author | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-07 08:50:08 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-07 08:50:08 +0000 |
commit | 64dee919109143ca963f03c89a79cf9e83a537fc (patch) | |
tree | 3b0d4fcdb2e5906babddb54144b9113e98621dfa /usr.sbin | |
parent | a08e7c9de5da16f92c18989048f4535e1e3f8ad0 (diff) |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.
ok job
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8d01041c991..4d65f9de61d 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.38 2022/05/15 16:43:35 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.39 2022/06/07 08:50:07 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -46,15 +46,13 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
 return 0;
 /* Does this certificate cover our AS number? */
- if (a->cert->asz) {
- c = as_check_covered(min, max, a->cert->as, a->cert->asz);
- if (c > 0)
- return 1;
- else if (c < 0)
- return 0;
- }
+ c = as_check_covered(min, max, a->cert->as, a->cert->asz);
+ if (c > 0)
+ return 1;
+ else if (c < 0)
+ return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
 return valid_as(a->parent, min, max);
 }
@@ -80,7 +78,7 @@ valid_ip(struct auth *a, enum afi afi,
 else if (c < 0)
 return 0;
- /* If it doesn't, walk up the chain. */
+ /* If it inherits, walk up the chain. */
 return valid_ip(a->parent, afi, min, max);
 } |
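Review bot: In the valid_as hunk, rejecting a certificate that has no AS numbers extension now depends entirely on what `as_check_covered()` returns when `a->cert->asz` is 0, and that contract is not visible here. If the callee ever returned 0 for an empty array, the code would fall through to the "inherits" path and walk up the chain, which is the behaviour this commit removes. I would document the three-way result at the call site, for example `/* > 0: covered, 0: inherit, < 0: not covered or no AS resources (RFC 3779, 3.3) */`, after confirming it against the callee. A regression case with a chain whose intermediate certificate lacks the extension would pin the failure result. The body of valid_as starts before this hunk, so the guard behind the leading `return 0;` could not be checked.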