authorTheo Buehler <tb@cvs.openbsd.org>2021-12-26 12:30:12 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-12-26 12:30:12 +0000
commitee695add095c88575ff5b024f0195e3cbd35057a (patch)
treed901cd23e7f1dcffe0eeeb747964fe8e1d96f40b /usr.sbin
parentd63153f8ff502b5e17b34e9e91dad8bd42bcc59c (diff)
Check ipAddrBlock and autonomousSysNum for criticality
These extensions MUST be marked critical. Criticality is determined by the ASN1_BOOLEAN that is extracted and ignored after the FIXME a few lines below each of the two hunks. Rather than getting the info from there, it's easier to use an API call that checks what was already parsed by d2i_X509(). ok claudio job
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/cert.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 1551be66ee4..b23b5dd6b5b 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.47 2021/11/05 10:50:41 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.48 2021/12/26 12:30:11 tb Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -588,6 +588,12 @@ sbgp_assysnum(struct parse *p, X509_EXTENSION *ext)
int dsz, rc = 0, i, ptag;
long plen;
+ if (!X509_EXTENSION_get_critical(ext)) {
+ cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
+ "extension not critical", p->fn);
+ goto out;
+ }
+
if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
"failed extension parse", p->fn);
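Review bot: The new criticality guard in sbgp_assysnum (and the matching one in sbgp_ipaddrblk in the next hunk) carries no comment stating why a non-critical extension is a hard failure, so a later reader may take it for a stylistic choice and relax it; a one-line comment above the `if`, `/* RFC 6487, section 4.8.11: this extension MUST be marked critical. */` (4.8.10 for sbgp_ipaddrblk), would pin the requirement to the spec. The `goto out` path depends on `rc` still holding its initial 0 so the caller sees the extension as rejected; that holds here since `rc = 0` is visible in the declarations, but the `out:` label and the rc initialisation for sbgp_ipaddrblk lie outside the hunks, so confirm both functions return failure rather than fall through. Per the commit message the ASN1_BOOLEAN criticality flag is still extracted and ignored after a FIXME further down each function; now that X509_EXTENSION_get_critical() is authoritative, that FIXME should say the check is already done so nobody re-implements it from the raw boolean. Both enclosing function bodies begin and end outside the hunks.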
@@ -891,6 +897,12 @@ sbgp_ipaddrblk(struct parse *p, X509_EXTENSION *ext)
const ASN1_TYPE *t = NULL;
int i;
+ if (!X509_EXTENSION_get_critical(ext)) {
+ cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
+ "extension not critical", p->fn);
+ goto out;
+ }
+
if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
"failed extension parse", p->fn);