Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
authorDr. Stephen Henson <steve@openssl.org>
Tue, 6 Sep 2011 12:53:56 +0000 (12:53 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 6 Sep 2011 12:53:56 +0000 (12:53 +0000)
produce an error (CVE-2011-3207)

Fix TLS ephemeral DH crash bug (CVE-2011-3210)

CHANGES
crypto/x509/x509_vfy.c

diff --git a/CHANGES b/CHANGES
index f5e1ba250aac153d427e3d7bb7f22520db3b1767..f5de01aabc4d1b4e9b5e029adf1daaf5e0168987 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,8 +4,12 @@
 
  Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
 
+  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+     [Kaspar Brand <ossl@velox.ch>]
+
   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
-     for multi-threaded use of ECDH.
+     for multi-threaded use of ECDH. (CVE-2011-3210)
      [Adam Langley (Google)]
 
   *) Fix x509_name_ex_d2i memory leak on bad inputs.
index bd6695d0c137a4773d191783b5ff7ad18cb70389..5a0b0249b40c8eef0272e163a850f9a9bf570ec4 100644 (file)
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
        ctx->current_issuer = NULL;
+       ctx->current_crl_score = 0;
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
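Review bot: The added `ctx->current_crl_score = 0;` in check_cert has no comment explaining why per-certificate CRL state is cleared, and `ctx->current_crl` is not reset beside it, although the X509_STORE_CTX_init hunk (@@ -2015) clears all three fields together. The loop body lies outside this hunk, so it is unverified whether current_crl is always reassigned before it is read; if it is not, a CRL pointer left over from the previous chain element could still be visible, so either add `ctx->current_crl = NULL;` here or say why it is unnecessary. Above the resets I would add `/* Per-certificate CRL state: a stale or uninitialised score must not influence CRL selection or validity checks for this cert */`, which matches the failure the commit message describes. Both hunks also reset fields one by one, so any field added to X509_STORE_CTX later must be remembered in each place. A regression test that verifies a chain against a CRL whose nextUpdate is in the past, using a stack-allocated context pre-filled with non-zero bytes, would catch a repeat.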
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        ctx->error_depth=0;
        ctx->current_cert=NULL;
        ctx->current_issuer=NULL;
+       ctx->current_crl=NULL;
+       ctx->current_crl_score=0;
+       ctx->current_reasons=0;
        ctx->tree = NULL;
        ctx->parent = NULL;