Re: Bug in openssl 0.9.6 for certificate verification

2000-10-19 Thread Jean-Marc Desperrier

Dr S N Henson wrote:

 Jean-Marc Desperrier wrote:
 
  I have some code that I could use to verify certificates, and that's not
  able to do it anymore when compiled with 0.9.6
 
  I traced this to the following line (330) in the file by_dir.c
  -  if(j != -1) tmp=sk_X509_OBJECT_value(xl-store_ctx-objs,i);
  +  if(j != -1) tmp=sk_X509_OBJECT_value(xl-store_ctx-objs,j);

 Urgh, yes that is a bug.

Maybe you could have something similar to the stable version of Linux, to
incorporate only very simple bug corrections like this one.

Something like:
0.9.6 => 0.9.6a (only bug corrections) => 0.9.6b (additional bug corrections)
      => dev 0.9.7 (new features + bug corrections)

I'm probably not the first to ask for that :-)

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Bug in openssl 0.9.6 for certificate verification

2000-10-18 Thread Jean-Marc Desperrier

Dr S N Henson wrote:

  I make the verification using a call to X509_verify_cert.
  When the call returns, there are some errors left in the error stack from
  a call to check_issued to check if the certificate is self-signed or not.
  Is this normal behaviour?
 

 That shouldn't happen unless you set the X509_V_FLAG_CB_ISSUER_CHECK
 flag. What specific error are you getting?

I wasn't very clear.

The return code is one, telling me that there is no error, but
X509_STORE_CTX_get_error gives me an error value of 29 (subject issuer
mismatch).

I was afraid this error would be stored somewhere and be annoying later, but
I've realised now it's freed when I call X509_STORE_CTX_free, therefore it's
probably a non-issue.




Re: Bug in openssl 0.9.6 for certificate verification

2000-10-13 Thread Dr S N Henson

Jean-Marc Desperrier wrote:
 
 I have some code that I could use to verify certificates, and that's not
 able to do it anymore when compiled with 0.9.6
 
 I traced this to the following line (330) in the file by_dir.c
 This line has been changed from 0.9.5 to 0.9.6.
 I think the last argument in the call to sk_X509_OBJECT_value should be
 j instead of i.
 The check works for me again with the following change.
 
   CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
  j = sk_X509_OBJECT_find(xl-store_ctx-objs,stmp);
 -  if(j != -1) tmp=sk_X509_OBJECT_value(xl-store_ctx-objs,i);
 +  if(j != -1) tmp=sk_X509_OBJECT_value(xl-store_ctx-objs,j);
   else tmp = NULL;
   CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
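
Review bot: the one-character fix is right and complete: `j` is the index that sk_X509_OBJECT_find() returned on the previous line, whereas `i` is a variable of the enclosing code with no relation to where the match sits in the sorted stack, so the old line handed back whatever object sat at position i (or NULL when i was past the end of the stack) instead of the entry matching stmp, which is why verification stopped working; the existing `j != -1` guard already covers the sk_X509_OBJECT_value() call, so nothing else in the hunk needs changing. For readers of the archive: the `->` member accesses have been stripped by the list software, which is why the lines read `xl-store_ctx-objs`. Since "openssl verify" and the test suite only reach this code through the cache path and never use the object returned here (as explained below), a test that drives the by_dir X509_LOOKUP directly with a subject name and checks the subject of the object it returns would have caught this regression.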
 

Urgh, yes that is a bug.

 What I don't get is why this bug does not appear when using "openssl
 -verify" or in the tests?
 

This is because it uses a different technique for looking up multiple
matches in the store. It uses the normal lookup to prime the cache, then
searches through the cache itself; as such the returned certificate from
the X509_LOOKUP_*() code isn't used.

 I make the verification using a call to X509_verify_cert.
 When the call returns, there are some errors left in the error stack from
 a call to check_issued to check if the certificate is self-signed or not.
 Is this normal behaviour?
 

That shouldn't happen unless you set the X509_V_FLAG_CB_ISSUER_CHECK
flag. What specific error are you getting?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
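
The one-character bug discussed in this thread, as an added example that is not OpenSSL's own code: a small C model of the by_dir lookup with a sorted object stack, a find that returns an index (like sk_X509_OBJECT_find) and a value that reads by index (like sk_X509_OBJECT_value), so the effect of passing i instead of j can be run without OpenSSL. The store contents, the function names and the variable i are hypothetical; the only thing taken from the hunk is the guard on the find result and the i/j mix-up it corrects.

```c
/*
 * Added example, not OpenSSL code: a plain-C model of the index mix-up in
 * by_dir.c discussed in this thread. The store is a sorted table of
 * objects, stack_find() returns the index of the match (like
 * sk_X509_OBJECT_find) and stack_value() returns the entry at an index
 * (like sk_X509_OBJECT_value). All names and sample certificates are
 * hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an X509_OBJECT: only the subject name matters here. */
typedef struct {
    const char *subject;
} cert_obj;

/* Stand-in for the store's STACK_OF(X509_OBJECT); kept sorted by subject
 * so that stack_find() can binary-search the way sk_find() does. */
typedef struct {
    cert_obj *objs;
    int num;
} obj_stack;

static int cmp_obj(const void *a, const void *b)
{
    return strcmp(((const cert_obj *)a)->subject,
                  ((const cert_obj *)b)->subject);
}

/* Like sk_X509_OBJECT_find(): index of the entry for `subject`, or -1. */
static int stack_find(const obj_stack *st, const char *subject)
{
    cert_obj key = { subject };
    cert_obj *hit = bsearch(&key, st->objs, (size_t)st->num,
                            sizeof(cert_obj), cmp_obj);
    return hit ? (int)(hit - st->objs) : -1;
}

/* Like sk_X509_OBJECT_value(): entry at `idx`, or NULL when out of range. */
static const cert_obj *stack_value(const obj_stack *st, int idx)
{
    if (idx < 0 || idx >= st->num)
        return NULL;
    return &st->objs[idx];
}

/*
 * The lookup routine. `i` models a variable of the enclosing code that has
 * nothing to do with where the match sits in the sorted stack; `j` is the
 * result of the find. With use_fixed == 0 this reproduces the 0.9.6 line
 * (value(objs, i)); with use_fixed == 1 it applies the thread's fix
 * (value(objs, j)).
 */
static const cert_obj *lookup_by_subject(const obj_stack *st,
                                         const char *subject,
                                         int i, int use_fixed)
{
    int j = stack_find(st, subject);
    if (j == -1)
        return NULL;                  /* guard as in the hunk */
    return stack_value(st, use_fixed ? j : i);
}

/* Caller's side, modelling the issuer check that follows the lookup: the
 * object handed back must carry exactly the subject that was asked for. */
static int issuer_matches(const cert_obj *found, const char *wanted)
{
    return found != NULL && strcmp(found->subject, wanted) == 0;
}

/* Constructed sample store: three CA subjects, already in strcmp() order. */
static cert_obj demo_objs[] = {
    { "CN=Alpha CA" },
    { "CN=Beta CA" },
    { "CN=Gamma CA" },
};
static const obj_stack demo_store = { demo_objs, 3 };

int main(void)
{
    const char *want = "CN=Gamma CA";
    int i = 0;   /* whatever the enclosing variable happens to hold */
    const cert_obj *bad = lookup_by_subject(&demo_store, want, i, 0);
    const cert_obj *good = lookup_by_subject(&demo_store, want, i, 1);

    printf("0.9.6 line : asked for %s, got %s, issuer check %s\n", want,
           bad ? bad->subject : "(NULL)",
           issuer_matches(bad, want) ? "ok" : "FAILS");
    printf("fixed line : asked for %s, got %s, issuer check %s\n", want,
           good ? good->subject : "(NULL)",
           issuer_matches(good, want) ? "ok" : "FAILS");
    return (issuer_matches(good, want) && !issuer_matches(bad, want)) ? 0 : 1;
}
```

With i = 0 the buggy line returns "CN=Alpha CA" when "CN=Gamma CA" was asked for, so the issuer check fails; with i past the end of the stack it returns NULL instead. Either way the caller never sees the certificate it looked up, which is the failure reported at the top of the thread.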
