ChangeLog.d/x509-add-tag-check-to-algorithm-params - third_party/github/ARMmbed/mbedtls - Git at Google

 Security
    * Fix a compliance issue whereby we were not checking the tag on the
      algorithm parameters (only the size) when comparing the signature in the
      description part of the cert to the real signature. This meant that a
      NULL algorithm parameters entry would look identical to an array of REAL
      (size zero) to the library and thus the certificate would be considered
      valid. However, if the parameters do not match in *any* way then the
      certificate should be considered invalid, and indeed OpenSSL marks these
      certs as invalid when mbedtls did not.
      Many thanks to guidovranken who found this issue via differential fuzzing
      and reported it in #3629.
	Security
	* Fix a compliance issue whereby we were not checking the tag on the
	algorithm parameters (only the size) when comparing the signature in the
	description part of the cert to the real signature. This meant that a
	NULL algorithm parameters entry would look identical to an array of REAL
	(size zero) to the library and thus the certificate would be considered
	valid. However, if the parameters do not match in any way then the
	certificate should be considered invalid, and indeed OpenSSL marks these
	certs as invalid when mbedtls did not.
	Many thanks to guidovranken who found this issue via differential fuzzing
	and reported it in #3629.