[openssl-dev] FW: AlgorithmIdentifier validation issue and PATCH openssl 1.0.1k 1.0.1l 1.0.2

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Wed Feb 4 17:09:01 UTC 2015 

On 1/29/15, 16:20 , "Blumenthal, Uri - 0558 - MITLL" <uri at ll.mit.edu>
wrote:

>Certificates that are semantically correct but encoded by “obtuse” CA
>(Apple in particular) fail to validate because they encode
>AlgorithmIdentifier in two legal but slightly different ways.
>
>Until 1.0.1k OpenSSL code did not bother to check whether signature
>algorithm that is present in two places is the same. The check introduced
>in 1.0.1k breaks valid certificates that use “absent” for parameter list
>rather than encoding it as ASN.1 NULL.
>
>Leaving alone whether it is legal (it appears so from the relevant RFCs)
>or smart (it probably isn’t, but I can’t make Apple to change their
>software) to do so, here’s a patch (submitted through RT as well) that
>addresses this issue. It also fixes the problem when two
>AlgorithmIdentifier objects fail to compare if both have parameter list
>“absent”. This patch applies to (work with) versions 1.0.1k, 1.0.1l and
>1.0.2.
>Referred to in http://rt.openssl.org/Ticket/Display.html?id=3665
>
>Thanks!
>
>
>--- crypto/asn1/a_type.c.~1~ 2015-01-15 09:43:14.000000000 -0500
>+++ crypto/asn1/a_type.c 2015-01-20 22:57:48.000000000 -0500
>@@ -117,6 +117,8 @@
>{
>int result = -1;
>
>+ if (!a && !b) return 0; /* both null-pointers => both absent/equal */
>+
>if (!a || !b || a->type != b->type) return -1;
>
>switch (a->type)
>--- crypto/asn1/x_algor.c.~1~ 2015-01-15 09:43:14.000000000 -0500
>+++ crypto/asn1/x_algor.c 2015-01-20 23:00:54.000000000 -0500
>@@ -151,5 +151,12 @@
>return rv;
>if (!a->parameter && !b->parameter)
>return 0;
>+ if ((!a->parameter && b->parameter
>+ && b->parameter->type == V_ASN1_NULL)
>+ ||
>+ (!b->parameter && a->parameter
>+ && a->parameter->type == V_ASN1_NULL)
>+ )
>+ return 0;
>return ASN1_TYPE_cmp(a->parameter, b->parameter);
>}
>
>
>-- 
>Regards,
>Uri Blumenthal                               Voice: (781) 981-1638

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-null-absent.diff
Type: application/octet-stream
Size: 783 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150204/bd0b34b8/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150204/bd0b34b8/attachment-0001.bin>

More information about the openssl-dev mailing list