CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/04/13 10:00:19
Modified files:
usr.sbin/rpki-client: Tag: OPENBSD_7_8 http.c x509.c
Log message:
At the end of parsing the http response header do some sanity checks
to ensure that the response includes all needed data.
Right now only the presence of a Location header is checked if an HTTP
redirect was returned (e.g. a 301 status).
Different fix for a report from Daniel Anderson
from claudio@; OK tb@

rpki-client: fix incorrect error exit in x509_get_time()
A UTCTime represents a time between Jan 1, 1950 and Dec 31, 2049. This
includes Dec 31, 1969, 23:59:59 UTC, which translates to epoch -1 when
converted as a time_t. timegm()'s in-band error conflates this time with
its error return, so a hard error for this creates a DoS.
Instead, return an error for ASN.1 times that translate to negative time_t
and bubble up the error to reject the RPKI product as malformed. Real life
notBefore (or equivalent) are in the ongoing millennium, although strictly
speaking this is not guaranteed since Validity windows need not nest.
Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University,
and Teatime Lab for reporting.
from tb@; ok claudio job
this is errata/7.8/030_rpki.patch.sig
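
The timegm() conflation described in the second log message, as an added example that is not part of the commit and not rpki-client's code: the same UTCTime inputs go through a conversion that treats -1 as a fatal timegm() failure and through one that rejects every negative time_t as a per-object error. The parser, the function names and the `CONV_*` values are hypothetical, `CONV_FATAL` stands in for a hard error exit, and the input strings are constructed.

```c
/* Added illustration, not rpki-client code; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <time.h>
time_t timegm(struct tm *);	/* non-standard; declared in case feature macros hide it */
enum conv { CONV_OK, CONV_REJECT, CONV_FATAL };

/* Parse "YYMMDDHHMMSSZ" (YY >= 50 is 19YY, else 20YY); ranges checked coarsely. */
static int utctime_to_tm(const char *s, struct tm *tm)
{
	int i, v[6];
	if (strlen(s) != 13 || s[12] != 'Z' || strspn(s, "0123456789") != 12)
		return -1;
	for (i = 0; i < 6; i++)
		v[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
	if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 || v[3] > 23 || v[4] > 59 || v[5] > 59)
		return -1;
	*tm = (struct tm){ .tm_year = v[0] + (v[0] >= 50 ? 0 : 100),	/* since 1900 */
	    .tm_mon = v[1] - 1, .tm_mday = v[2],
	    .tm_hour = v[3], .tm_min = v[4], .tm_sec = v[5] };
	return 0;
}

/* Treats -1 as timegm() failure and makes it fatal, so one object stops the run. */
static enum conv convert_naive(const char *s, time_t *out)
{
	struct tm tm;
	if (utctime_to_tm(s, &tm) == -1)
		return CONV_REJECT;
	return (*out = timegm(&tm)) == -1 ? CONV_FATAL : CONV_OK;
}

/* Every negative result, -1 included, is a soft error for this object only. */
static enum conv convert_checked(const char *s, time_t *out)
{
	struct tm tm;
	if (utctime_to_tm(s, &tm) == -1 || (*out = timegm(&tm)) < 0)
		return CONV_REJECT;
	return CONV_OK;
}

int main(void)
{
	const char *in[] = { "691231235959Z", "500101000000Z", "700101000000Z" };
	time_t t;
	for (int i = 0; i < 3; i++)
		printf("%s naive=%d checked=%d\n", in[i], convert_naive(in[i], &t), convert_checked(in[i], &t));
	return 0;
}
```

The 1950 input shows why testing for -1 alone is not a usable error check: the first conversion accepts it with a large negative time_t yet aborts on the one valid timestamp that happens to equal -1.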