On 1/29/15, 16:20, "Blumenthal, Uri - 0558 - MITLL" <[email protected]>
wrote:

>Certificates that are semantically correct but encoded by an “obtuse” CA
>(Apple in particular) fail to validate because they encode
>AlgorithmIdentifier in two legal but slightly different ways.
>
>Until 1.0.1k, OpenSSL code did not bother to check whether the signature
>algorithm that is present in two places is the same. The check introduced
>in 1.0.1k breaks valid certificates that use “absent” for the parameter list
>rather than encoding it as ASN.1 NULL.
>
>Leaving alone whether it is legal (it appears so from the relevant RFCs)
>or smart (it probably isn’t, but I can’t make Apple change their
>software) to do so, here’s a patch (submitted through RT as well) that
>addresses this issue. It also fixes the problem where two
>AlgorithmIdentifier objects fail to compare if both have the parameter list
>“absent”. This patch applies to (works with) versions 1.0.1k, 1.0.1l and
>1.0.2.
>Referred to in http://rt.openssl.org/Ticket/Display.html?id=3665
>
>Thanks!
>
>
>--- crypto/asn1/a_type.c.~1~ 2015-01-15 09:43:14.000000000 -0500
>+++ crypto/asn1/a_type.c 2015-01-20 22:57:48.000000000 -0500
>@@ -117,6 +117,8 @@
>{
>int result = -1;
>
>+ if (!a && !b) return 0; /* both null-pointers => both absent/equal */
>+
>if (!a || !b || a->type != b->type) return -1;
>
>switch (a->type)
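Review bot: the added `if (!a && !b) return 0;` changes the contract of ASN1_TYPE_cmp for every caller, not only X509_ALGOR_cmp, and it is redundant for the stated purpose, since the x_algor.c hunk already returns 0 when both `a->parameter` and `b->parameter` are absent before ASN1_TYPE_cmp is reached. Unless some other caller relies on two NULL pointers comparing equal, consider dropping this hunk, or at least documenting the new NULL/NULL semantics next to the function. The single-line `if (...) return 0;` form also differs from the surrounding code, which puts the statement on its own line.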
>--- crypto/asn1/x_algor.c.~1~ 2015-01-15 09:43:14.000000000 -0500
>+++ crypto/asn1/x_algor.c 2015-01-20 23:00:54.000000000 -0500
>@@ -151,5 +151,12 @@
>return rv;
>if (!a->parameter && !b->parameter)
>return 0;
>+ if ((!a->parameter && b->parameter
>+ && b->parameter->type == V_ASN1_NULL)
>+ ||
>+ (!b->parameter && a->parameter
>+ && a->parameter->type == V_ASN1_NULL)
>+ )
>+ return 0;
>return ASN1_TYPE_cmp(a->parameter, b->parameter);
>}
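Review bot: the new condition equates an absent parameter with an explicit ASN.1 NULL for every algorithm identifier, because nothing in the hunk looks at `a->algorithm`; the absent/NULL equivalence the mail relies on is a property of particular signature algorithms, so this widens X509_ALGOR_cmp beyond the Apple certificates it is meant to accept. Consider gating the equivalence on the algorithm OID, or adding a comment explaining why an unconditional rule is acceptable here. Style-wise, the lone `||` and `)` lines are hard to read; a small static helper along the lines of `param_absent_or_null(ASN1_TYPE *p)` would let the test read `if (param_absent_or_null(a->parameter) && param_absent_or_null(b->parameter)) return 0;` and also subsume the existing `!a->parameter && !b->parameter` check just above it.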
>
>
>-- 
>Regards,
>Uri Blumenthal                               Voice: (781) 981-1638

Attachment: patch-null-absent.diff
Description: Binary data


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev