From: tb
Date: Sat, 3 Sep 2022 13:01:43 +0000 (+0000)
Subject: Move non-inheritance check for BGPsec certs into cert_parse_pre()
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bc1fb2e98a821c53ec8a7287ea3da96f5e9089a2;p=openbsd
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
---
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 06a6d199b07..e0e145282fd 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.85 2022/08/19 12:45:53 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.86 2022/09/03 13:01:43 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -736,6 +736,13 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 p.fn);
 goto out;
 }
+ for (i = 0; i < p.res->asz; i++) {
+ if (p.res->as[i].type == CERT_AS_INHERIT) {
+ warnx("%s: inherited AS numbers in BGPsec cert",
+ p.fn);
+ goto out;
+ }
+ }
 if (sia_present) {
 warnx("%s: unexpected SIA extension in BGPsec cert",
 p.fn);
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 2638e38ab22..ae14fc5da3f 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.42 2022/08/30 18:56:49 job Exp $ */
+/* $OpenBSD: validate.c,v 1.43 2022/09/03 13:01:43 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -150,11 +150,8 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 char buf1[64], buf2[64];
 
 for (i = 0; i < cert->asz; i++) {
- if (cert->as[i].type == CERT_AS_INHERIT) {
- if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER)
- return 0; /* BGPsec doesn't permit inheriting */
+ if (cert->as[i].type == CERT_AS_INHERIT)
 continue;
- }
 min = cert->as[i].type == CERT_AS_ID ? cert->as[i].id :
 cert->as[i].range.min;
 max = cert->as[i].type == CERT_AS_ID ?
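Review bot: The new loop in cert_parse_pre() rejects `CERT_AS_INHERIT` entries without recording which profile requirement it enforces, so a one-line comment above the `for` would make the intent durable, e.g. `/* RFC 8209: BGPsec router certs must not inherit AS resources. */`. Rejecting at parse time is a fail-closed improvement over the removed validate.c check, which returned 0 silently, whereas this path logs via warnx() and discards the cert before it reaches validation. The loop variable `i` and the branch that restricts this block to BGPsec certs are declared outside the hunk; I inferred the BGPsec scope from the neighbouring warnx() messages, and cert_parse_pre() both starts and ends outside the hunk.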
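Review bot: With the purpose check removed, valid_cert() now skips every inherit entry on the assumption that cert_parse_pre() already refused BGPsec certs carrying one, but nothing left in the loop records that dependency, so a later change to the parser could silently reopen the case. A comment on the `continue` would capture it, e.g. `/* BGPsec certs with inherited AS resources are rejected in cert_parse_pre(). */`. The rest of valid_cert() lies outside the hunk.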