Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 19:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix validation of OCSP replies inside of Bro.

Browse source 
At one place in the code, we do not check the correct return code. This
makes it possible for a reply to get a response of "good", when the ocsp
reply is not actually signed by the responder in question.

This also instructs ocsp verication to skip certificate chain
validation, which we do ourselves earlier because the OCSP verify
function cannot do it correctly (no way to pass timestamp).
This commit is contained in:
Johanna Amann 2016-11-30 13:17:09 -08:00
parent b39594408c
commit 37a51b354e
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/file_analysis/analyzer/x509/functions.bif
View file

@ -338,8 +338,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
goto x509_ocsp_cleanup; goto x509_ocsp_cleanup;
} }
out = OCSP_basic_verify(basic, NULL, ctx, 0); // We pass OCSP_NOVERIFY to let OCSP_basic_verify skip the chain verification.
if ( result < 1 ) // With that, it only verifies the signature of the basic response and we are responsible
// for the chain ourselves. We have to do that since we cannot get OCSP_basic_verify to use our timestamp.
out = OCSP_basic_verify(basic, NULL, ctx, OCSP_NOVERIFY);
if ( out < 1 )
{ {
rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL)); rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL));
goto x509_ocsp_cleanup; goto x509_ocsp_cleanup;