Commit 92b45f0fb6 for openssl.org

commit 92b45f0fb647f5578616ecb4777ee042ae485cef
Author: Dr. David von Oheimb <dev@ddvo.net>
Date:   Fri Feb 7 10:50:02 2025 +0100

    OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but not oldWithOld

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    MergeDate: Tue Mar 24 17:06:56 2026
    (Merged from https://github.com/openssl/openssl/pull/29074)

diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 1c7ed9757d..86bad3a744 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -336,11 +336,14 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
         ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
         goto end;
     }
-    if (oldWithOld != NULL && my_oldWithNew != NULL
-        && !verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
-            oldWithOld_copy, "oldWithOld")) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
-        goto end;
+    if (my_oldWithNew != NULL) {
+        if (oldWithOld == NULL) {
+            ossl_cmp_log(WARN, ctx, "oldWithNew certificate received in genp for verifying oldWithOld, but oldWithOld was not provided");
+        } else if (!verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
+                       oldWithOld_copy, "oldWithOld")) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
+            goto end;
+        }
     }

     if (!X509_up_ref(*newWithNew))
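Review bot: In the new `oldWithOld == NULL` branch the oldWithNew certificate from the genp is only warned about, never checked, and control falls through to the success path at `X509_up_ref(*newWithNew)`. The function continues past the end of the hunk; if that code hands `my_oldWithNew` to the caller, which is presumed but not visible here, the caller receives a certificate that no trust anchor vouched for and cannot tell this from the verified case except through the log. I would add a comment in that branch, such as `/* oldWithNew cannot be verified without oldWithOld; callers must not treat it as trusted */`, and state the same in the function's documentation. The `ossl_cmp_log(WARN, ...)` line is also much longer than the surrounding code, so the message should be split into adjacent string literals.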