authorJob Snijders <job@cvs.openbsd.org>2024-11-26 13:35:49 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-11-26 13:35:49 +0000
commitaa93d7a1244a3cf8c92737b4891db93eed174495 (patch)
treee2f6026461eb421b3869c821b209aac329b6059e /usr.sbin/rpki-client
parentf2e47d4004943f3f50662aa805fc155c34d9b90d (diff)
Workaround for compatibility issue with some libcrypto implementations
Historically, CMS_get1_crls() returned NULL if the CMS is an unsupported content type or contained zero CRLs. Nowadays, if the CMS contains zero CRLs, some implementations will return a pointer to a STACK of CRLs with zero objects. OK tb@
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cms.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 5ef7ebb0d59..7a5e49e47cd 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.48 2024/06/11 13:09:02 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.49 2024/11/26 13:35:48 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -100,7 +100,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
CMS_ContentInfo *cms;
long version;
STACK_OF(X509) *certs = NULL;
- STACK_OF(X509_CRL) *crls;
+ STACK_OF(X509_CRL) *crls = NULL;
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
EVP_PKEY *pkey;
@@ -311,10 +311,10 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
/*
* Check that there are no CRLS in this CMS message.
+ * XXX - can only error check for OpenSSL >= 3.4.
*/
crls = CMS_get1_crls(cms);
- if (crls != NULL) {
- sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ if (crls != NULL && sk_X509_CRL_num(crls) != 0) {
warnx("%s: RFC 6488: CMS has CRLs", fn);
goto out;
}
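Review bot: The `XXX` line added above `CMS_get1_crls()` does not say what a NULL return means, yet the new condition accepts NULL as "no CRLs" on every library. Per the commit message, older implementations return NULL both for zero CRLs and for an unsupported content type, so a failure inside the call cannot be told apart from a compliant object and the RFC 6488 check passes silently. I would spell that out in the comment, e.g. `* XXX - before OpenSSL 3.4 a NULL return is ambiguous (zero CRLs or failure), so NULL is accepted as "no CRLs".` The body of `cms_parse_validate_internal` starts and ends outside this hunk, so whether the content type is already validated before this call is not visible here and should be confirmed.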
@@ -365,6 +365,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
X509_free(*xp);
*xp = NULL;
}
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
sk_X509_free(certs);
CMS_ContentInfo_free(cms);
return rc;