From aa93d7a1244a3cf8c92737b4891db93eed174495 Mon Sep 17 00:00:00 2001
From: Job Snijders
Date: Tue, 26 Nov 2024 13:35:49 +0000
Subject: Workaround for compatibility issue with some libcrypto implementations
Historically, CMS_get1_crls() returned NULL if the CMS is an unsupported content type or contained zero CRLs. Nowadays, if the CMS contains zero CRLs, some implementations will return a pointer to a STACK of CRLs with zero objects.
OK tb@
---
 usr.sbin/rpki-client/cms.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'usr.sbin/rpki-client')
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 5ef7ebb0d59..7a5e49e47cd 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.48 2024/06/11 13:09:02 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.49 2024/11/26 13:35:48 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -100,7 +100,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	CMS_ContentInfo *cms;
 	long version;
 	STACK_OF(X509) *certs = NULL;
-	STACK_OF(X509_CRL) *crls;
+	STACK_OF(X509_CRL) *crls = NULL;
 	STACK_OF(CMS_SignerInfo) *sinfos;
 	CMS_SignerInfo *si;
 	EVP_PKEY *pkey;
@@ -311,10 +311,10 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	/*
 	 * Check that there are no CRLS in this CMS message.
+	 * XXX - can only error check for OpenSSL >= 3.4.
 	 */
 	crls = CMS_get1_crls(cms);
-	if (crls != NULL) {
-		sk_X509_CRL_pop_free(crls, X509_CRL_free);
+	if (crls != NULL && sk_X509_CRL_num(crls) != 0) {
 		warnx("%s: RFC 6488: CMS has CRLs", fn);
 		goto out;
 	}
@@ -365,6 +365,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 		X509_free(*xp);
 		*xp = NULL;
 	}
+	sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	sk_X509_free(certs);
 	CMS_ContentInfo_free(cms);
 	return rc;
-- 
cgit v1.2.3
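Review bot: The new `XXX` comment above the CRL check states that the check only works on OpenSSL >= 3.4 but not why, and the reason is exactly what a maintainer needs to judge the relaxed condition: with an older libcrypto, CMS_get1_crls() returns NULL both when the SignedData carries no CRLs and when it is an unsupported content type, so a NULL result cannot be rejected here without false positives, and only a library that hands back an empty STACK for "no CRLs" lets this code distinguish the two. Suggest extending the comment to `* XXX - older libcrypto returns NULL both for "no CRLs" and for an` / `* unsupported content type, so only an empty STACK (OpenSSL >= 3.4)` / `* can be told apart from a CMS that actually carries CRLs.` Whether the content type has already been validated earlier in cms_parse_validate_internal, which would make the NULL case unambiguous, is not visible in this hunk; the function starts and ends outside it.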
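Review bot: The `sk_X509_CRL_pop_free(crls, X509_CRL_free)` added at the cleanup label now runs on every exit path, including the early `goto out` paths taken before CMS_get1_crls() is reached, so it silently depends on the `crls = NULL` initializer from the earlier hunk and on the pop_free helper accepting a NULL stack, the same assumption the existing `sk_X509_free(certs)` already makes for `certs`. That pairing is correct as written, but nothing ties the two hunks together for a later reader; a short comment at the initializer, `/* freed unconditionally at out:, so must start NULL */`, would make the invariant explicit. The `out:` label and the remainder of the function lie outside the hunk.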