
List:       openssl-dev
Subject:    Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response 
From:       "Alessandro Ghedini via RT" <rt () openssl ! org>
Date:       2015-01-31 16:06:34
Message-ID: rt-4.0.4-29236-1422720394-1821.3668-6-0 () openssl ! org

On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote:
> Currently the OCSP_basic_verify() function fails with many apparently valid OCSP
> responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS,
> NSS) have no problem with them.
> 
> Essentially, in crypto/ocsp/ocsp_vfy.c in the OCSP_basic_verify() function, the
> X509_STORE_CTX_init() function is called like this:
> 
>   init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
> 
> where ctx is the X509_STORE_CTX to be initialized, st is the trust store passed
> by the user, signer is the signer of the OCSP response (which is what needs to
> be validated), and bs is the decoded OCSP basic response.
> 
> The problem is the last argument. OpenSSL uses the cert list embedded in the
> OCSP response to build the trust chain, but it seems that in some cases this
> list is somewhat broken. Other libraries (e.g. GnuTLS) do the verification
> differently, without including those bs->certs that OpenSSL uses.
> 
> I attached the patch and a simple test case. You can compile it with:
> 
>   $ cc ocsp_test.c -lcrypto -lssl
> 
> To test the problem run:
> 
>   $ ./a.out digitalocean.com 443
>   OCSP response verification failed
> 
> after the patch:
> 
>   $ ./a.out digitalocean.com 443
>   OK

I updated the patch so that it applies cleanly after the reformatting of
ocsp_vfy.c in commit 0f113f3.

Cheers


["0001-Don-t-use-the-cert-list-embedded-in-the-OCSP-respons.patch" (text/x-diff)]

From 7d18036c5469305719993c0080be71dfb5c50966 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini <alessandro@ghedini.me>
Date: Sat, 31 Jan 2015 17:01:54 +0100
Subject: [PATCH] Don't use the cert list embedded in the OCSP response to
 build the trust chain

Instead use the certificate stack passed by the user.

This is required in some cases where the embedded chain is incomplete and causes
the OCSP verification to fail, e.g. all DigiCert/Cloudflare sites.
---
 crypto/ocsp/ocsp_vfy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 6c0ccb5..ef1d253 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -110,7 +110,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
         if (flags & OCSP_NOCHAIN)
             init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
         else
-            init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+            init_res = X509_STORE_CTX_init(&ctx, st, signer, certs);
         if (!init_res) {
             ret = -1;
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
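Review bot: replacing bs->certs with the caller's certs stack discards the response's embedded certificates from chain building entirely, and when the caller passes certs == NULL the else branch becomes identical to the OCSP_NOCHAIN branch just above it, so the flag no longer distinguishes anything and any intermediate that is present only in the response's own list can no longer be used to chain the signer. The commit message says the embedded chain is incomplete, which argues for supplementing it rather than dropping it: build one untrusted stack holding both, e.g. `untrusted = sk_X509_dup(bs->certs);` followed by a loop pushing each element of `certs`, pass `untrusted` to X509_STORE_CTX_init(), and free the duplicate after verification. That keeps existing callers that rely on bs->certs working while still fixing the incomplete-chain case this patch targets.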
-- 
2.1.4





