authorDr. Stephen Henson <steve@openssl.org>2011-09-06 15:15:09 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-09-06 15:15:09 +0000
commit0486cce653b62d26a8ca37ac12f69f1a6b998844 (patch)
treec64c71c581fd887ef50a0f90132194a098cfda69 /crypto/x509
parent0f8d4d49dc33ce56023c6faf640c8f7ef48160d4 (diff)
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 64df4d34a1..b32c47b31b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -745,6 +745,7 @@ static int check_cert(X509_STORE_CTX *ctx)
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
ctx->current_issuer = NULL;
+ ctx->current_crl_score = 0;
ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS)
{
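Review bot: The `ctx->current_crl_score = 0;` reset added in check_cert has no comment saying why it matters, although it is the line that stops state from one chain element influencing the CRL checks of the next. I would put `/* reset per certificate: a stale score must not make the CRL look already validated */` above it. Going by the commit message, a leftover score lets a CRL whose nextUpdate date has passed through without an error; the code that reads the score is outside this hunk, so that mechanism is inferred rather than visible. The second hunk sets the same fields one by one in X509_STORE_CTX_init, which is the pattern that missed them in the first place, so a short comment there saying every field read during verification must be set in that list would help whoever adds the next one. check_cert's body continues past the end of the hunk.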
@@ -2057,6 +2058,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
ctx->error_depth=0;
ctx->current_cert=NULL;
ctx->current_issuer=NULL;
+ ctx->current_crl=NULL;
+ ctx->current_crl_score=0;
+ ctx->current_reasons=0;
ctx->tree = NULL;
ctx->parent = NULL;