RUSTSEC-2021-0129

Source
https://rustsec.org/advisories/RUSTSEC-2021-0129
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0129.json
JSON Data
https://api.test.osv.dev/v1/vulns/RUSTSEC-2021-0129
Aliases
Published
2021-12-14T12:00:00Z
Modified
2023-12-06T00:46:30.116676Z
Summary
Invalid handling of `X509_verify_cert()` internal errors in libssl
Details

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains.

References

Affected packages

crates.io / openssl-src

Package

Affected ranges

Type
SEMVER
Events
Introduced
300.0.0
Fixed
300.0.4

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}