diff --git a/CHANGES b/CHANGES index c0953c277..4d7834360 100644 --- a/CHANGES +++ b/CHANGES @@ -893,6 +893,11 @@ Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] + *) Don't reencode certificate when calculating signature: cache and use + the original encoding instead. This makes signature verification of + some broken encodings work correctly. + [Steve Henson] + *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs. [Emilia Käsper (Google)] diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index dafd3cc92..de3df9eb5 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -63,7 +63,7 @@ #include #include -ASN1_SEQUENCE(X509_CINF) = { +ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = { ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0), ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER), ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR), @@ -74,7 +74,7 @@ ASN1_SEQUENCE(X509_CINF) = { ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1), ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2), ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3) -} ASN1_SEQUENCE_END(X509_CINF) +} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF) IMPLEMENT_ASN1_FUNCTIONS(X509_CINF) /* X509 top level structure needs a bit of customisation */ diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index bed3b096b..834d54ab5 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c @@ -234,7 +234,7 @@ static void group_order_tests(EC_GROUP *group) BN_CTX_free(ctx); } -void prime_field_tests() +static void prime_field_tests() { BN_CTX *ctx = NULL; BIGNUM *p, *a, *b; @@ -777,7 +777,7 @@ void prime_field_tests() if (!EC_GROUP_copy(_variable, group)) ABORT; \ -void char2_field_tests() +static void char2_field_tests() { BN_CTX *ctx = NULL; BIGNUM *p, *a, *b; @@ -1211,7 +1211,7 @@ void char2_field_tests() } -void internal_curve_test(void) +static void internal_curve_test(void) { EC_builtin_curve *curves = NULL; size_t crv_len = 0, n = 0; diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 604f4fb27..e6f8a4039 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -258,6 +258,7 @@ typedef struct x509_cinf_st ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ + ASN1_ENCODING enc; } X509_CINF; /* This stuff is certificate "auxiliary info" diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index ebae30b70..8ec88c215 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -90,6 +90,7 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->cert_info->enc.modified = 1; return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature, x->sig_alg, x->signature, x->cert_info,pkey,md)); }