From: claudio Date: Wed, 3 Nov 2021 10:19:22 +0000 (+0000) Subject: In proc_parser_roa() adjust the expiry calculation to walk all of X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=eb39c32b2c1655e91568c24a5250d9b0ce4a4936;p=openbsd In proc_parser_roa() adjust the expiry calculation to walk all of the auth tree (including the TA) and be more careful to not dereference NULL pointers. Both valid_ski_aki() and get_crl() can return NULL pointers. In these situations X509_verify_cert() should fail and the affected code should be not reachable but better be prepared. With and OK tb@ --- diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index 6b27ae79f94..63186af5e78 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.24 2021/11/02 19:30:30 claudio Exp $ */ +/* $OpenBSD: parser.c,v 1.25 2021/11/03 10:19:22 claudio Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -68,7 +68,6 @@ proc_parser_roa(struct entity *entp, const unsigned char *der, size_t len) return NULL; a = valid_ski_aki(entp->file, &auths, roa->ski, roa->aki); - build_chain(a, &chain); crl = get_crl(a); build_crls(crl, &crls); @@ -99,14 +98,14 @@ proc_parser_roa(struct entity *entp, const unsigned char *der, size_t len) /* * Check CRL to figure out the soonest transitive expiry moment */ - if (roa->expires > crl->expires) + if (crl != NULL && roa->expires > crl->expires) roa->expires = crl->expires; /* * Scan the cert tree to figure out the soonest transitive * expiry moment */ - for (; a->parent != NULL; a = a->parent) { + for (; a != NULL; a = a->parent) { if (roa->expires > a->cert->expires) roa->expires = a->cert->expires; }
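Review bot: In the hunk at `@@ -68,7 +68,6 @@`, the removal of `build_chain(a, &chain);` is not mentioned in the commit message, which only describes the expiry calculation and the NULL-pointer hardening. Since the hunk does not show where `chain` is otherwise populated before the certificate verification, the reviewer should confirm that this call was a redundant duplicate (or that `chain` is built elsewhere in `proc_parser_roa()`) and say so in the log message; otherwise the verification would run against an unbuilt chain.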
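Review bot: In the hunk at `@@ -99,14 +98,14 @@`, changing the loop condition from `a->parent != NULL` to `a != NULL` does two things at once: it stops dereferencing a NULL `a` returned by `valid_ski_aki()`, and it now includes the last node (the TA) in the expiry walk, so `roa->expires` can be clamped to the trust anchor's own expiry where it previously was not. That second effect is the intended behavioural change per the message, but it deserves its own sentence in the code comment ("Scan the cert tree ... including the TA") so a later reader does not mistake it for a pure NULL guard. Also note that when `a == NULL` or `crl == NULL` the function silently continues with an unadjusted `roa->expires`; since the message says `X509_verify_cert()` should already have failed in that state, a loud `assert()`-style check would make the "should not be reachable" assumption visible rather than implicit.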