Bug#295449: [Pkg-openssl-devel] Re: Debian bug #295449 - OpenSSL

Kurt Roeckx kurt at roeckx.be
Sun Dec 25 11:01:38 UTC 2005


On Thu, Dec 22, 2005 at 11:56:20AM -0700, Cedar Cox wrote:
> >>>>Do you know what the status is of bug #295449 regarding openssl x509
> >>>>-CAserial ?  Do you know when/if the patch will be applied and the
> >>>>package updated.  Has it been tested?
> >>>
> >>>I did not get any reply from upstream concerning this bug.
> >>>And we had not yet the chance to evaluate the patch from Tim Woodall.
> >>>
> >>>Kurt, what do you think about the patch?
> >>
> >>FYI, versions 0.9.7f and 0.9.7g both work.
> >
> >
> >So this might have been fixed in version 0.9.7f?  It was reported
> >against version 0.9.7e.  Did you also try version 0.9.8a?
> 
> I'm attaching a diff I just did of vanilla 0.9.7e and 0.9.7f.  Looks to 
> me like it contains a similar, but different fix.

This seems to be a combination of the following commits:
http://cvs.openssl.org/chngview?cn=12647
http://cvs.openssl.org/chngview?cn=12881
http://cvs.openssl.org/chngview?cn=12730

And I think only the first of those is actually relevant to the
bug report.


Kurt

> 
> -Cedar

> --- openssl-0.9.7e/apps/x509.c	2004-05-12 12:20:57.000000000 -0600
> +++ openssl-0.9.7f/apps/x509.c	2005-02-05 11:24:50.000000000 -0700
> @@ -179,7 +179,7 @@
>  	X509_REQ *rq=NULL;
>  	int fingerprint=0;
>  	char buf[256];
> -	const EVP_MD *md_alg,*digest=EVP_md5();
> +	const EVP_MD *md_alg,*digest;
>  	CONF *extconf = NULL;
>  	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
>  	int need_rand = 0;
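Review bot: with the `=EVP_md5()` initializer removed, `digest` is assigned only further down main(), so any `goto end` taken before that assignment (the `if (ctx == NULL) goto end;` that precedes the new block is one) reaches the cleanup with `digest` uninitialized; confirm nothing at `end:` reads it, or keep a harmless initializer here and override it below.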
> @@ -216,6 +216,13 @@
>  	if (ctx == NULL) goto end;
>  	X509_STORE_set_verify_cb_func(ctx,callb);
>  
> +#ifdef  OPENSSL_FIPS
> +	if (FIPS_mode())
> +		digest = EVP_sha1();
> +	else
> +#endif
> +		digest = EVP_md5();
> +
>  	argc--;
>  	argv++;
>  	num=0;
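Review bot: the `else` on the line after `#endif` belongs to an `if` that exists only when OPENSSL_FIPS is defined, so the if/else straddles a preprocessor conditional and the non-FIPS build sees a lone assignment; it compiles both ways but is fragile. Equivalent and clearer: `digest = EVP_md5();` unconditionally, then `#ifdef OPENSSL_FIPS` / `if (FIPS_mode()) digest = EVP_sha1();` / `#endif`. Either way the non-FIPS default signature digest stays MD5, which is a weak choice for certificate signatures; defaulting to `EVP_sha1()` in both builds (leaving `-md` to select MD5 explicitly) would be the safer change.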
> @@ -598,10 +605,13 @@
>  			sno = ASN1_INTEGER_new();
>  			if (!sno || !rand_serial(NULL, sno))
>  				goto end;
> -			}
> -
>  		if (!X509_set_serialNumber(x, sno)) 
>  			goto end;
> +			ASN1_INTEGER_free(sno);
> +			sno = NULL;
> +			}
> +		else if (!X509_set_serialNumber(x, sno)) 
> +			goto end;
>  
>  		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
>  		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
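Review bot: the kept context line `if (!X509_set_serialNumber(x, sno))` and its `goto end` are indented at the enclosing block's level while the `ASN1_INTEGER_free(sno);`, `sno = NULL;` and `}` added after them sit one level deeper, so the braces no longer show where the random-serial block ends; reindent the `if` to match. The two branches also duplicate the `X509_set_serialNumber` call and differ only in whether `sno` is freed, so one call followed by a conditional free reads better. Freeing the random serial right after the call is correct, since `X509_set_serialNumber` stores a copy; the caller-supplied `sno` of the `else` branch still has to be released at `end:`.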
> @@ -971,9 +981,9 @@
>  
>  	if (checkend)
>  		{
> -		time_t tnow=time(NULL);
> +		time_t tcheck=time(NULL) + checkoffset;
>  
> -		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
> +		if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
>  			{
>  			BIO_printf(out,"Certificate will expire\n");
>  			ret=1;
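Review bot: `X509_cmp_time` returns 0 on error as well as on equality, so the `< 0` test reports a certificate whose notAfter cannot be parsed as "will not expire"; either treat a 0 return as an error (set `ret` and print a message) or document that `-checkend` is silent on unparsable dates. The switch itself is right: `X509_cmp_time` also accepts a GeneralizedTime notAfter, which `ASN1_UTCTIME_cmp_time_t` could not handle, and folding `checkoffset` into `tcheck` once is tidier than adding it at the call site.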
