On Tue, May 11, 2021 at 01:01:13PM +0200, Claudio Jeker wrote:
> So on Alpine Linux the libressl version is older than the fix to
> ASN1_time_parse (rev 1.16 of lib/libcrypto/asn1/a_time_tm.c).
> Because of this the expire times shown in the CSV and JSON output are all
> over the place.
> 
> Let's add explicit memset before calling ASN1_time_parse() to make this
> work even with older libressl versions. Alpine Linux should ship more
> up to date versions of libressl (but this is not a security critical
> library so why bother).
> 
> Btw. if you compile rpki-client on Alpine with OpenSSL this does not
> happen because the compat version of ASN1_time_parse has the fix.

It might be worth doing in mft.c as well even if the memset() is only
really necessary for UTCTime. Up to you.

ok

> -- 
> :wq Claudio
> 
> Index: parser.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 parser.c
> --- parser.c  9 May 2021 11:18:57 -0000       1.9
> +++ parser.c  11 May 2021 10:49:36 -0000
> @@ -101,6 +101,7 @@ proc_parser_roa(struct entity *entp,
>                       err(1, "X509_CRL_get0_nextUpdate failed");
>                       goto out;
>               }
> +             memset(&expires_tm, 0, sizeof(expires_tm));
>               if (ASN1_time_parse(at->data, at->length, &expires_tm,
>                   V_ASN1_UTCTIME) != V_ASN1_UTCTIME) {
>                       err(1, "ASN1_time_parse failed");
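Review bot: The new memset(&expires_tm, ...) line needs a one-line comment saying why it is there, namely that ASN1_time_parse() in libressl before rev 1.16 of a_time_tm.c does not zero the struct tm it fills; without that, a later cleanup that sees a callee which already clears the struct is likely to drop the memset again and reintroduce the garbage expiry times Claudio describes. Something like `/* older libressl ASN1_time_parse() does not zero *tm */` next to the memset would do.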
> @@ -126,6 +127,7 @@ proc_parser_roa(struct entity *entp,
>                       err(1, "X509_get0_notafter failed");
>                       goto out;
>               }
> +             memset(&expires_tm, 0, sizeof(expires_tm));
>               if (ASN1_time_parse(at->data, at->length, &expires_tm,
>                   V_ASN1_UTCTIME) != V_ASN1_UTCTIME) {
>                       err(1, "ASN1_time_parse failed");
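Review bot: The second memset is not redundant, since the same expires_tm is the target of both ASN1_time_parse() calls in proc_parser_roa(), and with a callee that does not clear the struct any fields left by the earlier parse would otherwise linger; but two identical memset + parse + V_ASN1_UTCTIME-check sequences in one function is a sign the initialisation belongs in a small helper taking the ASN1_TIME, the struct tm and the expected type, so the two call sites cannot drift apart when one of them is touched later.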
> Index: roa.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
> retrieving revision 1.18
> diff -u -p -r1.18 roa.c
> --- roa.c     6 May 2021 17:03:57 -0000       1.18
> +++ roa.c     11 May 2021 10:49:11 -0000
> @@ -366,6 +366,7 @@ roa_parse(X509 **x509, const char *fn)
>               warnx("%s: X509_get0_notAfter failed", fn);
>               goto out;
>       }
> +     memset(&expires_tm, 0, sizeof(expires_tm));
>       if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
>               warnx("%s: ASN1_time_parse failed", fn);
>               goto out;
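Review bot: This call passes mode 0 and only rejects a -1 return, so unlike the two parser.c call sites a GeneralizedTime notAfter is accepted here; the memset is the right fix for either encoding, though as the reply above notes it is the UTCTime path that really needs it. A short comment stating that the relaxed mode is intentional would stop a reader from "fixing" one site to match the other, and the same memset should go into mft.c as suggested in the reply.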
> 
