[gnutls-devel] OCSP certificate check

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Sep 3 10:58:13 CEST 2016


On Fri, 2016-09-02 at 18:31 +0200, Stefan Bühler wrote:
> Hi,
> 
> some days ago I discovered that the OCSP certificate check doesn't
> actually verify the serial length and might succeed when it
> shouldn't:
> 
> https://gitlab.com/gnutls/gnutls/blob/9bb4ca9ec8ed504429d582ac3de28aaf8d88b1e8/lib/x509/ocsp.c#L1322
> 
> `rserial.size != cserial.size` is never true, as `cserial.size`
> was initialized with `rserial.size`, and none of them gets
> changed; `t` is actually changed by `gnutls_x509_crt_get_serial`
> and should get checked; otherwise it might compare whatever bytes
> `gnutls_malloc` left at the end.
> Nikos fixed it in:
> https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9
> 
> My reading is that this could allow someone to use an OCSP response
> for a different certificate (but from the same CA) to continue using a
> revoked certificate, if the serial from the revoked certificate is a
> prefix of the other one, and the additional bytes happen to be equal
> on the system doing the verification.
> e.g. if the revoked serial is AB:CD:EF I might try to get an
> OCSP response for AB:CD:EF:00 (hoping that gnutls_malloc returns a
> buffer with a zero at the 4th position during verification).

Right. That's indeed an issue, but since the requirements to exploit
that are not under the control of the attacker (but rather the CA), my
initial assessment was that this has low impact. However given that
most OCSP servers return valid replies for unknown serials, it makes
sense to assign it a GNUTLS-SA on the security page and link to your
description.

regards,
Nikos
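
The comparison pattern discussed in this thread, as an added example that is not GnuTLS code and not part of the original messages. `get_serial`, `serial_match`, the `stale` fill byte and the `check_len` switch are hypothetical names that model a getter with an in/out size argument; the two serials are the ones from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Serials from the example in the report above. */
const uint8_t REVOKED[] = { 0xAB, 0xCD, 0xEF };
const uint8_t OTHER[]   = { 0xAB, 0xCD, 0xEF, 0x00 };

/* Hypothetical getter with an in/out size: *size is the buffer capacity
 * on entry and the number of bytes written on return. */
static int get_serial(const uint8_t *serial, size_t len,
                      uint8_t *out, size_t *size)
{
    if (*size < len)
        return -1;              /* buffer too small */
    memcpy(out, serial, len);
    *size = len;                /* the value the caller has to check */
    return 0;
}

/* Compare the serial named in the response with the certificate serial.
 * `stale` models the bytes the allocator left in the buffer; it is set
 * explicitly so the demonstration is deterministic.
 * check_len == 0: flawed pattern, the returned length is ignored and the
 *                 tail of the buffer takes part in memcmp.
 * check_len != 0: corrected pattern, lengths must agree first. */
int serial_match(const uint8_t *resp, size_t resp_len,
                 const uint8_t *cert, size_t cert_len,
                 uint8_t stale, int check_len)
{
    size_t t = resp_len;
    uint8_t *buf = malloc(resp_len ? resp_len : 1);
    int ok;

    if (buf == NULL)
        return 0;
    memset(buf, stale, resp_len);
    ok = get_serial(cert, cert_len, buf, &t) == 0;
    if (check_len)
        ok = ok && t == resp_len;
    ok = ok && memcmp(buf, resp, resp_len) == 0;
    free(buf);
    return ok;
}
```

With `check_len` set, a response for `OTHER` is rejected for the `REVOKED` certificate regardless of what the buffer held before the call.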



