From 163ad7a20f844203c3d901e1efa620c2e30e0f04 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 3 Apr 2026 02:10:10 +0000
Subject: [PATCH] rpki-client: cast away const for X509_get_X509_PUBKEY()

In cert_check_spki() the pubkey is a libcrypto-internal pointer hanging off cert->x509, which is then passed to the very const-incorrect getter X509_PUBKEY_get0_param(): that's a piece of art which hands back pointers to things deeper down in the x509 - some of them const, some non-const.

OpenSSL 3 made its X509_PUBKEY argument const, but their X509_ALGOR ** still isn't. I don't believe they thought about this in #11894 as they had a more important _cmp() vs _eq() bikeshed to sort out.

discussed with claudio
---
 usr.sbin/rpki-client/cert.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 2489cf813ed..315cfd1f46a 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.224 2026/02/03 16:21:37 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.225 2026/04/03 02:10:10 tb Exp $ */
 /*
 * Copyright (c) 2022,2025 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -354,8 +354,12 @@ cert_check_spki(const char *fn, struct cert *cert)
 const void *pval = NULL;
 int rc = 0;
 
- /* Should be called _get0_. It returns a pointer owned by cert->x509. */
- if ((pubkey = X509_get_X509_PUBKEY(cert->x509)) == NULL) {
+ /*
+ * Should be called _get0_. It returns a pointer owned by cert->x509.
+ * XXX - cast away const for OpenSSL 4.
+ */
+ pubkey = (X509_PUBKEY *)X509_get_X509_PUBKEY(cert->x509);
+ if (pubkey == NULL) {
 warnx("%s: RFC 6487, 4.7: certificate without SPKI", fn);
 goto out;
 }
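Review bot: The cast on the `pubkey = (X509_PUBKEY *)X509_get_X509_PUBKEY(cert->x509);` line discards the const qualifier without the comment recording what makes that sound, so nothing in the code warns a later edit against writing through `pubkey` — or through the `X509_ALGOR **` that `X509_PUBKEY_get0_param()` hands back, per the commit message — into an object owned by `cert->x509`. Suggest widening the XXX comment to state the invariant, e.g. `* XXX - cast away const for OpenSSL 4. Only ever read through pubkey: it and whatever X509_PUBKEY_get0_param() returns belong to cert->x509 and must not be modified.` cert_check_spki() starts before and continues after this hunk, so the read-only use of pubkey is taken from the commit message rather than visible here; worth confirming against the rest of the function.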