authorClaudio Jeker <claudio@cvs.openbsd.org>2020-10-11 12:39:26 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2020-10-11 12:39:26 +0000
commit4e2cc049dcdc23b9d47add2817b509e1bc1e383b (patch)
treebc317e8156384d1a23e92858bb18928942626422
parent58f6ab6be641d94aaa23136da94f8204b2b39834 (diff)
Implement more of RFC 8630 and support more than one URI in the TAL file.
The URIs are sorted, which results in a preference for https URIs. To make rpki-client's handling easier, enforce that all URIs use the same filename. OK benno@
-rw-r--r--usr.sbin/rpki-client/tal.c58
1 files changed, 34 insertions, 24 deletions
diff --git a/usr.sbin/rpki-client/tal.c b/usr.sbin/rpki-client/tal.c
index 518dcd5d7b6..8414c21a0c9 100644
--- a/usr.sbin/rpki-client/tal.c
+++ b/usr.sbin/rpki-client/tal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tal.c,v 1.21 2020/10/01 19:57:00 claudio Exp $ */
+/* $OpenBSD: tal.c,v 1.22 2020/10/11 12:39:25 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -62,20 +62,28 @@ fail:
return -1;
}
+static int
+tal_cmp(const void *a, const void *b)
+{
+ char * const *sa = a;
+ char * const *sb = b;
+
+ return strcmp(*sa, *sb);
+}
+
/*
- * Inner function for parsing RFC 7730 from a buffer.
+ * Inner function for parsing RFC 8630 from a buffer.
* Returns a valid pointer on success, NULL otherwise.
* The pointer must be freed with tal_free().
*/
static struct tal *
tal_parse_buffer(const char *fn, char *buf)
{
- char *nl, *line;
+ char *nl, *line, *f, *file = NULL;
unsigned char *der;
size_t sz, dersz;
int rc = 0;
struct tal *tal = NULL;
- enum rtype rp;
EVP_PKEY *pkey = NULL;
if ((tal = calloc(1, sizeof(struct tal))) == NULL)
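Review bot: tal_cmp at the top of the hunk is the comparator that produces the https-first ordering the commit message describes, but nothing at its definition says so; a reader has to find the qsort call to learn that a plain byte-order strcmp is doing scheme selection because 'h' sorts before 'r'. I would put that contract above it: `/* qsort comparator for tal->uri: plain byte order, so "https://" sorts before "rsync://" */`. Worth stating in the same comment that the comparison is case-sensitive, since the scheme check later in this function accepts any letter case. tal_parse_buffer continues past the end of this hunk.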
@@ -93,10 +101,15 @@ tal_parse_buffer(const char *fn, char *buf)
if (*line == '\0')
break;
- /* ignore https URI for now. */
- if (strncasecmp(line, "https://", 8) == 0) {
- warnx("%s: https schema ignored", line);
- continue;
+ /* Check that the URI is sensible */
+ if (!(strncasecmp(line, "https://", 8) == 0 ||
+ strncasecmp(line, "rsync://", 8) == 0)) {
+ warnx("%s: unsupported URL schema: %s", fn, line);
+ goto out;
+ }
+ if (strcasecmp(nl - 4, ".cer")) {
+ warnx("%s: not a certificate URL: %s", fn, line);
+ goto out;
}
/* Append to list of URIs. */
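Review bot: The `.cer` test uses `strcasecmp(nl - 4, ".cer")`, and that walk-back is only in bounds because the scheme check immediately above guarantees the line holds at least the 8 bytes of `https://`/`rsync://`; the coupling is silent, so a later reordering of the two checks would read before `line`. I would pin it with `/* scheme check above guarantees >= 8 bytes, so nl - 4 stays inside line */`, assuming nl marks the end of the current line as the loop setup outside this hunk suggests. Separately, the message at the first warnx says "schema" where the RFC 3986 term is "scheme": `warnx("%s: unsupported URL scheme: %s", fn, line);`. Note that a line such as `rsync://host.cer` passes both checks although it has no path component; whether the old rsync_uri_parse rejected that I cannot tell from here. The enclosing loop and function start outside this hunk.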
@@ -110,27 +123,24 @@ tal_parse_buffer(const char *fn, char *buf)
err(1, NULL);
tal->urisz++;
- /* Make sure we're a proper rsync URI. */
- if (!rsync_uri_parse(NULL, NULL,
- NULL, NULL, NULL, NULL, &rp, line)) {
- warnx("%s: RFC 7730 section 2.1: "
- "failed to parse URL: %s", fn, line);
- goto out;
- }
- if (rp != RTYPE_CER) {
- warnx("%s: RFC 7730 section 2.1: "
- "not a certificate URL: %s", fn, line);
- goto out;
- }
-
+ f = strrchr(line, '/') + 1; /* can not fail */
+ if (file) {
+ if (strcmp(file, f)) {
+ warnx("%s: URL with different file name %s, "
+ "instead of %s", fn, f, file);
+ goto out;
+ }
+ } else
+ file = f;
}
if (tal->urisz == 0) {
warnx("%s: no URIs in manifest part", fn);
goto out;
- } else if (tal->urisz > 1)
- warnx("%s: multiple URIs: using the first", fn);
- /* XXX no support for TAL files with multiple TALs yet */
+ }
+
+ /* sort uri lexicographically so https:// is preferred */
+ qsort(tal->uri, tal->urisz, sizeof(tal->uri[0]), tal_cmp);
sz = strlen(buf);
if (sz == 0) {
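Review bot: The qsort at the end of the hunk relies on strcmp ordering to prefer https, but the scheme check earlier in this function accepts `HTTPS://` and `RSYNC://` case-insensitively, so a TAL listing `RSYNC://...` next to `https://...` sorts the rsync URI first ('R' is 0x52, 'h' is 0x68) and the comment's stated preference is silently defeated. The simplest fix is to normalize the scheme bytes before the URI is appended, e.g. after the scheme check `for (i = 0; i < 8; i++) line[i] = tolower((unsigned char)line[i]);`, and to make the comment say what it now depends on: `/* sort lexicographically: with the scheme lower-cased, "https://" sorts before "rsync://" */`. The same-filename check uses a case-sensitive strcmp while the `.cer` suffix test is case-insensitive, which is fine for case-sensitive rsync and https paths but may deserve a one-line comment. tal_parse_buffer begins outside this hunk.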