Ensure CRLs carry the correct version
authorjob <job@openbsd.org>
Tue, 20 Jun 2023 12:48:32 +0000 (12:48 +0000)
committerjob <job@openbsd.org>
Tue, 20 Jun 2023 12:48:32 +0000 (12:48 +0000)
OK tb@

usr.sbin/rpki-client/crl.c

index ad43e18..bf9b19a 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: crl.c,v 1.25 2023/05/22 15:07:02 tb Exp $ */
+/*     $OpenBSD: crl.c,v 1.26 2023/06/20 12:48:32 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -51,6 +51,11 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
                goto out;
        }
 
+       if (X509_CRL_get_version(crl->x509_crl) != 1) {
+               warnx("%s: RFC 6487 section 5: version 2 expected", fn);
+               goto out;
+       }
+
        X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
        if (palg == NULL) {
                cryptowarnx("%s: X509_CRL_get0_signature", fn);
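Review bot: The literal `1` in the added `X509_CRL_get_version(crl->x509_crl) != 1` check looks at first sight like it contradicts the "version 2 expected" warning directly below it, and nothing in the hunk explains why. The CRL version field is zero-based in its encoding, so the value 1 denotes v2. A one-line comment above the check, for example `/* Encoded version is zero-based: 1 means v2 (RFC 5280, 5.1.2.1). */`, would stop a later reader from "correcting" the constant and silently changing which CRLs are accepted. The warning could also include the encoded value that was actually found, so an operator looking at a rejected CRL can tell an omitted version field (v1) from some other value. crl_parse starts and ends outside this hunk.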