Hi,
I have some code that calls OCSP_basic_verify with a NULL st argument,
and I have just found it will crash if the OCSP cert is self-signed.
What happens is that OCSP_basic_verify doesn't check that the argument is
non-NULL, but calls X509_verify_cert(&ctx), and we end up in
X509_STORE_get_by_subject, which assumes vs->ctx is not NULL.
I think a test is needed in X509_STORE_get_by_subject, but should
OCSP_basic_verify also never be called with a NULL store argument?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]