
Commit 62e4506

committed
Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
1 parent 014265e commit 62e4506

3 files changed

+16
-3
lines changed


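--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
 Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
 
+*) Return an error when checking OCSP signatures when key is NULL.
+This fixes a DoS attack. (CVE-2013-0166)
+[Steve Henson]
+
 *) Make openssl verify return errors.
 [Chris Palmer <palmer@google.com> and Ben Laurie]
 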
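--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 
 int mdnid, pknid;
 
+if (!pkey)
+{
+ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
+return -1;
+}
+
 EVP_MD_CTX_init(&ctx);
 
 /* Convert signature OID into digest and public key OIDs */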
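--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 {
 EVP_PKEY *skey;
 skey = X509_get_pubkey(signer);
-ret = OCSP_BASICRESP_verify(bs, skey, 0);
-EVP_PKEY_free(skey);
-if(ret <= 0)
+if (skey)
+{
+ret = OCSP_BASICRESP_verify(bs, skey, 0);
+EVP_PKEY_free(skey);
+}
+if(!skey || ret <= 0)
 {
 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
 goto end;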