authorTheo Buehler <tb@cvs.openbsd.org>2022-11-04 23:53:00 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-11-04 23:53:00 +0000
commit6d49a6d521398f98670031b7ce3329ced92f7f0b (patch)
tree48028da9e53b04a7af41e1f9df46e74873e6e47a /usr.sbin/rpki-client/x509.c
parent52cd83ba808cdbf5b5946903d25b6755ac5d83df (diff)
Do not fail on non-rsync URIs in EE cert SIA extensions
The spec allows multiple accessMethod entries, ordered by preference. While an rsync URI must be present, others are allowed. Do not fail in that situation; instead pick the first rsync URI encountered. The logic is very similar to the one in x509_get_crl(). ok job
Diffstat (limited to 'usr.sbin/rpki-client/x509.c')
-rw-r--r--usr.sbin/rpki-client/x509.c35
1 files changed, 24 insertions, 11 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 4276588ab19..a489189eb47 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.55 2022/11/04 23:42:56 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.56 2022/11/04 23:52:59 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -386,7 +386,7 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
ACCESS_DESCRIPTION *ad;
AUTHORITY_INFO_ACCESS *info;
ASN1_OBJECT *oid;
- int i, crit, rc = 0;
+ int i, crit, rsync_found = 0;
*sia = NULL;
@@ -420,16 +420,26 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
continue;
}
- /* XXX: correctly deal with other (non-rsync) protocols. */
- if (!x509_location(fn, "SIA: signedObject", "rsync://",
- ad->location, sia))
+ /* Don't fail on non-rsync URI, so check this afterward. */
+ if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
+ sia))
goto out;
+
+ if (rsync_found)
+ continue;
+
+ if (strncasecmp(*sia, "rsync://", 8) == 0) {
+ rsync_found = 1;
+ continue;
+ }
+
+ free(*sia);
+ *sia = NULL;
}
- rc = 1;
out:
AUTHORITY_INFO_ACCESS_free(info);
- return rc;
+ return rsync_found;
}
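Review bot: Once rsync_found is set, the loop keeps calling x509_location() with *sia still holding the chosen rsync URI, so the outcome for every later accessMethod entry hinges on how x509_location() treats a non-NULL *out, which is outside this hunk; if it were ever changed to replace the string, the first rsync URI would leak and be silently swapped for a later (possibly non-rsync) one. That dependency deserves a comment at the `if (rsync_found)` check, e.g. `/* *sia already holds the rsync URI; x509_location() must not replace a non-NULL *sia. */`. The parallel loop in x509_get_crl() avoids the question by leaving the loop as soon as an rsync URI is found, so only x509_get_sia() needs the note. x509_get_sia()'s body starts outside the hunk.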
/*
@@ -537,7 +547,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
DIST_POINT *dp;
GENERAL_NAMES *names;
GENERAL_NAME *name;
- int i, crit, rc = 0;
+ int i, crit, rsync_found = 0;
*crl = NULL;
crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &crit, NULL);
@@ -572,14 +582,17 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
names = dp->distpoint->name.fullname;
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
name = sk_GENERAL_NAME_value(names, i);
- /* Don't warn on non-rsync URI, so check this afterward. */
+
+ /* Don't fail on non-rsync URI, so check this afterward. */
if (!x509_location(fn, "CRL distribution point", NULL, name,
crl))
goto out;
+
if (strncasecmp(*crl, "rsync://", 8) == 0) {
- rc = 1;
+ rsync_found = 1;
goto out;
}
+
free(*crl);
*crl = NULL;
}
@@ -589,7 +602,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
out:
CRL_DIST_POINTS_free(crldp);
- return rc;
+ return rsync_found;
}
/*