ocsp: fix uninitialized variables in BasicResponse#status

swhitt · swhitt · commit 667ce07f33f5 · 2026-02-16T09:58:48.000-06:00
revtime, thisupd, nextupd, and reason are not initialized before
being passed to OCSP_single_get0_status(). For GOOD and UNKNOWN
status, OpenSSL doesn't write to revtime or reason (only REVOKED
does), so they keep whatever was on the stack. The nil guard
`revtime ? asn1time_to_time(revtime) : Qnil` then tries to
convert a garbage pointer, which blows up with ASN1_TIME_to_tm.

Initialize all four to safe defaults before the call.
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
@@ -905,8 +905,8 @@ ossl_ocspbres_get_status(VALUE self)
     int count = OCSP_resp_count(bs);
     for (int i = 0; i < count; i++) {
         OCSP_SINGLERESP *single = OCSP_resp_get0(bs, i);
-        ASN1_TIME *revtime, *thisupd, *nextupd;
-        int reason;
+        ASN1_TIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
+        int reason = -1;
 
         int status = OCSP_single_get0_status(single, &reason, &revtime, &thisupd, &nextupd);
         if (status < 0)
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
@@ -1010,7 +1010,7 @@ static VALUE
 ossl_pkcs7si_get_signed_time(VALUE self)
 {
     PKCS7_SIGNER_INFO *p7si;
-    ASN1_TYPE *asn1obj;
+    const ASN1_TYPE *asn1obj;
 
     GetPKCS7si(self, p7si);
 
diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb
@@ -215,6 +215,35 @@ def test_basic_response_dup
     assert_equal bres.to_der, bres.dup.to_der
   end
 
+  def test_basic_response_status_good
+    bres = OpenSSL::OCSP::BasicResponse.new
+    cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+    bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, nil)
+    bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert])
+
+    statuses = bres.status
+    assert_equal 1, statuses.size
+    status = statuses[0]
+    assert_equal cid.to_der, status[0].to_der
+    assert_equal OpenSSL::OCSP::V_CERTSTATUS_GOOD, status[1]
+    assert_nil status[3] # revtime should be nil for GOOD status
+  end
+
+  def test_basic_response_status_revoked
+    bres = OpenSSL::OCSP::BasicResponse.new
+    now = Time.at(Time.now.to_i)
+    cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+    bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED,
+                    OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, now - 400, -300, nil, nil)
+    bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert])
+
+    statuses = bres.status
+    assert_equal 1, statuses.size
+    status = statuses[0]
+    assert_equal OpenSSL::OCSP::V_CERTSTATUS_REVOKED, status[1]
+    assert_equal now - 400, status[3] # revtime should be the revocation time
+  end
+
   def test_basic_response_response_operations
     bres = OpenSSL::OCSP::BasicResponse.new
     now = Time.at(Time.now.to_i)

Original file line number	Diff line number	Diff line change
`@@ -1010,7 +1010,7 @@ static VALUE`
`1010`	`1010`	`ossl_pkcs7si_get_signed_time(VALUE self)`
`1011`	`1011`	`{`
`1012`	`1012`	`PKCS7_SIGNER_INFO *p7si;`
`1013`		`- ASN1_TYPE *asn1obj;`
	`1013`	`+ const ASN1_TYPE *asn1obj;`
`1014`	`1014`
`1015`	`1015`	`GetPKCS7si(self, p7si);`
`1016`	`1016`