diff options
author | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-01-06 16:06:31 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-01-06 16:06:31 +0000 |
commit | 489c8746bcca88213f3a96295d660fcdcba11b6e (patch) | |
tree | f4221c4051cf6b17f1a5a3756513102c23730637 | |
parent | 2271e5b41e3b9826af0500ef41aaca9ecdbfd370 (diff) |
Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits mainly unneccessary else if cascades and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@
-rw-r--r-- | usr.sbin/rpki-client/main.c | 7 | ||||
-rw-r--r-- | usr.sbin/rpki-client/mft.c | 70 |
2 files changed, 26 insertions, 51 deletions
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index 0160877e96b..ce7abda7d12 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.171 2022/01/04 18:41:32 claudio Exp $ */ +/* $OpenBSD: main.c,v 1.172 2022/01/06 16:06:30 claudio Exp $ */ /* * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -518,9 +518,10 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, break; } mft = mft_read(b); - if (mft->stale) + if (!mft->stale) + queue_add_from_mft_set(mft); + else st->mfts_stale++; - queue_add_from_mft_set(mft); mft_free(mft); break; case RTYPE_CRL: diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c index 77e16c49e9d..3c30d5f4cf9 100644 --- a/usr.sbin/rpki-client/mft.c +++ b/usr.sbin/rpki-client/mft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mft.c,v 1.42 2021/10/28 13:51:42 job Exp $ */ +/* $OpenBSD: mft.c,v 1.43 2022/01/06 16:06:30 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -161,20 +161,8 @@ mft_parse_filehash(struct parse *p, const ASN1_OCTET_STRING *os) if (fn == NULL) err(1, NULL); - /* - * Make sure we're just a pathname and either an ROA or CER. - * I don't think that the RFC specifically mentions this, but - * it's in practical use and would really screw things up - * (arbitrary filenames) otherwise. - */ - - if (strchr(fn, '/') != NULL) { - warnx("%s: path components disallowed in filename: %s", - p->fn, fn); - goto out; - } else if (strlen(fn) <= 4) { - warnx("%s: filename must be large enough for suffix part: %s", - p->fn, fn); + if (!valid_filename(fn)) { + warnx("%s: invalid filename: %s", p->fn, fn); goto out; } @@ -257,7 +245,7 @@ mft_parse_flist(struct parse *p, const ASN1_OCTET_STRING *os) /* * Handle the eContent of the manifest object, RFC 6486 sec. 4.2. - * Returns <0 on failure, 0 on stale, >0 on success. + * Returns 0 on failure and 1 on success. */ static int mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) @@ -267,7 +255,7 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) const ASN1_GENERALIZEDTIME *from, *until; long mft_version; BIGNUM *mft_seqnum = NULL; - int i = 0, rc = -1; + int i = 0, rc = 0; if ((seq = d2i_ASN1_SEQUENCE_ANY(NULL, &d, dsz)) == NULL) { cryptowarnx("%s: RFC 6486 section 4.2: Manifest: " @@ -366,22 +354,26 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) } until = t->value.generalizedtime; - rc = check_validity(from, until, p->fn); - if (rc != 1) + switch (check_validity(from, until, p->fn)) { + case 0: + p->res->stale = 1; + /* FALLTHROUGH */ + case 1: + break; + case -1: goto out; - - /* The mft is valid. Reset rc so later 'goto out' return failure. */ - rc = -1; + } /* File list algorithm. */ t = sk_ASN1_TYPE_value(seq, i++); if (t->type != V_ASN1_OBJECT) { warnx("%s: RFC 6486 section 4.2.1: fileHashAlg: " - "want ASN.1 object time, have %s (NID %d)", + "want ASN.1 object, have %s (NID %d)", p->fn, ASN1_tag2str(t->type), t->type); goto out; - } else if (OBJ_obj2nid(t->value.object) != NID_sha256) { + } + if (OBJ_obj2nid(t->value.object) != NID_sha256) { warnx("%s: RFC 6486 section 4.2.1: fileHashAlg: " "want SHA256 object, have %s (NID %d)", p->fn, ASN1_tag2str(OBJ_obj2nid(t->value.object)), @@ -397,7 +389,9 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) "want ASN.1 sequence, have %s (NID %d)", p->fn, ASN1_tag2str(t->type), t->type); goto out; - } else if (!mft_parse_flist(p, t->value.octet_string)) + } + + if (!mft_parse_flist(p, t->value.octet_string)) goto out; rc = 1; @@ -418,8 +412,8 @@ struct mft * mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) { struct parse p; - int c, rc = 0; - size_t i, cmsz; + int rc = 0; + size_t cmsz; unsigned char *cms; memset(&p, 0, sizeof(struct parse)); @@ -451,27 +445,7 @@ mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) goto out; } - /* - * If we're stale, then remove all of the files that the MFT - * references as well as marking it as stale. - */ - - if ((c = mft_parse_econtent(cms, cmsz, &p)) == 0) { - /* - * FIXME: it should suffice to just mark this as stale - * and have the logic around mft_read() simply ignore - * the contents of stale entries, just like it does for - * invalid ROAs or certificates. - */ - - p.res->stale = 1; - if (p.res->files != NULL) - for (i = 0; i < p.res->filesz; i++) - free(p.res->files[i].file); - free(p.res->files); - p.res->filesz = 0; - p.res->files = NULL; - } else if (c == -1) + if (mft_parse_econtent(cms, cmsz, &p) == 0) goto out; rc = 1; |