Folks,
In using an older version of SSLeay in our product, we have
run across the following situation which I believe to be a bug
in parsing of CRL_INFO structures. Essentially, the 1997 X.509
standard states that the optional version number in a CRL_INFO is
present only if a critical extension is present and shall be absent
if no critical extensions are present.
The RSA Keon certificate server creates CRLs that have an
Authority Key Identifier (always non-critical) extension in them,
and no version number (following the standard's mandated handling).
The version of SSLeay we're using (and OpenSSL 0.9.4) both fail
to parse these correctly because they only parse extensions if
the version number is present and greater than or equal to one.
A proposed diff to address this is appended.
Thanks,
Brien Wheeler
Director of Engineering
Authentica, Inc.
--------
*** openssl-0.9.4/crypto/asn1/x_crl.c.orig Wed Jun 2 13:14:44 1999
--- openssl-0.9.4/crypto/asn1/x_crl.c Mon Dec 20 18:21:49 1999
***************
*** 190,209 ****
}
}
! if (ver >= 1)
{
! if (ret->extensions != NULL)
! {
! while (sk_X509_EXTENSION_num(ret->extensions))
! X509_EXTENSION_free(
! sk_X509_EXTENSION_pop(ret->extensions));
! }
!
! M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
! d2i_X509_EXTENSION,
! X509_EXTENSION_free,0,
! V_ASN1_SEQUENCE);
}
M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO);
}
--- 190,214 ----
}
}
! /*
! * Always look for extensions. Previous code only looked if the
! * version number was present and greater than or equal to one.
! * However, the 1997 X.509 standard says that the version number
! * shall be absent if no critical extensions exist. It is legal
! * to have non-critical extensions and no version number, which
! * the previous code failed to parse correctly.
! */
! if (ret->extensions != NULL)
{
! while (sk_X509_EXTENSION_num(ret->extensions))
! X509_EXTENSION_free(
! sk_X509_EXTENSION_pop(ret->extensions));
}
+
+ M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
+ d2i_X509_EXTENSION,
+ X509_EXTENSION_free,0,
+ V_ASN1_SEQUENCE);
M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO);
}
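Review bot: Dropping the `if (ver >= 1)` guard means this function no longer ties the presence of extensions to the version field at all, so a version-less CRL_INFO with a critical extension (which the covering mail says the standard forbids) is now accepted silently; if only the non-critical case is meant to be tolerated, consider checking after `M_ASN1_D2I_get_EXP_set_opt_type(...)` that `ver >= 1` whenever the parsed stack contains an extension marked critical, or state in the comment that the relaxation is deliberate for all cases. The comment itself reads as a changelog ("Previous code only looked if the version number was present...") rather than a description of current behaviour; the history belongs in CHANGES or the commit message, and the comment should say what the code now requires. Also confirm `ver` still has a reader in this function once the `if (ver >= 1)` test is gone, to avoid an unused-variable warning.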
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
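The situation described in the mail, as an added example in Python that is not part of the original message and not OpenSSL's own code: a tiny DER builder produces a minimal CRL_INFO (TBSCertList) with and without the optional version INTEGER, and a parser looks for the crlExtensions `[0] EXPLICIT` field regardless of the version, which is what the patch changes `x_crl.c` to do. The issuer name, date and key identifier are constructed samples; the `old_version_guard` mode models the pre-patch check as leaving the `[0]` field unconsumed and then failing on trailing bytes, which is an assumption about how the failure surfaces, not a transcription of the 0.9.4 macros.

```python
# Added example (not from the original mail or from OpenSSL): hand-built DER
# for a minimal X.509 CRL_INFO (TBSCertList) and a small parser that looks
# for the crlExtensions [0] EXPLICIT field regardless of whether the optional
# version INTEGER is present. Issuer, date and key identifier are constructed.

def der_len(n):
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def aki_extension():
    """authorityKeyIdentifier (2.5.29.35) with critical omitted (DEFAULT FALSE),
    the shape the mail describes; the key identifier is a constructed sample."""
    key_id = tlv(0x80, bytes(range(20)))  # [0] IMPLICIT keyIdentifier
    return seq(tlv(0x06, bytes.fromhex("551d23")), tlv(0x04, seq(key_id)))

def build_crl_info(version, extensions):
    """Minimal TBSCertList: [version] signature issuer thisUpdate [[0] exts]."""
    parts = [] if version is None else [integer(version)]
    parts.append(seq(tlv(0x06, bytes.fromhex("2a864886f70d010105")), tlv(0x05, b"")))  # sha1WithRSA
    parts.append(seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x13, b"Test CA")))))
    parts.append(tlv(0x17, b"991220182149Z"))  # thisUpdate, UTCTime (constructed)
    if extensions:
        parts.append(tlv(0xA0, seq(*extensions)))  # crlExtensions [0] EXPLICIT
    return seq(*parts)

def parse_extensions(explicit_content):
    _, ext_seq, _ = read_tlv(explicit_content, 0)
    exts, p = [], 0
    while p < len(ext_seq):
        _, ext, p = read_tlv(ext_seq, p)
        _, oid, q = read_tlv(ext, 0)
        t, val, _ = read_tlv(ext, q)
        critical = t == 0x01 and val != b"\x00"  # BOOLEAN present and TRUE
        exts.append((decode_oid(oid), critical))
    return exts

def parse_crl_info(der, old_version_guard=False):
    """Return (version or None, [(oid, critical), ...]).
    old_version_guard=True mimics the pre-patch logic: the [0] field is only
    consumed when version is present and >= 1, so a version-less CRL that
    carries extensions is left with unparsed bytes and rejected (assumed)."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30
    pos, version = 0, None
    tag, val, nxt = read_tlv(body, 0)
    if tag == 0x02:  # optional version
        version, pos = int.from_bytes(val, "big"), nxt
    for _ in range(2):  # signature, issuer
        tag, _, pos = read_tlv(body, pos)
        assert tag == 0x30
    tag, _, pos = read_tlv(body, pos)  # thisUpdate
    assert tag in (0x17, 0x18)
    for optional_tags in ((0x17, 0x18), (0x30,)):  # nextUpdate, revokedCertificates
        if pos < len(body):
            tag, _, nxt = read_tlv(body, pos)
            if tag in optional_tags:
                pos = nxt
    exts = []
    if pos < len(body):
        tag, val, nxt = read_tlv(body, pos)
        if tag == 0xA0 and (not old_version_guard or (version is not None and version >= 1)):
            exts, pos = parse_extensions(val), nxt
    if pos != len(body):
        raise ValueError("trailing bytes in CRL_INFO: extensions were not consumed")
    return version, exts

def old_guard_rejects(der):
    """True if the pre-patch version guard makes this CRL_INFO unparsable."""
    try:
        parse_crl_info(der, old_version_guard=True)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    keon_style = build_crl_info(None, [aki_extension()])  # no version, non-critical ext
    print(parse_crl_info(keon_style), old_guard_rejects(keon_style))
```

Running the block parses the version-less CRL_INFO with its non-critical authorityKeyIdentifier and reports that the old guard rejects the same bytes, while a v2 (INTEGER 1) CRL_INFO parses under both rules.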