Don't attempt to parse nested ASN1 strings by default.

diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index b8d69de4508214c4700a206221d79710cedf73a3..a64861c045b8eb8abc8fd8f35105958a02181b5f 100644 (file)
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1171,6 +1171,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_MISSING_VALUE                            189
 #define ASN1_R_MSTRING_NOT_UNIVERSAL                    139
 #define ASN1_R_MSTRING_WRONG_TAG                        140
+#define ASN1_R_NESTED_ASN1_STRING                       197
 #define ASN1_R_NON_HEX_CHARACTERS                       141
 #define ASN1_R_NOT_ASCII_FORMAT                                 190
 #define ASN1_R_NOT_ENOUGH_DATA                          142

diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index d236a9fd4b0ae02404a50f56fb9e4d2f4164910a..8722281cd9db08ebb42c7e4b2e43b3b1c2195fd6 100644 (file)
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -227,6 +227,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_MISSING_VALUE)        ,"missing value"},
 {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL),"mstring not universal"},
 {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG)    ,"mstring wrong tag"},
+{ERR_REASON(ASN1_R_NESTED_ASN1_STRING)   ,"nested asn1 string"},
 {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS)   ,"non hex characters"},
 {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT)     ,"not ascii format"},
 {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA)      ,"not enough data"},

diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 39a9d5a9aab472959d46cda1f1bd06317513b39a..ed79535e66552551973c45deeb0255b3a8b6263f 100644 (file)
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1075,7 +1075,7 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
        expected_eoc = 1;
        /* Indefinite length constructed form. Find the end when enough EOCs
         * are found. If more indefinite length constructed headers
-        * are encountered increment the expected eoc count otherwise just
+        * are encountered increment the expected eoc count otherwise justi
         * skip to the end of the data.
         */
        while (len > 0)
@@ -1159,8 +1159,13 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
                /* If indefinite length constructed update max length */
                if (cst)
                        {
+#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
                        if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
                                return 0;
+#else
+                       ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
+                       return 0;
+#endif
                        }
                else if (!collect_data(buf, &p, plen))
                        return 0;