From 0bb66b69ddfdd1940b9af3b2e86d87c1c2ce2263 Mon Sep 17 00:00:00 2001
From: tb
Date: Sun, 26 Dec 2021 12:30:11 +0000
Subject: [PATCH] Check ipAddrBlock and autonomousSysNum for criticality

These extensions MUST be marked critical. Criticality is determined by the ASN1_BOOLEAN that is extracted and ignored after the FIXME a few lines below each of the two hunks. Rather than getting the info from there, it's easier to use an API call that checks what was already parsed by d2i_X509().

ok claudio job
---
 usr.sbin/rpki-client/cert.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 1551be66ee4..b23b5dd6b5b 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.47 2021/11/05 10:50:41 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.48 2021/12/26 12:30:11 tb Exp $ */
 /*
 * Copyright (c) 2021 Job Snijders
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -588,6 +588,12 @@ sbgp_assysnum(struct parse *p, X509_EXTENSION *ext)
 int dsz, rc = 0, i, ptag;
 long plen;
+ if (!X509_EXTENSION_get_critical(ext)) {
+ cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: " "extension not critical", p->fn);
+ goto out;
+ }
+
 if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
 cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: " "failed extension parse", p->fn);
@@ -891,6 +897,12 @@ sbgp_ipaddrblk(struct parse *p, X509_EXTENSION *ext)
 const ASN1_TYPE *t = NULL;
 int i;
+ if (!X509_EXTENSION_get_critical(ext)) {
+ cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: " "extension not critical", p->fn);
+ goto out;
+ }
+
 if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
 cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: " "failed extension parse", p->fn);
--
2.20.1
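Review bot: The new `goto out` in sbgp_assysnum (and the identical one in sbgp_ipaddrblk in the following hunk) jumps to the cleanup label before `sv` has been assigned by the i2d_X509_EXTENSION call that follows it, so it is only safe if `sv` and every other object released at `out:` is NULL-initialised at its declaration; those declarations and the label are outside the hunk, so please confirm rather than rely on the existing later `goto out` paths. Since the check is now a hard reject with `rc` still 0, a one-line comment above it would record the requirement the log message only alludes to, e.g. `/* RFC 6487, 4.8.11: autonomousSysNum MUST be marked critical; reject the cert otherwise. */` (and the 4.8.10 equivalent for sbgp-ipAddrBlock). The commit message says the criticality ASN1_BOOLEAN is still extracted and ignored further down each function behind a FIXME; if that extraction is now dead it would be cleaner to drop it in a follow-up than to leave two sources of truth for the same flag. Both enclosing functions begin and end outside their hunks.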