CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2025/07/10 12:48:31
Modified files:
lib/libcrypto/asn1: x_crl.c
Log message:
Add missing check to X509_CRL_verify()
When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.
There's no obvious check that X509_REQ_verify() could do.
ok beck kenjiro
