[openssl-dev] [openssl.org #3665] Bug report and a patch for OpenSSL 1.0.1l (and 1.0.1k)
Stephen Henson via RT
rt at openssl.org
Sun Jan 18 16:29:16 UTC 2015
On Sun Jan 18 12:58:26 2015, uri at mit.edu wrote:
>
> Probable cause: certificate decoder either fails to encode ASN.1 NULL
> for "signature algorithm parameters” when it should, or encodes an
> explicit ASN.1 NULL when it shouldn’t. As a result, the comparison
> code ASN1_TYPE_cmp in crypto/asn1/a_type.c is presented with a case
> when one argument is empty (a null pointer), and the other one is
> of type ASN.1 NULL (0x5). In result, the comparison fails when it
> actually should return OK (0).
>
In the example you gave the signature and signatureAlgorithm fields in the
certificate don't match. OpenSSL tolerated this before but the fix for
CVE-2014-8275 now rejects this case.
How did you generate this certificate? Do you have any pubic CA examples which
do this?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-dev
mailing list