authorTheo Buehler <tb@cvs.openbsd.org>2022-03-28 08:19:16 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-03-28 08:19:16 +0000
commitec7105529ad04f9993de469755c983f54a0531e8 (patch)
treecb0b60ae713f8109209d89e53d313c6386bf012e /usr.sbin
parentb0e596e992f01819eccb3c118a6cf74e8d86b0b2 (diff)
Fix error check of CMS_unsigned_get_addr_count()
According to RFC 5652, unsignedAttrs are a SET OF at least one member, however the CMS code doesn't actually check for this. Since SET OF may contain zero members in general, an empty set of unsignedAttrs would be accepted. Catch this by explicitly checking for a -1 return value. ok claudio
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/cms.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index ef3f8514151..5594785ad49 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.14 2022/03/25 08:19:04 claudio Exp $ */
+/* $OpenBSD: cms.c,v 1.15 2022/03/28 08:19:15 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -149,7 +149,7 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
"signed attribute", fn);
goto out;
}
- if (CMS_unsigned_get_attr_count(si) > 0) {
+ if (CMS_unsigned_get_attr_count(si) != -1) {
cryptowarnx("%s: RFC 6488: CMS has unsignedAttrs", fn);
goto out;
}
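Review bot: The `!= -1` comparison on the new `CMS_unsigned_get_attr_count(si)` line relies on a sentinel that is not explained in the code, so it should carry a comment saying what -1 means. Going by the commit message, -1 is returned when unsignedAttrs is absent, while 0 is a present-but-empty SET OF, which must also be rejected. Without that stated next to the check, a later cleanup could plausibly turn it back into `> 0`, and the validator would accept the empty set again. Suggested comment above the `if`: `/* -1: unsignedAttrs absent; 0 is an empty SET OF, still not allowed by RFC 6488 */`. The body of cms_parse_validate starts and ends outside this hunk, so the surrounding signed-attribute checks could not be compared for the same pattern.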