artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0c60a44)
Warn when the same manifestNumber is recycled across multiple issuances of that manifest
authorjob <job@openbsd.org>
Mon, 11 Dec 2023 19:05:20 +0000 (19:05 +0000)
committerjob <job@openbsd.org>
Mon, 11 Dec 2023 19:05:20 +0000 (19:05 +0000)
OK tb@

usr.sbin/rpki-client/extern.h patch | blob | history
usr.sbin/rpki-client/parser.c patch | blob | history

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 571b2d8..9bb95ed 100644 (file)
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: extern.h,v 1.195 2023/11/24 14:05:47 job Exp $ */
+/*     $OpenBSD: extern.h,v 1.196 2023/12/11 19:05:20 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -210,6 +210,7 @@ struct mft {
        char            *sia; /* SIA signedObject */
        char            *ski; /* SKI */
        char            *crl; /* CRL file name */
+       unsigned char    mfthash[SHA256_DIGEST_LENGTH];
        unsigned char    crlhash[SHA256_DIGEST_LENGTH];
        time_t           signtime; /* CMS signing-time attribute */
        time_t           thisupdate; /* from the eContent */
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 0425984..c2fffa9 100644 (file)
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parser.c,v 1.102 2023/12/11 15:50:23 job Exp $ */
+/*     $OpenBSD: parser.c,v 1.103 2023/12/11 19:05:20 job Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -280,6 +280,10 @@ proc_parser_mft_pre(struct entity *entp, enum location loc, char **file,
                free(der);
                return NULL;
        }
+
+       if (!EVP_Digest(der, len, mft->mfthash, NULL, EVP_sha256(), NULL))
+               errx(1, "EVP_Digest failed");
+
        free(der);
 
        *crl = parse_load_crl_from_mft(entp, mft, DIR_TEMP, crlfile);
@@ -381,6 +385,11 @@ proc_parser_mft(struct entity *entp, struct mft **mp, char **crlfile,
                warnx("%s: manifest replay detected (expected >= #%s, got #%s)",
                    file1, mft2->seqnum, mft1->seqnum);
 
+       if (r == 0 && memcmp(mft1->mfthash, mft2->mfthash,
+           SHA256_DIGEST_LENGTH) != 0)
+               warnx("%s: manifest misissuance, #%s was recycled",
+                   file1, mft1->seqnum);
+
        if (r == 1) {
                *mp = proc_parser_mft_post(file1, mft1, entp->path, err1,
                    &warned);
OpenBSD src
by Ahmet Artu Yildirim