So on Alpine Linux the libressl version is older than the fix to
ASN1_time_parse (rev 1.16 of lib/libcrypto/asn1/a_time_tm.c).
Because of this the expire times shown in the CSV and JSON output are all
over the place.
Let's add an explicit memset before calling ASN1_time_parse() to make this
work even with older libressl versions. Alpine Linux should ship more
up-to-date versions of libressl (but this is not a security critical
library so why bother).
Btw. if you compile rpki-client on Alpine with OpenSSL this does not
happen because the compat version of ASN1_time_parse has the fix.
--
:wq Claudio
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.9
diff -u -p -r1.9 parser.c
--- parser.c 9 May 2021 11:18:57 -0000 1.9
+++ parser.c 11 May 2021 10:49:36 -0000
@@ -101,6 +101,7 @@ proc_parser_roa(struct entity *entp,
err(1, "X509_CRL_get0_nextUpdate failed");
goto out;
}
+ memset(&expires_tm, 0, sizeof(expires_tm));
if (ASN1_time_parse(at->data, at->length, &expires_tm,
V_ASN1_UTCTIME) != V_ASN1_UTCTIME) {
err(1, "ASN1_time_parse failed");
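Review bot: the new memset(&expires_tm, 0, sizeof(expires_tm)) ahead of the nextUpdate parse in proc_parser_roa() has no comment explaining that it is a workaround for libressl versions whose ASN1_time_parse() predates the fix named in the message. Without one the line looks redundant next to a parser that is expected to fill the struct, and it is a likely candidate for removal in a later cleanup. A one-line comment above the memset naming the reason would be enough. Separately, the failure path here reports through err(1, ...), which appends the errno string; errno is not obviously meaningful after a failed ASN1_time_parse(), so errx(1, ...) may be the better call.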
@@ -126,6 +127,7 @@ proc_parser_roa(struct entity *entp,
err(1, "X509_get0_notafter failed");
goto out;
}
+ memset(&expires_tm, 0, sizeof(expires_tm));
if (ASN1_time_parse(at->data, at->length, &expires_tm,
V_ASN1_UTCTIME) != V_ASN1_UTCTIME) {
err(1, "ASN1_time_parse failed");
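Review bot: the memset plus ASN1_time_parse() pair for the notAfter value is now a second identical copy inside proc_parser_roa(), and roa.c gets a third. Since the correctness of the expiry time depends on the struct being zeroed first, a small helper that takes the ASN1_TIME and a struct tm pointer, zeroes the struct and then parses would keep the workaround in one place and stop a future call site from forgetting the memset. It would also let both error messages say which field failed, as both currently print the same "ASN1_time_parse failed" text.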
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
retrieving revision 1.18
diff -u -p -r1.18 roa.c
--- roa.c 6 May 2021 17:03:57 -0000 1.18
+++ roa.c 11 May 2021 10:49:11 -0000
@@ -366,6 +366,7 @@ roa_parse(X509 **x509, const char *fn)
warnx("%s: X509_get0_notAfter failed", fn);
goto out;
}
+ memset(&expires_tm, 0, sizeof(expires_tm));
if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
goto out;
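Review bot: the ASN1_time_parse() call in roa_parse() passes mode 0 and rejects only a return of -1, while both call sites in parser.c pass V_ASN1_UTCTIME and require exactly that return value. The patch touches all three, so this is a good moment to make them agree, or to add a comment saying why roa.c is more permissive about the time encoding than parser.c. As it stands the same notAfter field can be accepted by one path and treated as fatal by the other.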