Skip to content

Commit 2eda987

Browse files
committed
Fix OCSP_basic_verify signer certificate validation
The function `OCSP_basic_verify` validates the signer certificate on an OCSP response. The internal function, ocsp_verify_signer, is responsible for this and is expected to return a 0 value in the event of a failure to verify. Unfortunately, due to a bug, it actually returns with a postive success response in this case. In the normal course of events OCSP_basic_verify will then continue and will fail anyway in the ocsp_check_issuer function because the supplied "chain" value will be empty in the case that ocsp_verify_signer failed to verify the chain. This will cause OCSP_basic_verify to return with a negative result (fatal error). Normally in the event of a failure to verify it should return with 0. However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify will return with a positvie result. This could lead to callers trusting an OCSP Basic response when it should not be. CVE-2022-1343 Fixes #18053 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
1 parent ae3ece0 commit 2eda987

File tree

1 file changed

+3
-2
lines changed

1 file changed

+3
-2
lines changed

Diff for: crypto/ocsp/ocsp_vfy.c

+3-2
Original file line numberDiff line numberDiff line change
@@ -59,9 +59,10 @@ static int ocsp_verify_signer(X509 *signer, int response,
5959

6060
ret = X509_verify_cert(ctx);
6161
if (ret <= 0) {
62-
ret = X509_STORE_CTX_get_error(ctx);
62+
int err = X509_STORE_CTX_get_error(ctx);
63+
6364
ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR,
64-
"Verify error: %s", X509_verify_cert_error_string(ret));
65+
"Verify error: %s", X509_verify_cert_error_string(err));
6566
goto end;
6667
}
6768
if (chain != NULL)

0 commit comments

Comments
 (0)