From 3a363cbd2e87db7e718bc72fce62572da99339b6 Mon Sep 17 00:00:00 2001
From: job
Date: Wed, 11 May 2022 21:19:06 +0000
Subject: [PATCH] Verify MFT and GBR objects only carry RFC 3779 extensions set to 'inherit'

OK claudio@ tb@
---
 usr.sbin/rpki-client/extern.h | 3 ++-
 usr.sbin/rpki-client/gbr.c | 10 ++++++--
 usr.sbin/rpki-client/mft.c | 7 +++++-
 usr.sbin/rpki-client/x509.c | 47 ++++++++++++++++++++++++++++++++++-
 4 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 3e1c3e4894a..53d02024169 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.136 2022/05/11 14:42:01 job Exp $ */
+/* $OpenBSD: extern.h,v 1.137 2022/05/11 21:19:06 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -636,6 +636,7 @@ int x509_get_time(const ASN1_TIME *, time_t *);
 char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
 int x509_location(const char *, const char *, const char *,
 GENERAL_NAME *, char **);
+int x509_inherits(X509 *);
 
 /* printers */
 char *time2str(time_t);
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 483a168645c..db0616fc89c 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.15 2022/04/01 17:22:07 claudio Exp $ */
+/* $OpenBSD: gbr.c,v 1.16 2022/05/11 21:19:06 job Exp $ */
 /*
 * Copyright (c) 2020 Claudio Jeker
 *
@@ -74,9 +74,15 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 "missing AIA, AKI or SKI X509 extension", fn);
 goto out;
 }
+
+ if (!x509_inherits(*x509)) {
+ warnx("%s: RFC 3779 extension not set to inherit", fn);
+ goto out;
+ }
+
 return p.res;
-out:
+ out:
 gbr_free(p.res);
 X509_free(*x509);
 *x509 = NULL;
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index b9875936b5b..2789ca0666c 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
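Review bot: The new `warnx("%s: RFC 3779 extension not set to inherit", fn);` in gbr_parse fires on every zero return from `x509_inherits()`, and that function's own header comment says 0 also covers missing extensions, so a GBR that carries no RFC 3779 extensions at all is logged as having them set to something other than inherit. A wording like `warnx("%s: RFC 3779 extensions missing or not set to inherit", fn);` keeps the diagnostic truthful; the identical message is added in the mft.c hunk and would want the same adjustment. The `out:` to ` out:` label change in the same hunk is unrelated whitespace and only matches the label style used in the new x509.c code. gbr_parse's body begins and ends outside the hunk.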
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.63 2022/05/10 07:41:37 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.64 2022/05/11 21:19:06 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -474,6 +474,11 @@ mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 
+ if (!x509_inherits(*x509)) {
+ warnx("%s: RFC 3779 extension not set to inherit", fn);
+ goto out;
+ }
+
 /* get CRL info for later */
 if (!x509_get_crl(*x509, fn, &crldp))
 goto out;
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index cff78e58b02..0751b8e88e5 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.43 2022/05/10 10:52:09 job Exp $ */
+/* $OpenBSD: x509.c,v 1.44 2022/05/11 21:19:06 job Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -348,6 +348,51 @@ x509_get_expire(X509 *x, const char *fn, time_t *tt)
 }
+/*
+ * Check whether the RFC 3779 extensions are set to inherit.
+ * Return 1 if both AS & IP are set to inherit.
+ * Return 0 on failure (such as missing extensions or no inheritance).
+ */
+int
+x509_inherits(X509 *x)
+{
+ STACK_OF(IPAddressFamily) *addrblk = NULL;
+ ASIdentifiers *asidentifiers = NULL;
+ const IPAddressFamily *af;
+ int i, rc = 0;
+
+ addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ if (addrblk == NULL)
+ goto out;
+
+ /*
+ * Check by hand, since X509v3_addr_inherits() success only means that
+ * at least one address family inherits, not all of them.
+ */
+ for (i = 0; i < sk_IPAddressFamily_num(addrblk); i++) {
+ af = sk_IPAddressFamily_value(addrblk, i);
+ if (af->ipAddressChoice->type != IPAddressChoice_inherit)
+ goto out;
+ }
+
+ asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
+ NULL);
+ if (asidentifiers == NULL)
+ goto out;
+
+ /* We need to have AS numbers and don't want RDIs. */
+ if (asidentifiers->asnum == NULL || asidentifiers->rdi != NULL)
+ goto out;
+ if (!X509v3_asid_inherits(asidentifiers))
+ goto out;
+
+ rc = 1;
+ out:
+ ASIdentifiers_free(asidentifiers);
+ sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
+ return rc;
+}
+
 /*
 * Parse the very specific subset of information in the CRL distribution
 * point extension.
--
2.20.1
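Review bot: Both `X509_get_ext_d2i()` calls in x509_inherits pass NULL for the `crit` out-parameter, so an RFC 3779 extension that is absent and one that is present but fails to decode (or occurs more than once) both take the same `goto out` path and return 0, and the callers in gbr.c and mft.c then report either case as "not set to inherit". Declaring `int crit;`, calling `addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &crit, NULL);` and, on the NULL return, treating `crit != -1` (-1 is the not-found value) as a decoding problem rather than a simple absence would let a malformed extension be surfaced as such; the autonomousSysNum lookup wants the same treatment. A second, smaller gap: if an IPAddrBlocks value decodes to an empty SEQUENCE, the `for` loop body never runs and the IP side is accepted as inheriting, and nothing in this hunk rejects that, so `if (sk_IPAddressFamily_num(addrblk) == 0) goto out;` after the NULL check would make the "every family inherits" requirement explicit unless the decoder already refuses empty sequences. x509_inherits is complete within the hunk.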