Changes between 0.9.3a and 0.9.4
+ *) The x509 application mishandled signing requests containing DSA
+ keys when the signing key was also DSA and the parameters didn't match.
+
+ It was supposed to omit the parameters when they matched the signing key:
+ the verifying software was then supposed to automatically use the CA's
+ parameters if they were absent from the end user certificate.
+
+ Omitting parameters is no longer recommended. The test was also
+ the wrong way round! This was probably due to unusual behaviour in
+ EVP_cmp_parameters() which returns 1 if the parameters match.
+ This meant that parameters were omitted when they *didn't* match and
+ the certificate was useless. Certificates signed with 'ca' didn't have
+ this bug.
+ [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
+
*) Memory leak checking had some problems. The interface is as follows:
Applications can use
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
goto end;
- /* don't save DSA parameters in child if parent has them
- * and the parents and the childs are the same. */
- upkey=X509_get_pubkey(x);
- if (!EVP_PKEY_missing_parameters(pkey) &&
- (EVP_PKEY_cmp_parameters(pkey,upkey) == 0))
- {
- EVP_PKEY_save_parameters(upkey,0);
- /* Force a re-write */
- X509_set_pubkey(x,upkey);
- }
- EVP_PKEY_free(upkey);
-
if(conf) {
X509V3_CTX ctx2;
X509_set_version(x,2); /* version 3 certificate */
projects / oweals / openssl.git / commitdiff