Add missing check to X509_CRL_verify()

When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.

There's no obvious check that X509_REQ_verify() could do.

ok beck kenjiro

1 files changed, 7 insertions, 1 deletions

diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index f614884eec..19caf56cec 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.50 2025/07/10 18:48:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -540,6 +540,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+        /*
+         * The CertificateList's signature AlgorithmIdentifier must match
+         * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+         */
+        if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+                return 0;
         return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
             crl->crl, pkey);
 }