From: Christos Tsantilas <chtsanti@users.sourceforge.net>
Date: Fri, 24 Feb 2012 09:20:19 +0000 (+0200)
Subject: Assert that the serial number for generated certificates
X-Git-Tag: BumpSslServerFirst.take05~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5bd24d6b84f9289025b7fe4291c6043d622941d;p=thirdparty%2Fsquid.git

Assert that the serial number for generated certificates
does not exceed 20 bytes
---

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index e9ed33f76b..d701b51033 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -353,6 +353,9 @@ static  BIGNUM *createCertSerial(unsigned char *md, unsigned int n)
     if (BN_is_zero(serial))
         BN_one(serial);
 
+    // serial size does not exceed 20 bytes
+    assert(BN_num_bits(serial) <= 160);
+
     // According the RFC 5280, serial is an 20 bytes ASN.1 INTEGER (a signed big integer)
     // and the maximum value for X.509 certificate serial number is 2^159-1 and
     // the minimum 0. If the first bit of the serial is '1' ( eg 2^160-1),