On Mon, Apr 04, 2022 at 08:44:43PM +0200, Theo Buehler wrote:
> p->res->mft and p->res->repo are populated in sbgp_sia_resource_entry().
> Nothing guarantees that the resources are present. With our current
> strstr() implementation we would let a cert with a missing mft through
> while we would crash on a missing repo.
>
> Also, we don't check that the SIA extension isn't critical.
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> retrieving revision 1.61
> diff -u -p -r1.61 cert.c
> --- cert.c 4 Apr 2022 13:15:11 -0000 1.61
> +++ cert.c 4 Apr 2022 18:12:23 -0000
> @@ -305,6 +305,12 @@ sbgp_sia_resource(struct parse *p, const
> goto out;
> }
>
> + if (p->res->mft == NULL || p->res->repo == NULL) {
> + warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository "
> + "or rpkiManifest", p->fn);
> + goto out;
> + }
> +
> if (strstr(p->res->mft, p->res->repo) != p->res->mft) {
> warnx("%s: RFC 6487 section 4.8.8: SIA: "
> "conflicting URIs for caRepository and rpkiManifest",
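Review bot: The new NULL check in sbgp_sia_resource() reports both failure cases with one message, "SIA missing caRepository or rpkiManifest", so the log does not say which access method was absent from the certificate. Testing p->res->repo and p->res->mft separately, each with its own warnx(), would make a rejected cert easier to diagnose. With both pointers now guaranteed non-NULL, the following strstr(p->res->mft, p->res->repo) != p->res->mft test is purely a prefix check, and strncmp() over strlen(p->res->repo) would state that intent directly.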
> @@ -329,6 +335,12 @@ sbgp_sia(struct parse *p, X509_EXTENSION
> ASN1_SEQUENCE_ANY *seq = NULL;
> const ASN1_TYPE *t;
> int dsz, rc = 0;
> +
> + if (X509_EXTENSION_get_critical(ext)) {
> + warnx("%s: RFC 6487 section 4.8.8: SIA: "
> + "extension not non-critical", p->fn);
> + goto out;
> + }
>
> if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
> cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: "
>
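Review bot: The early goto out added at the top of sbgp_sia() runs before i2d_X509_EXTENSION(ext, &sv) has been called, and the declaration of sv is not among the context lines shown, so it is worth confirming that sv is initialised to NULL and that the out path is safe to reach with nothing allocated yet (seq is visibly NULL and rc is 0). On wording, "extension not non-critical" is a double negative; "extension must not be critical" says the same thing and is easier to search for in logs.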
OK claudio@
--
:wq Claudio