ITS#6466
authorQuanah Gibson-Mount <quanah@openldap.org>
Wed, 14 Apr 2010 20:12:15 +0000 (20:12 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Wed, 14 Apr 2010 20:12:15 +0000 (20:12 +0000)
CHANGES
servers/slapd/schema_init.c

diff --git a/CHANGES b/CHANGES
index 15d4896d1c5410524b23620192155ee43c5dba3b..bcb099b4db24a582413369bf856416096000f6ad 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.22 Engineering
        Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements (ITS#6435)
+       Fixed slapd certificateListValidate (ITS#6466)
        Fixed slapd REP_ENTRY flag handling (ITS#5340)
        Fixed slapd sasl auxprop_lookup (ITS#6441)
        Fixed slapo-collect REP_ENTRY flag handling (ITS#5340,ITS#6423)
index 9275d039a0802bfd4712e4ca5e783bf0a1681bbe..dc7fb9c5838b550c89fa17bc040c5235ded40f72 100644 (file)
@@ -326,9 +326,12 @@ certificateListValidate( Syntax *syntax, struct berval *in )
        /* revokedCertificates - Sequence of Sequence, Optional */
        if ( tag == LBER_SEQUENCE ) {
                ber_len_t seqlen;
-               if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
-                       /* Should NOT be empty */
-                       ber_skip_data( ber, len );
+               ber_tag_t stag;
+               stag = ber_peek_tag( ber, &seqlen );
+               if ( stag == LBER_SEQUENCE || !len ) {
+                       /* RFC5280 requires non-empty, but X.509(2005) allows empty. */
+                       if ( len )
+                               ber_skip_data( ber, len );
                        tag = ber_skip_tag( ber, &len );
                }
        }
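Review bot: In the new condition `stag == LBER_SEQUENCE || !len`, `ber_peek_tag` still runs when `len` is zero, where it reports the tag of whatever follows the empty sequence rather than anything inside it, and `seqlen` is never read afterwards. Testing the length first, `if ( !len || ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {`, makes the empty case explicit and removes the need for the `stag` local. The comment should also say what happens when `len` is non-zero and the inner tag is not a SEQUENCE: nothing is skipped and `tag` stays `LBER_SEQUENCE`, presumably so that later checks in certificateListValidate can handle it, but those lie outside this hunk. Because the validator now accepts an empty revokedCertificates list that RFC 5280 forbids, the comment could note that consumers enforcing RFC 5280 may still reject a CRL that passes here.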