-rw-r--r-- | usr.sbin/rpki-client/cert.c | 14 | ||||
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 6 | ||||
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 18 |
3 files changed, 20 insertions, 18 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 625f0479301..bc517e60da5 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.133 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.134 2024/06/04 04:17:18 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -529,7 +529,7 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 
 oid = ad->method;
 if (OBJ_cmp(oid, carepo_oid) == 0) {
- if (!x509_location(fn, "SIA: caRepository", NULL,
+ if (!x509_location(fn, "SIA: caRepository", ad->location,
 &carepo))
 goto out;
 if (cert->repo == NULL && strncasecmp(carepo,
@@ -544,7 +544,7 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 free(carepo);
 carepo = NULL;
 } else if (OBJ_cmp(oid, manifest_oid) == 0) {
- if (!x509_location(fn, "SIA: rpkiManifest", NULL,
+ if (!x509_location(fn, "SIA: rpkiManifest", ad->location,
 &rpkimft))
 goto out;
 if (cert->mft == NULL && strncasecmp(rpkimft,
@@ -560,8 +560,14 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 rpkimft = NULL;
 } else if (OBJ_cmp(oid, notify_oid) == 0) {
 if (!x509_location(fn, "SIA: rpkiNotify",
- HTTPS_PROTO, ad->location, &cert->notify))
+ ad->location, &cert->notify))
 goto out;
+ if (strncasecmp(cert->notify, HTTPS_PROTO,
+ HTTPS_PROTO_LEN) != 0) {
+ warnx("%s: non-https uri in rpkiNotify: %s",
+ fn, cert->notify);
+ goto out;
+ }
 }
 }
 
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 46c64afc903..601d7d2893e 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.220 2024/05/31 02:45:15 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.221 2024/06/04 04:17:18 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
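Review bot: On the new non-https path in the rpkiNotify branch the rejected URI is still held in cert->notify when control reaches the added `goto out`, whereas before this change x509_location failed before anything was assigned; if the `out:` label does not release the whole cert on failure, the rejected string now outlives the error. Mirroring what the caRepository and rpkiManifest branches do with their local strings, `free(cert->notify); cert->notify = NULL;` before the `goto out` would leave the struct in the same state as on the old failure path. The enclosing loop of sbgp_sia and its `out:` label lie outside the hunk, so whether the cleanup already covers this cannot be seen here.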
@@ -913,8 +913,8 @@ char *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
 enum cert_purpose x509_get_purpose(X509 *, const char *);
 int x509_get_time(const ASN1_TIME *, time_t *);
 char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
-int x509_location(const char *, const char *, const char *,
- GENERAL_NAME *, char **);
+int x509_location(const char *, const char *, GENERAL_NAME *,
+ char **);
 int x509_inherits(X509 *);
 int x509_any_inherits(X509 *);
 int x509_valid_name(const char *, const char *, const X509_NAME *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 1aad594f318..39b16fcf2ee 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.91 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.92 2024/06/04 04:17:18 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -456,7 +456,7 @@ x509_get_aia(X509 *x, const char *fn, char **aia)
 goto out;
 }
 
- if (!x509_location(fn, "AIA: caIssuers", NULL, ad->location, aia))
+ if (!x509_location(fn, "AIA: caIssuers", ad->location, aia))
 goto out;
 
 rc = 1;
@@ -522,9 +520,7 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 goto out;
 }
 
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
- sia))
+ if (!x509_location(fn, "SIA: signedObject", ad->location, sia))
 goto out;
 
 if (rsync_found)
@@ -764,9 +762,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
 name = sk_GENERAL_NAME_value(names, i);
 
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "CRL distribution point", NULL, name,
- crl))
+ if (!x509_location(fn, "CRL distribution point", name, crl))
 goto out;
 
 if (strncasecmp(*crl, RSYNC_PROTO, RSYNC_PROTO_LEN) == 0) {
@@ -812,8 +808,8 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
 * Returns 0 on failure and 1 on success.
 */
 int
-x509_location(const char *fn, const char *descr, const char *proto,
- GENERAL_NAME *location, char **out)
+x509_location(const char *fn, const char *descr, GENERAL_NAME *location,
+ char **out)
 {
 ASN1_IA5STRING *uri;
 
@@ -824,7 +820,7 @@ x509_location(const char *fn, const char *descr, const char *proto,
 
 uri = location->d.uniformResourceIdentifier;
 
- if (!valid_uri(uri->data, uri->length, proto)) {
+ if (!valid_uri(uri->data, uri->length, NULL)) {
 warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
 return 0;
 }
|
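Review bot: The header comment above x509_location, whose first lines are outside the hunk, should now state that the location is validated for URI syntax only and that the scheme is no longer enforced here, because the two inline comments `Don't fail on non-rsync URI, so check this afterward.` that documented this contract were removed from x509_get_sia and x509_get_crl in the same commit. A line such as ` * The URI scheme is not checked; callers verify rsync:// or https:// themselves.` next to `Returns 0 on failure and 1 on success.` would keep that expectation visible to the next caller. Whether the earlier part of the comment still mentions the dropped proto argument cannot be seen from the hunk.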
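Review bot: `valid_uri(uri->data, uri->length, NULL)` now passes a constant third argument, so if this was the only call site that ever supplied a protocol (not visible from the hunk), valid_uri's proto parameter has become dead and could be removed in a follow-up; otherwise a short comment on the NULL, e.g. `/* scheme is checked by the caller */`, would say why no protocol is given here. The remainder of x509_location, including its return, lies outside the hunk.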