diff options
author | Dr. Stephen Henson <steve@openssl.org> | 1999-07-11 01:48:21 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 1999-07-11 01:48:21 +0000 |
commit | f7daafa442b79952d84646b7bd5e3d368669d920 (patch) | |
tree | ed69c992e5e821200986ca7e47f8842e9b12317c /CHANGES | |
parent | f8be08d200850b7046e1d9c67123b17b7e6ffd56 (diff) |
Fix a bug in x509.c that omitted DSA parameters when they didn't match the
signers parameters. Changed it to never omit parameters.
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 15 |
1 files changed, 15 insertions, 0 deletions
@@ -4,6 +4,21 @@ Changes between 0.9.3a and 0.9.4 + *) The x509 application mishandled signing requests containing DSA + keys when the signing key was also DSA and the parameters didn't match. + + It was supposed to omit the parameters when they matched the signing key: + the verifying software was then supposed to automatically use the CA's + parameters if they were absent from the end user certificate. + + Omitting parameters is no longer recommended. The test was also + the wrong way round! This was probably due to unusual behaviour in + EVP_cmp_parameters() which returns 1 if the parameters match. + This meant that parameters were omitted when they *didn't* match and + the certificate was useless. Certificates signed with 'ca' didn't have + this bug. + [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] + *) Memory leak checking had some problems. The interface is as follows: Applications can use CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), |