diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-01-24 13:30:42 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-04-01 16:37:51 +0100 |
commit | b48310627d1fdc58f64ccf208ac82c732e654dca (patch) | |
tree | 918e679e429cdad1bdd908291ac8fd16310f3bff /crypto/ocsp | |
parent | 5a49001bde4e0cf8e34da55a9cfe9b5255275e10 (diff) |
Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b1347970096e04b18aa52567c325200)
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 8a5e788d96..276718304d 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) + { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; |