From f7daafa442b79952d84646b7bd5e3d368669d920 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 11 Jul 1999 01:48:21 +0000 Subject: [PATCH] Fix a bug in x509.c that omitted DSA parameters when they didn't match the signers parameters. Changed it to never omit parameters. --- CHANGES | 15 +++++++++++++++ apps/x509.c | 12 ------------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 1d12ba9016..3f32fc3d22 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,21 @@ Changes between 0.9.3a and 0.9.4 + *) The x509 application mishandled signing requests containing DSA + keys when the signing key was also DSA and the parameters didn't match. + + It was supposed to omit the parameters when they matched the signing key: + the verifying software was then supposed to automatically use the CA's + parameters if they were absent from the end user certificate. + + Omitting parameters is no longer recommended. The test was also + the wrong way round! This was probably due to unusual behaviour in + EVP_cmp_parameters() which returns 1 if the parameters match. + This meant that parameters were omitted when they *didn't* match and + the certificate was useless. Certificates signed with 'ca' didn't have + this bug. + [Steve Henson, reported by Doug Erickson ] + *) Memory leak checking had some problems. The interface is as follows: Applications can use CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), diff --git a/apps/x509.c b/apps/x509.c index 3463ae6328..1024c0d3f7 100644 --- a/apps/x509.c +++ b/apps/x509.c 
@@ -855,18 +855,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto end; - /* don't save DSA parameters in child if parent has them - * and the parents and the childs are the same. */ - upkey=X509_get_pubkey(x); - if (!EVP_PKEY_missing_parameters(pkey) && - (EVP_PKEY_cmp_parameters(pkey,upkey) == 0)) - { - EVP_PKEY_save_parameters(upkey,0); - /* Force a re-write */ - X509_set_pubkey(x,upkey); - } - EVP_PKEY_free(upkey); - if(conf) { X509V3_CTX ctx2; X509_set_version(x,2); /* version 3 certificate */ -- 2.34.1
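Review bot: the CHANGES entry names the comparison function as EVP_cmp_parameters(), but the code this patch deletes from apps/x509.c calls EVP_PKEY_cmp_parameters(); use the real name so anyone grepping the tree for the explanation lands on the right function. The credit line "[Steve Henson, reported by Doug Erickson ]" also has a stray space before the closing bracket, which looks like a dropped address; either restore it or tighten the bracket.

Review bot: in the x509_certify hunk the whole `upkey` block is removed, but its declaration is outside the shown context, so confirm `upkey` has no remaining use in the function and drop the declaration too, or the build picks up an unused-variable warning. Since the deleted comment ("don't save DSA parameters in child if parent has them ...") was the only in-code record of the old policy and the new rationale lives only in CHANGES, a one-line comment at the deletion site, e.g. `/* always keep the public key parameters in the certificate */`, would stop a later contributor from reintroducing the omission. Removing the block rather than flipping `== 0` to `== 1` is consistent with the stated intent of never omitting parameters.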