mirror of
https://github.com/zeek/zeek.git
synced 2025-10-12 11:38:20 +00:00
Fix validation of OCSP replies inside of Bro.
At one place in the code, we do not check the correct return code. This makes it possible for a reply to get a response of "good", when the ocsp reply is not actually signed by the responder in question. This also instructs ocsp verication to skip certificate chain validation, which we do ourselves earlier because the OCSP verify function cannot do it correctly (no way to pass timestamp).
This commit is contained in:
Johanna Amann
parent
b39594408c
commit
37a51b354e
1 changed files with 5 additions and 2 deletions
|
|
@ -338,8 +338,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
goto x509_ocsp_cleanup;
|
||||
}
|
||||
|
||||
out = OCSP_basic_verify(basic, NULL, ctx, 0);
|
||||
if ( result < 1 )
|
||||
// We pass OCSP_NOVERIFY to let OCSP_basic_verify skip the chain verification.
|
||||
// With that, it only verifies the signature of the basic response and we are responsible
|
||||
// for the chain ourselves. We have to do that since we cannot get OCSP_basic_verify to use our timestamp.
|
||||
out = OCSP_basic_verify(basic, NULL, ctx, OCSP_NOVERIFY);
|
||||
if ( out < 1 )
|
||||
{
|
||||
rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL));
|
||||
goto x509_ocsp_cleanup;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue