[Pkg-openssl-devel] Re: Debian bug #295449 - OpenSSL

Cedar Cox cox at waterstoneinc.com
Thu Dec 22 18:56:20 UTC 2005


>>>>Do you know what the status is of bug #295449 regarding openssl x509
>>>>-CAserial ?  Do you know when/if the patch will be applied and the
>>>>package updated.  Has it been tested?
>>>
>>>I did not get any reply from upstream concerning this bug.
>>>And we had not yet the chance to evaluate the patch from Tim Woodall.
>>>
>>>Kurt, what do you think about the patch?
>>
>>FYI, versions 0.9.7f and 0.9.7g both work.
> 
> 
> So this might have been fixed in version 0.9.7f?  It was reported
> against version 0.9.7e.  Did you also try version 0.9.8a?

I'm attaching a diff I just did of vanilla 0.9.7e and 0.9.7f.  Looks to 
me like it contains a similar, but different fix.

-Cedar
--- openssl-0.9.7e/apps/x509.c	2004-05-12 12:20:57.000000000 -0600
+++ openssl-0.9.7f/apps/x509.c	2005-02-05 11:24:50.000000000 -0700
@@ -179,7 +179,7 @@
 	X509_REQ *rq=NULL;
 	int fingerprint=0;
 	char buf[256];
-	const EVP_MD *md_alg,*digest=EVP_md5();
+	const EVP_MD *md_alg,*digest;
 	CONF *extconf = NULL;
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int need_rand = 0;
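Review bot: dropping the `EVP_md5()` initializer leaves `digest` uninitialized from its declaration (`const EVP_MD *md_alg,*digest;`) until the later assignment in the second hunk; any `goto end` or use of `digest` between those two points would read an indeterminate pointer, and compilers will warn about it. Consider initializing to `NULL` here (`const EVP_MD *md_alg,*digest=NULL;`) so a missed assignment fails loudly rather than silently.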
@@ -216,6 +216,13 @@
 	if (ctx == NULL) goto end;
 	X509_STORE_set_verify_cb_func(ctx,callb);
 
+#ifdef  OPENSSL_FIPS
+	if (FIPS_mode())
+		digest = EVP_sha1();
+	else
+#endif
+		digest = EVP_md5();
+
 	argc--;
 	argv++;
 	num=0;
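Review bot: the `#ifdef OPENSSL_FIPS` block leaves an `else` dangling across the `#endif`, so in non-FIPS builds the line `digest = EVP_md5();` stands alone and in FIPS builds it is the else-branch of `if (FIPS_mode())`; this compiles but is easy to misread and to break on a later edit. Wrap both branches in explicit braces with a comment, and note that outside FIPS mode the default digest is still MD5, which is the weaker of the two choices and worth documenting for users who do not pass an explicit digest option.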
@@ -598,10 +605,13 @@
 			sno = ASN1_INTEGER_new();
 			if (!sno || !rand_serial(NULL, sno))
 				goto end;
-			}
-
 		if (!X509_set_serialNumber(x, sno)) 
 			goto end;
+			ASN1_INTEGER_free(sno);
+			sno = NULL;
+			}
+		else if (!X509_set_serialNumber(x, sno)) 
+			goto end;
 
 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
 		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
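Review bot: the indentation of the lines kept inside the random-serial block is now inconsistent (`if (!X509_set_serialNumber(x, sno))` and its `goto end;` sit one level shallower than the `ASN1_INTEGER_free(sno);` that follows them), which makes it hard to see that they are inside the `}`; reindent them to match. The hunk also does not show where `sno` is assigned on the non-random path that reaches `else if (!X509_set_serialNumber(x, sno))`, so verify that `sno` is guaranteed non-NULL there, as `X509_set_serialNumber` does not check for NULL. Freeing `sno` and resetting it to NULL after `X509_set_serialNumber` (which copies the value) is correct and closes the earlier leak on this path.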
@@ -971,9 +981,9 @@
 
 	if (checkend)
 		{
-		time_t tnow=time(NULL);
+		time_t tcheck=time(NULL) + checkoffset;
 
-		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+		if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
 			{
 			BIO_printf(out,"Certificate will expire\n");
 			ret=1;
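Review bot: `X509_cmp_time` returns 0 both when the two times are equal and when `notAfter` cannot be parsed, so the new test `X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0` silently reports a certificate with a malformed `notAfter` as not expiring, where the old `ASN1_UTCTIME_cmp_time_t(...) == -1` at least only matched a definite "earlier" result. Treat the 0 case as an error (or at least warn) rather than as "still valid", e.g. `if (cmp == 0) { BIO_printf(bio_err,"invalid notAfter\n"); goto end; }`. The switch to `X509_cmp_time` itself is an improvement, since it also handles GeneralizedTime values that `ASN1_UTCTIME_cmp_time_t` could not.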