The OID sanity check was incorrect. It should only disallow *leading* 0x80

values.

diff --git a/apps/x509.c b/apps/x509.c
index e7e46d7b6327bfb86ced4422c32ff896e71a46c6..7f55cd1acb7a1249874bb89609846c6da0a86805 100644 (file)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -904,6 +904,7 @@ bad:
                        else if (text == i)
                                {
                                X509_print_ex(out,x,nmflag, certflag);
+ERR_print_errors_fp(stderr);
                                }
                        else if (startdate == i)
                                {

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index bd2d5a2d824458237c9c2706db3d6dc46b0dae0c..e5fbe7cbb1042bb80fb1399cb52a1d3ac4f8a55f 100644 (file)
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -290,12 +290,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
        const unsigned char *p;
        unsigned char *data;
        int i;
-       /* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
-        * X.690 8.19.2
+       /* Sanity check OID encoding: can't have leading 0x80 in
+        * subidentifiers, see: X.690 8.19.2
         */
        for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
                {
-               if (*p == 0x80)
+               if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
                        {
                        ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
                        return NULL;