And hey, wasn't it a neat coincidence that the OCSP RFC is 2560? :)
OpenSSL_1_0_1-stable bea9a17 RT2560: missing NULL check in ocsp_req_find_signer
OpenSSL_1_0_2-stable a9d928a RT2560: missing NULL check in ocsp_req_find_signer
HEAD b2aa38a RT2560: missing NULL check in ocsp_req_find_signer
Aut
> It is from real world application. In some case the X509_find_by_subject
> (called from ocsp_req_find_signer) returned NULL, and the whole
> application halted.
Ah, I misunderstood the ticket. Add "if (!signer) return 0;" after the call to
X509_find_by_subject.
I'll submit that shortly. Than
-dev@openssl.org
Subject: [openssl.org #2560] missing NULL pointer check in ocsp_req_find_signer
This can't happen. It's an internal function and never gets NULL
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
__
OpenS
This can't happen. It's an internal function and never gets NULL
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List
openssl 0.9.8r, 1.0.0c
ocsp_req_find_signer does'nt check the returned signer value. If the
signer is NULL, the sequence of
EVP_PKEY *skey;
skey = X509_get_pubkey(signer);
ret = OCSP_REQUEST_verify(req, skey);
in OCSP_request_verify leads to core dump.
--- ocsp_vfy.c