[openssl-dev] [openssl.org #3665] Bug report and a patch for OpenSSL 1.0.1l (and 1.0.1k)

Uri Blumenthal via RT rt at openssl.org
Mon Jan 19 03:49:28 UTC 2015 

I think it is not a regression, because the reported problem existed for as long as crypto/asn1/a_type.c has been around in its current shape. This commit in the 1.0.1k patch manifested (exposed) this problem, possibly for the first time.

Yes I think Kurt is perfectly correct pointing at the commit a8565530e27718760220df469f0a071c85b9e731.  But the problem is not in this commit, and it wouldn’t be good to revert it, I think. And IMHO X509_ALGOR_cmp() is implemented correctly. The problem is in the old ASN1_TYPE_cmp(), which I’m proposing a fix to.

Does the consensus on the list agree with my statement of the problem, and the proposed fix? I hope we all agree that semantically parameter list presented as ASN.1 NULL is equivalent to an empty parameter list, and should be treated as such?

Thanks!

On Jan 18, 2015, at 11:16 , Kurt Roeckx <kurt at roeckx.be<mailto:kurt at roeckx.be>> wrote:

On Sun, Jan 18, 2015 at 04:08:38PM +0100, Daniel Kahn Gillmor via RT wrote:

this suggests that Uri is reporting a regression in 1.0.1k and 1.0.1l.
I haven't tested those version yet.

The change in behaviour seems to be this commit:
commit a8565530e27718760220df469f0a071c85b9e731
Author: Dr. Stephen Henson <steve at openssl.org<mailto:steve at openssl.org>>
Date:   Sat Dec 20 15:09:50 2014 +0000

   Fix various certificate fingerprint issues.
[...]
   2. Check certificate algorithm consistency.

   Check the AlgorithmIdentifier inside TBS matches the one in the
   certificate signature. NB: this will result in signature failure
   errors for some broken certificates.

[...]

(The order of the commits is wrong resulting in it not building
because of the missing X509_ALGOR_cmp that's added in the
next commit.)

The backtrace is:
#0  ASN1_TYPE_cmp (a=0x944240, b=0x0) at a_type.c:118
#1  0x0000000000524e4b in X509_ALGOR_cmp (a=0x9409a0, b=0x939d80) at x_algor.c:154
#2  0x00000000005484c7 in X509_verify (a=0x939a50, r=0x945360) at x_all.c:75
#3  0x00000000005433eb in internal_verify (ctx=0x939300) at x509_vfy.c:1637
#4  0x0000000000540d37 in X509_verify_cert (ctx=0x939300) at x509_vfy.c:367
#5  0x0000000000404328 in check (ctx=0x937f60, file=0x7fffffffee1c "/home/kurt/RabbitMQ_Test.pem", uchain=0x0, tchain=0x0, crls=0x0, e=0x0) at verify.c:294
#6  0x0000000000404065 in verify_main (argc=1, argv=0x7fffffffeba8) at verify.c:234
#7  0x000000000040304a in do_cmd (prog=0x9328d0, argc=4, argv=0x7fffffffeb90) at openssl.c:491
#8  0x0000000000402cd8 in main (Argc=4, Argv=0x7fffffffeb90) at openssl.c:382



Kurt


--
Uri Blumenthal
uri at mit.edu<mailto:uri at mit.edu>

More information about the openssl-dev mailing list