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem
+new file mode 100644
+index 0000000000..2f06d7433f
+--- /dev/null
++++ b/test/certs/ee-cert-policies.pem
+@@ -0,0 +1,20 @@
++-----BEGIN CERTIFICATE-----
++MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
++Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy
++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
++iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
++bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB
++AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D
++QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl
++CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa
++dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK
++NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk
++D3brBn24UISaFRZoB7jsjok=
++-----END CERTIFICATE-----
+diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
+index 88e8740037..5bba589358 100755
+--- a/test/certs/mkcert.sh
++++ b/test/certs/mkcert.sh
+@@ -119,11 +119,12 @@ genca() {
+     local OPTIND=1
+     local purpose=
+ 
+-    while getopts p: o
++    while getopts p:c: o
+     do
+         case $o in
+         p) purpose="$OPTARG";;
+-        *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
++        c) certpol="$OPTARG";;
++        *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
+            return 1;;
+         esac
+     done
+@@ -146,6 +147,10 @@ genca() {
+     if [ -n "$NC" ]; then
+         exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
+     fi
++    if [ -n "$certpol" ]; then
++        exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
++    fi
++
+     csr=$(req "$key" "CN = $cn") || return 1
+     echo "$csr" |
+         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+diff --git a/test/certs/setup.sh b/test/certs/setup.sh
+index 7cd7e78b5e..bd8d49337d 100755
+--- a/test/certs/setup.sh
++++ b/test/certs/setup.sh
+@@ -465,3 +465,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
+ 
+ # critical id-pkix-ocsp-no-check extension
+ ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
++
++# certificatePolicies extension
++./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
++./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
++# We can create a cert with a duplicate policy oid - but its actually invalid!
++./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
+-- 
+2.36.1
+

openssl.spec

@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     3.0.8
-Release:     4
+Release:     5
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@@ -25,6 +25,10 @@ Patch13:     Backport-SM4-AESE-optimization-for-ARMv8.patch
 Patch14:     Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch
 Patch15:     Backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch
 Patch16:     Backport-test-add-test-cases-for-the-policy-resource-overuse.patch
+Patch17:     backport-Add-a-Certificate-Policies-Test.patch
+Patch18:     backport-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
+Patch19:     backport-Generate-some-certificates-with-the-certificatePolic.patch
+Patch20:     backport-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch
 
 BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -225,6 +229,9 @@ make test || :
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Apr 4 2023 wangcheng <wangcheng156@huawei.com> - 1:3.0.8-5
+- fix some CVEs
+
 * Mon Mar 27 2023 xuraoqing <xuraoqing@huawei.com> - 1:3.0.8-4
 - fix CVE-2023-0464 and add test cases