authorClaudio Jeker <claudio@cvs.openbsd.org>2021-11-03 10:19:23 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2021-11-03 10:19:23 +0000
commit3e920172ddc4a872b8a9e2a46ce8dc37b46f08d5 (patch)
tree5d0ed04066cf087b1e6f079fdea97db340371b69 /usr.sbin/rpki-client/parser.c
parent401f2e4fcd33436d0d98d60ca1a7cb9311c7cc6a (diff)
In proc_parser_roa() adjust the expiry calculation to walk all of
the auth tree (including the TA) and be more careful to not dereference NULL pointers. Both valid_ski_aki() and get_crl() can return NULL pointers. In these situations X509_verify_cert() should fail and the affected code should not be reachable but better be prepared. With and OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/parser.c')
-rw-r--r--usr.sbin/rpki-client/parser.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 6b27ae79f94..63186af5e78 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.24 2021/11/02 19:30:30 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.25 2021/11/03 10:19:22 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -68,7 +68,6 @@ proc_parser_roa(struct entity *entp, const unsigned char *der, size_t len)
return NULL;
a = valid_ski_aki(entp->file, &auths, roa->ski, roa->aki);
-
build_chain(a, &chain);
crl = get_crl(a);
build_crls(crl, &crls);
@@ -99,14 +98,14 @@ proc_parser_roa(struct entity *entp, const unsigned char *der, size_t len)
/*
* Check CRL to figure out the soonest transitive expiry moment
*/
- if (roa->expires > crl->expires)
+ if (crl != NULL && roa->expires > crl->expires)
roa->expires = crl->expires;
/*
* Scan the cert tree to figure out the soonest transitive
* expiry moment
*/
- for (; a->parent != NULL; a = a->parent) {
+ for (; a != NULL; a = a->parent) {
if (roa->expires > a->cert->expires)
roa->expires = a->cert->expires;
}
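Review bot: The new guards at `if (crl != NULL && ...)` and `for (; a != NULL; ...)` skip the expiry clamp silently, so if a NULL `crl` or `a` ever reached this point the ROA would keep its own `expires` without being bounded by the CRL or the certificate chain. The commit message says X509_verify_cert() should already have failed in that case, but that call is outside the hunk, so I would state the invariant next to the guards, for example `/* crl and a are NULL only when validation above has failed; these checks are defensive */`, or fail closed there instead of continuing. The loop still dereferences `a->cert` without a check; presumably every auth node carries a cert, which is worth confirming now that the walk includes the trust anchor. The comment above the loop could also say that the scan now includes the TA. proc_parser_roa() begins and ends outside this hunk.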