OpenSSL 3.0.1 and 1.1.1m updates with a vulnerability fix

Corrective releases of the OpenSSL cryptographic library, 3.0.1 and 1.1.1m, are available. They fix a vulnerability (CVE-2021-4044) as well as about a dozen bugs.

The vulnerability is in the SSL/TLS client implementation: the libssl library incorrectly handles negative error codes returned by the X509_verify_cert() function, which is called to verify the certificate that the server sends to the client. Negative codes are returned on internal errors, for example when memory for a buffer cannot be allocated. When such an error occurs, a subsequent call to an I/O function such as SSL_connect() or SSL_do_handshake() fails and reports the error code SSL_ERROR_WANT_RETRY_VERIFY, which should only be returned if the application has previously called SSL_CTX_set_cert_verify_callback().

Since most applications do not call SSL_CTX_set_cert_verify_callback(), an SSL_ERROR_WANT_RETRY_VERIFY error may be misinterpreted and lead to a crash, an endless loop or other incorrect behaviour. The problem is most dangerous in combination with another bug in OpenSSL 3.0 that causes an internal error in X509_verify_cert() when processing certificates that lack a "Subject Alternative Name" extension but contain name constraints. In that case an attack can trigger application-dependent misbehaviour while certificates are processed and TLS sessions are established.
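The two paragraphs above describe a client that loops over SSL_connect()/SSL_do_handshake() and inspects SSL_get_error(). The following is an added example (not code from the OpenSSL project or from the original article) of the defensive policy such a client should apply: retry only on the codes that genuinely mean "call again", treat SSL_ERROR_WANT_RETRY_VERIFY as fatal unless the application really registered a verify callback, and bound the retry loop so an unexpected code cannot spin forever. The error-code constants are mirrored from OpenSSL 3.0's <openssl/ssl.h> so that the example builds without linking libssl; a real client would include that header instead and feed classify_handshake_error() the live result of SSL_get_error(). The error sequences in main() are constructed for illustration.

```c
#include <stdio.h>

/* Mirrored from OpenSSL 3.0 <openssl/ssl.h> so this builds stand-alone.
 * In a real program: #include <openssl/ssl.h> and drop these defines. */
#define SSL_ERROR_NONE                  0
#define SSL_ERROR_SSL                   1
#define SSL_ERROR_WANT_READ             2
#define SSL_ERROR_WANT_WRITE            3
#define SSL_ERROR_WANT_X509_LOOKUP      4
#define SSL_ERROR_SYSCALL               5
#define SSL_ERROR_ZERO_RETURN           6
#define SSL_ERROR_WANT_CONNECT          7
#define SSL_ERROR_WANT_ACCEPT           8
#define SSL_ERROR_WANT_ASYNC            9
#define SSL_ERROR_WANT_ASYNC_JOB       10
#define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
#define SSL_ERROR_WANT_RETRY_VERIFY    12

enum step_action { STEP_DONE = 0, STEP_RETRY = 1, STEP_FATAL = 2 };

/* Decide what the caller of SSL_connect()/SSL_do_handshake() should do with
 * the code obtained from SSL_get_error(). uses_verify_cb is non-zero only if
 * this application registered SSL_CTX_set_cert_verify_callback(); that is the
 * sole situation in which SSL_ERROR_WANT_RETRY_VERIFY is a legitimate,
 * retryable condition. */
enum step_action classify_handshake_error(int ssl_error, int uses_verify_cb)
{
    switch (ssl_error) {
    case SSL_ERROR_NONE:
        return STEP_DONE;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
    case SSL_ERROR_WANT_CONNECT:
    case SSL_ERROR_WANT_ACCEPT:
    case SSL_ERROR_WANT_ASYNC:
    case SSL_ERROR_WANT_ASYNC_JOB:
        /* Non-blocking or asynchronous I/O: call the handshake again later. */
        return STEP_RETRY;
    case SSL_ERROR_WANT_RETRY_VERIFY:
        /* Without a verify callback this code can only come from an internal
         * failure inside X509_verify_cert() (the CVE-2021-4044 case), so the
         * connection must be abandoned rather than retried. */
        return uses_verify_cb ? STEP_RETRY : STEP_FATAL;
    default:
        /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL, SSL_ERROR_ZERO_RETURN and anything
         * this code does not understand: fail closed. */
        return STEP_FATAL;
    }
}

/* Drive a handshake over a sequence of simulated SSL_get_error() results
 * (constructed input standing in for repeated SSL_do_handshake() calls).
 * max_steps bounds the loop so that a code that keeps asking for a retry
 * cannot hang the client. Returns 1 when the handshake completes, 0 when it
 * fails or the retry budget is exhausted. */
int run_handshake(const int *errors, int n, int uses_verify_cb, int max_steps)
{
    int i;
    for (i = 0; i < n && i < max_steps; i++) {
        enum step_action a = classify_handshake_error(errors[i], uses_verify_cb);
        if (a == STEP_DONE)
            return 1;
        if (a == STEP_FATAL)
            return 0;
        /* STEP_RETRY: in a real client, wait for socket readiness here. */
    }
    return 0; /* never completed within the budget */
}

int main(void)
{
    /* Constructed sequences: normal non-blocking handshake, the vulnerable
     * internal-error case without a callback, and the same with a callback. */
    const int ok[]    = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, SSL_ERROR_NONE };
    const int verr[]  = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_RETRY_VERIFY, SSL_ERROR_NONE };

    printf("plain handshake:            %d\n", run_handshake(ok, 3, 0, 16));
    printf("retry-verify, no callback:  %d\n", run_handshake(verr, 3, 0, 16));
    printf("retry-verify, with callback: %d\n", run_handshake(verr, 3, 1, 16));
    return 0;
}
```

The key line is the SSL_ERROR_WANT_RETRY_VERIFY case: an application that has not installed a certificate-verify callback has no legitimate reason to see that code, so treating it as fatal turns the library's mis-reported internal error into a clean connection failure instead of a crash or an endless retry loop.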

Media reports.