openssl: Fix CVE-2023-0464

Fix CVE-2023-0464 for openssl A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service(DoS) attack on affected systems. Link: https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b (From OE-Core rev: 0c50550e2c8fca3263776c2bb985a8c58b920b99) Signed-off-by: Nikhil R <nikhil.r@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Nikhil R <nikhil.r@kpit.com> 2023-04-26 13:17:21 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-03 04:09:42 -1000
commit: acd638685c5a8d6ceca0592d50dd7891baf0eaff (patch)
tree: 1d11be3516d0dda2c140a7db35d61bdd98bab755
parent: a4f1c6baa3258935087c8da04364720a47f5036f (diff)
download: poky-acd638685c5a8d6ceca0592d50dd7891baf0eaff.tar.gz
2 files changed, 227 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
new file mode 100644
index 0000000000..cce5bad9f0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
@@ -0,0 +1,226 @@
+From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH] x509: excessive resource use verifying policy constraints
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+Fixes CVE-2023-0464
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/20569)
+CVE: CVE-2023-0464
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b]
+Signed-off-by: Nikhil R <nikhil.r@kpit.com>
+---
+ crypto/x509v3/pcy_local.h |  8 +++++++-
+ crypto/x509v3/pcy_node.c  | 12 +++++++++---
+ crypto/x509v3/pcy_tree.c  | 37 +++++++++++++++++++++++++++----------
+ 3 files changed, 43 insertions(+), 14 deletions(-)
+diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
+index 5daf78de45..344aa06765 100644
+--- a/crypto/x509v3/pcy_local.h
+++ b/crypto/x509v3/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
+    /* The number of nodes in the tree */
+    size_t node_count;
+    /* The maximum number of nodes in the tree */
+    size_t node_maximum;
+
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree);
+                                 X509_POLICY_TREE *tree,
+                                 int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index e2d7b15322..d574fb9d66 100644
+--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree)
+                                 X509_POLICY_TREE *tree,
+                                 int extra_data)
+ {
+     X509_POLICY_NODE *node;
+ 
+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
+        return NULL;
+
+     node = OPENSSL_zalloc(sizeof(*node));
+     if (node == NULL) {
+         X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+     }
+     node->data = data;
+     node->parent = parent;
+-    if (level) {
+    if (level != NULL) {
+         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+             if (level->anyPolicy)
+                 goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
+    if (extra_data) {
+         if (tree->extra_data == NULL)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6e8322cbc5..6c7fd35405 100644
+--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
+@@ -13,6 +13,18 @@
+ 
+ #include "pcy_local.h"
+ 
+/*
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
+ * a generous default of 1000 nodes.
+ *
+ * Defining this to be zero means unlimited policy tree growth which opens the
+ * door on CVE-2023-0464.
+ */
+
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
+#endif
+
+ /*
+  * Enable this to print out the complete policy tree at various point during
+  * evaluation.
+@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+         return X509_PCY_TREE_INTERNAL;
+     }
+ 
+    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
+
+     /*
+      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+      *
+@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     level = tree->levels;
+     if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+         goto bad_tree;
+-    if (level_add_node(level, data, NULL, tree) == NULL) {
+    if (level_add_node(level, data, NULL, tree, 1) == NULL) {
+         policy_data_free(data);
+         goto bad_tree;
+     }
+@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+  * Return value: 1 on success, 0 otherwise
+  */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    X509_POLICY_DATA *data)
+                                    X509_POLICY_DATA *data,
+                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     int i, matched = 0;
+@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ 
+         if (policy_node_match(last, node, data->valid_policy)) {
+-            if (level_add_node(curr, data, node, NULL) == NULL)
+            if (level_add_node(curr, data, node, tree, 0) == NULL)
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
+        if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+             return 0;
+     }
+     return 1;
+@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  * Return value: 1 on success, 0 otherwise.
+  */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
+                           const X509_POLICY_CACHE *cache,
+                           X509_POLICY_TREE *tree)
+ {
+     int i;
+ 
+@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+ 
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
+        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (level_add_node(curr, data, node, tree) == NULL) {
+    if (level_add_node(curr, data, node, tree, 1) == NULL) {
+         policy_data_free(data);
+         return 0;
+     }
+@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     }
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy &&
+-        level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
+        level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
+         return 0;
+     return 1;
+ }
+@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->qualifier_set = anyPolicy->data->qualifier_set;
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+-            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
+            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
+        if (!tree_link_nodes(curr, cache, tree))
+             return X509_PCY_TREE_INTERNAL;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
index a1956ad8c2..94cb458508 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://afalg.patch \
           file://reproducible.patch \
           file://reproducibility.patch \
+           file://CVE-2023-0464.patch \
           "
 SRC_URI_append_class-nativesdk = " \
author	Nikhil R <nikhil.r@kpit.com>	2023-04-26 13:17:21 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-03 04:09:42 -1000
commit	acd638685c5a8d6ceca0592d50dd7891baf0eaff (patch)
tree	1d11be3516d0dda2c140a7db35d61bdd98bab755
parent	a4f1c6baa3258935087c8da04364720a47f5036f (diff)
download	poky-acd638685c5a8d6ceca0592d50dd7891baf0eaff.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 0000000000..cce5bad9f0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
@@ -0,0 +1,226 @@
		1	From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
		2	From: Pauli <pauli@openssl.org>
		3	Date: Wed, 8 Mar 2023 15:28:20 +1100
		4	Subject: [PATCH] x509: excessive resource use verifying policy constraints
		5
		6	A security vulnerability has been identified in all supported versions
		7	of OpenSSL related to the verification of X.509 certificate chains
		8	that include policy constraints. Attackers may be able to exploit this
		9	vulnerability by creating a malicious certificate chain that triggers
		10	exponential use of computational resources, leading to a denial-of-service
		11	(DoS) attack on affected systems.
		12
		13	Fixes CVE-2023-0464
		14
		15	Reviewed-by: Tomas Mraz <tomas@openssl.org>
		16	Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
		17	(Merged from https://github.com/openssl/openssl/pull/20569)
		18
		19	CVE: CVE-2023-0464
		20	Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b]
		21	Signed-off-by: Nikhil R <nikhil.r@kpit.com>
		22
		23	---
		24	crypto/x509v3/pcy_local.h \| 8 +++++++-
		25	crypto/x509v3/pcy_node.c \| 12 +++++++++---
		26	crypto/x509v3/pcy_tree.c \| 37 +++++++++++++++++++++++++++----------
		27	3 files changed, 43 insertions(+), 14 deletions(-)
		28
		29	diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
		30	index 5daf78de45..344aa06765 100644
		31	--- a/crypto/x509v3/pcy_local.h
		32	+++ b/crypto/x509v3/pcy_local.h
		33	@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
		34	};
		35
		36	struct X509_POLICY_TREE_st {
		37	+ /* The number of nodes in the tree */
		38	+ size_t node_count;
		39	+ /* The maximum number of nodes in the tree */
		40	+ size_t node_maximum;
		41	+
		42	/* This is the tree 'level' data */
		43	X509_POLICY_LEVEL *levels;
		44	int nlevel;
		45	@@ -159,7 +164,8 @@ X509_POLICY_NODE tree_find_sk(STACK_OF(X509_POLICY_NODE) sk,
		46	X509_POLICY_NODE level_add_node(X509_POLICY_LEVEL level,
		47	X509_POLICY_DATA *data,
		48	X509_POLICY_NODE *parent,
		49	- X509_POLICY_TREE *tree);
		50	+ X509_POLICY_TREE *tree,
		51	+ int extra_data);
		52	void policy_node_free(X509_POLICY_NODE *node);
		53	int policy_node_match(const X509_POLICY_LEVEL *lvl,
		54	const X509_POLICY_NODE node, const ASN1_OBJECT oid);
		55	diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
		56	index e2d7b15322..d574fb9d66 100644
		57	--- a/crypto/x509v3/pcy_node.c
		58	+++ b/crypto/x509v3/pcy_node.c
		59	@@ -59,10 +59,15 @@ X509_POLICY_NODE level_find_node(const X509_POLICY_LEVEL level,
		60	X509_POLICY_NODE level_add_node(X509_POLICY_LEVEL level,
		61	X509_POLICY_DATA *data,
		62	X509_POLICY_NODE *parent,
		63	- X509_POLICY_TREE *tree)
		64	+ X509_POLICY_TREE *tree,
		65	+ int extra_data)
		66	{
		67	X509_POLICY_NODE *node;
		68
		69	+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
		70	+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
		71	+ return NULL;
		72	+
		73	node = OPENSSL_zalloc(sizeof(*node));
		74	if (node == NULL) {
		75	X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
		76	@@ -70,7 +75,7 @@ X509_POLICY_NODE level_add_node(X509_POLICY_LEVEL level,
		77	}
		78	node->data = data;
		79	node->parent = parent;
		80	- if (level) {
		81	+ if (level != NULL) {
		82	if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
		83	if (level->anyPolicy)
		84	goto node_error;
		85	@@ -90,7 +95,7 @@ X509_POLICY_NODE level_add_node(X509_POLICY_LEVEL level,
		86	}
		87	}
		88
		89	- if (tree) {
		90	+ if (extra_data) {
		91	if (tree->extra_data == NULL)
		92	tree->extra_data = sk_X509_POLICY_DATA_new_null();
		93	if (tree->extra_data == NULL){
		94	@@ -103,6 +108,7 @@ X509_POLICY_NODE level_add_node(X509_POLICY_LEVEL level,
		95	}
		96	}
		97
		98	+ tree->node_count++;
		99	if (parent)
		100	parent->nchild++;
		101
		102	diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
		103	index 6e8322cbc5..6c7fd35405 100644
		104	--- a/crypto/x509v3/pcy_tree.c
		105	+++ b/crypto/x509v3/pcy_tree.c
		106	@@ -13,6 +13,18 @@
		107
		108	#include "pcy_local.h"
		109
		110	+/*
		111	+ * If the maximum number of nodes in the policy tree isn't defined, set it to
		112	+ * a generous default of 1000 nodes.
		113	+ *
		114	+ * Defining this to be zero means unlimited policy tree growth which opens the
		115	+ * door on CVE-2023-0464.
		116	+ */
		117	+
		118	+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
		119	+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
		120	+#endif
		121	+
		122	/*
		123	* Enable this to print out the complete policy tree at various point during
		124	* evaluation.
		125	@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE *ptree, STACK_OF(X509) certs,
		126	return X509_PCY_TREE_INTERNAL;
		127	}
		128
		129	+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
		130	+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
		131	+
		132	/*
		133	* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
		134	*
		135	@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE *ptree, STACK_OF(X509) certs,
		136	level = tree->levels;
		137	if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
		138	goto bad_tree;
		139	- if (level_add_node(level, data, NULL, tree) == NULL) {
		140	+ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
		141	policy_data_free(data);
		142	goto bad_tree;
		143	}
		144	@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE *ptree, STACK_OF(X509) certs,
		145	* Return value: 1 on success, 0 otherwise
		146	*/
		147	static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
		148	- X509_POLICY_DATA *data)
		149	+ X509_POLICY_DATA *data,
		150	+ X509_POLICY_TREE *tree)
		151	{
		152	X509_POLICY_LEVEL *last = curr - 1;
		153	int i, matched = 0;
		154	@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
		155	X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
		156
		157	if (policy_node_match(last, node, data->valid_policy)) {
		158	- if (level_add_node(curr, data, node, NULL) == NULL)
		159	+ if (level_add_node(curr, data, node, tree, 0) == NULL)
		160	return 0;
		161	matched = 1;
		162	}
		163	}
		164	if (!matched && last->anyPolicy) {
		165	- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
		166	+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
		167	return 0;
		168	}
		169	return 1;
		170	@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
		171	* Return value: 1 on success, 0 otherwise.
		172	*/
		173	static int tree_link_nodes(X509_POLICY_LEVEL *curr,
		174	- const X509_POLICY_CACHE *cache)
		175	+ const X509_POLICY_CACHE *cache,
		176	+ X509_POLICY_TREE *tree)
		177	{
		178	int i;
		179
		180	@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
		181	X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
		182
		183	/* Look for matching nodes in previous level */
		184	- if (!tree_link_matching_nodes(curr, data))
		185	+ if (!tree_link_matching_nodes(curr, data, tree))
		186	return 0;
		187	}
		188	return 1;
		189	@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
		190	/* Curr may not have anyPolicy */
		191	data->qualifier_set = cache->anyPolicy->qualifier_set;
		192	data->flags \|= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
		193	- if (level_add_node(curr, data, node, tree) == NULL) {
		194	+ if (level_add_node(curr, data, node, tree, 1) == NULL) {
		195	policy_data_free(data);
		196	return 0;
		197	}
		198	@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
		199	}
		200	/* Finally add link to anyPolicy */
		201	if (last->anyPolicy &&
		202	- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
		203	+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
		204	return 0;
		205	return 1;
		206	}
		207	@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
		208	extra->qualifier_set = anyPolicy->data->qualifier_set;
		209	extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
		210	\| POLICY_DATA_FLAG_EXTRA_NODE;
		211	- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
		212	+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
		213	}
		214	if (!tree->user_policies) {
		215	tree->user_policies = sk_X509_POLICY_NODE_new_null();
		216	@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
		217
		218	for (i = 1; i < tree->nlevel; i++, curr++) {
		219	cache = policy_cache_set(curr->cert);
		220	- if (!tree_link_nodes(curr, cache))
		221	+ if (!tree_link_nodes(curr, cache, tree))
		222	return X509_PCY_TREE_INTERNAL;
		223
		224	if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
		225	--
		226	2.34.1


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index a1956ad8c2..94cb458508 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
18	file://afalg.patch \	18	file://afalg.patch \
19	file://reproducible.patch \	19	file://reproducible.patch \
20	file://reproducibility.patch \	20	file://reproducibility.patch \
		21	file://CVE-2023-0464.patch \
21	"	22	"
22		23
23	SRC_URI_append_class-nativesdk = " \	24	SRC_URI_append_class-nativesdk = " \