From 85c5c716c7d722adf664a046c376aa1b8dbfca8f Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 5 Apr 2022 03:56:20 +0000
Subject: [PATCH] Fix two missing checks in the SIA extension
Make sure that the caRepository and rpkiManifest are present before calling strstr on them. Also check that the extension is not critical.
ok claudio deraadt
---
 usr.sbin/rpki-client/cert.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index d4858f4f72d..54bfb8bb5ad 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.61 2022/04/04 13:15:11 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.62 2022/04/05 03:56:20 tb Exp $ */
 /*
 * Copyright (c) 2021 Job Snijders
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -305,6 +305,12 @@ sbgp_sia_resource(struct parse *p, const unsigned char *d, size_t dsz)
 goto out;
 }
+ if (p->res->mft == NULL || p->res->repo == NULL) {
+ warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository " "or rpkiManifest", p->fn);
+ goto out;
+ }
+
 if (strstr(p->res->mft, p->res->repo) != p->res->mft) {
 warnx("%s: RFC 6487 section 4.8.8: SIA: " "conflicting URIs for caRepository and rpkiManifest",
@@ -330,6 +336,12 @@ sbgp_sia(struct parse *p, X509_EXTENSION *ext)
 const ASN1_TYPE *t;
 int dsz, rc = 0;
+ if (X509_EXTENSION_get_critical(ext)) {
+ warnx("%s: RFC 6487 section 4.8.8: SIA: " "extension not non-critical", p->fn);
+ goto out;
+ }
+
 if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
 cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: " "failed extension parse", p->fn);
--
2.20.1
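Review bot: The prefix test that follows the new NULL guard in sbgp_sia_resource, `strstr(p->res->mft, p->res->repo) != p->res->mft`, only proves the caRepository URI is a leading substring of the rpkiManifest URI, so a repository `rsync://h/a` would still accept a manifest under `rsync://h/ab/`; unless the caRepository is guaranteed to end in `/` before this point (not visible in the hunk), the comparison should also require the match to end on a path separator, e.g. `n = strlen(repo); if (strncmp(mft, repo, n) != 0 || (n > 0 && repo[n - 1] != '/' && mft[n] != '/'))`, which also reads as the prefix check it is rather than a substring search. As a smaller point, the new diagnostic `"SIA missing caRepository or rpkiManifest"` does not say which accessMethod is absent and drops the `SIA: ` prefix the neighbouring messages use; two separate checks, each naming the missing one, would be easier to act on from a log. sbgp_sia_resource begins before the hunk and the `out:` label is after it, so it is assumed rather than shown that `rc` is still 0 on this new failure path.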
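Review bot: The new diagnostic in sbgp_sia, `"extension not non-critical"`, is a double negative that reads oddly in logs; `"extension must be non-critical"` or `"SIA: critical extension"` states the RFC 6487 section 4.8.8 requirement directly and matches the wording style of the surrounding messages. The added `goto out` now runs before `i2d_X509_EXTENSION` has assigned `sv`, so it is only safe if `sv` is initialised to NULL at its declaration and the `out:` cleanup tolerates that; both are outside the hunk and worth confirming. RFC 6487 imposes the same non-critical requirement on AIA (4.8.7) and CRLDP (4.8.6) and requires the IP/AS resource extensions to be critical, so if the sibling extension parsers in cert.c do not already consult `X509_EXTENSION_get_critical` the same guard belongs there too. sbgp_sia's body continues past the end of the hunk.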