[openssl-dev] [openssl.org #3665] Bug report and a patch for OpenSSL 1.0.1l (and 1.0.1k)

Annie Yousar via RT rt at openssl.org
Mon Jan 19 08:30:25 UTC 2015


On 19.01.2015 at 05:29, Uri Blumenthal via RT wrote:
> Well, technically you’re correct - but from semantic point of view,
> how different is an empty list, and a list presented as ASN.1 NULL?
> Don’t we have an empty list in both cases? And aren’t these two the
> only two ways to represent an empty list (so there’s little chance of
> somebody utilizing this difference to craft an attack)?

It is the difference between an empty tumbler on the table and no tumbler at
all ;-)

RFC 4055 as well as RFC 5754 do not make this difference, both say:
   When any of these four object identifiers appears within an
   AlgorithmIdentifier, the parameters MUST be NULL.  Implementations
   MUST accept the parameters being absent as well as present.

If OpenSSL declines an empty parameter field then this is non-conformant
with these RFCs.

/Ann.
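
The acceptance rule quoted from the RFCs above, as an added example that is not part of the original message and is not OpenSSL code: a minimal DER check that accepts a SHA-2 AlgorithmIdentifier whether its parameters are absent or an ASN.1 NULL, and rejects anything else. The function names and the sample byte strings are constructed for illustration.

```python
# OID content bytes (DER, without tag/length) for the four SHA-2 hash identifiers.
SHA2_OIDS = {
    bytes.fromhex("608648016503040204"): "id-sha224",
    bytes.fromhex("608648016503040201"): "id-sha256",
    bytes.fromhex("608648016503040202"): "id-sha384",
    bytes.fromhex("608648016503040203"): "id-sha512",
}

def read_tlv(buf, pos):
    """Read one TLV at pos (short or long definite length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def check_sha2_algid(der):
    """Return (name, 'absent' or 'NULL') for a SHA-2 AlgorithmIdentifier, else raise ValueError."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid not in SHA2_OIDS:
        raise ValueError("not a SHA-2 hash OID")
    if pos == len(body):            # no tumbler at all: parameters absent
        return SHA2_OIDS[oid], "absent"
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x05 and value == b"" and pos == len(body):
        return SHA2_OIDS[oid], "NULL"   # empty tumbler: explicit ASN.1 NULL
    raise ValueError("parameters present but not ASN.1 NULL")

# Constructed sample encodings of an id-sha256 AlgorithmIdentifier.
ALGID_NULL = bytes.fromhex("300d06096086480165030402010500")
ALGID_ABSENT = bytes.fromhex("300b0609608648016503040201")
ALGID_BOGUS = bytes.fromhex("300e0609608648016503040201040100")  # OCTET STRING parameter
```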





