mirror of
https://github.com/openbsd/src.git
synced 2025-01-10 06:47:55 -08:00
Don't exit in certain cases on failures to parse x509 objects.
In most cases we already warn and continue if someone sends us malformed x509 objects. This makes this consistent behaviour in all places so that if someone passes in bogus X509, We end up failing their entry and continuing rather than exiting. We still exit on memory/system failures so that a future run of rpki client can simply do better when the machine is perhaps less hammered on ok job@ claudio@
This commit is contained in:
parent
42d1e0ec0b
commit
61c641a85a
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cert.c,v 1.42 2021/10/27 21:56:58 beck Exp $ */
|
||||
/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
@ -1060,7 +1060,8 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der,
|
||||
p.res->aia = x509_get_aia(x, p.fn);
|
||||
p.res->crl = x509_get_crl(x, p.fn);
|
||||
}
|
||||
p.res->expires = x509_get_expire(x, p.fn);
|
||||
if (!x509_get_expire(x, p.fn, &p.res->expires))
|
||||
goto out;
|
||||
p.res->purpose = x509_get_purpose(x, p.fn);
|
||||
|
||||
/* Validation on required fields. */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: extern.h,v 1.82 2021/10/27 21:56:58 beck Exp $ */
|
||||
/* $OpenBSD: extern.h,v 1.83 2021/10/28 09:02:19 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
*
|
||||
@ -558,7 +558,7 @@ struct ibuf *io_buf_recvfd(int, struct ibuf **);
|
||||
char *x509_get_aia(X509 *, const char *);
|
||||
char *x509_get_aki(X509 *, int, const char *);
|
||||
char *x509_get_ski(X509 *, const char *);
|
||||
time_t x509_get_expire(X509 *, const char *);
|
||||
int x509_get_expire(X509 *, const char *, time_t *);
|
||||
char *x509_get_crl(X509 *, const char *);
|
||||
char *x509_crl_get_aki(X509_CRL *, const char *);
|
||||
char *x509_get_pubkey(X509 *, const char *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: parser.c,v 1.20 2021/10/26 16:12:54 claudio Exp $ */
|
||||
/* $OpenBSD: parser.c,v 1.21 2021/10/28 09:02:19 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
@ -382,30 +382,37 @@ proc_parser_crl(struct entity *entp, const unsigned char *der, size_t len)
|
||||
if ((crl = malloc(sizeof(*crl))) == NULL)
|
||||
err(1, NULL);
|
||||
if ((crl->aki = x509_crl_get_aki(x509_crl, entp->file)) ==
|
||||
NULL)
|
||||
errx(1, "x509_crl_get_aki failed");
|
||||
NULL) {
|
||||
warnx("x509_crl_get_aki failed");
|
||||
goto err;
|
||||
}
|
||||
|
||||
crl->x509_crl = x509_crl;
|
||||
|
||||
/* extract expire time for later use */
|
||||
at = X509_CRL_get0_nextUpdate(x509_crl);
|
||||
if (at == NULL) {
|
||||
errx(1, "%s: X509_CRL_get0_nextUpdate failed",
|
||||
warnx("%s: X509_CRL_get0_nextUpdate failed",
|
||||
entp->file);
|
||||
goto err;
|
||||
}
|
||||
memset(&expires_tm, 0, sizeof(expires_tm));
|
||||
if (ASN1_time_parse(at->data, at->length, &expires_tm,
|
||||
0) == -1) {
|
||||
errx(1, "%s: ASN1_time_parse failed", entp->file);
|
||||
warnx("%s: ASN1_time_parse failed", entp->file);
|
||||
goto err;
|
||||
}
|
||||
if ((crl->expires = mktime(&expires_tm)) == -1) {
|
||||
if ((crl->expires = mktime(&expires_tm)) == -1)
|
||||
errx(1, "%s: mktime failed", entp->file);
|
||||
}
|
||||
|
||||
if (RB_INSERT(crl_tree, &crlt, crl) != NULL) {
|
||||
warnx("%s: duplicate AKI %s", entp->file, crl->aki);
|
||||
free_crl(crl);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
return;
|
||||
err:
|
||||
free_crl(crl);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: roa.c,v 1.29 2021/10/27 21:56:58 beck Exp $ */
|
||||
/* $OpenBSD: roa.c,v 1.30 2021/10/28 09:02:19 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
*
|
||||
@ -374,10 +374,9 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
|
||||
warnx("%s: ASN1_time_parse failed", fn);
|
||||
goto out;
|
||||
}
|
||||
if ((expires = mktime(&expires_tm)) == -1) {
|
||||
if ((expires = mktime(&expires_tm)) == -1)
|
||||
errx(1, "mktime failed");
|
||||
goto out;
|
||||
}
|
||||
|
||||
p.res->expires = expires;
|
||||
|
||||
if (!roa_parse_econtent(cms, cmsz, &p))
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: x509.c,v 1.28 2021/10/27 21:56:58 beck Exp $ */
|
||||
/* $OpenBSD: x509.c,v 1.29 2021/10/28 09:02:19 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
@ -293,7 +293,7 @@ x509_get_aia(X509 *x, const char *fn)
|
||||
ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier),
|
||||
ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
|
||||
if (aia == NULL)
|
||||
err(1, NULL); /* why not just return NULL? */
|
||||
err(1, NULL);
|
||||
|
||||
out:
|
||||
AUTHORITY_INFO_ACCESS_free(info);
|
||||
@ -303,24 +303,29 @@ out:
|
||||
/*
|
||||
* Extract the expire time (not-after) of a certificate.
|
||||
*/
|
||||
time_t
|
||||
x509_get_expire(X509 *x, const char *fn)
|
||||
int
|
||||
x509_get_expire(X509 *x, const char *fn, time_t *tt)
|
||||
{
|
||||
const ASN1_TIME *at;
|
||||
struct tm expires_tm;
|
||||
time_t expires;
|
||||
|
||||
at = X509_get0_notAfter(x);
|
||||
if (at == NULL)
|
||||
errx(1, "%s: X509_get0_notafter failed", fn);
|
||||
if (at == NULL) {
|
||||
warnx("%s: X509_get0_notafter failed", fn);
|
||||
return 0;
|
||||
}
|
||||
memset(&expires_tm, 0, sizeof(expires_tm));
|
||||
if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
|
||||
errx(1, "%s: ASN1_time_parse failed", fn);
|
||||
|
||||
if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
|
||||
warnx("%s: ASN1_time_parse failed", fn);
|
||||
return 0;
|
||||
}
|
||||
if ((expires = mktime(&expires_tm)) == -1)
|
||||
errx(1, "%s: mktime failed", fn);
|
||||
|
||||
return expires;
|
||||
*tt = expires;
|
||||
return 1;
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
@ -394,7 +399,7 @@ x509_get_crl(X509 *x, const char *fn)
|
||||
crl = strndup(ASN1_STRING_get0_data(name->d.uniformResourceIdentifier),
|
||||
ASN1_STRING_length(name->d.uniformResourceIdentifier));
|
||||
if (crl == NULL)
|
||||
err(1, NULL); /* why not just return NULL? */
|
||||
err(1, NULL);
|
||||
|
||||
out:
|
||||
CRL_DIST_POINTS_free(crldp);
|
||||
|
Loading…
Reference in New Issue
Block a user