From 660fcdefe201725f248f148667afd430bdb78b12 Mon Sep 17 00:00:00 2001 From: job Date: Tue, 20 Jun 2023 12:48:32 +0000 Subject: [PATCH] Ensure CRLs carry the correct version OK tb@ --- usr.sbin/rpki-client/crl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c index ad43e18fb68..bf9b19a62d6 100644 --- a/usr.sbin/rpki-client/crl.c +++ b/usr.sbin/rpki-client/crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl.c,v 1.25 2023/05/22 15:07:02 tb Exp $ */ +/* $OpenBSD: crl.c,v 1.26 2023/06/20 12:48:32 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -51,6 +51,11 @@ crl_parse(const char *fn, const unsigned char *der, size_t len) goto out; } + if (X509_CRL_get_version(crl->x509_crl) != 1) { + warnx("%s: RFC 6487 section 5: version 2 expected", fn); + goto out; + } + X509_CRL_get0_signature(crl->x509_crl, NULL, &palg); if (palg == NULL) { cryptowarnx("%s: X509_CRL_get0_signature", fn); -- 2.20.1
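Review bot: The bare `1` in the added `X509_CRL_get_version(crl->x509_crl) != 1` check looks inconsistent with the "version 2 expected" message unless the reader knows the getter returns the encoded field value (0 for v1, 1 for v2). I would add `/* RFC 5280: the version field is zero-based, so 1 means v2 */` above the check, or compare against `X509_CRL_VERSION_2` if the libcrypto in use defines it. Including the value actually found in the `warnx` text would also help an operator triage a rejected CRL. crl_parse starts and ends outside the hunk, so the cleanup reached through `goto out` is not visible here.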