Loading CHANGES +15 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,21 @@ Changes between 0.9.3a and 0.9.4 Changes between 0.9.3a and 0.9.4 *) The x509 application mishandled signing requests containing DSA keys when the signing key was also DSA and the parameters didn't match. It was supposed to omit the parameters when they matched the signing key: the verifying software was then supposed to automatically use the CA's parameters if they were absent from the end user certificate. Omitting parameters is no longer recommended. The test was also the wrong way round! This was probably due to unusual behaviour in EVP_cmp_parameters() which returns 1 if the parameters match. This meant that parameters were omitted when they *didn't* match and the certificate was useless. Certificates signed with 'ca' didn't have this bug. [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] *) Memory leak checking had some problems. The interface is as follows: *) Memory leak checking had some problems. The interface is as follows: Applications can use Applications can use CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), Loading apps/x509.c +0 −12 Original line number Original line Diff line number Diff line Loading 
@@ -855,18 +855,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto end; goto end; /* don't save DSA parameters in child if parent has them * and the parents and the childs are the same. */ upkey=X509_get_pubkey(x); if (!EVP_PKEY_missing_parameters(pkey) && (EVP_PKEY_cmp_parameters(pkey,upkey) == 0)) { EVP_PKEY_save_parameters(upkey,0); /* Force a re-write */ X509_set_pubkey(x,upkey); } EVP_PKEY_free(upkey); if(conf) { if(conf) { X509V3_CTX ctx2; X509V3_CTX ctx2; X509_set_version(x,2); /* version 3 certificate */ X509_set_version(x,2); /* version 3 certificate */ Loading Loading
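Review bot: The new CHANGES entry names the comparison function as EVP_cmp_parameters(), but the code being removed from apps/x509.c calls EVP_PKEY_cmp_parameters(); the entry should use the actual identifier so that anyone reading the changelog can find the function it blames. The description of the inverted test is otherwise consistent with the removed code, which omitted the parameters when `EVP_PKEY_cmp_parameters(pkey,upkey) == 0`, i.e. when they did not match.

Review bot: The x509_certify() hunk removes every visible use of `upkey` (the `X509_get_pubkey(x)` assignment and the `EVP_PKEY_free(upkey)`), but its declaration near the top of the function is outside this hunk and is not touched; if no other use remains, the now-unused variable should be dropped from the declarations as well to keep the build warning-free. The removal also matches the CHANGES entry's stated intent (stop omitting parameters rather than fix the sense of the test), so no `!= 0` correction is expected here.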