Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past

produce an error (CVE-2011-3207)

Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
0486cce6 · Dr. Stephen Henson · 0f8d4d49 · 0486cce6 · 0486cce6
隐藏空白更改
内联并排

Showing with 9 addition and 1 deletion

CHANGES CHANGES +5 -1

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +4 -0

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -431,8 +431,12 @@
 Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
+  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+     [Kaspar Brand <ossl@velox.ch>]
  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
-     for multi-threaded use of ECDH.
+     for multi-threaded use of ECDH. (CVE-2011-3210)
     [Adam Langley (Google)]
  *) Fix x509_name_ex_d2i memory leak on bad inputs.

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -745,6 +745,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
 	ctx->current_issuer = NULL;
+	ctx->current_crl_score = 0;
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
@@ -2057,6 +2058,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->error_depth=0;
 	ctx->current_cert=NULL;
 	ctx->current_issuer=NULL;
+	ctx->current_crl=NULL;
+	ctx->current_crl_score=0;
+	ctx->current_reasons=0;
 	ctx->tree = NULL;
 	ctx->parent = NULL;