From b48310627d1fdc58f64ccf208ac82c732e654dca Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 24 Jan 2013 13:30:42 +0000 Subject: [PATCH] Don't try and verify signatures if key is NULL (CVE-2013-0166) Add additional check to catch this in ASN1_item_verify too. (cherry picked from commit 66e8211c0b1347970096e04b18aa52567c325200) --- CHANGES | 4 ++++ crypto/asn1/a_verify.c | 6 ++++++ crypto/ocsp/ocsp_vfy.c | 9 ++++++--- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 1b10b774a9..404ac85690 100644 --- a/CHANGES +++ b/CHANGES @@ -2038,6 +2038,10 @@ This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] + *) Return an error when checking OCSP signatures when key is NULL. + This fixes a DoS attack. (CVE-2013-0166) + [Steve Henson] + *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 807587e628..87e7ef4f5e 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, int mdnid, pknid; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); /* Convert signature OID into digest and public key OIDs */ diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 8a5e788d96..276718304d 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) + { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; -- GitLab