On Thu, Dec 22, 2005 at 11:56:20AM -0700, Cedar Cox wrote: > >>>>Do you know what the status is of bug #295449 regarding openssl x509 > >>>>-CAserial ? Do you know when/if the patch will be applied and the > >>>>package updated. Has it been tested? > >>> > >>>I did not get any reply from upstream concerning this bug. > >>>And we had not yet the chance to evaluate the patch from Tim Woodall. > >>> > >>>Kurt, what do you think about the patch? > >> > >>FYI, versions 0.9.7f and 0.9.7g both work. > > > > > >So this might have been fixed in version 0.9.7f? It was reported > >against version 0.9.7e. Did you also try version 0.9.8a? > > I'm attaching a diff I just did of vanilla 0.9.7e and 0.9.7f. Looks to > me like it contains a similar, but different fix.
This seems to be a combination of the following commits: http://cvs.openssl.org/chngview?cn=12647 http://cvs.openssl.org/chngview?cn=12881 http://cvs.openssl.org/chngview?cn=12730 And I think only the first of those is actually relevant to the bug report. Kurt > > -Cedar > --- openssl-0.9.7e/apps/x509.c 2004-05-12 12:20:57.000000000 -0600 > +++ openssl-0.9.7f/apps/x509.c 2005-02-05 11:24:50.000000000 -0700 > @@ -179,7 +179,7 @@ > X509_REQ *rq=NULL; > int fingerprint=0; > char buf[256]; > - const EVP_MD *md_alg,*digest=EVP_md5(); > + const EVP_MD *md_alg,*digest; > CONF *extconf = NULL; > char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = > NULL; > int need_rand = 0; > @@ -216,6 +216,13 @@ > if (ctx == NULL) goto end; > X509_STORE_set_verify_cb_func(ctx,callb); > > +#ifdef OPENSSL_FIPS > + if (FIPS_mode()) > + digest = EVP_sha1(); > + else > +#endif > + digest = EVP_md5(); > + > argc--; > argv++; > num=0; > @@ -598,10 +605,13 @@ > sno = ASN1_INTEGER_new(); > if (!sno || !rand_serial(NULL, sno)) > goto end; > - } > - > if (!X509_set_serialNumber(x, sno)) > goto end; > + ASN1_INTEGER_free(sno); > + sno = NULL; > + } > + else if (!X509_set_serialNumber(x, sno)) > + goto end; > > if (!X509_set_issuer_name(x,req->req_info->subject)) goto end; > if (!X509_set_subject_name(x,req->req_info->subject)) goto end; > @@ -971,9 +981,9 @@ > > if (checkend) > { > - time_t tnow=time(NULL); > + time_t tcheck=time(NULL) + checkoffset; > > - if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), > tnow+checkoffset) == -1) > + if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) > { > BIO_printf(out,"Certificate will expire\n"); > ret=1; -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

