DANE: fix type-2xx TLSA under older OpenSSL versions Bug 2198

author Viktor Dukhovni <viktor1dane@dukhovni.org>

Fri, 1 Dec 2017 22:13:19 +0000 (22:13 +0000)

committer Jeremy Harris <jgh146exb@wizmail.org>

Sat, 16 Dec 2017 02:21:10 +0000 (02:21 +0000)
author Viktor Dukhovni <viktor1dane@dukhovni.org>
Fri, 1 Dec 2017 22:13:19 +0000 (22:13 +0000)
committer Jeremy Harris <jgh146exb@wizmail.org>
Sat, 16 Dec 2017 02:21:10 +0000 (02:21 +0000)
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c

index 33c945d9abb02150291801e871a2bd854f5111a5..bb3763a4866328f74849ded861f41043783800f3 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -409,7 +409,7 @@ return 0;
  }
  
  static int
-set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
  {
  X509_NAME *name = akid_issuer_name(akid);
  
@@ -418,7 +418,7 @@ X509_NAME *name = akid_issuer_name(akid);
   * must use that.
   */
  return X509_set_issuer_name(cert,
-                           name ? name : X509_get_subject_name(cert));
+                           name ? name : subj);
  }
  
  static int
@@ -500,7 +500,7 @@ akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
   */
  if (  !X509_set_version(cert, 2)
     || !set_serial(cert, akid, subject)
-   || !set_issuer_name(cert, akid)
+   || !set_issuer_name(cert, akid, name)
     || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
     || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
     || !X509_set_subject_name(cert, name)
author	Viktor Dukhovni <viktor1dane@dukhovni.org>
	Fri, 1 Dec 2017 22:13:19 +0000 (22:13 +0000)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Sat, 16 Dec 2017 02:21:10 +0000 (02:21 +0000)