Warmcat homepage andy@warmcat.com
libwebsockets
{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1747800726, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"9f81c5dd0548dc4c4bc8f6248b9dd984", "commit": {"type":"commit", "time": 1545293455, "time_ofs": 18446744073709551316, "oid_tree": { "oid": "2f448d2cf090806ffc122464510dc22e5771fb6e", "alias": []}, "oid":{ "oid": "ea7d2c5808f4711edfdd25a7a4e2e39f8ee3de62", "alias": []}, "msg": "Admit unknown pkey types at security level 0", "sig_commit": { "git_time": { "time": 1545293455, "offset": -300 }, "name": "Viktor Dukhovni", "email": "openssl-users@dukhovni.org", "md5": "2c3e16c80b811b59e707226a9aeb9d84" }, "sig_author": { "git_time": { "time": 1544817844, "offset": -300 }, "name": "Ken Goldman", "email": "kgoldman@us.ibm.com", "md5": "96148e4080e5a8a36402c1a0ea4b9b72" }}, "body": "Admit unknown pkey types at security level 0\n\nThe check_key_level() function currently fails when the public key\ncannot be extracted from the certificate because its algorithm is not\nsupported. However, the public key is not needed for the last\ncertificate in the chain.\n\nThis change moves the check for level 0 before the check for a\nnon-NULL public key.\n\nFor background, this is the TPM 1.2 endorsement key certificate.\nI.e., this is a real application with millions of certificates issued.\nThe key is an RSA-2048 key.\n\nThe TCG (for a while) specified\n\n Public Key Algorithm: rsaesOaep\n\nrather than the commonly used\n\n Public Key Algorithm: rsaEncryption\n\nbecause the key is an encryption key rather than a signing key.\nThe X509 certificate parser fails to get the public key.\n\nReviewed-by: Viktor Dukhovni \u003cviktor@openssl.org\u003e\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/7906)\n" , "diff": "diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c\nindex 61e8192..4ced716 100644\n--- a/crypto/x509/x509_vfy.c\n+++ b/crypto/x509/x509_vfy.c\n@@ -3232,12 +3232,19 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)\n EVP_PKEY *pkey \u003d X509_get0_pubkey(cert);\n int level \u003d ctx-\u003eparam-\u003eauth_level;\n \n+ /*\n+ * At security level zero, return without checking for a supported public\n+ * key type. Some engines support key types not understood outside the\n+ * engine, and we only need to understand the key when enforcing a security\n+ * floor.\n+ */\n+ if (level \u003c\u003d 0)\n+ return 1;\n+\n /* Unsupported or malformed keys are not secure */\n if (pkey \u003d\u003d NULL)\n return 0;\n \n- if (level \u003c\u003d 0)\n- return 1;\n if (level \u003e NUM_AUTH_LEVELS)\n level \u003d NUM_AUTH_LEVELS;\n \n","s":{"c":1747634492,"u": 40103}} ],"g": 1180,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}