authorJob Snijders <job@cvs.openbsd.org>2024-04-20 15:45:42 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-04-20 15:45:42 +0000
commitf39c7768cc4fd65472cc204f3ee3ec7961ef9835 (patch)
tree674097026bfcfbdcddf74b4b86772492b4cd6039 /usr.sbin/rpki-client/mft.c
parent0b78b0af075729998afa22ebf0f876352eecaa33 (diff)
Display distinct errors for various problematic CRL/MFT situationships
RFC 6487 section 8 specifies only a single CRL is issued at a time, so error when multiple .crl files are listed in a Manifest's FileList. The CRLDP extension identifies the location of the CRL, so the CRL's filename must match the CA's CRLDP's 'rsync://' entry, error if that isn't the case. (RFC 6486 section 4.8.6) with & OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/mft.c')
-rw-r--r--usr.sbin/rpki-client/mft.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 8f48a881d71..024dd7c8bcb 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.112 2024/02/22 12:49:42 job Exp $ */
+/* $OpenBSD: mft.c,v 1.113 2024/04/20 15:45:41 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -201,8 +201,17 @@ mft_parse_filehash(const char *fn, struct mft *mft, const FileAndHash *fh,
}
type = rtype_from_mftfile(file);
- /* remember the filehash for the CRL in struct mft */
- if (type == RTYPE_CRL && strcmp(file, mft->crl) == 0) {
+ if (type == RTYPE_CRL) {
+ if (*found_crl == 1) {
+ warnx("%s: RFC 6487: too many CRLs listed on MFT", fn);
+ goto out;
+ }
+ if (strcmp(file, mft->crl) != 0) {
+ warnx("%s: RFC 6487: name (%s) doesn't match CRLDP "
+ "(%s)", fn, file, mft->crl);
+ goto out;
+ }
+ /* remember the filehash for the CRL in struct mft */
memcpy(mft->crlhash, fh->hash->data, SHA256_DIGEST_LENGTH);
*found_crl = 1;
}
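Review bot: The name-mismatch warnx in this hunk cites "RFC 6487" without a section, while the commit description places the filename/CRLDP requirement at section 4.8.6 (that section of RFC 6487 is CRL Distribution Points, so the description's "RFC 6486" looks like a typo); the CRLDP diagnostics elsewhere in rpki-client appear to name the section, so `warnx("%s: RFC 6487 section 4.8.6: name (%s) doesn't match CRLDP (%s)", fn, file, mft->crl);` would keep the messages consistent and make the rejection reason unambiguous in logs. The `strcmp(file, mft->crl)`, carried over from the removed line, still assumes mft->crl was populated from the EE certificate's CRLDP before the FileList is walked; if that earlier step can leave it NULL the compare is undefined, so a comment such as `/* mft->crl is set from the EE cert's CRLDP before the FileList is parsed */` at the top of the RTYPE_CRL branch would document the invariant the new checks rely on. Rejecting the whole manifest in both cases is the right outcome from a validation standpoint, since accepting a MFT with a second or misnamed CRL would silently change which revocation list the CA's products are checked against. mft_parse_filehash begins before this hunk and continues after it.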