From 60c4be4a7336ac4568b261e709112e9cdcdfe3e9 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 7 Jun 2022 08:50:07 +0000
Subject: [PATCH] Fix path validation of AS numbers If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3. ok job
---
 usr.sbin/rpki-client/validate.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8d01041c991..4d65f9de61d 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.38 2022/05/15 16:43:35 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.39 2022/06/07 08:50:07 tb Exp $ */
 /* * Copyright (c) 2019 Kristaps Dzonsons *
@@ -46,15 +46,13 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
 return 0; /* Does this certificate cover our AS number? */
- if (a->cert->asz) {
- c = as_check_covered(min, max, a->cert->as, a->cert->asz);
- if (c > 0)
- return 1;
- else if (c < 0)
- return 0;
- }
+ c = as_check_covered(min, max, a->cert->as, a->cert->asz);
+ if (c > 0)
+ return 1;
+ else if (c < 0)
+ return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
 return valid_as(a->parent, min, max); }
@@ -80,7 +78,7 @@ valid_ip(struct auth *a, enum afi afi,
 else if (c < 0) return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
 return valid_ip(a->parent, afi, min, max); }
--
2.20.1
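Review bot: The now-unconditional call in valid_as relies on as_check_covered() returning a negative value when `a->cert->asz` is 0, and nothing in this hunk states that contract. as_check_covered() is not shown here, so this is inferred from the commit message: if it returned 0 for an empty array, a certificate without an AS numbers extension would still be treated as inheriting, and the chain could validate an AS range that an intermediate never held. I would document the three results at the call site, e.g. `/* >0: covered; <0: not covered, or no AS extension (asz == 0); 0: inherit */`, and confirm the callee never dereferences `a->cert->as` when the count is 0. A regression case with an intermediate certificate that lacks the extension would pin the RFC 3779 section 3.3 behaviour. valid_as begins above the hunk, so the guard in front of the first `return 0;` is not visible here.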