diff options
| author | Job Snijders <job@cvs.openbsd.org> | 2023-09-25 08:48:15 +0000 |
|---|---|---|
| committer | Job Snijders <job@cvs.openbsd.org> | 2023-09-25 08:48:15 +0000 |
| commit | 71d7ab6c109344f0073b1282b7c19b77a6817b44 (patch) | |
| tree | 7fbb370447dccce81c7fa4619b229fb80a1f9ca0 | |
| parent | fff0f48fce109cd45724920ce4ba1edf48591ebf (diff) | |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
| -rw-r--r-- | usr.sbin/rpki-client/extern.h | 4 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/ip.c | 34 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/validate.c | 100 |
3 files changed, 94 insertions, 44 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index dbef64d767f..8420d0f79c1 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.189 2023/09/12 09:33:30 job Exp $ */ +/* $OpenBSD: extern.h,v 1.190 2023/09/25 08:48:14 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -708,6 +708,8 @@ int ip_addr_parse(const ASN1_BIT_STRING *, enum afi, const char *, struct ip_addr *); void ip_addr_print(const struct ip_addr *, enum afi, char *, size_t); +void ip_addr_range_print(const struct ip_addr_range *, enum afi, + char *, size_t); int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *); int ip_addr_check_overlap(const struct cert_ip *, const char *, const struct cert_ip *, size_t); diff --git a/usr.sbin/rpki-client/ip.c b/usr.sbin/rpki-client/ip.c index 89c3088aefb..f5ff23b03f5 100644 --- a/usr.sbin/rpki-client/ip.c +++ b/usr.sbin/rpki-client/ip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip.c,v 1.27 2022/11/29 20:41:32 job Exp $ */ +/* $OpenBSD: ip.c,v 1.28 2023/09/25 08:48:14 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -254,6 +254,38 @@ ip_addr_print(const struct ip_addr *addr, } /* + * Convert a ip_addr into a NUL-terminated range notation string. + * The size of the buffer must be at least 95 (inclusive). + */ +void +ip_addr_range_print(const struct ip_addr_range *range, + enum afi afi, char *buf, size_t bufsz) +{ + char min[INET6_ADDRSTRLEN], max[INET6_ADDRSTRLEN]; + int ret, af; + + switch (afi) { + case AFI_IPV4: + af = AF_INET; + break; + case AFI_IPV6: + af = AF_INET6; + break; + default: + errx(1, "unsupported address family identifier"); + } + + if (inet_ntop(af, &range->min, min, sizeof(min)) == NULL) + err(1, "inet_ntop"); + if (inet_ntop(af, &range->max, max, sizeof(max)) == NULL) + err(1, "inet_ntop"); + + ret = snprintf(buf, bufsz, "%s--%s", min, max); + if (ret < 0 || (size_t)ret >= bufsz) + err(1, "malformed IP address"); +} + +/* * Given the addresses (range or IP) in cert_ip, fill in the "min" and * "max" fields with the minimum and maximum possible IP addresses given * those ranges (or singleton prefixed range). diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index d934f2c1e41..1638c2846fe 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.66 2023/06/29 10:28:25 tb Exp $ */ +/* $OpenBSD: validate.c,v 1.67 2023/09/25 08:48:14 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -135,48 +135,63 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert) { size_t i; uint32_t min, max; - char buf1[64], buf2[64]; + char buf[128]; for (i = 0; i < cert->asz; i++) { if (cert->as[i].type == CERT_AS_INHERIT) continue; - min = cert->as[i].type == CERT_AS_ID ? - cert->as[i].id : cert->as[i].range.min; - max = cert->as[i].type == CERT_AS_ID ? - cert->as[i].id : cert->as[i].range.max; + + if (cert->as[i].type == CERT_AS_ID) { + min = cert->as[i].id; + max = cert->as[i].id; + } else { + min = cert->as[i].range.min; + max = cert->as[i].range.max; + } + if (valid_as(a, min, max)) continue; - warnx("%s: RFC 6487: uncovered AS: " - "%u--%u", fn, min, max); + + switch (cert->as[i].type) { + case CERT_AS_ID: + warnx("%s: RFC 6487: uncovered AS: %u", fn, min); + break; + case CERT_AS_RANGE: + warnx("%s: RFC 6487: uncovered AS: %u--%u", fn, + min, max); + break; + case CERT_AS_INHERIT: + warnx("%s: RFC 6487: uncovered AS: (inherit)", fn); + break; + } + return 0; } for (i = 0; i < cert->ipsz; i++) { if (cert->ips[i].type == CERT_IP_INHERIT) continue; + if (valid_ip(a, cert->ips[i].afi, cert->ips[i].min, cert->ips[i].max)) continue; + switch (cert->ips[i].type) { - case CERT_IP_RANGE: - ip_addr_print(&cert->ips[i].range.min, - cert->ips[i].afi, buf1, sizeof(buf1)); - ip_addr_print(&cert->ips[i].range.max, - cert->ips[i].afi, buf2, sizeof(buf2)); - warnx("%s: RFC 6487: uncovered IP: " - "%s--%s", fn, buf1, buf2); - break; case CERT_IP_ADDR: ip_addr_print(&cert->ips[i].ip, - cert->ips[i].afi, buf1, sizeof(buf1)); - warnx("%s: RFC 6487: uncovered IP: " - "%s", fn, buf1); + cert->ips[i].afi, buf, sizeof(buf)); + warnx("%s: RFC 6487: uncovered IP: %s", fn, buf); + break; + case CERT_IP_RANGE: + ip_addr_range_print(&cert->ips[i].range, + cert->ips[i].afi, buf, sizeof(buf)); + warnx("%s: RFC 6487: uncovered IP: %s", fn, buf); break; case CERT_IP_INHERIT: - warnx("%s: RFC 6487: uncovered IP: " - "(inherit)", fn); + warnx("%s: RFC 6487: uncovered IP: (inherit)", fn); break; } + return 0; } @@ -458,25 +473,28 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc) { size_t i; uint32_t min, max; - char buf1[64], buf2[64]; + char buf[128]; for (i = 0; i < rsc->asz; i++) { - min = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.min - : rsc->as[i].id; - max = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.max - : rsc->as[i].id; + if (rsc->as[i].type == CERT_AS_ID) { + min = rsc->as[i].id; + max = rsc->as[i].id; + } else { + min = rsc->as[i].range.min; + max = rsc->as[i].range.max; + } if (as_check_covered(min, max, cert->as, cert->asz) > 0) continue; switch (rsc->as[i].type) { case CERT_AS_ID: - warnx("%s: RSC resourceBlock: uncovered AS Identifier: " - "%u", fn, rsc->as[i].id); + warnx("%s: RSC resourceBlock: uncovered AS: %u", fn, + min); break; case CERT_AS_RANGE: - warnx("%s: RSC resourceBlock: uncovered AS Range: " - "%u--%u", fn, min, max); + warnx("%s: RSC resourceBlock: uncovered AS: %u--%u", + fn, min, max); break; default: break; @@ -490,19 +508,17 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc) continue; switch (rsc->ips[i].type) { - case CERT_IP_RANGE: - ip_addr_print(&rsc->ips[i].range.min, - rsc->ips[i].afi, buf1, sizeof(buf1)); - ip_addr_print(&rsc->ips[i].range.max, - rsc->ips[i].afi, buf2, sizeof(buf2)); - warnx("%s: RSC ResourceBlock: uncovered IP Range: " - "%s--%s", fn, buf1, buf2); - break; case CERT_IP_ADDR: - ip_addr_print(&rsc->ips[i].ip, - rsc->ips[i].afi, buf1, sizeof(buf1)); - warnx("%s: RSC ResourceBlock: uncovered IP: " - "%s", fn, buf1); + ip_addr_print(&rsc->ips[i].ip, rsc->ips[i].afi, buf, + sizeof(buf)); + warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn, + buf); + break; + case CERT_IP_RANGE: + ip_addr_range_print(&rsc->ips[i].range, rsc->ips[i].afi, + buf, sizeof(buf)); + warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn, + buf); break; default: break; |