Hi all,

In the current release OpenSSL 0.9.8j, there are two bugs in ./crypto/x509/x509_vfy.c and ./crypto/x509/x509_cmp.c. Here are the details:

1) The return value of function X509_NAME_cmp in ./crypto/x509/x509_cmp.c is not consistent. X509_NAME_cmp(a,b) should not only return a boolean value (a=b or not) but also needs to return <0 meaning a<b, >0 meaning a>b, =0 meaning a=b. Since this function is used in sort and bsearch functions, the return value should be absolutely consistent. Say if a>b, b>c, then a>c should be expected. The current logic may return conflicting results. We have a CA cert file which contains over 300 trusted CA certs; if we enumerate the whole list and call X509_find_by_subject, X509_find_by_subject will fail on some certs due to this problem.

FIX: return a memcmp(a,b) value once we find any difference.

2) The X509_verify_cert function in ./crypto/x509/x509_vfy.c will only verify the cert chain against the first cert in a trusted CA cert list. In the same cert file, we have two CA certs that have the exact same subject line. Since X509_find_by_subject can only return the first CA cert found in the list, X509_verify_cert fails to verify a cert signed by the second CA cert; the root CA cert of this cert is in the CA cert list but cannot be returned by the X509_find_by_subject function.

FIX: X509_find_by_subject should return a NULL-ended X509_NAME array; X509_verify_cert can then try all the CA cert instances to verify the cert chain.

BTW, we prepared the CA cert file by importing root CA certs from IE7/Firefox3 and other trusted sources. So it is a real problem.

Best Regards,
James Ding

OpenSSL Project http://www.openssl.org Development Mailing List
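Both behaviours the mail reports, as an added C example that is neither OpenSSL's code nor the poster's: a hypothetical simple_name struct stands in for X509_NAME, name_cmp_broken models a comparator that only reports "equal or not", name_cmp_fixed returns the memcmp-style result of the first difference so that qsort/bsearch see a total order, and a constructed three-entry CA store with two same-subject roots shows why a lookup that stops at the first subject match cannot verify a leaf signed by the second root. Every identifier and all sample data below are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified stand-in for an X.509 name: three attribute
 * strings (say C, O, CN). This is not OpenSSL's X509_NAME. */
#define NAME_ATTRS 3
typedef struct { const char *attr[NAME_ATTRS]; } simple_name;

/* Comparator of the broken kind the mail describes: it only reports
 * "different" (always positive), so it is not a total order. */
static int name_cmp_broken(const simple_name *a, const simple_name *b)
{
    for (int i = 0; i < NAME_ATTRS; i++)
        if (strcmp(a->attr[i], b->attr[i]) != 0)
            return 1;                       /* never returns a negative value */
    return 0;
}

/* Consistent comparator: memcmp-style result of the first differing
 * attribute, so a<b and b<c imply a<c and bsearch/qsort can rely on it. */
static int name_cmp_fixed(const simple_name *a, const simple_name *b)
{
    for (int i = 0; i < NAME_ATTRS; i++) {
        size_t la = strlen(a->attr[i]), lb = strlen(b->attr[i]);
        int r = memcmp(a->attr[i], b->attr[i], la < lb ? la : lb);
        if (r != 0) return r;
        if (la != lb) return la < lb ? -1 : 1;
    }
    return 0;
}

static int qs_broken(const void *a, const void *b) { return name_cmp_broken(a, b); }
static int qs_fixed(const void *a, const void *b)  { return name_cmp_fixed(a, b); }

/* Constructed sample data: eight distinct names in a fictitious store. */
static const simple_name sample_names[8] = {
    {{"US", "Alpha CA", "Alpha Root"}},   {{"US", "Alpha CA", "Alpha Root G2"}},
    {{"DE", "Beta Trust", "Beta Root"}},  {{"FR", "Gamma", "Gamma Root"}},
    {{"GB", "Delta", "Delta Root"}},      {{"JP", "Epsilon", "Epsilon Root"}},
    {{"US", "Zeta", "Zeta Root"}},        {{"NL", "Eta", "Eta Root"}},
};

/* Sort the store with the consistent comparator (a valid order), then
 * bsearch every entry with the comparator under test. Returns how many of
 * the 8 entries were found; the broken comparator loses some of them
 * because bsearch is always told to move right. */
int found_with(int (*cmp)(const void *, const void *))
{
    simple_name store[8];
    memcpy(store, sample_names, sizeof store);
    qsort(store, 8, sizeof store[0], qs_fixed);
    int found = 0;
    for (int i = 0; i < 8; i++)
        if (bsearch(&store[i], store, 8, sizeof store[0], cmp) != NULL) found++;
    return found;
}
int found_with_broken(void) { return found_with(qs_broken); }
int found_with_fixed(void)  { return found_with(qs_fixed); }

/* ---- second issue: two trusted CAs with the same subject ---- */
typedef struct { simple_name subject; int key_id; } ca_entry;

/* Constructed store: two roots share a subject but carry different keys. */
static const ca_entry ca_store[3] = {
    {{{"US", "Acme", "Acme Root CA"}}, 1},
    {{{"US", "Acme", "Acme Root CA"}}, 2},   /* re-issued root, same name */
    {{{"DE", "Beta Trust", "Beta Root"}}, 3},
};
/* The leaf to verify names "Acme Root CA" as issuer and was signed by key 2. */
static const simple_name leaf_issuer = {{"US", "Acme", "Acme Root CA"}};
static const int leaf_issuer_key = 2;

/* Lookup that stops at the first subject match (the behaviour the mail
 * reports for X509_find_by_subject); verification then checks the key. */
int verify_first_match_only(void)
{
    for (size_t i = 0; i < 3; i++)
        if (name_cmp_fixed(&ca_store[i].subject, &leaf_issuer) == 0)
            return ca_store[i].key_id == leaf_issuer_key;   /* only candidate tried */
    return 0;
}

/* Proposed fix: try every CA whose subject matches until one verifies. */
int verify_all_matches(void)
{
    for (size_t i = 0; i < 3; i++)
        if (name_cmp_fixed(&ca_store[i].subject, &leaf_issuer) == 0
            && ca_store[i].key_id == leaf_issuer_key)
            return 1;
    return 0;
}

int main(void)
{
    printf("lookups found: broken cmp %d/8, fixed cmp %d/8\n",
           found_with_broken(), found_with_fixed());
    printf("verify: first match only %d, all matches %d\n",
           verify_first_match_only(), verify_all_matches());
    return 0;
}
```

The sort is done with the consistent comparator in both runs so that only the lookup step differs; an inconsistent comparator handed to qsort itself is undefined behaviour in C, which is one more reason the memcmp-style return value matters.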
