OpenBSD 5.9 Errata for OCSP available


OpenBSD 5.9 Errata for OCSP available

Bob Beck-2
This errata fixes several issues in the OCSP code that could result in
the incorrect generation and parsing of OCSP requests. This remediates
a lack of error checking on time parsing in these functions, and
ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per
RFC 6960.

Issues reported, and fixes provided by Kazuki Yamaguchi <[hidden email]>
and Kinichiro Inoguchi <[hidden email]>

Patches for OpenBSD 5.9 are available at:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/012_crypto.patch.sig

and have been committed to -current.

Portable LibreSSL releases will appear shortly.
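The two defects the errata describes, unchecked time parsing and acceptance of non-GENERALIZEDTIME values, are easy to see in a small standalone check. The program below is an added example and is not LibreSSL code nor part of Bob Beck's post; the function names (parse_generalizedtime, tm_cmp, ocsp_thisupd_fresh) are hypothetical. It parses the RFC 6960 form strictly (YYYYMMDDHHMMSSZ, UTC, no fractional seconds), rejects the shorter UTCTime form and out-of-range fields, reports parse and gmtime_r failures as a distinct error value rather than letting them pass, and then performs the "thisUpdate must not be older than now - maxsec" comparison on broken-down time with gmtime_r checked exactly once.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: read n ASCII digits into *out; 0 on any non-digit. */
static int digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/*
 * Strict GENERALIZEDTIME as OCSP requires it: exactly "YYYYMMDDHHMMSSZ".
 * Anything else (UTCTime "YYMMDDHHMMSSZ", fractional seconds, offsets,
 * impossible dates) is rejected. Returns 1 on success, 0 on bad input.
 */
int parse_generalizedtime(const char *s, struct tm *tm)
{
    static const int mdays[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int y, mo, d, h, mi, sec;

    if (s == NULL || strlen(s) != 15 || s[14] != 'Z')
        return 0;
    if (!digits(s, 4, &y) || !digits(s + 4, 2, &mo) || !digits(s + 6, 2, &d) ||
        !digits(s + 8, 2, &h) || !digits(s + 10, 2, &mi) || !digits(s + 12, 2, &sec))
        return 0;
    if (mo < 1 || mo > 12 || h > 23 || mi > 59 || sec > 59)
        return 0;
    if (d < 1 || d > mdays[mo - 1] + (mo == 2 && is_leap(y)))
        return 0;
    memset(tm, 0, sizeof(*tm));
    tm->tm_year = y - 1900;
    tm->tm_mon  = mo - 1;
    tm->tm_mday = d;
    tm->tm_hour = h;
    tm->tm_min  = mi;
    tm->tm_sec  = sec;
    return 1;
}

/* Field-by-field comparison of two UTC broken-down times: -1, 0 or 1. */
int tm_cmp(const struct tm *a, const struct tm *b)
{
    const int fa[] = {a->tm_year, a->tm_mon, a->tm_mday, a->tm_hour, a->tm_min, a->tm_sec};
    const int fb[] = {b->tm_year, b->tm_mon, b->tm_mday, b->tm_hour, b->tm_min, b->tm_sec};
    for (int i = 0; i < 6; i++) {
        if (fa[i] < fb[i]) return -1;
        if (fa[i] > fb[i]) return 1;
    }
    return 0;
}

/*
 * Freshness check: thisUpdate must not predate (now - maxsec).
 * Returns 1 if fresh, 0 if stale, -1 on parse/conversion error, so a
 * caller cannot confuse "could not parse the time" with "fresh".
 */
int ocsp_thisupd_fresh(const char *thisupd, time_t now, long maxsec)
{
    struct tm tm_this, tm_tmp;
    time_t t_tmp;

    if (!parse_generalizedtime(thisupd, &tm_this))
        return -1;
    if (maxsec < 0)
        return 1;                               /* age limit disabled by caller */
    t_tmp = now - maxsec;
    if (gmtime_r(&t_tmp, &tm_tmp) == NULL)      /* checked once; failure is an error */
        return -1;
    return tm_cmp(&tm_this, &tm_tmp) < 0 ? 0 : 1;
}

int main(void)
{
    /* Constructed input: 2016-06-27 12:00:00 UTC is time_t 1467028800. */
    time_t now = 1467028800;
    printf("fresh:   %d\n", ocsp_thisupd_fresh("20160627115000Z", now, 3600));
    printf("stale:   %d\n", ocsp_thisupd_fresh("20160626115000Z", now, 3600));
    printf("utctime: %d\n", ocsp_thisupd_fresh("160627115000Z", now, 3600));
    printf("bad day: %d\n", ocsp_thisupd_fresh("20160631115000Z", now, 3600));
    return 0;
}
```

The three-way return value is the design point: before the errata the failure mode was that a time that failed to parse could be silently treated as valid, so the example deliberately keeps "error" separate from both "fresh" and "stale" and has the parser refuse every format except the one RFC 6960 mandates.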


Re: OpenBSD 5.9 Errata for OCSP available

Alexander Rechinskiy
Hello,

         if (maxsec >= 0) {
             t_tmp = t_now - maxsec;
-            if (X509_cmp_time(thisupd, &t_tmp) < 0) {
+            if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
+                return 0;
+            if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
+                return 0;
+            if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
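Review bot: the two `+ if (gmtime_r(&t_tmp, &tm_tmp) == NULL) return 0;` lines are an exact duplicate; the second call converts the same t_tmp into the same tm_tmp and can only fail where the first has already returned, so one of them should be dropped. Separately, the new comparison `asn1_tm_cmp(&tm_this, &tm_tmp)` replaces the `X509_cmp_time(thisupd, &t_tmp)` call, so tm_this must be filled from thisupd, with that parse result checked, somewhere above this hunk; that code is not in the quoted lines and is worth confirming in the full patch.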

gmtime_r called twice with same arguments

2016-06-27 22:53 GMT+03:00 Bob Beck <[hidden email]>:

> This errata fixes several issues in the OCSP code that could result in
> the incorrect generation and parsing of OCSP requests. This remediates
> a lack of error checking on time parsing in these functions, and
> ensures that only
> GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
>
> Issues reported, and fixes provided by Kazuki Yamaguchi <[hidden email]>
> and Kinichiro Inoguchi <[hidden email]>
>
> Patches for OpenBSD 5.9 are available at:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/012_crypto.patch.sig
>
> and have been committed to -current.
>
> Portable LibreSSL releases will appear shortly.
>
>