diff options
author | Matt Caswell <matt@openssl.org> | 2022-04-13 16:36:54 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-05-03 10:54:03 +0100 |
commit | 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a (patch) | |
tree | c0aaaed0370ba3240d951c65ca8ffb40fc404103 /crypto/ocsp | |
parent | ae3ece03a61e8822fd7ea58f44812871efba82d1 (diff) |
Fix OCSP_basic_verify signer certificate validation
The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is responsible for this
and is expected to return a 0 value in the event of a failure to verify.
Unfortunately, due to a bug, it actually returns with a postive success
response in this case. In the normal course of events OCSP_basic_verify
will then continue and will fail anyway in the ocsp_check_issuer function
because the supplied "chain" value will be empty in the case that
ocsp_verify_signer failed to verify the chain. This will cause
OCSP_basic_verify to return with a negative result (fatal error). Normally
in the event of a failure to verify it should return with 0.
However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify
will return with a positvie result. This could lead to callers trusting an
OCSP Basic response when it should not be.
CVE-2022-1343
Fixes #18053
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 7a4a45d537..3c5f48ec0a 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -59,9 +59,10 @@ static int ocsp_verify_signer(X509 *signer, int response, ret = X509_verify_cert(ctx); if (ret <= 0) { - ret = X509_STORE_CTX_get_error(ctx); + int err = X509_STORE_CTX_get_error(ctx); + ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR, - "Verify error: %s", X509_verify_cert_error_string(ret)); + "Verify error: %s", X509_verify_cert_error_string(err)); goto end; } if (chain != NULL) |