
Don't exit in certain cases on failures to parse x509 objects.

In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes that behaviour consistent in all places,
so that if someone passes in a bogus X509 object, we end up failing their entry
and continuing rather than exiting.

We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on

ok job@ claudio@
beck 2021-10-28 09:02:19 +00:00
parent 42d1e0ec0b
commit 61c641a85a
5 changed files with 39 additions and 27 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: cert.c,v 1.42 2021/10/27 21:56:58 beck Exp $ */
/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -1060,7 +1060,8 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der,
p.res->aia = x509_get_aia(x, p.fn);
p.res->crl = x509_get_crl(x, p.fn);
}
p.res->expires = x509_get_expire(x, p.fn);
if (!x509_get_expire(x, p.fn, &p.res->expires))
goto out;
p.res->purpose = x509_get_purpose(x, p.fn);
/* Validation on required fields. */


@ -1,4 +1,4 @@
/* $OpenBSD: extern.h,v 1.82 2021/10/27 21:56:58 beck Exp $ */
/* $OpenBSD: extern.h,v 1.83 2021/10/28 09:02:19 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -558,7 +558,7 @@ struct ibuf *io_buf_recvfd(int, struct ibuf **);
char *x509_get_aia(X509 *, const char *);
char *x509_get_aki(X509 *, int, const char *);
char *x509_get_ski(X509 *, const char *);
time_t x509_get_expire(X509 *, const char *);
int x509_get_expire(X509 *, const char *, time_t *);
char *x509_get_crl(X509 *, const char *);
char *x509_crl_get_aki(X509_CRL *, const char *);
char *x509_get_pubkey(X509 *, const char *);


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.20 2021/10/26 16:12:54 claudio Exp $ */
/* $OpenBSD: parser.c,v 1.21 2021/10/28 09:02:19 beck Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -382,30 +382,37 @@ proc_parser_crl(struct entity *entp, const unsigned char *der, size_t len)
if ((crl = malloc(sizeof(*crl))) == NULL)
err(1, NULL);
if ((crl->aki = x509_crl_get_aki(x509_crl, entp->file)) ==
NULL)
errx(1, "x509_crl_get_aki failed");
NULL) {
warnx("x509_crl_get_aki failed");
goto err;
}
crl->x509_crl = x509_crl;
/* extract expire time for later use */
at = X509_CRL_get0_nextUpdate(x509_crl);
if (at == NULL) {
errx(1, "%s: X509_CRL_get0_nextUpdate failed",
warnx("%s: X509_CRL_get0_nextUpdate failed",
entp->file);
goto err;
}
memset(&expires_tm, 0, sizeof(expires_tm));
if (ASN1_time_parse(at->data, at->length, &expires_tm,
0) == -1) {
errx(1, "%s: ASN1_time_parse failed", entp->file);
warnx("%s: ASN1_time_parse failed", entp->file);
goto err;
}
if ((crl->expires = mktime(&expires_tm)) == -1) {
if ((crl->expires = mktime(&expires_tm)) == -1)
errx(1, "%s: mktime failed", entp->file);
}
if (RB_INSERT(crl_tree, &crlt, crl) != NULL) {
warnx("%s: duplicate AKI %s", entp->file, crl->aki);
free_crl(crl);
goto err;
}
}
return;
err:
free_crl(crl);
}
/*
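Review bot: The first new `goto err` in proc_parser_crl (the x509_crl_get_aki failure) reaches `free_crl(crl)` while `crl` holds only what `malloc` returned, because `crl->x509_crl = x509_crl;` is assigned two statements later. free_crl is not shown on this page, but if it releases `crl->x509_crl` it would act on an indeterminate pointer, and this path is taken for a malformed CRL fetched from a remote repository. The parsed `x509_crl` also appears never to be released on that path. Moving `crl->x509_crl = x509_crl;` directly after the allocation check, or allocating with `calloc(1, sizeof(*crl))`, would give every `goto err` a fully initialised struct. The start of the function, including the `crl_parse` call, is outside the hunk.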


@ -1,4 +1,4 @@
/* $OpenBSD: roa.c,v 1.29 2021/10/27 21:56:58 beck Exp $ */
/* $OpenBSD: roa.c,v 1.30 2021/10/28 09:02:19 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -374,10 +374,9 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
warnx("%s: ASN1_time_parse failed", fn);
goto out;
}
if ((expires = mktime(&expires_tm)) == -1) {
if ((expires = mktime(&expires_tm)) == -1)
errx(1, "mktime failed");
goto out;
}
p.res->expires = expires;
if (!roa_parse_econtent(cms, cmsz, &p))
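Review bot: A -1 from `mktime` in roa_parse still ends the whole run through `errx(1, "mktime failed")`, yet the `struct tm` it converts was filled from the object's own time field. That makes it arguably a per-object failure, not the memory/system failure the commit message reserves exiting for. -1 is also what mktime returns for a representable time (the second before the epoch), so the check cannot tell a failure from a valid value. Consider `if ((expires = mktime(&expires_tm)) == -1) { warnx("%s: mktime failed", fn); goto out; }` here, with the same warn-and-fail handling at the matching check in proc_parser_crl (parser.c) and x509_get_expire (x509.c). The start of roa_parse and its `out:` label are outside the hunk.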


@ -1,4 +1,4 @@
/* $OpenBSD: x509.c,v 1.28 2021/10/27 21:56:58 beck Exp $ */
/* $OpenBSD: x509.c,v 1.29 2021/10/28 09:02:19 beck Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -293,7 +293,7 @@ x509_get_aia(X509 *x, const char *fn)
ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier),
ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
if (aia == NULL)
err(1, NULL); /* why not just return NULL? */
err(1, NULL);
out:
AUTHORITY_INFO_ACCESS_free(info);
@ -303,24 +303,29 @@ out:
/*
* Extract the expire time (not-after) of a certificate.
*/
time_t
x509_get_expire(X509 *x, const char *fn)
int
x509_get_expire(X509 *x, const char *fn, time_t *tt)
{
const ASN1_TIME *at;
struct tm expires_tm;
time_t expires;
at = X509_get0_notAfter(x);
if (at == NULL)
errx(1, "%s: X509_get0_notafter failed", fn);
if (at == NULL) {
warnx("%s: X509_get0_notafter failed", fn);
return 0;
}
memset(&expires_tm, 0, sizeof(expires_tm));
if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
errx(1, "%s: ASN1_time_parse failed", fn);
if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
return 0;
}
if ((expires = mktime(&expires_tm)) == -1)
errx(1, "%s: mktime failed", fn);
return expires;
*tt = expires;
return 1;
}
/*
@ -394,7 +399,7 @@ x509_get_crl(X509 *x, const char *fn)
crl = strndup(ASN1_STRING_get0_data(name->d.uniformResourceIdentifier),
ASN1_STRING_length(name->d.uniformResourceIdentifier));
if (crl == NULL)
err(1, NULL); /* why not just return NULL? */
err(1, NULL);
out:
CRL_DIST_POINTS_free(crldp);
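Review bot: The comment above x509_get_expire still reads only "Extract the expire time (not-after) of a certificate.", although the function now reports status through its return value and delivers the time through `tt`. Callers need to know that `*tt` is written only on success, so I would extend the comment with `Returns 1 and stores the time in *tt on success, 0 with *tt untouched if notAfter is missing or cannot be parsed.` The `mktime` failure branch still exits instead of returning 0, which the comment should state as well for as long as that behaviour is kept.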