Hi,

A team in our organisation has a small ASN.1 decoding example that works with openssl 0.9.7g, but not with any more recent release. The reason seems to be that the ASN.1 structure in question includes (perhaps wrongly) a nested ASN.1 string, which is no longer supported by default.
I see from the commit logs that the change to conditionalise this in tasn_dec.c was made prior to openssl-0.9.7h by Dr. Stephen Henson with the comment "Don't attempt to parse nested ASN1 strings by default" (code included below).

If we recompile openssl (e.g. 0.9.8e) with OPENSSL_ALLOW_NESTED_ASN1_STRINGS then our example works. However, given that this has been disabled by default since 2005 I assume that this is not normally required, and perhaps should be taken as an indication that we have a bad ASN.1 structure or are parsing it incorrectly.

I was hoping someone (Dr Henson...?) could help me to understand why this change was made, and in what circumstances it's appropriate to recompile with OPENSSL_ALLOW_NESTED_ASN1_STRINGS.

Many thanks in advance,

Bryn Williams

PS The relevant change in tasn_dec.c is:

    static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len,
                            char inf, int tag, int aclass)
    {
    ...
            /* If indefinite length constructed update max length */
            if(cst) {
    #ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
                if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
                    return 0;
    #else
                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
                return 0;
    #endif
    ...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
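One way to check whether an encoding really contains the construct that the `if(cst)` branch in the snippet above rejects, as an added example that is not part of the original post or of OpenSSL: it walks a BER encoding and reports the offset of every constructed element sitting directly inside a constructed string. It assumes universal-class string tags only (the `STRING_TAGS` set), so implicitly tagged strings are not recognised; the function names and sample bytes are constructed for illustration.

```python
# Assumption of this example: the universal tags treated as "string" types.
STRING_TAGS = {3, 4, 12, 18, 19, 20, 21, 22, 25, 26, 27, 28, 30}

def read_header(buf, pos, end):
    """Return (identifier octet, header length, content length or None if indefinite)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    ident, first = buf[pos], buf[pos + 1]
    if (ident & 0x1F) == 0x1F:
        raise ValueError(f"high tag number at offset {pos} not handled")
    if first == 0x80:
        return ident, 2, None
    if first < 0x80:
        return ident, 2, first
    n = first & 0x7F
    if pos + 2 + n > end:
        raise ValueError(f"truncated length at offset {pos}")
    return ident, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def scan(buf, pos, end, in_string, indefinite, hits):
    """Walk the elements in buf[pos:end]; return the offset after the last one."""
    while pos < end:
        if indefinite and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2                      # end-of-contents octets
        ident, hlen, clen = read_header(buf, pos, end)
        body = pos + hlen
        body_end = end if clen is None else body + clen
        if body_end > end:
            raise ValueError(f"element at offset {pos} overruns its parent")
        if ident & 0x20:                        # constructed encoding
            if in_string:
                hits.append(pos)                # constructed piece inside a string
            is_string = (ident & 0xC0) == 0 and (ident & 0x1F) in STRING_TAGS
            pos = scan(buf, body, body_end, is_string, clen is None, hits)
        elif clen is None:
            raise ValueError(f"primitive element at offset {pos} has indefinite length")
        else:
            pos = body_end
    if indefinite:
        raise ValueError("missing end-of-contents octets")
    return pos

def nested_string_offsets(ber):
    """Offsets of constructed elements found directly inside a constructed string."""
    hits = []
    scan(ber, 0, len(ber), False, False, hits)
    return hits

# Constructed sample encodings (not taken from the original post).
CHUNKED = bytes.fromhex("2408 04026162 04026364")          # primitive pieces only
NESTED = bytes.fromhex("240a 2404 04026162 04026364")      # constructed piece at offset 2
INDEFINITE = bytes.fromhex("3080 2480 2480 040161 0000 0000 0000")
```

An empty result for the team's data would suggest the string in question is implicitly tagged or that the error comes from elsewhere; a non-empty one gives the byte offsets to inspect in the encoder's output.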