From 0486cce653b62d26a8ca37ac12f69f1a6b998844 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 6 Sep 2011 15:15:09 +0000 Subject: [PATCH] Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past produce an error (CVE-2011-3207) --- CHANGES | 6 +++++- crypto/x509/x509_vfy.c | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index b3d4c06c00..66e9800948 100644 --- a/CHANGES +++ b/CHANGES @@ -431,8 +431,12 @@ Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] + *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted + by initialising X509_STORE_CTX properly. (CVE-2011-3207) + [Kaspar Brand ] + *) Fix SSL memory handling for (EC)DH ciphersuites, in particular - for multi-threaded use of ECDH. + for multi-threaded use of ECDH. (CVE-2011-3210) [Adam Langley (Google)] *) Fix x509_name_ex_d2i memory leak on bad inputs. diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 64df4d34a1..b32c47b31b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -745,6 +745,7 @@ static int check_cert(X509_STORE_CTX *ctx) x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; + ctx->current_crl_score = 0; ctx->current_reasons = 0; while (ctx->current_reasons != CRLDP_ALL_REASONS) { @@ -2057,6 +2058,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->error_depth=0; ctx->current_cert=NULL; ctx->current_issuer=NULL; + ctx->current_crl=NULL; + ctx->current_crl_score=0; + ctx->current_reasons=0; ctx->tree = NULL; ctx->parent = NULL; -- 2.34.1