From 7271e56bc7f8882f1d22ce1a617330e4fd975593 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 10 Jul 2025 18:48:31 +0000
Subject: Add missing check to X509_CRL_verify()

When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.

There's no obvious check that X509_REQ_verify() could do.

ok beck kenjiro
---
 src/lib/libcrypto/asn1/x_crl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index f614884eec..19caf56cec 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.50 2025/07/10 18:48:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -540,6 +540,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+	/*
+	 * The CertificateList's signature AlgorithmIdentifier must match
+	 * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+	 */
+	if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+		return 0;
 	return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
 	    crl->crl, pkey);
 }
-- 
cgit v1.2.3-55-g6feb