Re: [openssl-dev] openssl 1.0.2h: Parsing really large CRLs fails, side effect of change in x_name.c?

2016-05-04 Thread Richard Levitte
In message <5729fe86.1080...@dfn-cert.de> on Wed, 4 May 2016 15:52:06 +0200, 
Jürgen Brauckmann said:

brauckmann> [double-post; sent this previously to r...@openssl.org, and didn't get a
brauckmann> ticket reply or something. As I feel that potentially a large number
brauckmann> of people is affected, e.g. via Apache crl parsing etc., re-sent to
brauckmann> openssl-dev.]

r...@openssl.org is moderated.  A little now and then, someone in the
team goes and checks for messages on hold (that is, everything that
comes in), lets messages such as yours through and tosses the load of
crap that came as well (you can't imagine the load of SPAM getting to
that address).

So, ticket replies aren't immediate.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] openssl 1.0.2h: Parsing really large CRLs fails, side effect of change in x_name.c?

2016-05-04 Thread Jürgen Brauckmann
[double-post; sent this previously to r...@openssl.org, and didn't get a 
ticket reply or something. As I feel that potentially a large number of 
people is affected, e.g. via Apache crl parsing etc., re-sent to 
openssl-dev.]


Hi.

OpenSSL 1.0.2h cannot parse really large CRLs anymore. "Really large" 
means > some 1MB.


It seems as if the new check in line 202 in x_name.c, committed 5 days 
ago, has a side effect beyond name decoding:


https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/asn1/x_name.c#L202

# openssl crl -in large_crl.pem
unable to load CRL
3078178440:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
3078178440:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
[root@strangepork ~]# /services/inst/openssl/openssl-1.0.2g/bin/openssl crl -out c -in cacrl.pem
[root@strangepork ~]# /services/inst/openssl/openssl-1.0.2h/bin/openssl crl -out c -in cacrl.pem

unable to load CRL

All name structures in "large_crl.pem" have normal sizes, but the crl 
contains a large number of revoked certificates:


# openssl-102g crl -in large_crl.pem -noout -issuer
issuer=/C=DE/O=client-1/CN=Testinstanz client-1

# openssl-102g crl -in large_crl.pem -noout  | grep "Revocation Date:" | wc -l

49813

Best regards,
  Jürgen
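
The failure mode reported above, as an added example that is not part of the original post and is not OpenSSL's code: a size cap meant for a name rejects the input when it is compared against the bytes remaining in the buffer rather than against the name element's own DER length. The function names, the 1 MiB limit and the sample bytes are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LIMIT (1024u * 1024u) /* assumed cap, after the "> some 1MB" observation */

/* Encoded size (header + content) of the DER element at p, or 0 if the header
 * is malformed, indefinite-length, or runs past avail. Single-byte tags only. */
static size_t der_element_size(const unsigned char *p, size_t avail)
{
    if (avail < 2) return 0;
    size_t hdr = 2, content = p[1];
    if (p[1] & 0x80) {               /* long form: low 7 bits count the length octets */
        size_t n = p[1] & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n) return 0;
        content = 0;
        for (size_t i = 0; i < n; i++) content = (content << 8) | p[2 + i];
        hdr += n;
    }
    return content <= avail - hdr ? hdr + content : 0;
}

/* Variant A: bounds the bytes left in the input, so a small name at the
 * start of a large CRL is rejected. */
int name_ok_by_remaining(size_t avail) { return avail <= NAME_LIMIT; }

/* Variant B: bounds the name element itself, whatever follows it. */
int name_ok_by_element(const unsigned char *p, size_t avail)
{
    size_t sz = der_element_size(p, avail);
    return sz != 0 && sz <= NAME_LIMIT;
}

/* Constructed input: a 14-byte Name (CN=t) followed by `trailing` zero bytes
 * standing in for the revoked-certificate entries. Caller frees. */
unsigned char *make_input(size_t trailing, size_t *out_len)
{
    static const unsigned char name[] = { 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08,
        0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x01, 0x74 };
    unsigned char *buf = calloc(1, sizeof name + trailing);
    if (buf == NULL) return NULL;
    memcpy(buf, name, sizeof name);
    *out_len = sizeof name + trailing;
    return buf;
}

int main(void)
{
    size_t len = 0;
    unsigned char *buf = make_input(2u * 1024u * 1024u, &len);
    if (buf == NULL) return 1;
    printf("remaining-bytes check: %d, element-size check: %d\n",
           name_ok_by_remaining(len), name_ok_by_element(buf, len));
    free(buf);
    return 0;
}
```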