clamav:sync with openwrt 19.07（Update to version 0.101.4）

1、 clamav: avoid host pickup of libxml2 If libxml2 is installed in the host, then the host library is used and compilation fails. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> 2、 clamav: Update to version 0.101.4 Change deprecated options to a new one: DetectBrokenExecutables to AlertBrokenExecutables ArchiveBlockEncrypted to AlertEncrypted Fixes: CVE-2019-12900 and CVE-2019-12625 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> 3、 clamav: Update init scripts This replaces the use of uci_validate_section() with uci_load_validate(), which removes the need to declare local variables for every config option. This also removes some unnecessary curly brackets. Signed-off-by: Jeffery To <jeffery.to@gmail.com> 4、 clamav: don't install dev files into package This avoids copying /usr/include, unversioned *.so files, pkgconfig, /usr/lib/*.la, and the build-time libs/cflags configuration utility clamav-config. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry-picked from 815e05e) 5、 clamav: Change depends from uclibcxx to CXX_DEPENDS The build system allows changing uclibc++ to libstdcpp globally. This avoids an unnecessary depends in the case of libstdcpp usage. Signed-off-by: Rosen Penev <rosenp@gmail.com> 6、 clamav: enable clamav-milter Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com> 7、 clamav: fix invalid zlib version error ClamAV's configure script uses grep to check for bugy zlib version 1.2.1. Since current OpenWrt zlib version is 1.2.11 this check passes and build fails. This patch will disable this unneeded check and make sure we are looking for zlib on the right location. clamdtop was beeing built without it's ncurses dependency. Build system would link it to the host's ncurses making the program fail at run time. This patch will disable building of optional clamdtop, otherwise we need to add ncurses as a dependency and fix the search path. Increase PKG_RELEASE to reflect changes. Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
2025-05-01 10:50:39 +08:00 · 2020-02-11 22:28:09 +08:00 · 2020-02-11 22:28:09 +08:00 · 44783fd3f3
commit 44783fd3f3
parent 085be7136b
6 changed files with 266 additions and 60 deletions
--- a/net/clamav/Makefile
+++ b/net/clamav/Makefile
@ -8,30 +8,33 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=clamav
-PKG_VERSION:=0.100.0
+PKG_VERSION:=0.101.4
 PKG_RELEASE:=1

-PKG_LICENSE:=GPL-2.0
-PKG_MAINTAINER:=Marko Ratkaj <marko.ratkaj@sartura.hr> \
-		Lucian Cristian <lucian.cristian@gmail.com>
-
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.clamav.net/downloads/production/
-PKG_HASH:=c5c5edaf75a3c53ac0f271148fd6447310bce53f448ec7e6205124a25918f65c
+PKG_HASH:=0bf094f0919d158a578421d66bc2569c8c8181233ba162bb51722f98c802bccd
+
+PKG_MAINTAINER:=Marko Ratkaj <marko.ratkaj@sartura.hr> \
+		Lucian Cristian <lucian.cristian@gmail.com>
+PKG_LICENSE:=GPL-2.0-only
+PKG_LICENSE_FILES:=COPYING*
+PKG_CPE_ID:=cpe:/a:clamav:clamav

 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf

 include $(INCLUDE_DIR)/uclibc++.mk
 include $(INCLUDE_DIR)/package.mk

 define Package/clamav/Default
  SECTION:=net
-  DEPENDS:=+libpthread +uclibcxx +zlib +libcurl +libjson-c +libopenssl +libltdl +libpcre2 +USE_MUSL:musl-fts
+  DEPENDS:=$(CXX_DEPENDS) +libpthread +zlib +libcurl +libjson-c +libmilter-sendmail +libopenssl +libltdl +libpcre2 +USE_MUSL:musl-fts
  CATEGORY:=Network
  SUBMENU:=Web Servers/Proxies
  TITLE:=ClamAV
-  URL:=http://www.clamav.net/
+  URL:=https://www.clamav.net/
 endef

 define Package/clamav
@ -56,49 +59,48 @@ endef
 define Package/clamav/conffiles
 endef

+CONFIGURE_ARGS += \
+	--sysconfdir=/etc/clamav/ \
+	--enable-milter \
+	--disable-bzip2 \
+	--disable-check \
+	--disable-clamdtop \
+	--disable-rpath \
+	--disable-xml \
+	--disable-zlib-vcheck \
+	--with-user=nobody \
+	--with-group=nogroup \
+	--with-libcurl="$(STAGING_DIR)/usr/" \
+	--with-libjson="$(STAGING_DIR)/usr/" \
+	--with-openssl="$(STAGING_DIR)/usr/" \
+	--with-pcre="$(STAGING_DIR)/usr/" \
+	--with-zlib="$(STAGING_DIR)/usr/" \
+	--without-iconv \
+	--without-libncurses-prefix
+
 CONFIGURE_VARS += \
-	INCLUDES="" \
-	CXXFLAGS="$$$$CXXFLAGS -fno-rtti" \
-	$(if $(CONFIG_USE_MUSL),LIBS="-lpthread -lfts",LIBS="-lpthread") \
+	ax_cv_uname_syscall=yes \
+	ac_cv_c_mmap_private=yes \
+	have_cv_gai=yes \
+	ac_cv_sys_file_offset_bits=no

-define Build/Configure
-	$(call Build/Configure/Default, \
-		--sysconfdir=/etc/clamav/ \
-		--prefix=/usr/ \
-		--exec-prefix=/usr/ \
-		--disable-xml \
-		--disable-bzip2 \
-		--with-user nobody \
-		--with-group nogroup \
-		--with-pcre="$(STAGING_DIR)/usr/" \
-		--with-openssl="$(STAGING_DIR)/usr/" \
-		--with-zlib="$(STAGING_DIR)/usr/" \
-		--disable-zlib-vcheck \
-		--disable-clamdtop \
-	)
-endef
+CONFIGURE_VARS += $(if $(CONFIG_IPV6),have_cv_ipv6=yes)

-define Build/Compile
-	$(MAKE) -C $(PKG_BUILD_DIR) \
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		all install
-endef
+TARGET_CXXFLAGS += -ffunction-sections -fdata-sections -fno-rtti -flto
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed $(if $(CONFIG_USE_MUSL),-lfts)

 define Package/clamav/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/clamd $(1)/usr/sbin/
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/clamav-config $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/clamav-milter $(1)/usr/sbin/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/clambc $(1)/usr/sbin/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/clamconf $(1)/usr/sbin/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/clamdscan $(1)/usr/sbin/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/clamscan $(1)/usr/sbin/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sigtool $(1)/usr/sbin/

-	$(INSTALL_DIR) $(1)/usr/include
-	$(CP) $(PKG_INSTALL_DIR)/usr/include/clamav.h $(1)/usr/include/
-
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib*/* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib*/lib*.so.* $(1)/usr/lib/

 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/clamav.config $(1)/etc/config/clamav
--- a/net/clamav/files/clamav.config
+++ b/net/clamav/files/clamav.config
@ -19,14 +19,14 @@ config clamav 'clamav'
 	option ScanPE 'yes'
 	option DisableCertCheck 'no'
 	option ScanELF 'yes'
-	option DetectBrokenExecutables 'no'
+	option AlertBrokenExecutables 'no'
 	option ScanOLE2 'yes'
 	option ScanPDF 'yes'
 	option ScanSWF 'yes'
 	option ScanMail 'yes'
 	option ScanPartialMessages 'no'
 	option ScanArchive 'yes'
-	option ArchiveBlockEncrypted 'yes'
+	option AlertEncrypted 'yes'
 	option MaxFileSize '10M'
 	option TemporaryDirectory '/tmp'
 	option LocalSocket '/var/run/clamav/clamd.sock'
--- a/net/clamav/files/clamav.init
+++ b/net/clamav/files/clamav.init
@ -9,7 +9,7 @@ PROG=/usr/sbin/clamd
 CLAMD_CONFIGFILE="/tmp/clamav/clamd.conf"

 validate_clamav_section() {
-	uci_validate_section clamav clamav "${1}" \
+	uci_load_validate clamav clamav "$1" "$2" \
 		'clamd_config_file:string' \
 		'LogFile:string' \
 		'LogFileMaxSize:string' \
@ -30,7 +30,7 @@ validate_clamav_section() {
 		'ScanPE:string' \
 		'DisableCertCheck:string' \
 		'ScanELF:string' \
-		'DetectBrokenExecutables:string' \
+		'AlertBrokenExecutables:string' \
 		'ScanOLE2:string' \
 		'ScanPDF:string' \
 		'ScanSWF:string' \
@ -38,7 +38,7 @@ validate_clamav_section() {
 		'ScanPartialMessages:string' \
 		'ScanArchive:string' \
 		'TemporaryDirectory:string' \
-		'ArchiveBlockEncrypted:string' \
+		'AlertEncrypted:string' \
 		'MaxFileSize:string' \
 		'LocalSocket:string' \
 		'User:string' \
@ -46,15 +46,8 @@ validate_clamav_section() {
 		'DatabaseDirectory:string'
 }

-start_service() {
-	local clamd_config_file LogFile LogTime StreamMinPort \
-		StreamMaxPort MaxThreads ReadTimeout CommandReadTimeout MaxDirectoryRecursion \
-		FollowFileSymlinks FollowDirectorySymlinks SelfCheck DetectPUA ScanPE DisableCertCheck \
-		ScanELF DetectBrokenExecutables ScanOLE2 ScanPDF ScanSWF ScanMail ScanPartialMessages \
-		ScanArchive TemporaryDirectory ArchiveBlockEncrypted MaxFileSize LocalSocket User \
-		DatabaseDirectory
-
-	validate_clamav_section clamav || {
+start_clamav_instance() {
+	[ "$2" = 0 ] || {
 		echo "validation failed"
 		return 1
 	}
@ -86,7 +79,7 @@ start_service() {
 	echo "ScanPE " $ScanPE >> $CLAMD_CONFIGFILE
 	echo "DisableCertCheck " $DisableCertCheck >> $CLAMD_CONFIGFILE
 	echo "ScanELF " $ScanELF >> $CLAMD_CONFIGFILE
-	echo "DetectBrokenExecutables " $DetectBrokenExecutables >> $CLAMD_CONFIGFILE
+	echo "AlertBrokenExecutables " $AlertBrokenExecutables >> $CLAMD_CONFIGFILE
 	echo "ScanOLE2 " $ScanOLE2 >> $CLAMD_CONFIGFILE
 	echo "ScanPDF " $ScanPDF >> $CLAMD_CONFIGFILE
 	echo "ScanSWF " $ScanSWF >> $CLAMD_CONFIGFILE
@ -94,7 +87,7 @@ start_service() {
 	echo "ScanPartialMessages " $ScanPartialMessages >> $CLAMD_CONFIGFILE
 	echo "ScanArchive " $ScanArchive >> $CLAMD_CONFIGFILE
 	echo "TemporaryDirectory " $TemporaryDirectory >> $CLAMD_CONFIGFILE
-	echo "ArchiveBlockEncrypted " $ArchiveBlockEncrypted >> $CLAMD_CONFIGFILE
+	echo "AlertEncrypted " $AlertEncrypted >> $CLAMD_CONFIGFILE
 	echo "MaxFileSize " $MaxFileSize >> $CLAMD_CONFIGFILE
 	echo "LocalSocket " $LocalSocket >> $CLAMD_CONFIGFILE
 	echo "User " $User >> $CLAMD_CONFIGFILE
@ -107,9 +100,14 @@ start_service() {
 	procd_close_instance
 }

+start_service()
+{
+	validate_clamav_section clamav start_clamav_instance
+}
+
 stop_service()
 {
-	service_stop ${PROG}
+	service_stop $PROG
 }

 service_triggers()
--- a/net/clamav/files/freshclam.init
+++ b/net/clamav/files/freshclam.init
@ -9,7 +9,7 @@ PROG=/usr/sbin/freshclam
 FRESHCLAM_CONFIGFILE="/tmp/clamav/freshclam.conf"

 validate_freshclam_section() {
-	uci_validate_section freshclam freshclam "${1}" \
+	uci_load_validate freshclam freshclam "$1" "$2" \
 		'freshclam_config_file:string' \
 		'UpdateLogFile:string' \
 		'DatabaseMirror:string' \
@ -19,11 +19,8 @@ validate_freshclam_section() {
 		'DatabaseDirectory:string:'
 }

-start_service() {
-	local freshclam_config_file UpdateLogFile DatabaseOwner NotifyClamd DatabaseMirror \
-	DatabaseDirectory
-
-	validate_freshclam_section freshclam || {
+start_freshclam_instance() {
+	[ "$2" = 0 ] || {
 		echo "validation failed"
 		return 1
 	}
@ -51,6 +48,11 @@ start_service() {
 	procd_close_instance
 }

+start_service()
+{
+	validate_freshclam_section freshclam start_freshclam_instance
+}
+
 stop_service()
 {
 	[ ! -f /tmp/freshclam.pid ] && echo "not running" && return 0
--- a/net/clamav/patches/002-Avoid-libxml-checks-if-disable-xml-is-used.patch
+++ b/net/clamav/patches/002-Avoid-libxml-checks-if-disable-xml-is-used.patch
@ -0,0 +1,167 @@
+From de943f313fa5c17bf9cbd560a7578796991b24b5 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 10 Aug 2019 19:43:20 -0300
+Subject: [PATCH] Avoid libxml checks if --disable-xml is used
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+---
+ m4/reorganization/libs/xml.m4 | 126 +++++++++++++++++-----------------
+ 1 file changed, 62 insertions(+), 64 deletions(-)
+
+diff --git a/m4/reorganization/libs/xml.m4 b/m4/reorganization/libs/xml.m4
+index 77b2c13a8..0709d2914 100644
+--- a/m4/reorganization/libs/xml.m4
+++ b/m4/reorganization/libs/xml.m4
+@@ -12,87 +12,85 @@ if test "X$want_xml" != "Xno"; then
+                     @<:@default=/usr/local or /usr if not found in /usr/local@:>@]),
+     [with_xml_val=$withval]
+   )
+-fi
+-
+-AS_IF([test "x$with_xml_val" = "xno"], [XML_HOME=""],
+-  [test "x$with_xml_val" = "xyes"], [XML_HOME="/usr/local"],
+-  [XML_HOME="$with_xml_val"])
+ 
+-AS_IF([test "x$XML_HOME" != "x"], [
+-   AS_IF([test ! -x "$XML_HOME/bin/xml2-config"], [XML_HOME=""])
+-   ])
+  AS_IF([test "x$with_xml_val" = "xno"], [XML_HOME=""],
+    [test "x$with_xml_val" = "xyes"], [XML_HOME="/usr/local"],
+    [XML_HOME="$with_xml_val"])
+ 
+-AS_IF([test "x$XML_HOME" = "x" -a "x$with_xml_val" = "xyes"], [
+-   AS_IF([test -x "/usr/bin/xml2-config"], [XML_HOME="/usr"])
+-   ])
+  AS_IF([test "x$XML_HOME" != "x"], [
+     AS_IF([test ! -x "$XML_HOME/bin/xml2-config"], [XML_HOME=""])
+     ])
+ 
+-if test "x$XML_HOME" != "x"; then
+-  AC_MSG_RESULT([$XML_HOME])
+-else
+-  AC_MSG_RESULT([not found])
+-fi
+  AS_IF([test "x$XML_HOME" = "x" -a "x$with_xml_val" = "xyes"], [
+     AS_IF([test -x "/usr/bin/xml2-config"], [XML_HOME="/usr"])
+     ])
+ 
+-found_xml="no"
+-XMLCONF_VERSION=""
+-XML_CPPFLAGS=""
+-XML_LIBS=""
+-if test "x$XML_HOME" != "x"; then
+-  AC_MSG_CHECKING([xml2-config version])
+-  XMLCONF_VERSION="`$XML_HOME/bin/xml2-config --version`"
+-  if test "x%XMLCONF_VERSION" != "x"; then
+-    AC_MSG_RESULT([$XMLCONF_VERSION])
+-    found_xml="yes"
+-    XML_CPPFLAGS="`$XML_HOME/bin/xml2-config --cflags`"
+-    XML_LIBS="`$XML_HOME/bin/xml2-config --libs`"
+-    AS_ECHO("$XML_CPPFLAGS")
+-    AS_ECHO("$XML_LIBS")
+  if test "x$XML_HOME" != "x"; then
+    AC_MSG_RESULT([$XML_HOME])
+   else
+-    AC_MSG_ERROR([xml2-config failed])
+    AC_MSG_RESULT([not found])
+  fi
+
+  found_xml="no"
+  XMLCONF_VERSION=""
+  XML_CPPFLAGS=""
+  XML_LIBS=""
+  if test "x$XML_HOME" != "x"; then
+    AC_MSG_CHECKING([xml2-config version])
+    XMLCONF_VERSION="`$XML_HOME/bin/xml2-config --version`"
+    if test "x%XMLCONF_VERSION" != "x"; then
+      AC_MSG_RESULT([$XMLCONF_VERSION])
+      found_xml="yes"
+      XML_CPPFLAGS="`$XML_HOME/bin/xml2-config --cflags`"
+      XML_LIBS="`$XML_HOME/bin/xml2-config --libs`"
+      AS_ECHO("$XML_CPPFLAGS")
+      AS_ECHO("$XML_LIBS")
+    else
+      AC_MSG_ERROR([xml2-config failed])
+    fi
+   fi
+-fi
+ 
+-working_xml="no"
+-if test "X$found_xml" != "Xno"; then
+-  AC_MSG_CHECKING([for xmlreader.h in $XML_HOME])
+  working_xml="no"
+  if test "X$found_xml" != "Xno"; then
+    AC_MSG_CHECKING([for xmlreader.h in $XML_HOME])
+ 
+-  if test ! -f "$XML_HOME/include/libxml2/libxml/xmlreader.h"; then
+-    AC_MSG_RESULT([not found])
+-  else
+-    AC_MSG_RESULT([found])
+-    save_LIBS="$LIBS"
+-    save_CPPFLAGS="$CPPFLAGS"
+-    CPPFLAGS="$CPPFLAGS $XML_CPPFLAGS"
+-    save_LDFLAGS="$LDFLAGS"
+-    LDFLAGS="$LDFLAGS $XML_LIBS"
+    if test ! -f "$XML_HOME/include/libxml2/libxml/xmlreader.h"; then
+      AC_MSG_RESULT([not found])
+    else
+      AC_MSG_RESULT([found])
+      save_LIBS="$LIBS"
+      save_CPPFLAGS="$CPPFLAGS"
+      CPPFLAGS="$CPPFLAGS $XML_CPPFLAGS"
+      save_LDFLAGS="$LDFLAGS"
+      LDFLAGS="$LDFLAGS $XML_LIBS"
+ 
+-    AS_ECHO("CPPFLAGS: $CPPFLAGS")
+-    AS_ECHO("LD_FLAGS: $LDFLAGS")
+      AS_ECHO("CPPFLAGS: $CPPFLAGS")
+      AS_ECHO("LD_FLAGS: $LDFLAGS")
+ 
+-    AC_CHECK_LIB([xml2], [xmlTextReaderRead], [working_xml="yes"], [working_xml="no"], [$XML_LIBS])
+      AC_CHECK_LIB([xml2], [xmlTextReaderRead], [working_xml="yes"], [working_xml="no"], [$XML_LIBS])
+ 
+-    CPPFLAGS="$save_CPPFLAGS"
+-    LDFLAGS="$save_LDFLAGS"
+-    LIBS="$save_LIBS"
+      CPPFLAGS="$save_CPPFLAGS"
+      LDFLAGS="$save_LDFLAGS"
+      LIBS="$save_LIBS"
+    fi
+   fi
+-fi
+ 
+-if test "$working_xml" = "yes"; then
+-  AC_DEFINE([HAVE_LIBXML2],1,[Define to 1 if you have the 'libxml2' library (-lxml2).])
+-  AC_SUBST(XML_CPPFLAGS)
+-  AC_SUBST(XML_LIBS)
+-  AC_MSG_NOTICE([Compiling and linking with libxml2 from $XML_HOME])
+-else
+-  if test "$want_xml" = "yes"; then
+-     AC_MSG_ERROR([****** Please install libxml2 packages!])
+  if test "$working_xml" = "yes"; then
+    AC_DEFINE([HAVE_LIBXML2],1,[Define to 1 if you have the 'libxml2' library (-lxml2).])
+    AC_SUBST(XML_CPPFLAGS)
+    AC_SUBST(XML_LIBS)
+    AC_MSG_NOTICE([Compiling and linking with libxml2 from $XML_HOME])
+   else
+-    if test "$want_xml" != "no"; then
+    if test "$want_xml" = "yes"; then
+      AC_MSG_ERROR([****** Please install libxml2 packages!])
+    else
+       AC_MSG_NOTICE([****** libxml2 support unavailable])
+     fi
+    XML_CPPFLAGS=""
+    XML_LIBS=""
+    AC_SUBST(XML_CPPFLAGS)
+    AC_SUBST(XML_LIBS)
+   fi
+-  XML_CPPFLAGS=""
+-  XML_LIBS=""
+-  AC_SUBST(XML_CPPFLAGS)
+-  AC_SUBST(XML_LIBS)
+ fi
+ 
+ AM_CONDITIONAL([HAVE_LIBXML2], test "x$HAVE_LIBXML2" = "xyes")
+-- 
+2.21.0
+
--- a/net/clamav/patches/010-openssl-deprecated.patch
+++ b/net/clamav/patches/010-openssl-deprecated.patch
@ -0,0 +1,37 @@
+--- a/libclamav/crypto.c
+++ b/libclamav/crypto.c
+@@ -53,6 +53,10 @@
+ 
+ #include <openssl/evp.h>
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_CRL_get0_nextUpdate X509_CRL_get_nextUpdate
+#endif
+
+ #if !defined(_WIN32)
+ #include <unistd.h>
+ #endif
+@@ -132,12 +136,14 @@ time_t timegm(struct tm *t)
+  */
+ int cl_initialize_crypto(void)
+ {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     SSL_load_error_strings();
+     SSL_library_init();
+     OpenSSL_add_all_digests();
+     OpenSSL_add_all_algorithms();
+     OpenSSL_add_all_ciphers();
+     ERR_load_crypto_strings();
+#endif
+ 
+     return 0;
+ }
+@@ -1140,7 +1146,7 @@ X509_CRL *cl_load_crl(const char *file)
+     if ((x)) {
+ 	ASN1_TIME *tme;
+ 
+-	tme = X509_CRL_get_nextUpdate(x);
+	tme = X509_CRL_get0_nextUpdate(x);
+ 	if (!tme || X509_cmp_current_time(tme) < 0) {
+ 		X509_CRL_free(x);
+ 		return NULL;