Commit
Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
snhenson committed Feb 5, 2013
1 parent dd2dee6 commit 66e8211
Showing 3 changed files with 16 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CHANGES
Expand Up @@ -4,6 +4,10 @@

Changes between 0.9.8x and 0.9.8y [xx XXX xxxx]

*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]

*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
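Review bot: The new CHANGES entry describes only the OCSP path ("when checking OCSP signatures when key is NULL"), but the commit message says the same NULL-key check is also added to ASN1_item_verify, which is a general-purpose verification routine. Suggest extending the entry to mention that ASN1_item_verify now returns an error for a NULL key, so readers of the changelog know the behaviour change is not limited to OCSP. "This fixes a DoS attack" would also be more useful if it said what the failure was (for example, that verification was attempted with a NULL key).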
6 changes: 6 additions & 0 deletions crypto/asn1/a_verify.c
Expand Up @@ -138,6 +138,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
unsigned char *buf_in=NULL;
int ret= -1,i,inl;

if (!pkey)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}

EVP_MD_CTX_init(&ctx);
i=OBJ_obj2nid(a->algorithm);
type=EVP_get_digestbyname(OBJ_nid2sn(i));
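Review bot: The early "return -1;" in the new "if (!pkey)" block is only safe for callers that treat any value <= 0 as failure; a caller that tests "!ret" or "ret == 0" would not see -1 as an error. Worth stating the return convention in a comment above the function and auditing callers for that pattern (the ocsp_vfy.c change in this commit uses "ret <= 0", which is the right test). Placement before EVP_MD_CTX_init(&ctx) is correct, since returning directly here skips no cleanup; a short comment saying so would keep a later edit from moving the check below the init. Note also that "a" is still dereferenced unchecked at "a->algorithm" two lines later, so only one of the pointer arguments is guarded by this change.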
9 changes: 6 additions & 3 deletions crypto/ocsp/ocsp_vfy.c
Expand Up @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{
EVP_PKEY *skey;
skey = X509_get_pubkey(signer);
ret = OCSP_BASICRESP_verify(bs, skey, 0);
EVP_PKEY_free(skey);
if(ret <= 0)
if (skey)
{
ret = OCSP_BASICRESP_verify(bs, skey, 0);
EVP_PKEY_free(skey);
}
if(!skey || ret <= 0)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
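Review bot: On the "!skey" path, "ret" is never assigned inside this block, so the value in "ret" when "goto end" is taken is whatever it held before the block, which these lines do not show. If "end:" returns "ret" and the earlier value was positive, a NULL signer key would raise OCSP_R_SIGNATURE_FAILURE on the error queue yet still return success to the caller. Suggest assigning a failing value explicitly when X509_get_pubkey(signer) returns NULL, before the jump, rather than relying on the prior state of "ret". Separately, reporting a missing key as OCSP_R_SIGNATURE_FAILURE makes "could not extract the signer's public key" indistinguishable from "signature did not verify" in logs; a distinct reason, or at least a comment, would help triage. Minor: "if(!skey || ret <= 0)" reads the pointer value after EVP_PKEY_free(skey); testing the key once up front and handling the NULL case in its own branch avoids that.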
