Hello,
While trying to generate a certificate chain using the OpenSSL calls, we
found that the certificate chain was not being formed correctly in
version 0.9.6; the same code worked fine for version 0.9.5a. We found a
bug in crypto/x509/by_dir.c, which looks for the CA certificates in the
directory defined by the environment variable SSL_CERT_DIR. The bug fix
is also shown within this bug report. Please let me know when this change
will be included in the OpenSSL distribution, which will save us from
maintaining the OpenSSL source tree within CVS.
Following are the details about the bug:
***** OpenSSL version:
***output of 'openssl version -a' on a BSD machine:
bash-2.04$ /usr/local/ssl/bin/openssl version -a
OpenSSL 0.9.6 24 Sep 2000
built on: Tue Nov 28 13:01:53 EST 2000
platform: FreeBSD-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
idea(int) blowfish(idx)
compiler: gcc -DTHREADS -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
***output of 'openssl version -a' on a Linux machine:
[lbhat@testlinux cert]$ /usr/local/ssl/bin/openssl version -a
OpenSSL 0.9.6 24 Sep 2000
built on: Tue Nov 14 17:12:41 EST 2000
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
idea(int) blowfish(idx)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM
******** Application Details (name, version)
Could not use any OpenSSL-provided application to reproduce the problem.
It was a home-grown application to generate a certificate chain for a
given certificate, with the certificates of the Certificate Authorities
stored in a directory specified by the environment variable SSL_CERT_DIR.
******* Problem Description (steps that will reproduce the problem, if known)
While trying to generate a certificate chain using the OpenSSL calls, we
found that the certificate chain was not being formed correctly in
version 0.9.6; the same code worked fine for version 0.9.5a. The
certificate chain would contain simply the header + the user certificate;
the CA certificates were not being prepended to form the chain. The
return codes from the OpenSSL functions were normal.
****** BUG FIX:
File with the bug: crypto/x509/by_dir.c
When the OpenSSL version went from 0.9.5a to 0.9.6, the certificate store
started saving the certificates in a stack, rather than in a hash
table. During this conversion, a bug seems to have been introduced
while obtaining a matching certificate from the stack of certificates in
the above file. In particular, the 2nd of the following lines was in
error:
    j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
    if(j != -1)
        tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
After finding the object in the store at position "j" in the first line,
the 2nd line uses "i", instead of "j", to get the object value; "i" is a
loop variable in a for loop and will not be the same as the value of
"j", which is what causes the problem. A change from "i" to "j" in the
2nd line fixed the bug.
Appreciate your response to this email.
Regards,
Lalitha Bhat
SSN Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
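The index mix-up the report describes, as an added example constructed for this page (it is neither OpenSSL's by_dir.c nor the reporter's application): a small sorted store with find/value helpers standing in for sk_X509_OBJECT_find()/sk_X509_OBJECT_value(), a directory loop whose index i is used in place of the found index j, and the corrected form beside it. The type names, helper names (store_find, store_value, lookup_in_store), the NUM_DIRS constant, the hash values and the subject strings are all assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the by_dir.c lookup; not OpenSSL's code. */

#define MAX_OBJS 8
#define NUM_DIRS 1   /* assumption: SSL_CERT_DIR names a single directory */

typedef struct {
    unsigned long hash;   /* stands in for X509_NAME_hash() of the subject */
    const char *subject;  /* label used only for this demonstration */
} obj_t;

typedef struct {
    obj_t objs[MAX_OBJS]; /* kept sorted by hash, as sk_sort() would */
    int num;
} store_t;

/* Insert keeping the array sorted by hash (models sk_push + sk_sort). */
static void store_add(store_t *st, unsigned long hash, const char *subject)
{
    int k = st->num;
    while (k > 0 && st->objs[k - 1].hash > hash) {
        st->objs[k] = st->objs[k - 1];
        k--;
    }
    st->objs[k].hash = hash;
    st->objs[k].subject = subject;
    st->num++;
}

/* Models sk_X509_OBJECT_find(): binary search, index of the match or -1. */
static int store_find(const store_t *st, unsigned long hash)
{
    int lo = 0, hi = st->num - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (st->objs[mid].hash == hash) return mid;
        if (st->objs[mid].hash < hash) lo = mid + 1; else hi = mid - 1;
    }
    return -1;
}

/* Models sk_X509_OBJECT_value(): NULL when the index is out of range. */
static const obj_t *store_value(const store_t *st, int idx)
{
    if (idx < 0 || idx >= st->num) return NULL;
    return &st->objs[idx];
}

/* Models the tail of the by_dir.c directory loop: for each CA directory i
 * the matching file would be loaded into the store, then the object is
 * pulled back out.  With use_loop_index set, the value is fetched with the
 * directory index i instead of the found index j, the defect reported. */
static const obj_t *lookup_in_store(const store_t *st, unsigned long hash,
                                    int use_loop_index)
{
    const obj_t *tmp = NULL;
    int i, j;

    for (i = 0; i < NUM_DIRS; i++) {
        /* (loading "<dir>/<hash>.0" into the store would happen here) */
        j = store_find(st, hash);
        if (j != -1)
            tmp = store_value(st, use_loop_index ? i : j);
        else
            tmp = NULL;
        if (tmp != NULL)
            break;
    }
    return tmp;
}

/* Constructed sample store: three CA certificates with hashes chosen so
 * that the issuing CA sorts to index 2, not to the loop index 0. */
static void build_sample_store(store_t *st)
{
    st->num = 0;
    store_add(st, 0x0c3a9e17UL, "CN=Unrelated Root A");
    store_add(st, 0x7f1b2d40UL, "CN=Issuing CA");
    store_add(st, 0x3e5d11a2UL, "CN=Unrelated Root B");
}

/* Subject returned when the loop index i is used (the reported defect). */
const char *buggy_lookup_subject(void)
{
    store_t st;
    build_sample_store(&st);
    const obj_t *o = lookup_in_store(&st, 0x7f1b2d40UL, 1);
    return o ? o->subject : "(none)";
}

/* Subject returned when the found index j is used (the reporter's fix). */
const char *fixed_lookup_subject(void)
{
    store_t st;
    build_sample_store(&st);
    const obj_t *o = lookup_in_store(&st, 0x7f1b2d40UL, 0);
    return o ? o->subject : "(none)";
}

int main(void)
{
    printf("with loop index i : %s\n", buggy_lookup_subject());
    printf("with found index j: %s\n", fixed_lookup_subject());
    return 0;
}
```

Note that the defective path does not fail: store_value() returns a real object (just the wrong one), so a caller that only checks for NULL or a non-error return code sees nothing amiss, which matches the "return codes were normal" symptom in the report. Only comparing the returned subject against the issuer actually wanted exposes the mismatch.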