Check ipAddrBlock and autonomousSysNum for criticality

These extensions MUST be marked critical. Criticality is determined by the
ASN1_BOOLEAN that is extracted and ignored after the FIXME a few lines
below each of the two hunks. Rather than getting the info from there, it's
easier to use an API call that checks what was already parsed by d2i_X509().

ok claudio job

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 1551be6..b23b5dd 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.47 2021/11/05 10:50:41 claudio Exp $ */
+/*     $OpenBSD: cert.c,v 1.48 2021/12/26 12:30:11 tb Exp $ */
 /*
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -588,6 +588,12 @@ sbgp_assysnum(struct parse *p, X509_EXTENSION *ext)
        int                      dsz, rc = 0, i, ptag;
        long                     plen;
 
+       if (!X509_EXTENSION_get_critical(ext)) {
+               cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
+                   "extension not critical", p->fn);
+               goto out;
+       }
+
        if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
                cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
                    "failed extension parse", p->fn);
@@ -891,6 +897,12 @@ sbgp_ipaddrblk(struct parse *p, X509_EXTENSION *ext)
        const ASN1_TYPE         *t = NULL;
        int                      i;
 
+       if (!X509_EXTENSION_get_critical(ext)) {
+               cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
+                   "extension not critical", p->fn);
+               goto out;
+       }
+
        if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
                cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
                    "failed extension parse", p->fn);