[gnutls-devel] OCSP certificate check

Stefan Bühler stbuehler at lighttpd.net
Fri Sep 2 18:31:45 CEST 2016


some days ago I discovered that the OCSP certificate check doesn't
actually verify the serial length and might succeed when it shouldn't:


`rserial.size != cserial.size` is never true, as `cserial.size`
was initialized with `rserial.size`, and none of them gets
changed; `t` is actually changed by `gnutls_x509_crt_get_serial`
and should get checked; otherwise it might compare whatever bytes
`gnutls_malloc` left at the end.  

Nikos fixed it in:

My reading is that this could allow someone to use a OCSP respose for a
different certificate (but from the same CA) to continue using a
revoked certificate, if the serial from the revoked certificate is a
prefix of the other one, and the additional bytes happen to be equal
on the system doing the verification.

e.g. if the revoked serial is AB:CD:EF I might try to get an
OCSP respone for AB:CD:EF:00 (hoping that gnutls_malloc returns a
buffer with a zero at the 4th position during verification).

Any other interpretations? Should this get a CVE?


More information about the Gnutls-devel mailing list