[gnutls-devel] OCSP certificate check

Stefan Bühler stbuehler at lighttpd.net
Fri Sep 2 18:31:45 CEST 2016


Hi,

some days ago I discovered that the OCSP certificate check doesn't
actually verify the serial length and might succeed when it shouldn't:

https://gitlab.com/gnutls/gnutls/blob/9bb4ca9ec8ed504429d582ac3de28aaf8d88b1e8/lib/x509/ocsp.c#L1322

`rserial.size != cserial.size` is never true, as `cserial.size`
was initialized with `rserial.size`, and none of them gets
changed; `t` is actually changed by `gnutls_x509_crt_get_serial`
and should get checked; otherwise it might compare whatever bytes
`gnutls_malloc` left at the end.  

Nikos fixed it in:
https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9 

My reading is that this could allow someone to use a OCSP respose for a
different certificate (but from the same CA) to continue using a
revoked certificate, if the serial from the revoked certificate is a
prefix of the other one, and the additional bytes happen to be equal
on the system doing the verification.

e.g. if the revoked serial is AB:CD:EF I might try to get an
OCSP respone for AB:CD:EF:00 (hoping that gnutls_malloc returns a
buffer with a zero at the 4th position during verification).

Any other interpretations? Should this get a CVE?

regards,
Stefan



More information about the Gnutls-devel mailing list