From 8a9424f8c5c906abef17d8f94fe007f2fa52c0bc Mon Sep 17 00:00:00 2001
From: job
Date: Sat, 20 Apr 2024 15:45:41 +0000
Subject: [PATCH] Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's filename must match the CA's CRLDP's 'rsync://' entry, error if that isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@
---
 usr.sbin/rpki-client/mft.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 8f48a881d71..024dd7c8bcb 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.112 2024/02/22 12:49:42 job Exp $ */
+/* $OpenBSD: mft.c,v 1.113 2024/04/20 15:45:41 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -201,8 +201,17 @@ mft_parse_filehash(const char *fn, struct mft *mft, const FileAndHash *fh,
 	}
 
 	type = rtype_from_mftfile(file);
-	/* remember the filehash for the CRL in struct mft */
-	if (type == RTYPE_CRL && strcmp(file, mft->crl) == 0) {
+	if (type == RTYPE_CRL) {
+		if (*found_crl == 1) {
+			warnx("%s: RFC 6487: too many CRLs listed on MFT", fn);
+			goto out;
+		}
+		if (strcmp(file, mft->crl) != 0) {
+			warnx("%s: RFC 6487: name (%s) doesn't match CRLDP "
+			    "(%s)", fn, file, mft->crl);
+			goto out;
+		}
+		/* remember the filehash for the CRL in struct mft */
 		memcpy(mft->crlhash, fh->hash->data, SHA256_DIGEST_LENGTH);
 		*found_crl = 1;
 	}
-- 
2.20.1
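Review bot: The "too many CRLs listed on MFT" warnx in the first added branch omits the offending filename, whereas the CRLDP-mismatch message right below it prints both `file` and `mft->crl`; an operator debugging a rejected manifest needs to know which second .crl entry triggered it, so I'd write `warnx("%s: RFC 6487 section 8: extra CRL %s listed on MFT", fn, file);` and, for symmetry, cite `section 4.8.6` in the mismatch message. Rejecting the whole manifest in both cases is the right outcome, since accepting a second or differently named .crl entry would let a publication point present a CRL other than the one the EE certificate's CRLDP actually points at. The new strcmp() depends on `mft->crl` already being non-NULL and reduced to the basename of the CRLDP rsync URI; that is set up earlier in mft_parse(), outside this hunk, and is worth confirming rather than assuming, because a NULL there would now be dereferenced on every CRL entry. `file` is echoed verbatim into the log, which is only safe because valid_mft_filename() presumably rejected non-portable characters before this point. mft_parse_filehash() both starts and ends outside the hunk.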