The bug is in the file x509v3/v3_lib.c in the function X509V3_get_d2i() in
the 0.9.7b source code.
This bug affects all operating systems.
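The problem: If the idx parameter is non-NULL (that is, it points to an integer
index), then the function always returns NULL, even when a matching extension
is present, because the loop breaks out before found_ex has been set.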
Here's the fixed code, with my addition marked with a comment:
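/*
 * Look up the extension with the given NID in an extension stack and
 * return its decoded form.
 *
 * x    - extension stack to search; may be NULL.
 * nid  - NID of the extension to look for.
 * crit - optional out-parameter. Set to the extension's critical flag when
 *        a match is decoded, to -1 when the stack is NULL or no match is
 *        found, and to -2 when idx is NULL and the NID occurs more than
 *        once.
 * idx  - optional in/out-parameter. When non-NULL the search starts at
 *        *idx + 1 (negative start positions are clamped to 0), stops at the
 *        first match and stores that position in *idx; it is set to -1 when
 *        nothing is found. When NULL the whole stack is scanned and a
 *        duplicate is reported as an error.
 *
 * Returns the result of X509V3_EXT_d2i() on the matching extension, or NULL.
 * A NULL return is ambiguous on its own: callers that make a trust decision
 * on the presence or absence of an extension should inspect *crit (-1 =
 * absent, -2 = duplicated, otherwise a match existed and NULL came from
 * X509V3_EXT_d2i(), presumably a decode failure - confirm against that
 * function).
 */
void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
{
    int lastpos, i;
    X509_EXTENSION *ex, *found_ex = NULL;

    if (!x) {
        if (idx) *idx = -1;
        if (crit) *crit = -1;
        return NULL;
    }

    /* Resume after the caller's previous hit, or start from the beginning. */
    if (idx) lastpos = *idx + 1;
    else lastpos = 0;
    if (lastpos < 0) lastpos = 0;

    for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
        ex = sk_X509_EXTENSION_value(x, i);
        if (OBJ_obj2nid(ex->object) == nid) {
            if (idx) {
                *idx = i;
                /*
                 * The fix: record the match before leaving the loop.
                 * Without this assignment found_ex stays NULL on the idx
                 * path, so every indexed lookup reported the extension as
                 * absent even though *idx had been advanced to it.
                 */
                found_ex = ex;
                break;
            } else if (found_ex) {
                /* Found more than one */
                if (crit) *crit = -2;
                return NULL;
            }
            found_ex = ex;
        }
    }

    if (found_ex) {
        /* Found it */
        if (crit) *crit = X509_EXTENSION_get_critical(found_ex);
        return X509V3_EXT_d2i(found_ex);
    }

    /* Extension not found */
    if (idx) *idx = -1;
    if (crit) *crit = -1;
    return NULL;
}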
--
Doug Sauder
Hunny Software, Inc
Email: [EMAIL PROTECTED]