authorTheo Buehler <tb@cvs.openbsd.org>2022-06-07 08:50:08 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-06-07 08:50:08 +0000
commit64dee919109143ca963f03c89a79cf9e83a537fc (patch)
tree3b0d4fcdb2e5906babddb54144b9113e98621dfa
parenta08e7c9de5da16f92c18989048f4535e1e3f8ad0 (diff)
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3. ok job
-rw-r--r--usr.sbin/rpki-client/validate.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8d01041c991..4d65f9de61d 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.38 2022/05/15 16:43:35 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.39 2022/06/07 08:50:07 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -46,15 +46,13 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
return 0;
/* Does this certificate cover our AS number? */
- if (a->cert->asz) {
- c = as_check_covered(min, max, a->cert->as, a->cert->asz);
- if (c > 0)
- return 1;
- else if (c < 0)
- return 0;
- }
+ c = as_check_covered(min, max, a->cert->as, a->cert->asz);
+ if (c > 0)
+ return 1;
+ else if (c < 0)
+ return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
return valid_as(a->parent, min, max);
}
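Review bot: The rejection of a certificate that lacks the AS numbers extension now depends entirely on `as_check_covered()` returning a negative value when `asz` is 0, and that function is not part of this diff, so the fail-closed behaviour cannot be confirmed from the hunk. If it returned 0 for an empty set, the code would still fall through to `valid_as(a->parent, min, max)` and treat a missing extension like inherit, which is the case the commit message says must fail under RFC 3779, section 3.3. I would state the contract above the call, e.g. `/* asz == 0 (no AS extension) must give c < 0; only an explicit inherit may give 0. */`, and check that the callee does not read `a->cert->as` when `asz` is 0, since the pointer is presumably NULL then. A regression test with a chain whose intermediate certificate has no AS extension would pin this down. The body of `valid_as` begins above the hunk.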
@@ -80,7 +78,7 @@ valid_ip(struct auth *a, enum afi afi,
else if (c < 0)
return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
return valid_ip(a->parent, afi, min, max);
}