path: root/CHANGES
author: Dr. Stephen Henson <steve@openssl.org> 2013-01-24 13:30:42 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-04-01 16:39:35 +0100
commit: e9b4b8afbd129adc18d3fe71ca2ab34fe61d8640
tree: 6231ce8737298161827ae78914b0ee5278e7a12f /CHANGES
parent: bc5ec653ba65fedb1619c8182088497de8a97a70
Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b1347970096e04b18aa52567c325200)
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 4
1 files changed, 4 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 51e65b7743..6130aefff0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1798,6 +1798,10 @@
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
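Review bot: the added entry appears to repeat the entry directly above it. The two context lines just before the insertion ("This fixes a DoS attack. (CVE-2013-0166)" and "[Steve Henson]") are identical to the last two added lines, so after this cherry-pick CHANGES may list the same CVE-2013-0166 fix twice in a row. Please confirm the preceding entry is not already this one; if it is, drop the addition or place it under the release section this branch actually ships in. Separately, the commit message says a check was also added in ASN1_item_verify, but the entry mentions only OCSP signature checking; consider covering that in the entry text so the changelog matches the change.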