From: Christos Tsantilas
Date: Wed, 29 Feb 2012 21:12:18 +0000 (+0200)
Subject: Bug fix: Current serial number generation code does not produce a stable serial numbe...
X-Git-Tag: BumpSslServerFirst.take06~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5cc307f3d0b280897b5b2157ac8d736e2050eecb;p=thirdparty%2Fsquid.git

Bug fix: Current serial number generation code does not produce a stable serial number for self-signed certificates

Squid always send the signing certificate to the ssl_crtd daemon even for self-signed certificates because the signing certificate may used for cert adaptation algorithms. The ssl_crtd currently ignore the signing certificate in the case of self-signed certificates. This is has as result to use a random number as serial number of generated certificate.

This patch also use 0 as serial number of the temporary intermediate certificate used to generate the final serial number of the certificate, in the case of signing certificate is not given.
---
diff --git a/src/ssl/crtd_message.cc b/src/ssl/crtd_message.cc
index 47ed6ed09a..6abe65d582 100644
--- a/src/ssl/crtd_message.cc
+++ b/src/ssl/crtd_message.cc
@@ -213,8 +213,7 @@ bool Ssl::CrtdMessage::parseRequest(Ssl::CertificateProperties &certProperties,
     else
         certProperties.signAlgorithm = Ssl::algSignTrusted;
-    if (certProperties.signAlgorithm != Ssl::algSignSelf &&
-        !Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {
+    if (!Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {
         error = "Broken signing certificate!";
         return false;
     }
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 9fe9842adc..5c0a62ea1a 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
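Review bot: Dropping the `signAlgorithm != Ssl::algSignSelf` guard makes a parseable signing certificate and key mandatory for every request, including self-signed ones, but nothing at the `if` records why, and the unchanged `"Broken signing certificate!"` error will now also fire when a self-signed request simply omits the certificate part. A why-comment above the `if` would keep the next reader out of the commit log: `// The signing cert/key are required even for self-signed output: the signer's public key seeds the stable serial number (see createSerial) and cert adaptation may consult it.` If any older client can still send self-signed requests without a certificate part this is a compatibility break, and a distinct message such as `"Missing or broken signing certificate!"` would make that failure diagnosable from the daemon's reply. parseRequest starts before this hunk and continues after it.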
@@ -401,6 +401,10 @@ static bool createSerial(Ssl::BIGNUM_Pointer &serial, Ssl::CertificateProperties
     Ssl::X509_Pointer fakeCert;
     serial.reset(x509Pubkeydigest(properties.signWithX509));
+    if (!serial.get()) {
+        serial.reset(BN_new());
+        BN_is_zero(serial.get());
+    }
     if (!generateFakeSslCertificate(fakeCert, fakePkey, properties, serial))
         return false;
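Review bot: `BN_is_zero(serial.get())` in the added fallback is a predicate, not a setter: it returns whether the BIGNUM is zero and the result is discarded, so the line is a no-op and the commit message's "use 0 as serial number" is only achieved because a fresh `BN_new()` happens to start at zero. The intended call is `BN_zero(serial.get())`, and `BN_new()` can return NULL on allocation failure, in which case a null `serial` is handed straight to `generateFakeSslCertificate`. I would write `serial.reset(BN_new()); if (!serial.get()) return false; BN_zero(serial.get());`. Note that this branch is taken exactly when `x509Pubkeydigest` yields nothing, i.e. presumably when no signing certificate was supplied, so the resulting serial no longer depends on any signer key — worth a comment stating that this is deliberate. createSerial's signature is cut in the hunk header and its body continues past the last line shown.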