CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2024/08/28 01:37:50
Modified files:
lib/libcrypto/x509: x509_vfy.c
Log message:
Make use of X509_get_signature_info() in check_sig_level()
If an auth_level (i.e., security_level, but not quite, because Viktor) was
set on the X509_VERIFY_PARAM in the X509_STORE_CTX, the verifier would
reject RSA-PSS or EdDSA certificates for insufficient security bits due to
incorrect use of OBJ_find_sigid_algs() (this was also a bug in the initial
security level implementation in OpenSSL 1.1).
Using X509_get_signature_info() fixes this while preserving behavior for
all other algorithms.
Reported by Steffen Ullrich as one of multiple issues with RSA-PSS.
ok jsing
