artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2bd53da) | patch
rpki-client: make IP address block checks stricter
authortb <tb@openbsd.org>
Thu, 14 Dec 2023 07:52:53 +0000 (07:52 +0000)
committertb <tb@openbsd.org>
Thu, 14 Dec 2023 07:52:53 +0000 (07:52 +0000)
commitde494ec361d1c2bf7497d6f9ed4f183691607a42
treea3053aa5838243fceb7e0b7ff3d4598e3d40c139tree | snapshot
parent2bd53da4f7f4210689ac0f17d219fd68b31c9a3fcommit | diff
rpki-client: make IP address block checks stricter

There are only two valid AFIs in this context, so check that we have one
or two of them. We only accept the IPv4 and IPv6 AFIs in ip_add_afi_parse()
and reject any SAFI, so enforce that neither AFI is repeated. This doesn't
change things for certificates, where all this is implied by other checks
combined. Making this explicit and match the logic needed for ROAs is a win.

looks good to job
ok claudio
usr.sbin/rpki-client/cert.c diff | blob | history
usr.sbin/rpki-client/roa.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim