Don't try and verify signatures if key is NULL (CVE-2013-0166)

Add additional check to catch this in ASN1_item_verify too. (cherry picked from commit 66e8211c0b1347970096e04b18aa52567c325200)
author: Dr. Stephen Henson <steve@openssl.org> 2013-01-24 13:30:42 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-04-01 16:37:51 +0100
commit: b48310627d1fdc58f64ccf208ac82c732e654dca (patch)
tree: 918e679e429cdad1bdd908291ac8fd16310f3bff /CHANGES
parent: 5a49001bde4e0cf8e34da55a9cfe9b5255275e10 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 1b10b774a9..404ac85690 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2038,6 +2038,10 @@
      This fixes a DoS attack. (CVE-2013-0166)
      [Steve Henson]
 
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
      the right response is stapled. Also change SSL_get_certificate()
      so it returns the certificate actually sent.
author	Dr. Stephen Henson <steve@openssl.org>	2013-01-24 13:30:42 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-04-01 16:37:51 +0100
commit	b48310627d1fdc58f64ccf208ac82c732e654dca (patch)
tree	918e679e429cdad1bdd908291ac8fd16310f3bff /CHANGES
parent	5a49001bde4e0cf8e34da55a9cfe9b5255275e10 (diff)