From: tb Date: Fri, 4 Nov 2022 23:52:59 +0000 (+0000) Subject: Do not fail on non-rsync URIs in EE cert SIA extensions X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e6a231f03c6348b158d9a9b0faf6bcc7258d1411;p=openbsd Do not fail on non-rsync URIs in EE cert SIA extensions The spec allows multiple accessMethod entries, ordered by preference. While an rsync URI must be present, others are allowed. Do not fail in that situation and pick the first rsync URI encountered. The logic is very similar to the one in x509_get_crl(). ok job --- diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 4276588ab19..a489189eb47 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.55 2022/11/04 23:42:56 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.56 2022/11/04 23:52:59 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -386,7 +386,7 @@ x509_get_sia(X509 *x, const char *fn, char **sia) ACCESS_DESCRIPTION *ad; AUTHORITY_INFO_ACCESS *info; ASN1_OBJECT *oid; - int i, crit, rc = 0; + int i, crit, rsync_found = 0; *sia = NULL; @@ -420,16 +420,26 @@ x509_get_sia(X509 *x, const char *fn, char **sia) continue; } - /* XXX: correctly deal with other (non-rsync) protocols. */ - if (!x509_location(fn, "SIA: signedObject", "rsync://", - ad->location, sia)) + /* Don't fail on non-rsync URI, so check this afterward. */ + if (!x509_location(fn, "SIA: signedObject", NULL, ad->location, + sia)) goto out; + + if (rsync_found) + continue; + + if (strncasecmp(*sia, "rsync://", 8) == 0) { + rsync_found = 1; + continue; + } + + free(*sia); + *sia = NULL; } - rc = 1; out: AUTHORITY_INFO_ACCESS_free(info); - return rc; + return rsync_found; } /* @@ -537,7 +547,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl) DIST_POINT *dp; GENERAL_NAMES *names; GENERAL_NAME *name; - int i, crit, rc = 0; + int i, crit, rsync_found = 0; *crl = NULL; crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &crit, NULL); @@ -572,14 +582,17 @@ x509_get_crl(X509 *x, const char *fn, char **crl) names = dp->distpoint->name.fullname; for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { name = sk_GENERAL_NAME_value(names, i); - /* Don't warn on non-rsync URI, so check this afterward. */ + + /* Don't fail on non-rsync URI, so check this afterward. */ if (!x509_location(fn, "CRL distribution point", NULL, name, crl)) goto out; + if (strncasecmp(*crl, "rsync://", 8) == 0) { - rc = 1; + rsync_found = 1; goto out; } + free(*crl); *crl = NULL; } @@ -589,7 +602,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl) out: CRL_DIST_POINTS_free(crldp); - return rc; + return rsync_found; } /*