Fix a bug in x509.c that omitted DSA parameters when they didn't match the

signers parameters. Changed it to never omit parameters.

CHANGES

@@ -4,6 +4,21 @@
 
  Changes between 0.9.3a and 0.9.4
 
+  *) The x509 application mishandled signing requests containing DSA
+     keys when the signing key was also DSA and the parameters didn't match.
+
+     It was supposed to omit the parameters when they matched the signing key:
+     the verifying software was then supposed to automatically use the CA's
+     parameters if they were absent from the end user certificate.
+
+     Omitting parameters is no longer recommended. The test was also
+     the wrong way round! This was probably due to unusual behaviour in
+     EVP_cmp_parameters() which returns 1 if the parameters match. 
+     This meant that parameters were omitted when they *didn't* match and
+     the certificate was useless. Certificates signed with 'ca' didn't have
+     this bug.
+     [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
+
   *) Memory leak checking had some problems.  The interface is as follows:
      Applications can use
          CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),

apps/x509.c

@@ -855,18 +855,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
 		goto end;
 
-	/* don't save DSA parameters in child if parent has them
-	 * and the parents and the childs are the same. */
-	upkey=X509_get_pubkey(x);
-	if (!EVP_PKEY_missing_parameters(pkey) &&
-		(EVP_PKEY_cmp_parameters(pkey,upkey) == 0))
-		{
-		EVP_PKEY_save_parameters(upkey,0);
-		/* Force a re-write */
-		X509_set_pubkey(x,upkey);
-		}
-	EVP_PKEY_free(upkey);
-
 	if(conf) {
 		X509V3_CTX ctx2;
 		X509_set_version(x,2); /* version 3 certificate */