The signtime may be used uninitialized, you can see this when pointing
rpki-client -f at the aspa test objects in regress that don't have it.
I think we should initialize on all levels: the local signtime variable
in the individual *_parse functions, in cms_parse_validate_internal(),
and in cms_get_signtime() for the case it is reused elsewhere.
Index: aspa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v
retrieving revision 1.14
diff -u -p -r1.14 aspa.c
--- aspa.c 10 Mar 2023 12:44:56 -0000 1.14
+++ aspa.c 12 Mar 2023 10:53:58 -0000
@@ -189,7 +189,7 @@ aspa_parse(X509 **x509, const char *fn,
size_t cmsz;
unsigned char *cms;
struct cert *cert = NULL;
- time_t signtime;
+ time_t signtime = 0;
int rc = 0;
memset(&p, 0, sizeof(struct parse));
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
retrieving revision 1.31
diff -u -p -r1.31 cms.c
--- cms.c 9 Mar 2023 18:53:24 -0000 1.31
+++ cms.c 12 Mar 2023 11:02:56 -0000
@@ -69,6 +69,7 @@ cms_get_signtime(const char *fn, X509_AT
const char *time_str = "UTCtime";
int time_type = V_ASN1_UTCTIME;
+ *signtime = 0;
at = X509_ATTRIBUTE_get0_data(attr, 0, time_type, NULL);
if (at == NULL) {
time_str = "GeneralizedTime";
@@ -113,6 +114,7 @@ cms_parse_validate_internal(X509 **xp, c
*xp = NULL;
if (rsz != NULL)
*rsz = 0;
+ *signtime = 0;
/* just fail for empty buffers, the warning was printed elsewhere */
if (der == NULL)
Index: gbr.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/gbr.c,v
retrieving revision 1.25
diff -u -p -r1.25 gbr.c
--- gbr.c 10 Mar 2023 12:44:56 -0000 1.25
+++ gbr.c 12 Mar 2023 10:53:50 -0000
@@ -45,7 +45,7 @@ gbr_parse(X509 **x509, const char *fn, c
struct parse p;
size_t cmsz;
unsigned char *cms;
- time_t signtime;
+ time_t signtime = 0;
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
retrieving revision 1.84
diff -u -p -r1.84 mft.c
--- mft.c 9 Mar 2023 18:53:24 -0000 1.84
+++ mft.c 12 Mar 2023 10:54:38 -0000
@@ -353,7 +353,7 @@ mft_parse(X509 **x509, const char *fn, c
size_t cmsz;
unsigned char *cms;
char *crldp = NULL, *crlfile;
- time_t signtime;
+ time_t signtime = 0;
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
retrieving revision 1.63
diff -u -p -r1.63 roa.c
--- roa.c 10 Mar 2023 12:44:56 -0000 1.63
+++ roa.c 12 Mar 2023 10:54:05 -0000
@@ -212,7 +212,7 @@ roa_parse(X509 **x509, const char *fn, c
size_t cmsz;
unsigned char *cms;
struct cert *cert = NULL;
- time_t signtime;
+ time_t signtime = 0;
int rc = 0;
memset(&p, 0, sizeof(struct parse));
Index: rsc.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
retrieving revision 1.23
diff -u -p -r1.23 rsc.c
--- rsc.c 10 Mar 2023 12:44:56 -0000 1.23
+++ rsc.c 12 Mar 2023 10:54:23 -0000
@@ -378,7 +378,7 @@ rsc_parse(X509 **x509, const char *fn, c
unsigned char *cms;
size_t cmsz;
struct cert *cert = NULL;
- time_t signtime;
+ time_t signtime = 0;
int rc = 0;
memset(&p, 0, sizeof(struct parse));
Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
retrieving revision 1.7
diff -u -p -r1.7 tak.c
--- tak.c 10 Mar 2023 12:44:56 -0000 1.7
+++ tak.c 12 Mar 2023 10:54:13 -0000
@@ -230,7 +230,7 @@ tak_parse(X509 **x509, const char *fn, c
struct parse p;
unsigned char *cms;
size_t cmsz;
- time_t signtime;
+ time_t signtime = 0;
int rc = 0;
memset(&p, 0, sizeof(struct parse));
