author | Theo Buehler <tb@cvs.openbsd.org> | 2022-08-19 12:45:54 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-08-19 12:45:54 +0000 |
commit | b1173eba134e45ed667af7eb737a1b188b35f10c (patch) | |
tree | 516a709c69383eff8eed36282bb9a28442848b9c /usr.sbin/rpki-client/validate.c | |
parent | 0bb941214e1ebd5f2444a4012b67cda053c85eaf (diff) |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client/validate.c')
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index 5c3fcd87acd..cc6d9511a13 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.40 2022/06/10 10:36:43 tb Exp $ */ +/* $OpenBSD: validate.c,v 1.41 2022/08/19 12:45:53 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -201,19 +201,19 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert) * Returns 1 if valid, 0 otherwise. */ int -valid_roa(const char *fn, struct auth *a, struct roa *roa) +valid_roa(const char *fn, struct cert *cert, struct roa *roa) { size_t i; char buf[64]; for (i = 0; i < roa->ipsz; i++) { - if (valid_ip(a, roa->ips[i].afi, roa->ips[i].min, - roa->ips[i].max)) + if (ip_addr_check_covered(roa->ips[i].afi, roa->ips[i].min, + roa->ips[i].max, cert->ips, cert->ipsz) > 0) continue; - ip_addr_print(&roa->ips[i].addr, - roa->ips[i].afi, buf, sizeof(buf)); - warnx("%s: RFC 6482: uncovered IP: " - "%s", fn, buf); + + ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf, + sizeof(buf)); + warnx("%s: RFC 6482: uncovered IP: %s", fn, buf); return 0; } @@ -442,7 +442,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a, * Returns 1 if valid, 0 otherwise. */ int -valid_rsc(const char *fn, struct auth *a, struct rsc *rsc) +valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc) { size_t i; uint32_t min, max; @@ -459,7 +459,7 @@ valid_rsc(const char *fn, struct auth *a, struct rsc *rsc) max = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.max : rsc->as[i].id; - if (valid_as(a, min, max)) + if (as_check_covered(min, max, cert->as, cert->asz) > 0) continue; switch (rsc->as[i].type) { 
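Review bot: The comment above valid_roa() (only its last line, `Returns 1 if valid, 0 otherwise.`, is inside the hunk) should state that a return of 1 now means the ROA's prefixes are covered by the EE cert's RFC 3779 resources, not by the auth chain. Per the commit description the chain coverage is only established later in valid_x509(), so a caller that relied on valid_roa() alone would accept resources the chain never delegated. I would add `* Coverage is checked against the EE cert only; the caller must still run valid_x509() to tie the EE cert's resources to the auth chain.` and the same sentence on valid_rsc() in the next hunk. Both functions only read the cert in the visible lines, so the new parameter could be `const struct cert *cert`, matching valid_cert() in the hunk header.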
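Review bot: The `> 0` test on as_check_covered() in valid_rsc() sends every non-positive result down the same failure path. If the helper returns a negative value for an inherit element in the EE cert (its definition is not on this page), the warning that follows would report an uncovered AS rather than a disallowed inherit. Failing closed is the right behaviour; a one-line comment such as `/* <0 (inherit in the EE cert) is deliberately treated as not covered */` would record that it is intended, or the note could point to where inherit is rejected during EE cert parsing if that is the case. The same applies to the ip_addr_check_covered() calls in valid_roa() and in the hunk at -483. valid_rsc()'s body continues outside the hunk.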
@@ -483,8 +483,8 @@ valid_rsc(const char *fn, struct auth *a, struct rsc *rsc) return 0; } - if (valid_ip(a, rsc->ips[i].afi, rsc->ips[i].min, - rsc->ips[i].max)) + if (ip_addr_check_covered(rsc->ips[i].afi, rsc->ips[i].min, + rsc->ips[i].max, cert->ips, cert->ipsz) > 0) continue; switch (rsc->ips[i].type) { |