From c207abadaf5bba1d75e6d27ab09ffdc469095ea0 Mon Sep 17 00:00:00 2001
From: job
Date: Mon, 15 Apr 2024 13:57:45 +0000
Subject: [PATCH] Use the manifest location as additional differentiator when comparing CRLs
OK tb@
---
 usr.sbin/rpki-client/crl.c | 29 +++++++++++++++++++++++++++--
 usr.sbin/rpki-client/extern.h | 3 ++-
 usr.sbin/rpki-client/parser.c | 5 ++++-
 3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 6ea592560e7..c6ad99d2854 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.32 2024/02/01 15:11:38 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.33 2024/04/15 13:57:45 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -122,7 +122,28 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 static inline int
 crlcmp(struct crl *a, struct crl *b)
 {
- return strcmp(a->aki, b->aki);
+ int cmp;
+
+ cmp = strcmp(a->aki, b->aki);
+ if (cmp > 0)
+ return 1;
+ if (cmp < 0)
+ return -1;
+
+ /*
+ * In filemode the mftpath cannot be determined easily,
+ * but it is always set in normal top-down validation.
+ */
+ if (a->mftpath == NULL || b->mftpath == NULL)
+ return 0;
+
+ cmp = strcmp(a->mftpath, b->mftpath);
+ if (cmp > 0)
+ return 1;
+ if (cmp < 0)
+ return -1;
+
+ return 0;
 }
 RB_GENERATE_STATIC(crl_tree, crl, entry, crlcmp);
@@ -137,7 +158,10 @@ crl_get(struct crl_tree *crlt, const struct auth *a)
 if (a == NULL)
 return NULL;
+
 find.aki = a->cert->ski;
+ find.mftpath = a->cert->mft;
+
 return RB_FIND(crl_tree, crlt, &find);
 }
@@ -153,6 +177,7 @@ crl_free(struct crl *crl)
 if (crl == NULL)
 return;
 free(crl->aki);
+ free(crl->mftpath);
 free(crl->number);
 X509_CRL_free(crl->x509_crl);
 free(crl);
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index c0d74715830..f72b383721b 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
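Review bot: crlcmp() is only a consistent ordering for RB_FIND/RB_INSERT if a single tree never mixes entries with a NULL mftpath and entries with a set one under the same AKI: a NULL-mftpath node compares equal to every same-AKI node, while two set-but-different mftpaths compare unequal, so a mixed tree could end up with a node placed where a later lookup does not reach it. The new comment explains when mftpath is NULL (filemode) but not that the tree depends on this never being mixed; I would extend it with `* A given tree must hold either only NULL or only set mftpaths for an` `* AKI, otherwise this comparator is not a total order.`. As a style point only, each `if (cmp > 0) … if (cmp < 0) …` ladder could collapse to `if (cmp != 0) return cmp < 0 ? -1 : 1;`.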
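Review bot: The new lookup key `find.mftpath = a->cert->mft;` in crl_get() only matches entries whose mftpath the parser filled from `mft->sia`, so it presumes the CA certificate's manifest SIA and the manifest's own SIA are held as the same string; if the two were ever stored in different forms, every CRL lookup for that CA would silently miss. That is the fail-closed direction, which is the safe one for a validator, but the coupling is not visible here, so a comment at the assignment such as `/* must match crl->mftpath, which the parser copies from mft->sia */` would help. The declaration of `find` and the rest of crl_get() are outside the hunk.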
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.215 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.216 2024/04/15 13:57:45 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -474,6 +474,7 @@ RB_PROTOTYPE(brk_tree, brk, entry, brkcmp);
 struct crl {
 RB_ENTRY(crl) entry;
 char *aki;
+ char *mftpath;
 char *number;
 X509_CRL *x509_crl;
 time_t thisupdate; /* do not use before */
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index a3f4e70fd44..d6a49373ebc 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.131 2024/03/19 05:04:13 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.132 2024/04/15 13:57:45 job Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -277,6 +277,9 @@ parse_load_crl_from_mft(struct entity *entp, struct mft *mft, enum location loc,
 goto out;
 }
+ if ((crl->mftpath = strdup(mft->sia)) == NULL)
+ err(1, NULL);
+
 *crlfile = fn;
 free(f);
--
2.20.1
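Review bot: The new `char *mftpath;` member of `struct crl` is the one string field whose meaning and nullability are not evident from its name, and the struct already annotates `thisupdate` inline, so it deserves the same treatment: `char *mftpath; /* SIA of the manifest that listed this CRL; NULL in filemode */`. The NULL-in-filemode part comes from the comment added to crlcmp() in crl.c, and crl_free() in the same commit releases the string, so the field comment should stay in step with both.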
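Review bot: `strdup(mft->sia)` relies on `mft->sia` being non-NULL at this point; strdup() on a null pointer is undefined behaviour rather than a failure that `err(1, NULL)` would report. If manifest parsing already rejects a manifest without an SIA, a short comment saying so is enough; otherwise a guard such as `if (mft->sia == NULL) goto out;` should precede the copy, using the same failure path the hunk's context shows. A comment stating why the copy exists would also help the next reader, e.g. `/* key the CRL on the manifest that listed it; see crlcmp() in crl.c */`. parse_load_crl_from_mft()'s body starts and ends outside the hunk.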