On Mon, Apr 04, 2022 at 08:44:43PM +0200, Theo Buehler wrote: > p->res->mft and p->res->repo are populated in sbgp_sia_resouce_entry(). > Nothing guarantees that the resources are present. With our current > strstr() implementation we would let a cert with a missing mft through > while we would crash on a missing repo. > > Also, we don't check that the SIA extension isn't critical. > > Index: cert.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > retrieving revision 1.61 > diff -u -p -r1.61 cert.c > --- cert.c 4 Apr 2022 13:15:11 -0000 1.61 > +++ cert.c 4 Apr 2022 18:12:23 -0000 > @@ -305,6 +305,12 @@ sbgp_sia_resource(struct parse *p, const > goto out; > } > > + if (p->res->mft == NULL || p->res->repo == NULL) { > + warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository " > + "or rpkiManifest", p->fn); > + goto out; > + } > + > if (strstr(p->res->mft, p->res->repo) != p->res->mft) { > warnx("%s: RFC 6487 section 4.8.8: SIA: " > "conflicting URIs for caRepository and rpkiManifest", > @@ -329,6 +335,12 @@ sbgp_sia(struct parse *p, X509_EXTENSION > ASN1_SEQUENCE_ANY *seq = NULL; > const ASN1_TYPE *t; > int dsz, rc = 0; > + > + if (X509_EXTENSION_get_critical(ext)) { > + warnx("%s: RFC 6487 section 4.8.8: SIA: " > + "extension not non-critical", p->fn); > + goto out; > + } > > if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) { > cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: " >
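Review bot: In the first hunk (sbgp_sia_resource), the new NULL check reports "SIA missing caRepository or rpkiManifest" for both cases, so the log does not say which access description is absent. Testing p->res->repo and p->res->mft separately, each with its own warnx(), would make a rejected certificate easier to diagnose. The check itself is correctly placed ahead of the strstr() call that dereferences both pointers.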
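Review bot: In the second hunk (sbgp_sia), the new X509_EXTENSION_get_critical() check does "goto out" before i2d_X509_EXTENSION() has run, so it is worth confirming that everything the out label releases is already initialised at that point: seq is set to NULL in the visible declarations, but the initialisation of sv is outside the hunk. Separately, the message "extension not non-critical" is a double negative; something like "SIA: extension must not be marked critical" reads more clearly in logs.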
OK claudio@

-- 
:wq Claudio