Re: OpenBSD 5.9 Errata for OCSP available

[Alexander Rechinskiy]

Hello,

 if (maxsec >= 0) {
 t_tmp = t_now - maxsec;
-if (X509_cmp_time(thisupd, &t_tmp) < 0) {
+if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
+return 0;
+if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
+return 0;
+if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {

gmtime_r called twice with same arguments

2016-06-27 22:53 GMT+03:00 Bob Beck :

> This errata fixes several issues in the OCSP code that could result in
> the incorrect generation and parsing of OCSP requests. This remediates
> a lack of error checking on time parsing in these functions, and
> ensures that only
> GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
>
> Issues reported, and fixes provided by Kazuki Yamaguchi 
> and Kinichiro Inoguchi 
>
> Patches for OpenBSD 5.9 are available at:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/012_crypto.patch.sig
>
> and have been committed to -current.
>
> Portable LibreSSL releases will appear shortly.
>
>

OpenBSD 5.9 Errata for OCSP available

[Bob Beck]

This errata fixes several issues in the OCSP code that could result in
the incorrect generation and parsing of OCSP requests. This remediates
a lack of error checking on time parsing in these functions, and
ensures that only
GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.

Issues reported, and fixes provided by Kazuki Yamaguchi 
and Kinichiro Inoguchi 

Patches for OpenBSD 5.9 are available at:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/012_crypto.patch.sig

and have been committed to -current.

Portable LibreSSL releases will appear shortly.