Add missing check to X509_CRL_verify() - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	tb <>	2025-07-10 18:48:31 +0000
committer	tb <>	2025-07-10 18:48:31 +0000
commit	03d9063618b2994c381512cccdf03470f7b08be4 (patch)
tree	bdff3d12cb9ca4d9a49cd6c8539e338a3efe28e8 /src/lib/libc/stdlib/rand.c
parent	aff293dbd9cfabda512ac59dac94bc93acbffc74 (diff)
download	openbsd-03d9063618b2994c381512cccdf03470f7b08be4.tar.gz openbsd-03d9063618b2994c381512cccdf03470f7b08be4.tar.bz2 openbsd-03d9063618b2994c381512cccdf03470f7b08be4.zip

Add missing check to X509_CRL_verify()

When fixing CVE-2014-8275 in commit 684400ce, Henson added a check that the AlgorithmIdentifier in the certificate's signature matches the one in the tbsCertificate. A corresponding check for CRLs was missed. BoringSSL added such a check in 2022, so this should be fine for us to do as well even though OpenSSL still doesn't have it. The only caller will set an error on the stack, so we don't do it here. There's no obvious check that X509_REQ_verify() could do. ok beck kenjiro

Diffstat (limited to 'src/lib/libc/stdlib/rand.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: