[openssl-dev] [openssl.org #3665] Bug report and a patch for OpenSSL 1.0.1l (and 1.0.1k)

Kurt Roeckx via RT rt at openssl.org
Sun Jan 18 16:21:56 UTC 2015


On Sun, Jan 18, 2015 at 04:08:38PM +0100, Daniel Kahn Gillmor via RT wrote:
> 
> this suggests that Uri is reporting a regression in 1.0.1k and 1.0.1l.
> I haven't tested those versions yet.

The change in behaviour seems to be this commit:
commit a8565530e27718760220df469f0a071c85b9e731
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Dec 20 15:09:50 2014 +0000

    Fix various certificate fingerprint issues.
[...]
    2. Check certificate algorithm consistency.

    Check the AlgorithmIdentifier inside TBS matches the one in the
    certificate signature. NB: this will result in signature failure
    errors for some broken certificates.

[...]

(The order of the commits is wrong resulting in it not building
because of the missing X509_ALGOR_cmp that's added in the
next commit.)

The backtrace is:
#0  ASN1_TYPE_cmp (a=0x944240, b=0x0) at a_type.c:118
#1  0x0000000000524e4b in X509_ALGOR_cmp (a=0x9409a0, b=0x939d80) at x_algor.c:154
#2  0x00000000005484c7 in X509_verify (a=0x939a50, r=0x945360) at x_all.c:75
#3  0x00000000005433eb in internal_verify (ctx=0x939300) at x509_vfy.c:1637
#4  0x0000000000540d37 in X509_verify_cert (ctx=0x939300) at x509_vfy.c:367
#5  0x0000000000404328 in check (ctx=0x937f60, file=0x7fffffffee1c "/home/kurt/RabbitMQ_Test.pem", uchain=0x0, tchain=0x0, crls=0x0, e=0x0) at verify.c:294
#6  0x0000000000404065 in verify_main (argc=1, argv=0x7fffffffeba8) at verify.c:234
#7  0x000000000040304a in do_cmd (prog=0x9328d0, argc=4, argv=0x7fffffffeb90) at openssl.c:491
#8  0x0000000000402cd8 in main (Argc=4, Argv=0x7fffffffeb90) at openssl.c:382

Kurt
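As an added illustration of the consistency check the commit describes (this is example code, not OpenSSL's own), the Python below pulls both AlgorithmIdentifiers out of a DER certificate and compares them in a way that treats an absent parameter as something to compare rather than a pointer to dereference, which is the situation the backtrace shows (ASN1_TYPE_cmp entered with b=0x0). The toy certificates are constructed and truncated to the fields the check needs, and comparing the parameter encodings byte for byte is an assumption of this example, not necessarily OpenSSL's exact semantics.

```python
from typing import Optional, Tuple

def der_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    # Decode one definite-length TLV at buf[off]; return (tag, value, offset after it).
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                  # long form: 0x8N, then N length bytes
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, buf[off + hdr:off + hdr + ln], off + hdr + ln

def parse_alg_id(der: bytes) -> Tuple[bytes, Optional[bytes]]:
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    # Returns (OID bytes, DER of parameters, or None when the field is absent).
    tag, body, _ = der_tlv(der, 0)
    oid_tag, oid, nxt = der_tlv(body, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return oid, (body[nxt:] if nxt < len(body) else None)

def alg_ids_from_cert(cert: bytes) -> Tuple[bytes, bytes]:
    # Return the DER of tbsCertificate.signature and of Certificate.signatureAlgorithm.
    _, cert_body, _ = der_tlv(cert, 0)             # Certificate SEQUENCE
    _, tbs, after_tbs = der_tlv(cert_body, 0)      # tbsCertificate
    _, _, sigalg_end = der_tlv(cert_body, after_tbs)
    outer = cert_body[after_tbs:sigalg_end]
    tag, _, after_ver = der_tlv(tbs, 0)            # optional [0] version
    off = after_ver if tag == 0xA0 else 0
    _, _, off = der_tlv(tbs, off)                  # serialNumber
    _, _, end = der_tlv(tbs, off)                  # signature AlgorithmIdentifier
    return tbs[off:end], outer

def alg_ids_consistent(cert: bytes) -> bool:
    # The commit's check, written so an absent parameter on either side is a mismatch, never a NULL dereference.
    (oid_in, p_in), (oid_out, p_out) = (parse_alg_id(a) for a in alg_ids_from_cert(cert))
    if oid_in != oid_out:
        return False
    if p_in is None or p_out is None:
        return p_in is None and p_out is None
    return p_in == p_out

def tlv(tag: int, value: bytes) -> bytes:          # short-form encoder for the toy certs
    return bytes([tag, len(value)]) + value
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")          # 1.2.840.113549.1.1.11
ALG_NULL_PARAM = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
ALG_NO_PARAM = tlv(0x30, tlv(0x06, OID_SHA256_RSA))

def toy_cert(inner: bytes, outer: bytes) -> bytes:
    # Constructed, truncated certificate: tbs holds only version, serial and signature.
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + inner)
    return tlv(0x30, tbs + outer + tlv(0x03, b"\x00"))
```

The mixed case, `toy_cert(ALG_NULL_PARAM, ALG_NO_PARAM)`, is the shape of input the backtrace points at: one side carries an explicit NULL parameter and the other carries none.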