On Thu, Dec 22, 2005 at 11:56:20AM -0700, Cedar Cox wrote:
> >>>>Do you know what the status is of bug #295449 regarding openssl x509
> >>>>-CAserial ?  Do you know when/if the patch will be applied and the
> >>>>package updated.  Has it been tested?
> >>>
> >>>I did not get any reply from upstream concerning this bug.
> >>>And we had not yet the chance to evaluate the patch from Tim Woodall.
> >>>
> >>>Kurt, what do you think about the patch?
> >>
> >>FYI, versions 0.9.7f and 0.9.7g both work.
> >
> >
> >So this might have been fixed in version 0.9.7f?  It was reported
> >against version 0.9.7e.  Did you also try version 0.9.8a?
> 
> I'm attaching a diff I just did of vanilla 0.9.7e and 0.9.7f.  Looks to 
> me like it contains a similar, but different fix.

This seems to be a combination of the following commits:
http://cvs.openssl.org/chngview?cn=12647
http://cvs.openssl.org/chngview?cn=12881
http://cvs.openssl.org/chngview?cn=12730

And I think only the first of those is actually relevant to the
bug report.


Kurt

> 
> -Cedar

> --- openssl-0.9.7e/apps/x509.c        2004-05-12 12:20:57.000000000 -0600
> +++ openssl-0.9.7f/apps/x509.c        2005-02-05 11:24:50.000000000 -0700
> @@ -179,7 +179,7 @@
>       X509_REQ *rq=NULL;
>       int fingerprint=0;
>       char buf[256];
> -     const EVP_MD *md_alg,*digest=EVP_md5();
> +     const EVP_MD *md_alg,*digest;
>       CONF *extconf = NULL;
>       char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = 
> NULL;
>       int need_rand = 0;
> @@ -216,6 +216,13 @@
>       if (ctx == NULL) goto end;
>       X509_STORE_set_verify_cb_func(ctx,callb);
>  
> +#ifdef  OPENSSL_FIPS
> +     if (FIPS_mode())
> +             digest = EVP_sha1();
> +     else
> +#endif
> +             digest = EVP_md5();
> +
>       argc--;
>       argv++;
>       num=0;
> @@ -598,10 +605,13 @@
>                       sno = ASN1_INTEGER_new();
>                       if (!sno || !rand_serial(NULL, sno))
>                               goto end;
> -                     }
> -
>               if (!X509_set_serialNumber(x, sno)) 
>                       goto end;
> +                     ASN1_INTEGER_free(sno);
> +                     sno = NULL;
> +                     }
> +             else if (!X509_set_serialNumber(x, sno)) 
> +                     goto end;
>  
>               if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
>               if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
> @@ -971,9 +981,9 @@
>  
>       if (checkend)
>               {
> -             time_t tnow=time(NULL);
> +             time_t tcheck=time(NULL) + checkoffset;
>  
> -             if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), 
> tnow+checkoffset) == -1)
> +             if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
>                       {
>                       BIO_printf(out,"Certificate will expire\n");
>                       ret=1;



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to