author | Bob Beck <beck@cvs.openbsd.org> | 2021-10-28 09:02:20 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2021-10-28 09:02:20 +0000 |
commit | c308ab0dfeec4c5ba3f9d2b625fc63644f1027e8 (patch) | |
tree | 7a7bc14064f4826eb34cd0bbf8698aedc65a9538 /usr.sbin | |
parent | 66f331b9c9fdb5b7854f555c6c2eb889873a7c47 (diff) |
Don't exit in certain cases on failures to parse x509 objects.
In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes the behaviour consistent in all places,
so that if someone passes in bogus X509, we end up failing their entry
and continuing rather than exiting.
We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on
ok job@ claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/rpki-client/cert.c | 5 | ||||
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 4 | ||||
-rw-r--r-- | usr.sbin/rpki-client/parser.c | 23 | ||||
-rw-r--r-- | usr.sbin/rpki-client/roa.c | 7 | ||||
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 27 |
5 files changed, 39 insertions, 27 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index e6d50931f9e..c78f067563e 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.42 2021/10/27 21:56:58 beck Exp $ */
+/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
 /*
 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1060,7 +1060,8 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der,
 p.res->aia = x509_get_aia(x, p.fn);
 p.res->crl = x509_get_crl(x, p.fn);
 }
- p.res->expires = x509_get_expire(x, p.fn);
+ if (!x509_get_expire(x, p.fn, &p.res->expires))
+ goto out;
 p.res->purpose = x509_get_purpose(x, p.fn);
 /* Validation on required fields. */
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index fc07970c6bf..023ac81e67c 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.82 2021/10/27 21:56:58 beck Exp $ */
+/* $OpenBSD: extern.h,v 1.83 2021/10/28 09:02:19 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -558,7 +558,7 @@ struct ibuf *io_buf_recvfd(int, struct ibuf **);
 char *x509_get_aia(X509 *, const char *);
 char *x509_get_aki(X509 *, int, const char *);
 char *x509_get_ski(X509 *, const char *);
-time_t x509_get_expire(X509 *, const char *);
+int x509_get_expire(X509 *, const char *, time_t *);
 char *x509_get_crl(X509 *, const char *);
 char *x509_crl_get_aki(X509_CRL *, const char *);
 char *x509_get_pubkey(X509 *, const char *);
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index acafeb235d9..7c72f9cdb73 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.20 2021/10/26 16:12:54 claudio Exp $ */ +/* $OpenBSD: parser.c,v 1.21 2021/10/28 09:02:19 beck Exp $ */ /* * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -382,30 +382,37 @@ proc_parser_crl(struct entity *entp, const unsigned char *der, size_t len) if ((crl = malloc(sizeof(*crl))) == NULL) err(1, NULL); if ((crl->aki = x509_crl_get_aki(x509_crl, entp->file)) == - NULL) - errx(1, "x509_crl_get_aki failed"); + NULL) { + warnx("x509_crl_get_aki failed"); + goto err; + } + crl->x509_crl = x509_crl; /* extract expire time for later use */ at = X509_CRL_get0_nextUpdate(x509_crl); if (at == NULL) { - errx(1, "%s: X509_CRL_get0_nextUpdate failed", + warnx("%s: X509_CRL_get0_nextUpdate failed", entp->file); + goto err; } memset(&expires_tm, 0, sizeof(expires_tm)); if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) { - errx(1, "%s: ASN1_time_parse failed", entp->file); + warnx("%s: ASN1_time_parse failed", entp->file); + goto err; } - if ((crl->expires = mktime(&expires_tm)) == -1) { + if ((crl->expires = mktime(&expires_tm)) == -1) errx(1, "%s: mktime failed", entp->file); - } if (RB_INSERT(crl_tree, &crlt, crl) != NULL) { warnx("%s: duplicate AKI %s", entp->file, crl->aki); - free_crl(crl); + goto err; } } + return; + err: + free_crl(crl); } /* diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c index 766e4e441a3..eefe6a5cb94 100644 --- a/usr.sbin/rpki-client/roa.c +++ b/usr.sbin/rpki-client/roa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roa.c,v 1.29 2021/10/27 21:56:58 beck Exp $ */ +/* $OpenBSD: roa.c,v 1.30 2021/10/28 09:02:19 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * 
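Review bot: The first `goto err` in proc_parser_crl (the x509_crl_get_aki failure) reaches `free_crl(crl)` before `crl->x509_crl` has been assigned, and `crl` comes from `malloc`, so that field is uninitialized on this path. free_crl is not shown in the hunk; if it releases `crl->x509_crl`, a CRL with a missing or malformed AKI would lead to a free of an indeterminate pointer, and the decoded `x509_crl` itself appears not to be released on that path. Allocating with `if ((crl = calloc(1, sizeof(*crl))) == NULL)` and moving `crl->x509_crl = x509_crl;` above the AKI lookup would make every `goto err` safe. The function begins above the hunk, so how `x509_crl` is handled when decoding fails is not visible here.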
@@ -374,10 +374,9 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) warnx("%s: ASN1_time_parse failed", fn); goto out; } - if ((expires = mktime(&expires_tm)) == -1) { + if ((expires = mktime(&expires_tm)) == -1) errx(1, "mktime failed"); - goto out; - } + p.res->expires = expires; if (!roa_parse_econtent(cms, cmsz, &p)) diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 7d3962c11a5..1b5f3ff0454 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.28 2021/10/27 21:56:58 beck Exp $ */ +/* $OpenBSD: x509.c,v 1.29 2021/10/28 09:02:19 beck Exp $ */ /* * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -293,7 +293,7 @@ x509_get_aia(X509 *x, const char *fn) ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier), ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)); if (aia == NULL) - err(1, NULL); /* why not just return NULL? */ + err(1, NULL); out: AUTHORITY_INFO_ACCESS_free(info); @@ -303,24 +303,29 @@ out: /* * Extract the expire time (not-after) of a certificate. */ -time_t -x509_get_expire(X509 *x, const char *fn) +int +x509_get_expire(X509 *x, const char *fn, time_t *tt) { const ASN1_TIME *at; struct tm expires_tm; time_t expires; at = X509_get0_notAfter(x); - if (at == NULL) - errx(1, "%s: X509_get0_notafter failed", fn); + if (at == NULL) { + warnx("%s: X509_get0_notafter failed", fn); + return 0; + } memset(&expires_tm, 0, sizeof(expires_tm)); - if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) - errx(1, "%s: ASN1_time_parse failed", fn); - + if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) { + warnx("%s: ASN1_time_parse failed", fn); + return 0; + } if ((expires = mktime(&expires_tm)) == -1) errx(1, "%s: mktime failed", fn); - return expires; + *tt = expires; + return 1; + } /* 
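Review bot: The `mktime` check in roa_parse still ends in `errx(1, "mktime failed")`, and the same pattern is kept in proc_parser_crl (parser.c) and x509_get_expire (x509.c), although the `struct tm` being converted was parsed from the object under validation. A -1 result is therefore input-dependent rather than a memory or system failure, and -1 is also a legitimate `time_t` value, so a malformed or unusual time field can still end the whole run, which is what this commit sets out to avoid. Consider `warnx("%s: mktime failed", fn); goto out;` here, with the equivalent `goto err` and `return 0` in the other two places. Separately, `mktime` interprets the fields as local time; whether the process pins its timezone to UTC is not visible in these hunks.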
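Review bot: The comment above x509_get_expire still only says that it extracts the expire time, while the function now reports failure through its return value and delivers the time through `tt`. I would extend it to something like `Returns 1 and stores the time in *tt on success, 0 after warning on a missing or unparsable notAfter; still exits if mktime fails.` so callers such as cert_parse_inner know that `*tt` is left untouched on failure. The blank line added between `return 1;` and the closing brace can also be dropped.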
@@ -394,7 +399,7 @@ x509_get_crl(X509 *x, const char *fn) crl = strndup(ASN1_STRING_get0_data(name->d.uniformResourceIdentifier), ASN1_STRING_length(name->d.uniformResourceIdentifier)); if (crl == NULL) - err(1, NULL); /* why not just return NULL? */ + err(1, NULL); out: CRL_DIST_POINTS_free(crldp); |